How-to: Erase Old Hard Disks
In a recent study, a research team purchased roughly 100 hard disks off eBay and found half of them to contain sensitive information, including insurance records, biographical information about children, and even blackmailable material such as evidence of an affair.
Apparently, those folks didn't know that with a Linux boot disk and a little patience, you can securely and easily erase your old hard disks.
Overview
That's a photo of my old computer graveyard. The relics are starting to take up a lot of space and they need
to go. But who knows what's on any of them — financial data, secret plans for world domination, etc.
Whatever it is, I'm sure it's no good.
So what can you do to secure your information before selling or throwing away your old computer?
Unfortunately, you need to do more than just format your hard disk. It's not even sufficient to overwrite and
fill your hard disk with non-sensitive information. In 1996 Peter Gutmann published a
paper describing techniques for making it as
difficult as possible for an attacker to recover data from magnetic media. Basically, it comes down to scrubbing
the disk a number of times with random data.
In addition to commercial software and services that do this, there are some free tools that can get the job
done.
You may want to check out Darik's Boot and Nuke, which is a boot floppy
that will automatically scan for hard disks and erase them. This is probably the easiest way to go, but it would
scare the crap out of me having this disk anywhere in my house. Label it well.
Instead, I use the shred utility that is part of the
GNU fileutils package. Here's
why I do it this way:
- It's available on most Linux boot CDs
- You can examine a disk before you erase it (regardless of the filesystem used)
- It works on any machine that will run Linux
Booting Gentoo From CD
We'll be booting from a Gentoo CD and then running a quick (err. slow.) command to wipe the drive.
Like I said, the software we are using is part of the standard GNU fileutils package, so if you want to use a
different flavor of Linux/Unix, that's fine too.
Download a gentoo live cd from here. Just grab the ISO
CD image for your platform. You can find it at /releases/x86/../livecd/install-x86-minimal.iso
for PC users and /releases/ppc/.../livecd/install-ppc-minimal.iso for Mac users.
Then use your favorite cd burning app to write the image to a new CD-R.
Boot the CD and wait for the boot prompt to appear. At the boot prompt type the following and hit enter:
gentoo noX
Gentoo Linux will proceed to boot into command line mode.
A Note About Really Old Computers
Several of my old machines can't even boot from CD. The easiest thing to do in this case is just to unplug a
newer computer's hard disk and connect the old drive to your new machine. I have a little mini-itx machine that I
use all the time for stuff like this.
Just make darn sure you have disconnected all of the drives from your new machine.
Running Shred
In Linux, your first IDE hard drive is called /dev/hda, the second /dev/hdb, and so
on. Assuming you only have one drive in your machine, you'll want to wipe out /dev/hda. If
you have other disks, you'll need to run the same command for each of the devices.
If you are a *nix person, this would be a good time to mount your disk and examine it before you blow it away for
good.
When you are ready to destroy your data, just type:
shred -vz -n 3 /dev/hda
This will write 3 passes of random data to your hard disk, followed by a 4th pass of zeros. It takes some time,
so if you don't mind random (suspiciously random) data on the drive, you can skip the zeroing pass by omitting the z
flag.
Why only three passes? It comes down to a matter of time versus diminishing returns. There are actually
some non-random patterns that can be written to certain types of hard disks that 'saturate' the media more effectively
and can be used in-between random passes to further destroy any memory that your disk had of your scandalous
data.
Here's what Peter Gutmann has to say on the subject:
In the time since this paper was published, some people have treated the 35-pass overwrite technique described in it more as a kind of voodoo incantation to banish evil spirits than the result of a technical analysis of drive encoding techniques.
If you're using a drive which uses encoding technology X, you only need to perform the passes specific to X, and you never need to perform all 35 passes. For any modern PRML/EPRML drive, a few passes of random scrubbing is the best you can do.
As the paper says, "A good scrubbing with random data will do about as well as can be expected". This was true in 1996, and is still true now.
Still want the extra voodoo? Run this instead:
shred -vz /dev/hda
Be prepared to let this one sit for a while. For a large drive this will take all day.
Bad Drives
Sometimes you've got an old drive that just doesn't work any more. The one pictured above makes noises like
there are some marbles loose inside. It's just a no-good, dirty hard drive, and it's got bad written all over
it.
That doesn't mean, however, that there isn't still a wealth of data on those platters. Your level of paranoia
will determine the best course of action, ranging from 'who cares?' to 'get the blowtorch'.
I like to remove the platters and make coasters.
The Ultra Paranoid
Dear Jason,
Over the last 5 years, I've slept with a different married woman every night, cheated on my taxes to the tune of
$10billion, sold nukes to Iran, North Korea and Jerry Falwell, conspired with international terrorists to undermine
freedom, liberty and the expansion of Mc Donalds, and documented all of this in a personal manifesto on my PC.
My hard disk was full so I've upgraded to a new PC. I used shred (with extra voodoo) to clean the hard drive in
my old machine, but I'm still afraid to sell it on eBay. Do you have any recommendations?
Sincerely,
Cletus
We like to think of digital devices as holding a bunch of 0s and 1s. In reality, data is ultimately stored in
some analog form. Two bits of data on a drive may both be recognized as a 1, but one of them may not carry as
strong a magnetic force... a giveaway that it may have been a zero that was recently overwritten with a 1. Those
bits retain a history, Cletus.
So if you really want to be sure that your data will never be read, you will have to destroy your hard disk. The
best thing to do is to melt it down. Other alternatives might be to destroy the surface with a belt sander, cut
it into pieces and bury them in geographically seperate locations.
This sort of ruins your opportunity to resell the drive on eBay, though, unless you cast it into a collectable
figurine.
Reader Comments (Page 1 of 1)
Dean Shan @ Dec 19th 2005 2:45AM
Even though the it is no longer being supported I prefer Autoclave. Anything that can boot a floppy can handle this bad boy.
http://staff.washington.edu/jdlarios/autoclave-discontinued/
Kurt Ramsauer @ Dec 19th 2005 2:45AM
When I through out my last drive, I just pried it open and started breaking stuff. I was more curious as to the insides than desiring data destruction, but hey, two birds, right?
TAZ427 @ Dec 19th 2005 2:45AM
I find that my drill press and 1/2 drill bit does a much faster job of making the HDDs unreadable.
I've never tossed a HDD out prior to it becomming effectively un-sellable. By then it's in one of my older Linux boxes (486 DX2-66 is my Oldest PC alive right now and it has 1GB, 540MB and 270MB HDDs in it) Yes, I know it's kinda creepy. It's funny that my camera has more memory then this thing.
The rest of my HDDs have met my drill press.
TAZ
Whiplash @ Dec 19th 2005 2:45AM
I find that a sledgehammer works pretty well. And it's fun too!
Mike Holzapfel @ Dec 19th 2005 2:45AM
Exactly Taz,
Take one pen-ball hammer and go out in the backyard. Take out frustrations since she won't give you a date or your parents want you to move out.
Chances are that if you are upgrading your PC, then your old one isn't worth squat. Don't take the chance of having someone find personal info on the old hard drive.
Frank @ Dec 19th 2005 2:45AM
How are people getting data off these things after a format? I work for a company that regularly uses DriveSavers (http://www.drivesavers.com/) to recover data from failed hard drives. These people are supposed to be the best in the biz, yet they continually fail to recover data on drives that were working just days before they received them. On more than one occasion, I've had a user call the help desk because they're getting disk controller failure error, when their machine booted fine the day before or just hours ago in some cases. I've sent it to DriveSavers and their stock answer is that it "suffered a physical crash" and that no data whatsoever was recoverable. These people are supposedly getting all kinds of crazy in a clean room, popping out platters and what not.
So you're telling me that some hacker out there can recover data from a drive that has been not only formatted but rewritten over?
And I can't even recover a stupid accidental file deletion on a NTFS drive...
Virtual1 @ Dec 19th 2005 2:45AM
What drivesavers is saying by "physical crash" is that something has happened inside the drive that has allowed something (usually the read heads or arm assembly) to come into contact with the platter when it's spinning. You can usually tell this has happened because the drive will make a grinding or metal-on-metal sound as it tries to spin up, and will get warm very fast. In this case, the magnetic media has been ground off of the surface of the platter, usually in one or more rings around the platters. The data under these rings is totally unrecoverable, as the media has been ground off. Other areas on the drive may be recoverable, but usually the damage occurs where the heads are positioned by default, track 0. Many tracks are damaged when the heads "crash", and the most important information (MDB, partition table, root directory) are all located near track 0 and are probably gone for good. Drive Savers has platter readers, and these can be used to pull raw data off the good areas of the platters, but it's extremely time consuming, difficult, and the data requires extensive post-processing by a data recovery specialist to pull off. If you REALLY wanted your data off there badly, you could probably pay them enough to recover file fragments and blocks of unrecognizable data off the drive. You would be extremely lucky to get any filenames associated with the data recovered.
