±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 3 Overall: 36445
New Yesterday: 2 Visitors: 133

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Which tools would you suggest to erase drive from "middle" ?

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page 1, 2  Next 
  

Zul22
Senior Member
 

Which tools would you suggest to erase drive from "middle" ?

Post Posted: Sep 02, 15 22:46

Hi,

Having second hard drives, I'm looking for a possibly simple but handy tool allowing erasing with an initial offset.

I don't need an ultra-secure shredding tool ; the purpose for instance that if someone purchases a second hand computer, and a data recovery becomes necessary after some years, the data from the new owner not being polluted by those of the old owner.

Another example is that when cloning a damaged drive, the defective sectors are not copied. Hence, it is important that the target media is clean, so that the data recovery results are not polluted by other data.

There is of course this method:
Code:
dd if=/dev/zero of=/dev/sdN bs=sector_size count=sector_number seek=partitions_start_sector

But it's sometime a bit boring, because you need some computation with the size of sectors, also because you sometimes want to erase several drives at the same time without having to open several consoles, or simply because you booted your computer on Windows and not Linux.

So, currently, my favorite way to quickly zero fill a drive is Linux shred command:
Code:
shred -n0 -z -v /dev/sdN

The isssue is that sometimes you only want to erase the second middle of a drive.
For instance, you are planning to clone a smaller drive at the beginning of the drive and before this, you want to zero-fill its second half only.

Another typical case is when 90% of the drive was erased and you want to shut the computer down and leave the office. The next morning, you would like to finish with the last 10%.

Like many erasing tools, the shred command doesn't accept an initial offset.
Of course, it's possible to create a partition with an offset with tools like GParted, but it's boring.

I'm looking for some software, possibly with a handy interface like the one of the "Error scan" tab in HD Tune Pro. Stranglely the author of this software left the possiblity to specify "Start" and "End", in gB, mB or sector, but it did not came to his mind to do the same for the "Erase" tab.

It would be nice if the tool is tough enough to not freeze when one of the drives goes wrong.

If the software has some checkbox to automatically shutdown the computer when the erasing finished it would be very nice too.

So, which tool would you recommand ?
Preferably running Windows, suggestions for Linux or Mac are welcome too.
(Please mention the operating system required.)

Thanks a lot.  
 
  

Dmitri
Member
 

Re: Which tools would you suggest to erase hard drive from

Post Posted: Sep 03, 15 17:30

- Zul22
I'm looking for a possibly simple but handy tool allowing erasing with an initial offset...
I'm looking for some software, possibly with a handy interface...
Preferably running Windows.

"Erase" surface test in HDDScan, which wipes the data securely:

hddscan.com/

It allows to specify both the beginning and the end. Besides that, without spending any extra time you'll get a detailed, LBA-level health report, which could be handy for used hard drives.

HDDScan also supports command line arguments, so can be launched the same way as dd / shred.  
 
  

jaclaz
Senior Member
 

Re: Which tools would you suggest to erase hard drive from

Post Posted: Sep 03, 15 19:57

- Dmitri

"Erase" surface test in HDDScan, which wipes the data securely:

Does it actually writes 00's?
It seems like it writes "special pattern":
In Erase mode the program prepares block of data field with special pattern and number of logical sector. The program sends the block of data to drive and drive writes the block (All data in the block on drive will be overwritten and gone forever!) The program measures operation time for each block. The program tests blocks one by one from minimum to maximum.


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

Dmitri
Member
 

Re: Which tools would you suggest to erase hard drive from

Post Posted: Sep 04, 15 15:11

- jaclaz
It seems like it writes "special pattern"

Yes, that's correct, thanks for the note.

HDDScan indeed writes a pattern, which is as secure as zeros, since it overwrites everything.
Also it's quite distinguishable, should that be necessary for hex analysis of some kind:
 
 
  

jaclaz
Senior Member
 

Re: Which tools would you suggest to erase hard drive from

Post Posted: Sep 04, 15 19:43

- Dmitri
- jaclaz
It seems like it writes "special pattern"

Yes, that's correct, thanks for the note.

HDDScan indeed writes a pattern, which is as secure as zeros, since it overwrites everything.
Also it's quite distinguishable, should that be necessary for hex analysis of some kind:

Yep, still it is not the "expected" result.

Of course it will do in most cases Smile , but I can well see a number of situations in which all 00's would be preferable, *like*:
www.forensicfocus.com/...c/t=10971/

Also (from the mere description of the feature) the "testing" and "timing" feature of HDDScan will likely slow the actual wiping/00's writing. Confused

Unlike a "normal" dd, what is expected by the OP as final goal is to write all zero's to a disk and have a handy way to do this in parts.

Personally I wouldn't actually bother with the "switching off the computer at night", and more generally a "safe erase" through ATA commands (which will be anyway faster than anything else) needs not really-really any computer connected, so one could hook up the power to an "external brick" and once initiated the safe erase only the power to the disk drive is needed.

Another approach IMHO could be that of reusing some old hardware (and leave it on overnight).

But the idea in itself seems nice to me, and while I don't know any existing program that does exactly what the OP asked about, my guess is that it should be not too difficult to be put together.

The additional point I am raising (because the OP does not mention it) is the efficiency/speed of this hypothetical (at the moment) tool. I mean if an ATA Safe Erase for the whole disk takes (say) three hours, does it really make sense to have a software based solution that will take (still say) the same three hours to write 00's to just 1/3 of the disk sectors?

A ratio of 1:2.5 or 1:3 between time needed with the ATA internal command vs DBAN (single pass) has been reported in the past, and I don't think that piping from the zero device to dd can be faster than the *whatever* DBAN uses.

