You may recall that both GSD posts on secure wiping -- Free Wipies and Wipies - Part II (Full Coverage Cleaning) -- were both inspired by a blog post by the TinyApps.Org blogger.
Last night I received a kind message from this dear friend pulling my attention back to the deeper issue raised in that post, and while this isn’t a completely unknown issue, it is one that can be easily overlooked by the best of sysadmins in our zeal to “secure wipe the darn thing” and get on with our other daily grinds.
The TinyApps how-to post ATA Secure Erase (SE) and hdparm shares an added benefit for those who dare to tread that hard-drive wiping technique through the “enhanced secure erase” option.
(Very) Basically the issue comes down to this: hard drives may have bad sectors that have been found and so marked as well as additional “host protected area (HPA)s” both of which can be skipped by many “block-erase” wiping tools and utilities. The end result is the possibility of recoverable data left behind in these areas if a standard block-erase method is used.
- Host protected area - Wikipedia, the free encyclopedia
- Device configuration overlay - Wikipedia, the free encyclopedia
So even though you are diligently laying down your randomized data and/or zeros to all the (accessible) sectors of the drive, the drive itself may be actually hiding physical sectors from your software that will not get overwritten no matter how hard you try.
As TinyApps linked for me in the communication, even the almighty Darik's Boot And Nuke clearly says in its FAQ that it must be used with knowledge to address some of these issues:
Does DBAN wipe remapped sectors? - Darik's Boot And Nuke
Does DBAN wipe remapped sectors?
Use the ATA-6 wipe method if you want to wipe remapped sectors. Most methods do not wipe remapped sectors.
Does DBAN wipe the Host Protected Area ("HPA")? - Darik's Boot And Nuke
Does DBAN wipe the Host Protected Area ("HPA")?
No.
Most vendors that are using the HPA have a toggle for it in the BIOS setup program. Future releases of DBAN may override or dishonor the HPA.
Why not now and why not by default?
Some vendors are using the HPA instead of providing rescue media.
Wiping the HPA would surprise and strand people that expect the HPA to have rescue materials, and it often results in OEM technical support marking and abandoning people that do it. The HPA is a low risk because it is not accessible during normal operations.
DBAN defaults are chosen to best protect people with a minimal understanding of this kind of problem. This point is still open for discussion in the help forum and in the appropriate bug ticket.
That’s not to say this information makes DBAN (or any of the others like it) a bad or faulty tool, just one with some limitations (like most all other block-erase wipe tools) that must be fully understood before deciding if its methods are sufficient for the use at hand.
For example, there are forensic drive access/capture tools that can detect these areas and ensure the investigator is able to respond to them. That’s great news for the good guys and a warning that bad-guys can also take advantage of this as well: HPA/DCO Detection - WiebeTech Forensic Docks
Here (again) are links to two posts about the HPA/remapped sector issue with drive wiping well worth the read:
- Securely erase hard drives - ultraparanoid
- Can God Create a Rock So Heavy Even He Can’t Lift It? - ultraparanoid
I suppose one good place to start is pre-inspecting your drive before you get wiping to better understand what you are dealing with.
There are a few Windows-based tools that I am aware of that can let you look at either/both HPA area(s) as well as DCO info (if they exist). In most cases, these do require specialized booting of the system either directly with a true DOS disk or a Linux tool to access the drive correctly.
- MHDD - HDDGuru
- HDAT2/CBL Hard Disk Repair Utility - Lubomir Cabla
- TestDisk 6.12 Release - CGSecurity
So, that brings us back to using a combo of tools and methods to wipe both check for the presence of HPA/DCO and address/remove them first before using a block-erase wipe tool or to learn some new techniques for an “all-in-one” wipe method to get it all.
For “modern” hard disk drives that support this feature the “enhanced secure erase” method may be the only option short of extreme physical destruction (with prejudice and malice aforethought) of the drive to ensure all data is irrevocably cleared from the drive.
TinyApps “how-to” post is a great starting point at using a Linux Live CD to accomplish the process and what is happening :
- ATA Secure Erase (SE) and hdparm - TinyApps blog
- More background here at ATA Secure Erase - ata Wiki
- SSD Secure Erase with proper ATA command - mackonsti blog
- CMRR - Secure Erase tool - over at the Center for Magnetic Recording Research (CMRR) is another option, though a read through of many comments and other posts suggests this tool may have some performance issues…or not.
- Guide How to use HDDErase - OCZ Forum
- The Parted Magic LiveCD- I have learned - includes an ERASE tool which does support the “enhanced secure erase” protocol if the drive at hand does as well. It takes care of a lot of the CLI work that might off-put casual wipers. How To Secure Erase Corsair SSDs With Parted Magic -- Corsair Blog. I’ve used Parted Magic quite a lot in the past but never for secure wiping and never realized it had this option.
- GParted can do this as well, though it doesn’t seem to have the “wizard” for hdparm that Parted Magic does: Use GParted to secure erase SSD - GSKILL TECH FORUM.
- Note: As TinyApps points out in his post, in-fact any Linux distro that includes hdparm at a version of 9.31 or greater would work; the lower versions have a 2-hour timeout which can leave the remaining portion of the disk unwiped.
- Guide Secure Erase for Windows - OCZ Forum
- Guide Secure Erase From Within Linux For Windows Users - OCZ Forum
- Guide How to Restore SSD performance WITHOUT using HDDErase - OCZ Forum
It is my understanding that Windows port of hdparm may work as well that is found in Cygwin. I’ve seen some forum posts discuss that some versions (the later ones) are better than earlier ones.
- The Win32/Cygwin version of 'hdparm' will tell you if you have HIPM or DIPM capabilities. - Aaron Tiensivu's Blog
Christian Franke has also provided a native Win32 tool version if you just need it without Cygwin.
- Index of /hdparm - via Christian Franke
So to sum up from my perspective,
- If you want to keep the OEM HPA area intact (maybe you have a Dell system with diagnostics loaded there) and plan to recycle the drive/system in your organization, then a simple whole-disk block-erase of the drive may be sufficient. Updating the DCO information probably isn’t necessary and may help -- in fact -- preserve the previously found “bad sectors” info if it is present.
- If you plan on giving the drive/system away then you should strongly consider attempting the “enhanced secure erase” method first to see if your drive supports it. If not, then you may have to settle for either a whole-disk block-erase wipe and hope for the best (that there is no sensitive data in any HPA/DCO areas (if present) or use one of many reliable, complete, irrevocable, physically destructive methods.
Hopefully I have covered this sufficiently for you to Google on from here.
If not, as always your comments are welcome and appreciated.
And if anyone knows of any additional Windows/DOS/*Nix tools that can handle “enhanced secure erase” wiping of a modern drive, please leave a tip in the comments.
Cheers!
--Claus V.
1 comment:
One of the DOS tools I've been digging into is Lubomir Cabla's HDAT2: http://www.hdat2.com/ . Offers an "Auto Remove Hidden Areas" option, Security Erase, great documentation, and several download options (bootable CD, standalone executable, etc).
Post a Comment