It all comes down to "how much are you willing to pay"? The author of this article makes it sound like any random joe off eBay can rebuild your hard drive and slap it in a computer and boot up after 5 minutes of work. That's quite a stretch. Simply quickformatting is probably not a good idea, since there are commercially available tools that can reverse that sort of damage. Zero'ing a hard drive, however, is enough to deter anyone that wants to keep the recovery costs under five digits. Anyone that's investing that kind of money on random drives purchased on eBay is not likely to find enough dirt to turn a proffit. Fishing drives out of machines in a bank's dumpster might have a better return on investment, but the last banker I talked with about this said they have a "hammer policy" - hard drives are zero'd, and then opened and the platters beaten repeatedly with a hammer before disposal. Ouch. The NSA would have problems salvaging anything from THAT kind of damage.
brian @ Dec 19th 2005 2:45AM
i disassemble the drive, and then remove the platters and bash them to hell with rocks. kinda caveman-like, and i'm pretty sure that the platter is useless at that point. takes about 30 minutes, less time than shred...
Alexander @ Dec 19th 2005 2:45AM
I prefer a 22LR and my grandmas backyard. Not only do I get to improve my shooting skill, but I'm destroying 'valuable' data at the same time. Nice. plus, its always a fun thing to watch the metal bits fly off in all kinds of crazy directions. And when I have a old SCSI drive that bits the dust... well, that requires some more firepower--mainly, the 1911 .45 or if I'm not in the mood to have the police arrive on the premises, the 9mm.
Josh @ Dec 19th 2005 2:45AM
Dean:
I wrote Autoclave, and while I appreciate the praise, I myself use DBAN instead of Autoclave now. DBAN boots on a lot of hardware Autoclave wouldn't boot on (Autoclave had particular problems with laptops), has a better user interface, and allows you to wipe SCSI and SATA drives. All things considered, DBAN is flat-out better. Autoclave may be a tiny bit faster than DBAN in some cases, but that's because it's not doing as much work.
MaX @ Dec 19th 2005 2:45AM
This is what works best for me:
http://www.lowes.com/lkn?action=productDetail&productId=147579-302-1198400
Mike Piontek @ Dec 19th 2005 2:45AM
On a Mac there's a much easier way to do this:
- Boot from a recent OS X installer disc (hold down C while booting to boot from a disc)
- Choose Disk Utility from the Installer menu
- Select the disk and click the Erase tab
- Click the Options button
- Check the 8 Way Random Write Format option
- Click OK and then Erase
TAZ427 @ Dec 19th 2005 2:45AM
Wow, this comming from a Canuck Blogger with his own website and of course tagging his site at the end. What a true blogger, eh?
TAZ
jct @ Dec 19th 2005 2:45AM
Something else old hard drives are good for: magnets! The little arc-shaped magnets you find inside of hard drives are very powerful for their size, and just plain fun to play with. You'll usually find them in the corner of the case, underneath the "fat" end of the read/write arm. Getting them out sometimes requires drilling out rivets, or the careful application of force, but be careful because the magnets are brittle and will shatter if you pry on them too hard.
Disk drive platters are pretty. I have a little display on my shelf, illuminated from above by a little 10W Ikea lamp. My favorite is a stack of nine or ten silver platters that came out of an ancient full-height 100MB drive.
Stan @ Dec 19th 2005 2:45AM
Any advise for Mac users? I have an old OS 8 machine that I'd like to wipe before I toss it. Thanks.
ikkedus @ Dec 19th 2005 2:45AM
> How are people getting data off these things after a format?
I'm no profi, but of what I've heart it was about a ghosted magnetic image. For example magnetizing from 0 to 1, makes it 90% magnetized instead of 100%, while rewriting a 1, makes it go near 100%. So, that leaves two equal 1's, but one of them is slightly more saturated
TAZ427 @ Dec 19th 2005 2:45AM
Most formatting utilities do not overwrite the majority of information that is on the drive. It instead overwrites the FAT (File Allocation Tables) tables which describe what all the files are on the disk. It also does partitioning and some other stuff. But the data that was there before formatting the drive is still there (well at least most of it is.)
Files are typically fragmented (having peices of files all over the disk) but sufficiently large peices can be found and read (especially of text files) in which you can find personal information. People who degfrag their HDDs regularly will have less file fragmentation and you'll find more whole files. It's a matter of analyzing the 1's and 0's that are left to figure out information about the files.
As mentioned even if the data has been overwritten, one can use techniques to give a best estimate of what has been changed lately and what has not to reconstruct a drive which has been completely overwritten. The best way to erase a drive is to first reformat it as a single partitioned drive and triple write all 1's. After a tripple write of all 1's you should not be able to tell a difference in the saturation level beyond natural variances in the magnetic fields to determine what the bit was before.