As side-side note, there is Windows NT port of dd that includes a zero device:
home.comcast.net/~plav...ools/pldd/
And even more side-side and JFYI, at the time it was not easy to find it:
reboot.pro/topic/15207...for-ddexe/

Most probably using not a myriad of dd writes with block size set to device sector size , but rather create an "optimum sized" all 00's area in the disk cache and then write that to platters multiple times would speed up the procedure very noticeably, but really cannot say if it can be done easily and "universally".

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

Zul22
Senior Member
 

Re: Which tools would you suggest to erase drive from "middl

Post Posted: Sep 05, 15 22:50

Thank you Dmitri and jaclaz,

I visited HDDscan's website. This freeware looks nice to shred a drive easily, with start end sectors. The fact that it writes a pattern is not truly a problem for most uses.
The main concern for me is the risk of false positives in the case of data recoveries, but in general, most sectors can be cloned, so that the random patterns would only be limited to the "holes".

Concerning the command line arguments, this would be interesting, but I could not find the documentation. Maybe will it come with the software that I have not downloaded yet.

Killdisk killdisk.com (that I did not test yet) supports erasing several drives simultaneously, but I could not find any documentation about the possibility to specify start and end sectors, even in the command line arguments:
www.killdisk.com/commandline.htm

HD Tune Pro also supports command line options; which unfortunately do not allow to specify start and end offsets.
Code:
/DISK:1 /FUNCTION:erase /START /LOG:\erase.txt
Command line options are at chapter 18 of the manual:
http://jerryching.no-ip.org/Software/Utility/HD%20Tune%20Pro%20v5.50/HD%20Tune%20Pro%20v5.50/App/HDTunePro/hdtunepro.pdf

But the idea in itself seems nice to me, and while I don't know any existing program that does exactly what the OP asked about, my guess is that it should be not too difficult to be put together.

I agree, probably, on Windows, with some easy to edit batch file (.BAT).

Personally I wouldn't actually bother with the "switching off the computer at night

This is poor energy management if you must leave the office when the drive is 95% erased and the computer as wells as the docking stations will be powered on for nothing during all the night.

For Linux, I currently use the dd command, together with the "seek" parameters, which let specify the offset in blocks. The block size can be specified with bs. Larger block size should mean faster erasing.

I watch try to estimate how long time is required to finish the erasing and in another terminal, I write something like this if I want the computer to shut down automatically:
Code:
shutdown -P +75
This shuts the computer down in 75 minutes.

On some systems, the -h option is required too:
Code:
shutdown -h -P +75

If Linux is running from a live CD, I observed that above command requires that you press "Enter" after the CD was ejected. So, I prefer running Linux from a hard drive or SSD, so that the computer really shuts down.

Alternatively, the shutdown command also let you specify a shutdown hour.

There are also options to shutdown the computer after a process ends, which would be the best, but the commands were more complicated to remember.

I purchased a multimedia multi outlet where a master outlet master several slave outlets.
If I plug a desktop or a laptop without battery in the master outlet and the SATA docks in the slave outlets, the later automatically shuts down when the computer shuts down.
This spares energy.

... and more generally a "safe erase" through ATA commands (which will be anyway faster than anything else) needs not really-really any computer connected, so one could hook up the power to an "external brick" and once initiated the safe erase only the power to the disk drive is needed.

I understand this as a hardware that direclty sends ATA commands to erase the drive.
Is it? This sound interesting.
Which brands / models would you advise.

The additional point I am raising (because the OP does not mention it) is the efficiency/speed of this hypothetical (at the moment) tool. I mean if an ATA Safe Erase for the whole disk takes (say) three hours, does it really make sense to have a software based solution that will take (still say) the same three hours to write 00's to just 1/3 of the disk sectors?


Thank you for mentioning the speed issue.
What do you think about using a software like MHDD http://hddguru.com/software/2005.10.02-MHDD/,
ERASE command together with the /DISABLEBIOS option?
(see the MHDD documentation for details)
Ok, maybe not the most handy to use, but probably faster than conventional erasing softwares. I assume that special hardware combines speed and easyness of use...  
 
  

jaclaz
Senior Member
 

Re: Which tools would you suggest to erase drive from "middl

Post Posted: Sep 05, 15 23:23

- Zul22

Personally I wouldn't actually bother with the "switching off the computer at night

This is poor energy management if you must leave the office when the drive is 95% erased and the computer as wells as the docking stations will be powered on for nothing during all the night.


Of course it depends on the computer, as said one can use some oldish hardware and as soon as the Safe Erase command has been issued the computer can go to sleep (I do have a couple MiniITX boards that use around 20/30 W ), or as said, use a "brick PSU" to power only the hard disk, they typically are 5V/2A + 12V/2A but an average 3.5" harddisk is likely to use MAX 5V/0.7A 12V/0.5A i.e. around 10 W.

There is no real need for "special hardware" you hook up the disk with the data cable to your "wiping station" but you power it from the "brick", you issue (say with hdparm) the Safe Erase command and then everything that happens is "internal" to the disk:
digital-forensics.sans...quick-easy

But there are "cloning docks" with "self standing" erase (though of course these would need to be validated if the scope is "secure wipe", while they may be more than OK "as is" and possibly also faster than any software for your use), example:
www.startech.com/HDD/D...TDOCK2REU3
or actual "self standing erasers":
www.startech.com/HDD/D...SDOCK1EU3P

Now a new idea would be an app that notifies you on your smartphone when the wiping has finished Shocked so that you can remotely switch off the power through another app Wink .

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 

Page 1 of 2
Page 1, 2  Next