Wednesday, December 12, 2012

Utility to verify wipe/erase of hard drive

I was recently looking for a utility that I could use to efficiently verify the wiping of various types of hard drives. While there are many tools out there to perform a wipe or erasure of a hard disk, I really could not find many utilities that let me validate the erasure with some know technique.

For example, EnCase has a wipe disk function under the tools menu. Part of that process is to verify the wiping of the disk, but it's kind of a "black box" in that you really don't know what its doing to verify it. It either says verified or not. Many other tools do this same thing. They run some type of verification process but the technical aspects of what exactly its doing is somewhat of a mystery. I understand that there has to be  a certain amount of trust that we put into the tools we use, but we also need to validate our tools periodically.  If I plug in a drive and push a button and 30 minutes later the LCD says "wipe complete", I need to know that its doing what it says. You should be cross-validating all of your forensic tools on a periodic basis (once a year, major releases, etc.)

With the different types of drives commonly available today (magnetic spinning vs SSD), I wanted a quick, easy, understandable tool that I could use to verify the erasure of data from a drive. I wanted to use a tool where the technique used to verify it was understandable and verifiable so if I was using it to validate another tool, I was not relying on one "black box" to validate another "black box".

I finally settled on using a utility that calculated a sum of all bits on the drive. commonly referred to as a modulo sum or BSD checksum, it simply takes each byte on the disk and adds them together. at the end of the process, if your sum equals zero, then you can be assured all the input values were zero.

When searching for Windows GUI applications hat performed this checksum, I was disappointed to find only a few that performed this sum operation. Most did hashing and used algorithms that cannot be used for different sized disks.

I ultimately chose the BSD "sum" program (run in a Linux distro). One of the main reasons was the source code for that program is available via GPL and you can easily read and understand what its doing:

FILE *fp;             /* The file handle for input data* /
int ch;               /* Each character read. */
int checksum = 0;     /* The checksum mod 2^16. */

while ((ch = getc (fp)) != EOF)
    checksum = (checksum >> 1) + ((checksum & 1) << 15);
    checksum += ch;
    checksum &= 0xffff;       /* Keep it within bounds. */

Furthermore, since the source code is available, I was able to modify the code to print out the location on the disk where it read any value that was not a zero value. That way when the sum process was done, I could m, manually go to that portion of the disk and look exactly where the non-zero data was.

I would love to hear what other people are using to validate the wiping process and why?

(sorry, you have to have/create a blogger account to comment, anonymous spamming was getting out of control. You can email me your comments directly at lance (@) if you wish and I will add your comment.)

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles