Sanitising hard drives

Forums › Desktop computing › Sanitising hard drives

Elpie

1304 posts

Uber Geek
+1 received by user: 272

#153817 8-Oct-2014 20:19

Hi all,
My PC is going to a new home, complete with it's two HD's and two SSD's. Normally, I would destroy disks to ensure my data was unreadable but this time they are remaining intact and will go to the new owner (family member) as a fully working machine, Windows 7 installed. He will be taking it to Aussie and will potentially need to grant access at the border.
Sooo... I need to remove all my data and santise the disks. I've recovered data from formatted disks myself so am aware that deleting, overwriting, and reformatting before reinstalling Windows is not enough to ensure my data has completely gone. Never having done this before, I need some advice on how to remove all traces of me from these drives. I contemplated destroying the drives and replacing with new but this is money I can't afford (and it seems a waste when the drives are relatively newish). Any tips on how to santise please?

1 | 2

1110 posts

Uber Geek
+1 received by user: 884

ID Verified

Subscriber

#1150233 8-Oct-2014 20:22

http://lifehacker.com/5153684/properly-erase-your-physical-media

Worth a read.

AKLWestie

650 posts

Ultimate Geek
+1 received by user: 115

Trusted

Lifetime subscriber

#1150235 8-Oct-2014 20:24

You can give dban (www.dban.org) a try.

If you are not afraid of Linux, try secure erase for ATA (https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase).

coffeebaron

6304 posts

Uber Geek
+1 received by user: 3566

Trusted

Lifetime subscriber

#1150238 8-Oct-2014 20:31

http://www.killdisk.com/eraser.htm

Rural IT and Broadband support.

Broadband troubleshooting and master filter installs.
Starlink installer - one month free: https://www.starlink.com/?referral=RC-32845-88860-71
Wi-Fi and networking
Cel-Fi supply and installer - boost your mobile phone coverage legally

Need help in Auckland, Waikato or BoP? Click my email button, or email me direct: [my user name] at geekzonemail dot com

nathan

5695 posts

Uber Geek
+1 received by user: 1630
Inactive user

#1150286 8-Oct-2014 21:22

Grant access at the border??

NonprayingMantis

6434 posts

Uber Geek
+1 received by user: 1528

#1150288 8-Oct-2014 21:28

Nuke the disk from orbit.

....it's the only way to be sure

stocksp

721 posts

Ultimate Geek
+1 received by user: 355

ID Verified

Lifetime subscriber

#1150324 8-Oct-2014 22:49

Wow – what was on them that you are so paranoid about - and that you would not want border authorities to see?

AliExpress

Shop now on AliExpress (affiliate link).

DravidDavid

1907 posts

Uber Geek
+1 received by user: 305

#1150347 9-Oct-2014 01:53

stocksp: Wow – what was on them that you are so paranoid about - and that you would not want border authorities to see?

Why does this even matter? This question seems to pop up every time someone asks about securing a hard drive. It's a legitimate practice and more people should learn how. There are also lots of reasons. I wouldn't want some random customs specialist imaging my drive on his lunch break so he could rummage through my business outlines and intellectual property. Potentially stealing assets that took hundreds of hours to develop. Or even looking at pictures of my family and friends. Gaining access to stored passwords and other information that could compromise any of my online accounts like email, dropbox, forums...etc...

...To be honest. This is the first I've heard of "granting access" at the boarder. The very idea of some busy customs officer wanting to waste their time setting up my computer or removing my drive for analysis just seems stupid.

Which begs the question....If I "granted access" and files were encrypted, or even a thumb drive or CD...What if there were encrypted files on that? Would the media be destroyed or held for further analysis?

--

In terms of securely erasing data off of metal media. There are various tools that will scrub the drive with a series of 1's and 0's to counter the ghosting phenomenon and ensure all data is over-written. However, this still isn't a guarantee, which is why the best policy is still destruction.

One tool I once used was a diagnostic application called TuffTest. It had a media test function which read and wrote to the drive aggressively until you decided to stop it. I've never been able to recover anything after a media test.

If the data on the drive is worth 10's or 100's of thousands of dollars and security is a major concern, $200.00 for a new drive and keeping the older one does not seem like much of an expense anymore.

