This guide applies to all normal writeable media such as hard drives, flash drives (USB pen drives, flash memory sticks, etc.) and floppy disks.
Not many people realise that simply deleting a file from a drive doesn't really remove it. The file is still there; you have only removed the reference that your computer uses to "see" it, so the computer is no longer aware it exists and the space where that file used to sit may now be overwritten by a new file. Until that space is overwritten, though, the old file's contents still exist.
Normally on a home computer this isn't an issue because the machine isn't going anywhere. But say you keep bank documents on your computer, or a file full of passwords for various things, and you want to sell your PC. You may think formatting the drive will remove all those files and you'd be safe, but that isn't true: the next owner could easily recover everything that was on the drive before you formatted it.
As mentioned earlier, the files still exist until you overwrite them with something, so in this guide we are going to do exactly that: we're going to use a handy little program named dd to write rubbish or blank information directly onto the drive, destroying anything that still existed. This program comes with almost every version of Linux, it is available on most Macintosh (Mac) machines, and if you're using Windows you can use a Linux LiveCD to gain access to dd without having to change anything on your PC, other than burning a CD to boot from.
Finding the Right Drive
Once you're in Linux or MacOS you will need to open up a Terminal and find out the name of the drive that you want to wipe. This is critical, because getting the name wrong may result in you wiping the wrong drive!
You can normally use the dmesg command to find out which drive it is you want to wipe by matching the name to the size of the drive. When you use dmesg you will want to look for entries referring to sdx, where x identifies the drive. The naming may be slightly different on a Mac.
You can either run dmesg and look through the cruft manually to find it, or you can use the command below to show only the relevant parts:
dmesg | grep "\[sd"
You should then get output that looks something like this (these are also the relevant parts to look for if you are searching manually):
[ 3.523452] sd 0:0:0:0: [sda] 976773168 512-byte logical blocks: (500 GB/465 GiB)
[ 3.523691] sd 0:0:0:0: [sda] Write Protect is off
[ 3.523837] sd 0:0:0:0: [sda] Mode Sense: 00 3a 00 00
[ 3.523867] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
[ 3.530972] sd 0:0:0:0: [sda] Attached SCSI disk
[ 1316.577354] sd 6:0:0:0: [sdb] 7831552 512-byte logical blocks: (4.00 GB/3.73 GiB)
[ 1316.578413] sd 6:0:0:0: [sdb] Write Protect is off
[ 1316.578421] sd 6:0:0:0: [sdb] Mode Sense: 43 00 00 00
[ 1316.578426] sd 6:0:0:0: [sdb] Assuming drive cache: write through
[ 1316.582396] sd 6:0:0:0: [sdb] Assuming drive cache: write through
[ 1316.584577] sd 6:0:0:0: [sdb] Assuming drive cache: write through
[ 1316.584584] sd 6:0:0:0: [sdb] Attached SCSI removable disk
From that we can see we have two drives in this machine: a 500GB drive named 'sda' and a 4GB drive named 'sdb'. The 4GB drive is my USB Flash Drive that I want to wipe, so we know only to worry about 'sdb' and nothing else. I use sdb as an example in this guide; ensure that in all instances you replace it with the correct name for your own drive.
Completely Wiping the Drive
First, ensure that the drive isn't mounted by using the following command:
This will unmount sdb and any partitions it has before we start. Now, to make sure that all information has been completely wiped from the drive, I would use the dd command, telling it to write just zeros to the drive. We do that with the following command:
dd if=/dev/zero of=/dev/sdb bs=1M
This tells dd that we would like to write the contents of /dev/zero (which is an endless stream of zeros) to the drive /dev/sdb, which is the 4GB Flash Drive. dd will then write zeros to the drive until it runs out of space, at which point we know it has finished.
Once completed, you will see something like this:
dd: writing `/dev/sdb': No space left on device
3825+0 records in
3824+0 records out
4009754624 bytes (4.0 GB) copied, 526.231 s, 7.6 MB/s
This is also useful to show us the speed of the drive (or the interface that it's connected to).
Extra Secure Wiping
What you have done now will almost certainly make recovery of the drive's contents impossible, but if you want to be completely certain you can wipe the drive with zeros, fill it with random garbage and then write zeros again. Keep in mind that this will take just over three times as long (for obvious reasons).
If you want to write random garbage to the drive instead of zeros then you can use the handy pseudo device urandom instead, which, much like zero, is also a constant stream, but this time a stream of random data rather than zeros. To use this, just replace zero with urandom, like so:
dd if=/dev/urandom of=/dev/sdb bs=1M
Putting it all together is easier if we use a variable instead of the drive name, because then we only have to set the drive name in one place rather than three, so you end up with the following command:
WIPEDRIVE=/dev/sdb; dd if=/dev/zero of=$WIPEDRIVE bs=1M; dd if=/dev/urandom of=$WIPEDRIVE bs=1M; dd if=/dev/zero of=$WIPEDRIVE bs=1M
As you can see there is only one reference to sdb. Change this to the correct drive for you and then run it to perform the secure wipe outlined above. On a side note, most military documents state that a military grade wipe is the same as running the above command twice (so 6 wipes in total).