Sunday, January 08, 2012

Wipies -- Addendum

You may recall that both GSD posts on secure wiping -- Free Wipies and Wipies - Part II (Full Coverage Cleaning) -- were both inspired by a blog post by the TinyApps.Org blogger.

Last night I received a kind message from this dear friend pulling my attention back to the deeper issue raised in that post, and while this isn’t a completely unknown issue, it is one that can be easily overlooked by the best of sysadmins in our zeal to “secure wipe the darn thing” and get on with our other daily grinds.

The TinyApps how-to post ATA Secure Erase (SE) and hdparm shares an added benefit for those who dare to tread that hard-drive wiping technique through the “enhanced secure erase” option.

(Very) Basically the issue comes down to this: hard drives may have bad sectors that have been found and so marked as well as additional “host protected area (HPA)s” both of which can be skipped by many “block-erase” wiping tools and utilities. The end result is the possibility of recoverable data left behind in these areas if a standard block-erase method is used.

So even though you are diligently laying down your randomized data and/or zeros to all the (accessible) sectors of the drive, the drive itself may be actually hiding physical sectors from your software that will not get overwritten no matter how hard you try.

As TinyApps linked for me in the communication, even the almighty Darik's Boot And Nuke clearly says in its FAQ that it must be used with knowledge to address some of these issues:

Does DBAN wipe remapped sectors? - Darik's Boot And Nuke

Does DBAN wipe remapped sectors?

Use the ATA-6 wipe method if you want to wipe remapped sectors. Most methods do not wipe remapped sectors.

Does DBAN wipe the Host Protected Area ("HPA")? - Darik's Boot And Nuke

Does DBAN wipe the Host Protected Area ("HPA")?


Most vendors that are using the HPA have a toggle for it in the BIOS setup program. Future releases of DBAN may override or dishonor the HPA.

Why not now and why not by default?

Some vendors are using the HPA instead of providing rescue media.

Wiping the HPA would surprise and strand people that expect the HPA to have rescue materials, and it often results in OEM technical support marking and abandoning people that do it. The HPA is a low risk because it is not accessible during normal operations.

DBAN defaults are chosen to best protect people with a minimal understanding of this kind of problem. This point is still open for discussion in the help forum and in the appropriate bug ticket.

That’s not to say this information makes DBAN (or any of the others like it) a bad or faulty tool, just one with some limitations (like most all other block-erase wipe tools) that must be fully understood before deciding if its methods are sufficient for the use at hand.

For example, there are forensic drive access/capture tools that can detect these areas and ensure the investigator is able to respond to them.  That’s great news for the good guys and a warning that bad-guys can also take advantage of this as well: HPA/DCO Detection - WiebeTech Forensic Docks

Here (again) are links to two posts about the HPA/remapped sector issue with drive wiping well worth the read:

I suppose one good place to start is pre-inspecting your drive before you get wiping to better understand what you are dealing with.

There are a few Windows-based tools that I am aware of that can let you look at either/both HPA area(s) as well as DCO info (if they exist).  In most cases, these do require specialized booting of the system either directly with a true DOS disk or a Linux tool to access the drive correctly.

So, that brings us back to using a combo of tools and methods to wipe both check for the presence of  HPA/DCO and address/remove them first before using a block-erase wipe tool or to learn some new techniques for an “all-in-one” wipe method to get it all.

For “modern” hard disk drives that support this feature the “enhanced secure erase” method may be the only option short of extreme physical destruction (with prejudice and malice aforethought) of the drive to ensure all data is irrevocably cleared from the drive.

TinyApps “how-to” post is a great starting point at using a Linux Live CD to accomplish the process and what is happening :

It is my understanding that Windows port of hdparm may work as well that is found in Cygwin. I’ve seen some forum posts discuss that some versions (the later ones) are better than earlier ones.

Christian Franke has also provided a native Win32 tool version if you just need it without Cygwin.

So to sum up from my perspective,

  1. If you want to keep the OEM HPA area intact (maybe you have a Dell system with diagnostics loaded there) and plan to recycle the drive/system in your organization, then a simple whole-disk block-erase of the drive may be sufficient.  Updating the DCO information probably isn’t necessary and may help -- in fact -- preserve the previously found “bad sectors” info if it is present.
  2. If you plan on giving the drive/system away then you should strongly consider attempting the “enhanced secure erase” method first to see if your drive supports it. If not, then you may have to settle for either a whole-disk block-erase wipe and hope for the best (that there is no sensitive data in any HPA/DCO areas (if present) or use one of many reliable, completeirrevocable, physically destructive methods.

Hopefully I have covered this sufficiently for you to Google on from here.

If not, as always your comments are welcome and appreciated.

And if anyone knows of any additional Windows/DOS/*Nix tools that can handle “enhanced secure erase” wiping of a modern drive, please leave a tip in the comments.


--Claus V.

1 comment:

Miles Wolbe said...

One of the DOS tools I've been digging into is Lubomir Cabla's HDAT2: . Offers an "Auto Remove Hidden Areas" option, Security Erase, great documentation, and several download options (bootable CD, standalone executable, etc).