Elpie

1304 posts

Uber Geek
+1 received by user: 272

#1150354 9-Oct-2014 02:33

stocksp: Wow – what was on them that you are so paranoid about - and that you would not want border authorities to see?

It's not paranoia, just common sense. I will no longer be using the drives so my data will be elsewhere. Once they have left my control I don't want ANYONE being able to see, or copy, business files, passwords, confidential client files, or anything of personal or professional nature. Some files relating to business activities would disclose information entrusted to me by clients and I doubt they would want commercially-sensitive information viewed by anyone either, so I have a duty of care to them.

Elpie

1304 posts

Uber Geek
+1 received by user: 272

#1150355 9-Oct-2014 02:47

DravidDavid:
...To be honest. This is the first I've heard of "granting access" at the boarder. The very idea of some busy customs officer wanting to waste their time setting up my computer or removing my drive for analysis just seems stupid.

Which begs the question....If I "granted access" and files were encrypted, or even a thumb drive or CD...What if there were encrypted files on that? Would the media be destroyed or held for further analysis?

It's standard practise at borders now to have to power on devices to prove they are genuine devices. Any border control officer pretty much anywhere can "request" access to any electronic device to check what is on it. I had an Australian customs officer go through my Kindle two years ago in a random check. I don't know what for because he wouldn't tell me. At the Canadian border in June I saw someone have his laptop taken away. He was given paperwork and told he would get it back in 4-6 weeks. Why, I don't know, but checks are happening and I've never seen that before.

I'm not so concerned about border checks but I don't know who may end up looking at these drives once I no longer own them. If the guy whose taking it ever needs to get it serviced, or needs data recovery, I want to make sure nothing of mine hangs around. He wants it as it is, with all four drives. Due to the cost factor, I don't want to destroy these drives only to have to then pay out for four more.

I will take the advice given here and do everything I can to make my data unrecoverable. Signatures will still get left behind but I doubt that anyone will ever be doing any serious forensics on them.

nathan

5695 posts

Uber Geek
+1 received by user: 1630
Inactive user

#1150357 9-Oct-2014 03:14

Elpie:
stocksp: Wow – what was on them that you are so paranoid about - and that you would not want border authorities to see?

It's not paranoia, just common sense. I will no longer be using the drives so my data will be elsewhere. Once they have left my control I don't want ANYONE being able to see, or copy, business files, passwords, confidential client files, or anything of personal or professional nature. Some files relating to business activities would disclose information entrusted to me by clients and I doubt they would want commercially-sensitive information viewed by anyone either, so I have a duty of care to them.

you should really be running local encryption on the drives then, what if someone broke into the house and stole your desktop

BitLocker built into Windows makes this simple.

When you pass on the drives, you can just yank out your protector key and the data is unobtanium

Bung

6733 posts

Uber Geek
+1 received by user: 2926

Subscriber

#1150383 9-Oct-2014 06:20

Elpie: I will take the advice given here and do everything I can to make my data unrecoverable. Signatures will still get left behind but I doubt that anyone will ever be doing any serious forensics on them.

I believe the idea that overwritten data even if only once can be recovered is urban myth. The much easier task of recovering the erased sections of audio "Watergate" tape from Nixon's office hasn't been done yet. If a drive marked sectors as damaged and replaced them from the pool of spares they wouldn't be available for overwriting but if there were enough to contain contiguous data the drive is failing. That is probably the real issue "what do you do with a faulty drive that you can't write to?"

New World

Shop on-line at New World now for your groceries (affiliate link).

notesgnome

130 posts

Master Geek
+1 received by user: 91

ID Verified

Lifetime subscriber

#1150423 9-Oct-2014 08:46

+1 for dban

Used to use it when we were repurposing machines for sale.

7 times overwrite/wipe is usually good enough.

If people have enough money, they can probably get most of the data back after 7 overwrites (of random data), but it gets VERY expensive for them.

DravidDavid

1907 posts

Uber Geek
+1 received by user: 305

#1150538 9-Oct-2014 10:57

Bung: I believe the idea that overwritten data even if only once can be recovered is urban myth. The much easier task of recovering the erased sections of audio "Watergate" tape from Nixon's office hasn't been done yet. If a drive marked sectors as damaged and replaced them from the pool of spares they wouldn't be available for overwriting but if there were enough to contain contiguous data the drive is failing.

