Saturday, December 31, 2011

Free Wipies

New Year’s Eve is almost upon us. Figured I’d close out 2011 with one final post.

Out of a recent TinyApps.org post on drive wiping I followed a white rabbit and ended up at the post “Disk Wiping with dcfldd” on the Anti-Forensics blog.

I’m always on the lookout for tips and techniques when it comes to secure-wiping drives and the post was full of great info regarding use of the dcfldd tool.

When it comes to secure drive (whole-disk) wiping, I’ve still tended to rely on two tools in particular for their ease-of-use and convenience.

The first is Microsoft Windows DISKPART command “Clean all” which “specifies that each and every sector on the disk is zeroed, which completely deletes all data contained on the disk.”

The pro is that the command is very simple to remember and use, and when coupled with a WinPE disk, is dead-simple to effectively wipe out most all drives I encounter.

The second one I love is the CLI tool “wipe.exe” as found in the Forensic Acquisition Utilities set by George M. Garner.

The pro about this one is that it actually includes a progress indicator so you have some degree of feedback on how far you’ve wiped.

I always verify my zero-out wipes when done. For that I prefer to use the sector-viewer tool HxD to scan through the post-wiped drive to ensure it all comes up clean; Frhed (a free hex editor) is another nice alternative.
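An added example (not from the original post or any tool it names): a scripted version of the post-wipe check described above, reading a disk image or raw device front to back and reporting every sector that is not all zeros. The 512-byte sector size, the function names and the constructed sample image are assumptions.

```python
import os
import tempfile

SECTOR = 512          # assumed logical sector size in bytes
CHUNK = 1024 * 1024   # bytes per read; a multiple of SECTOR

def find_nonzero_sectors(path, limit=16):
    """Scan path front to back; return (sectors_scanned, nonzero_count, first LBAs)."""
    scanned = nonzero = 0
    first = []
    with open(path, "rb") as dev:
        while True:
            chunk = dev.read(CHUNK)
            if not chunk:
                break
            if chunk.count(0) != len(chunk):   # cheap test; most chunks are all zero
                for off in range(0, len(chunk), SECTOR):
                    if any(chunk[off:off + SECTOR]):
                        nonzero += 1
                        if len(first) < limit:
                            first.append(scanned + off // SECTOR)
            scanned += (len(chunk) + SECTOR - 1) // SECTOR
    return scanned, nonzero, first

def demo():
    """Constructed sample: a 4 MiB 'wiped' image with two leftover sectors."""
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as img:
            img.truncate(4 * 1024 * 1024)          # extended region reads back as zeros
            img.seek(2049 * SECTOR)
            img.write(b"leftover customer data")
            img.seek(8191 * SECTOR + 500)
            img.write(b"\x01")                     # single stray byte in the last sector
        return find_nonzero_sectors(path)
    finally:
        os.remove(path)

if __name__ == "__main__":
    total, bad, lbas = demo()
    print(f"{total} sectors scanned, {bad} non-zero, first at LBA {lbas}")
```

A clean wipe returns a non-zero count of 0; any listed LBA can then be opened in a hex viewer such as HxD to see what survived.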

I also keep a collection of secure file-wipe tools handy. These are useful for when I have a personal document with sensitive info that is no longer needed, or at work where I have recovered a customer’s data from a seriously crashed drive and the files were successfully restored; there is no need to keep those around on the workbench PC.

EraserDrop Portable (PortableApps.com) is an easy-to-use and easy-to-configure tool I find useful to manage large volumes of files/folders needing secure deletion. It is based on Eraser.

Eraser Portable (PortableApps.com) is the portable version of that tool. It is very flexible and powerful, though the interface and job/task “scheduling” might be off-putting to less advanced users. Besides handling wiping of files/folders, it can also wipe free space on a drive.

WipeFile over at Gaijin is a simple and basic file-wipe tool with lots of options. Just launch, set your wipe-preferences, and drag-n-drop your files for wiping.  See the related Gaijin tool WipeDisk as well.

File Shredder is a “new-to-me” secure-wipe tool. It is quite small and consists of two files; the main exe and a dll helper.  The interface is nice and it also includes wiping of free-space.

ultrashredder is even smaller. Basically just drag-n-drop. While you can set the number of over-writes, you can’t set the pattern.

DPWipe 1.1 by Dirk Paehl is similar to Ultrashredder in the GUI layout, however it does allow selection of the wipe method.

Blowfish Advanced CS. This is an oldie-but-a-goodie which was the very first secure wipe (file and freespace) tool I started using back in my Win98 days. It probably has been passed on by other tools here but I still keep it around for fond-memories.

SDelete is Microsoft Sysinternals’ CLI tool to wipe files as well as zero out free space. I like it particularly well for that second task.

Disk Redactor also handles wiping of all free space on a drive very nicely with a helpful GUI interface.

These are all specialized secure-wipe tools and are pretty easy and convenient to use; a few even have options to integrate into the Windows context-menu shell. However, if you frequently use an alternative Windows file manager (like I prefer to do), more than one of them includes a handy-dandy “secure-file-wipe” option baked right in!

FreeCommander remains my #1 all-time favorite “multi-pass” tool for Windows file management. It includes a secure wipe action that performs a multi-step wipe of the selected item(s). You can set how many passes you want that routine to run.

Explorer++ also includes a “destroy” option (1 or 3-pass choice) to secure delete selected files/folders.

A43 likewise includes a basic secure-destroy option.

NexusFile has a “shred and delete” feature.

My Commander reminds me in many ways of FreeCommander, and it does have a secure delete action.

Happy New Year!

Claus V.

6 comments:

Miles Wolbe said...

Happy New Year, Claus! Many thanks for the shout-out.

ATA Secure Erase is also worth checking out:

1. Hidden data areas like the Host Protected Area (HPA) and Device Configuration Overlay (DCO) can be overwritten.
2. Bad blocks are overwritten.
3. ATA SE is faster than block erase wiping tools.

For further details, see Securely erase hard drives.

cdman83 said...

Happy new year!

Had to use a wiper to zero out the unused space on HDD recently (so that the VHD created from it could be smaller) and here is my experience:

- SDelete has a weird syntax and refused to work on the non-primary partition (it could only wipe the free space in C not on D)
- Eraser has a weird interface (you have to create jobs and run them) and was slower than SDelete but at least it worked :-)

Looking forward to many useful blogposts this year!

MarkG said...

Don't forget Windows' other built-in wiping command:

cipher /W:C:

Wipes unallocated space on your file system. You can do the whole drive, or only a directory.

Claus said...

@cdman83. Thank you for the greetings cdman83!

Like you mention, I've also had to zero-out freespace on a VHD to compact it. My VHD constructs have been pretty simple (single primary partition) so I've not run into the SDelete issue you mentioned, and it is indeed my choice for VHD free-space zero outs.

I find the syntax (and descriptions) less than clear and there are sizable discussions in forums on the difference between "cleaning" free space versus "zeroing" free space.

Sysinternals recently made some minor updates to SDelete. From "Updates: Coreinfo v3, DebugView v4.77, SDelete v1.6, and Process Explorer v15.04": "SDelete, a command-line utility for securely deleting files and zeroing volume free space, fixes a bug that prevented it from accessing some files on 64-bit Windows and swaps the zero-free-space and clean-free-space arguments to make them more intuitive." OK, if they say it is more intuitive...

I fully agree with the main issue with Eraser and the tasks/jobs scheduling. Once you understand it is OK but it does seem a bit clunky for the user-interaction.

Cheers!

--Claus V.

Claus said...

@MarkG -- You betcha!

I think I was focusing on GUI'ish tools rather than CLI ones with this post (with the exception of passing mention of FAU's wipe.exe which I like and the dcfldd tool); at least that's what I'm telling myself. I probably should have included mention of cipher and SDelete both.

Back in a 2009 post I did spend some time on cipher: grand stream dreams: Partition and Disk Management: Part IV ...

And again in a follow-on post hit them both again grand stream dreams: Secure Drive Wiping postscript…

SDelete – Microsoft Sysinternals – This is a command-line only tool that has a number of flexible options for secure wiping and cleaning of free space. It is tiny and relatively fast at what it does. Mark Russinovich also goes into great detail explaining just what the tool does and why it is good information to know about. Read the page closely to understand the command-line arguments particular to it as well as the method it uses.

Then there is the previously described…

cipher.exe -- nV News Forums. Another command-line only tool that should be present on most XP/Vista systems, this Microsoft utility can also wipe out deleted files and remnants from free-space on a drive. The basic command is CIPHER /W:directory so to wipe the free space on your C: partition you would issue the command CIPHER /W:C:

Both are great pocket-tools to keep handy for quick ad-hoc wiping jobs.

Cheers!

--Claus V.

Tony said...

Another option is a FULL format (not quick) in Windows Vista or 7.

Granted it is not an end to end wipe like DBAN but it does wipe all data and build the filesystem.

This is documented by Microsoft at http://support.microsoft.com/kb/941961

I have tested it in Vista and others have verified it in Windows 7.

TonyC