Wednesday, December 12, 2012

Utility to verify wipe/erase of hard drive

I was recently looking for a utility that I could use to efficiently verify the wiping of various types of hard drives. While there are many tools out there to perform a wipe or erasure of a hard disk, I really could not find many utilities that let me validate the erasure with some known technique.

For example, EnCase has a wipe disk function under the tools menu. Part of that process is to verify the wiping of the disk, but it's kind of a "black box" in that you really don't know what it's doing to verify it. It either says verified or not. Many other tools do this same thing. They run some type of verification process, but the technical aspects of what exactly it's doing are somewhat of a mystery. I understand that there has to be a certain amount of trust that we put into the tools we use, but we also need to validate our tools periodically. If I plug in a drive and push a button and 30 minutes later the LCD says "wipe complete", I need to know that it's doing what it says. You should be cross-validating all of your forensic tools on a periodic basis (once a year, major releases, etc.).

With the different types of drives commonly available today (magnetic spinning vs SSD), I wanted a quick, easy, understandable tool that I could use to verify the erasure of data from a drive. I wanted to use a tool where the technique used to verify it was understandable and verifiable so if I was using it to validate another tool, I was not relying on one "black box" to validate another "black box".

I finally settled on using a utility that calculates a sum of all the bytes on the drive. Commonly referred to as a modulo sum or BSD checksum, it simply takes each byte on the disk and adds them together. At the end of the process, if your sum equals zero, then you can be assured all the input values were zero.

When searching for Windows GUI applications that performed this checksum, I was disappointed to find only a few that performed this sum operation. Most did hashing and used algorithms that cannot be used for different sized disks.

I ultimately chose the BSD "sum" program (run in a Linux distro). One of the main reasons was that the source code for that program is available under the GPL and you can easily read and understand what it's doing:

FILE *fp;             /* The file handle for input data. */
int ch;               /* Each character read. */
int checksum = 0;     /* The checksum mod 2^16. */

while ((ch = getc (fp)) != EOF)
  {
    checksum = (checksum >> 1) + ((checksum & 1) << 15);   /* Rotate right by one bit. */
    checksum += ch;                                        /* Add the byte just read. */
    checksum &= 0xffff;       /* Keep it within bounds. */
  }

Furthermore, since the source code is available, I was able to modify the code to print out the location on the disk where it read any value that was not zero. That way, when the sum process was done, I could manually go to that portion of the disk and look at exactly where the non-zero data was.
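The following is an added example (my own code for this page, not the blog's modified sum nor coreutils' sum.c) that puts the two ideas above side by side: the BSD rotate-and-add checksum from the excerpt, and the "print the location of any non-zero byte" modification the post describes. The function names (bsd_sum, verify_fill, check_stream, zero_sum_counterexample) are assumptions of this example. It also carries a constructed input that shows the limit of the checksum alone: a zero BSD sum is a 16-bit modular result, so a drive can contain non-zero bytes and still sum to zero; the offset scan is what actually proves the drive is clean, and taking the fill byte as a parameter lets the same scan verify a drive wiped with 0xFF or any other single byte.

```c
/* Added example, not the blog's own code nor coreutils' sum.c: the BSD
 * rotate-and-add checksum from the post, run over an in-memory buffer,
 * plus the author's described modification of reporting where the first
 * non-zero byte sits. verify_fill() (a name assumed here) generalises that
 * check to any fill byte, which a zero-sum test cannot do. All sample
 * inputs are constructed. Build: cc -std=c99 -o sumcheck sumcheck.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* BSD sum: rotate the 16-bit accumulator right by one bit, add the byte,
 * mask to 16 bits. Same recurrence as the sum.c excerpt in the post. */
unsigned bsd_sum(const unsigned char *buf, size_t len)
{
    unsigned checksum = 0;
    for (size_t i = 0; i < len; i++) {
        checksum = (checksum >> 1) + ((checksum & 1) << 15);
        checksum += buf[i];
        checksum &= 0xffff;             /* keep it within bounds */
    }
    return checksum;
}

/* Offset of the first byte that differs from `fill`, or -1 if all match.
 * fill = 0x00 is the "print the location of any non-zero value" change the
 * author made; fill = 0xFF covers a drive wiped with ones instead. */
long verify_fill(const unsigned char *buf, size_t len, unsigned char fill)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] != fill)
            return (long)i;
    return -1;
}

/* Constructed counterexample: sixteen 0x80 bytes drive the accumulator to
 * 0xFFFF and a trailing 0x01 wraps it to 0x0000, so 17 non-zero bytes sum
 * to zero. A zero BSD sum is therefore necessary, not sufficient, evidence
 * of an all-zero drive; the offset scan above is what actually proves it. */
size_t zero_sum_counterexample(unsigned char *out, size_t cap)
{
    if (cap < 17)
        return 0;
    memset(out, 0x80, 16);
    out[16] = 0x01;
    return 17;
}

/* One streaming pass over a device or image: BSD sum plus the offset of the
 * first byte that is not `fill` (-1 if none). Returns 0, or -1 on I/O error. */
int check_stream(FILE *fp, unsigned char fill, unsigned *sum_out,
                 long long *first_bad)
{
    static unsigned char chunk[1 << 16];
    unsigned checksum = 0;
    long long offset = 0;
    size_t n;

    *first_bad = -1;
    while ((n = fread(chunk, 1, sizeof chunk, fp)) > 0) {
        for (size_t i = 0; i < n; i++) {
            checksum = (checksum >> 1) + ((checksum & 1) << 15);
            checksum = (checksum + chunk[i]) & 0xffff;
            if (*first_bad < 0 && chunk[i] != fill)
                *first_bad = offset + (long long)i;
        }
        offset += (long long)n;
    }
    *sum_out = checksum;
    return ferror(fp) ? -1 : 0;
}

int main(int argc, char **argv)
{
    unsigned char buf[32];
    size_t n = zero_sum_counterexample(buf, sizeof buf);

    printf("counterexample: %zu non-zero bytes, BSD sum = 0x%04x, first non-zero at %ld\n",
           n, bsd_sum(buf, n), verify_fill(buf, n, 0x00));

    if (argc > 1) {                     /* e.g. ./sumcheck /dev/sdX or image.dd */
        FILE *fp = fopen(argv[1], "rb");
        unsigned sum;
        long long bad;
        if (!fp || check_stream(fp, 0x00, &sum, &bad) != 0) {
            perror(argv[1]);
            return 1;
        }
        fclose(fp);
        printf("%s: BSD sum = 0x%04x, first non-zero byte at offset %lld\n",
               argv[1], sum, bad);
        return bad < 0 ? 0 : 2;
    }
    return 0;
}
```

Run without arguments to see the constructed counterexample report a BSD sum of 0x0000 with its first non-zero byte at offset 0; run with a device or image path to get the sum and the first offending offset in a single pass. Exit status 2 means a non-zero byte was found, which is the same yes/no a "black box" verifier gives, except that the offset tells you where to look.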

I would love to hear what other people are using to validate the wiping process and why?

(sorry, you have to have/create a blogger account to comment, anonymous spamming was getting out of control. You can email me your comments directly at lance (@) if you wish and I will add your comment.)


proneer Wednesday, 12 December, 2012  

There are plenty of different ways to wipe a drive: 00h, 01h, 02h, ..., FFh, random, or a certain byte (i.e., the wiping tool's name). So, if you'd like to verify the results of a wipe, finding notable context data (ASCII, signatures, patterns, and so on) would be better...

Lance Mueller Thursday, 13 December, 2012  

Comment sent to me via email:

I also prefer the use of a live Ubuntu-based distro for wiping and verification.
For wiping I use the terminal and the following command:
$ sudo shred -v -n 0 -z /dev/sdx
Where v is verbose, n is to wipe 0 times with random numbers (default is 3) and z is to add a final wipe with zeros.

To verify I use the terminal and
$ sudo xxd -a /dev/sdx
Where a is for autoskip. If the disk has nothing but zeros you will get a null "*" value. If the disk has anything but zeros, the data will be displayed.

Lance Mueller Thursday, 13 December, 2012  

Comment sent to me via email:

1. For me, I do the verification using WinHex via a rather crude method, which is to perform a search for !\x00. The issue with this is it will stop at the first occurrence of non-zero, but if my objective is to ensure that the HD is totally wiped, just the first occurrence is sufficient for me to stop and re-wipe the HD.
2. The current checksum code would be useful to check for HDs that were wiped with zeros (\x00). I have seen people who wiped with other data, e.g. \xFF and some even weirder combinations. The checksum code will fail for such cases.

One of the reasons why I used WinHex and did a search instead is the flexibility that it provides. If the wiping was done using \xFF, I can just search for !\xFF. Hope my comment is useful and have a great day!

DW Monday, 17 December, 2012  

I shred with shred under Linux like above.
But to verify I use the compare command, which seems to be the quickest way.

cmp /dev/sda /dev/zero

will return an end of file (EOF) if successful, otherwise fail as soon as it detects any non-zero data.

Rich Friday, 12 April, 2013  

A lot of the times when people try to erase their hard drive, they don't actually clear everything and have no idea that they didn't.

Mike Monday, 29 July, 2013  

This is the best tool I've seen:

More of an industrial platform for doing verification on a larger scale, but it works well and offers reporting.

Computer Forensics, Malware Analysis & Digital Investigations