It is very hard, very expensive and not always possible, but it is possible to retrieve some data after it has been over-written. When people are recovering data after over-writing they are not plugging it in to a regular computer to run CCleaner, They are reading the exposed disk directly with an electronic oscilloscope to pick up 1's and 0's to put them together. As mentioned earlier. When a disk over-writes information it never writes it in the same place and leaves behind some sort of ghost of the old data. This can be countered with multiple passes of writing data, which I highly recommend. But you can never be 100% sure.

I believe it has been made easier with SSDs simply due to the way the SSDs allocate data and the way it shifts around. You can never really truly delete something. There is always a fragment left somewhere which may lead to another somewhere else. Someone correct me if I'm wrong, I did read that years ago, it may be different now.

Bung:
That is probably the real issue "what do you do with a faulty drive that you can't write to?"

Destroy it physically. There are crushing devices specifically designed to cripple hard drives to the extent that they cannot be recovered. I believe it sends a pin through the case splitting the disks, case, and circuit board on the bottom pretty much destroying the internals and flattening the drive.

TL;DR: A single or double random data write pass on a drive will stop a 12 year old plugging your drive in and recovering anything usable by a regular windows computer. But if a data recovery specialist had the correct equipment, I wouldn't be so sure there would be nothing left behind.

Better safe than sorry I say. I ran over-writes on drives for 24/48 hours depending on the size of the drive. Usually managed 5 to 8 passes in that time frame with the software I used.

Bung

6733 posts

Uber Geek
+1 received by user: 2926

Subscriber

#1150561 9-Oct-2014 11:18

Current Research

Fortunately, several security researchers presented a paper [WRIG08] at the Fourth International Conference on Information Systems Security (ICISS 2008) that declares the “great wiping controversy” about how many passes of overwriting with various data values to be settled: their research demonstrates that a single overwrite using an arbitrary data value will render the original data irretrievable even if MFM and STM techniques are employed.

The researchers found that the probability of recovering a single bit from a previously used HDD was only slightly better than a coin toss, and that the probability of recovering more bits decreases exponentially so that it quickly becomes close to zero.

Therefore, a single pass overwrite with any arbitrary value (randomly chosen or not) is sufficient to render the original HDD data effectively irretrievable." http://www.infosecisland.com/blogview/16130-The-Urban-Legend-of-Multipass-Hard-Disk-Overwrite.html

Just in case that research is a smokescreen spread by the NSA to hide their true capabilities I think anyone with the resources to recover overwritten data from a modern high density drive would just arrange for Elpie's new computer to be stolen or give her a room on Cuba and ask her to retype it all.

DravidDavid

1907 posts

Uber Geek
+1 received by user: 305

#1150594 9-Oct-2014 12:03

Bung: " Current Research Fortunately, several security researchers presented a paper [WRIG08] at the Fourth International Conference on Information Systems Security (ICISS 2008) that declares the “great wiping controversy” about how many passes of overwriting with various data values to be settled: their research demonstrates that a single overwrite using an arbitrary data value will render the original data irretrievable even if MFM and STM techniques are employed. The researchers found that the probability of recovering a single bit from a previously used HDD was only slightly better than a coin toss, and that the probability of recovering more bits decreases exponentially so that it quickly becomes close to zero. Therefore, a single pass overwrite with any arbitrary value (randomly chosen or not) is sufficient to render the original HDD data effectively irretrievable." http://www.infosecisland.com/blogview/16130-The-Urban-Legend-of-Multipass-Hard-Disk-Overwrite.html

Just in case that research is a smokescreen spread by the NSA to hide their true capabilities I think anyone with the resources to recover overwritten data from a modern high density drive would just arrange for Elpie's new computer to be stolen or give her a room on Cuba and ask her to retype it all.

Thanks for posting this. Interesting considering I've heard about criminal cases where near destroyed or securely erased data has been retrieved and used against said person. I don't have any specific examples...But I'm sure I've heard of it being done before.

I still say better safe than sorry. If the data is worth more to you than a new drive, it's best to just outright destroy it and buy another one.

1 | 2