TAZ
SamS @ Dec 19th 2005 2:45AM
The IT department here is popular for our "shiny coasters." They even use them in the boardroom!
mrben @ Dec 19th 2005 2:45AM
Rather than having a DBAN floppy lying around the house, I use the System Rescue CD (http://www.sysresccd.org/) which include DBAN, but doesn't fly into action until you tell it to ;)
Oscar @ Dec 19th 2005 2:45AM
If you ever want to recover data on a HD that has failed in a machine that has been connected to the internet all you really have to do is talk to the purveyor of last porn site you visited or the guys that you have been swapping bootleg music and videos with.
Matthew @ Dec 19th 2005 2:45AM
I love salvaging the magnets from dead drives too! They work great on the fridge, because they are so strong and your stuff wont keep falling off.
Belvadere @ Dec 19th 2005 2:45AM
Drill a hole through it and you're finished.
esarge @ Dec 19th 2005 2:45AM
i am a principal systems admin at a large company.
although some of the means suggested are in fact enjoyable, we use an appliance designed to annihilate any recoverable residue of information using powerful directed magnetic field.
tom @ Dec 19th 2005 2:45AM
For a more hands-off erasure that doesn't eat any CPU cycles and is more reliable than a megnetic field, a nice, long salt-water bath will do the trick. Completely and utterly useless afterwards.
Viking @ Dec 19th 2005 2:45AM
Destroying the drive physically is rather wasteful if the drive itself works, i'd rather low level format my drives with the harddrive manufacturers tools, then i fill it with fragmented files and do an ordinary format on it before selling it. Another thing is to window-modify it (cut out a large hole in the lid and put a plastic window glued on) an use it as show, but do it in a rather dust free space if you want it to survive the procedure. But if you REALLY want to kill it the most painfull way possible you should remove the lid, start it up (connecting an old AT powersupply) and have some fun with it, like hitting it on the spindle motor with a hammer, after the first hit you'll hear the awful sound of ruined ball bearings, if it spins down, try to restart it, if it's dead, then just mangle it with every powerful tool you can reach.
Richard @ Dec 19th 2005 2:45AM
many of you seem to be missing the point. The guy who wrote this article wants to be able to resell his disks on ebay without people getting at his sensitive data
In reality, as someone said above, a simple zero-write is probably enough to stop 99% of people - any more than that, and the recovery costs will run into four, or probably five digits.
Still, a little extra paranoia never hurt anyone. Normally, I shred my disks five times, followed by two zero-writes, before I let anyone else near them. However, if it is a disk that has had confidential client data on it, the platters goes in the salt-water swimming pool for a week, then the drill, then the bin.
Francisco V. @ Dec 19th 2005 2:45AM
I'm a hobbyist and always have been attracted to magnetism (a pleonasm :) so, whenever I get a screwed hard disk I dissasamble it and take the powerful NdFeB Magnets that come inside them. Almost all of the hard disks come with one pair of Neodymium Ferrum Boron magnets inside, but the strongest come inside the 120MB to 500MB HDs.The HDs above 1GB only come with one magnet, very powerful and sometimes bigger than the ones inside HDs of lesser capacity, but it still being just one against a pair.
Just be extra careful with those magnets, they are so strong that can harm you if you put them close to eachother. If you don't handle them with respect they'll pinch your skin so strong like if you were pinched with pliers, believe me, they're not a toy. If you put one of these magnets on a frige's door you'll harm the paint of it, so don't do it :)
They're also too fragile, if you let them fall or get attracted to eachother they will brittle.
The platters are made of a material whose surface is mirror like, I think it's aluminium, but of high quality, you should see one, they are just like a mirror.
So don't worry if someone can get to your precious data, just dissasamble you old HD and keep the parts, we never know when they'll come in handy.
Here is a link that I find interesting about these NdFeB magnets, and what to do with them (besides getting hurt or erasing your oldies-but-goodies 90minutes tapes)
http://groups.mrl.uiuc.edu/chiang/Chiang/Magnetic%20Levitation.htm
Ryan Schmidt @ Dec 19th 2005 2:45AM
In answer to Stan's post from 2005-03-16: Most Macs made from 1994 onwards using System 7.5 thru Mac OS 9 use the Drive Setup program to initialize their disks. Macs made before 1994 running systems up to 7.5 use the Apple HD SC Setup program. And as already mentioned, in OS X the program is called Disk Utility. Each program has an option to "zero all data" which erases all data so that it's much more difficult to recover it. If you're trying to erase the disk your computer normally starts up from, you'll need to start up from a different disk, such as the operating system CD or disk tools floppy. To start up from CD, insert the CD, restart the computer, and hold down "C" on the keyboard. To start up from floppy, restart the computer, and after the startup chime, insert the floppy.
Rohail @ Dec 19th 2005 2:45AM
hi there, it's really nice service on net .. well i have a serious problem of my data & need your help ... i have HD 20 GB western digital ..
his media has been crushed ... & i have some very important data in it ... can i recover it? please email me on rohailtherock@hotmail.com i shall wait for your responce ... Thanks
Rohail @ Dec 19th 2005 2:45AM
hi there, it's really nice service on net .. well i have a serious problem of my data & need your help ... i have HD 20 GB western digital ..
his media has been crushed ... & i have some very important data in it ... can i recover it? please email me on rohailtherock@hotmail.com i shall wait for your responce ... Thanks
PrinceM @ Dec 19th 2005 2:45AM
In regards to the complaint above about recovering data that's been formatted. There's always the possibility depending on how it has been formatted or deleted. Low-level formats do not allow for a recovery because they write zeros all over the data area. There can be some possibilities of recovering data even in the event of a head crash depending on the extent of the crash. From my understanding companies like ontrack, dataleach http://www.dataleach.com and dataRAID http://www.dataraid.com can probably do a bit more than drivesavers.
Scott Schuetz @ Dec 19th 2005 2:45AM
Secure deleation is something that if it is desired should only be done by a professional
RonH @ Dec 19th 2005 2:45AM
I find it interesting that most people think that this hard drive recovery is a simple process. I am a network administrator of a large hospital and have had many experiences with data loss, even though we have backup proceedures in place. We have been using Advanced Computing Solutions http://www.acsdatarecovery.com when we need data recovery and have had excellent results with them. They have even recovered a hard drive that we accidentally ghosted over. Check them out they do great work!
RonH @ Dec 19th 2005 2:45AM
I find it interesting that most people think that this hard drive recovery is a simple process. I am a network administrator of a large hospital and have had many experiences with data loss, even though we have backup proceedures in place. We have been using Advanced Computing Solutions http://www.acsdatarecovery.com when we need data recovery and have had excellent results with them. They have even recovered a hard drive that we accidentally ghosted over. Check them out they do great work!
Jeff @ Dec 19th 2005 2:45AM
Jason, are you stealing other people's articles? ;)
http://bizpartner.com.my/article/21
And they even go on to list a copyright notice at the bottom. lol
Cordial @ Dec 19th 2005 2:45AM
Staying out of trouble
Follow these steps to minimize the effects of a disk failure and protect your system:
Always back up all your files, including fonts, desk accessories, config.sys, autoexec.bat, and other customizable files.
Don't ignore warning signs. If you have unexplained system or application crashes on a Macintosh, check first for a virus, and then have your system checked out at an authorized dealer. Likewise on the PC side, if your system seems slower or you get frequent "abort, retry, fail" messages, first check for a virus and then have your system checked out.
-------------------------------------
Joseph Ntfsal
File Recovery Software
Recupero di Dati
Datenrettungs Software
Frank @ Dec 19th 2005 2:45AM
Take the drive apart remove the magnets above and bellow the head arm and spin it up while holding 1 of these magnets above the platter have destroyed many disks this way and have never been able to recover them even the bios won't detect them after this so I asume they are very dead well I've never had anyone come back to me and say they've found my data :-D.
A word of warning: don't get these magnets near a drive you wish to use or floppy disks tapes videos ect.... uless you want them destroyed of course :-)
Victor @ Dec 19th 2005 2:45AM
Magic Recovery Professional 3.2 is a data recovery software, and you will can recover all deleted or format files, have a Demo and you will can comprobe inf the files that you want to recover appear with this software.
http://www.software-recovery.com
you can download or buy the software there! ;)
Data Recovery Software & Services @ Dec 19th 2005 2:45AM
Laptops are great because you can take your entire office or all of your personal data with you wherever you go but you then need to recognize that all of that data could be lost or damaged if you dont treat your laptop with care, said Sunil Chandna, director of Data Recovery Software and Services for Stellar Information System Ltd. As a matter of fact, 66 percent of Stellar(http://www.stellarinfo.com) laptop recoveries are due to some form of physical damage, often a result of mistreatment.
chuck strutt @ Jan 9th 2006 12:08PM
Still, none of this solves the biggest danger to users. A hard drive fails under warrenty and needs to be sent back to the mfgr to get a free new one. You can't erase it (because it doesn't work) and they will refurbish it and send it out to someone else who may have the skills to check out your files. Magnets are said not to work - unless you have a professional $2,000 unit. Solutions?