[danbuter]

Just curious if there is a good way to completely wipe a hard drive on a Ubuntu computer that I am going to be donating. I am pretty damn sure the sudo rm... command doesn't work on Ubuntu. (At least to get hidden stuff like old passwords or card numbers) Thanks!

[Juan Pablo]

Yes, boot with a LiveCD and then use this command to fill the hard drive with zeros

dd if=/dev/zero of=/dev/hda

I would suggest using a tool to check if the partitions are recoverable at all, try testdisk to see if it finds anything

TestDisk - CGSecurity

[devils casper]

I would suggest you to execute this

Code:

sudo dd if=/dev/zero of=/dev/hda bs=521 count=1 

if you execute dd with bs and count parameters, It will erase first 512 bytes only which includes Partition Table, Boot Loader and Hard Disk Signatures. There is no need to re-write whole disk. Its not recommended.

[danbuter]

Thanks, guys!

[Juan Pablo]

Quote:

if you execute dd with bs and count parameters, It will erase first 512 bytes only which includes Partition Table, Boot Loader and Hard Disk Signatures. There is no need to re-write whole disk. Its not recommended.

Are you sure? If you just erase the MBR everything will be recoverable using TestDisk or a similar program

[devils casper]

Quote:

Originally Posted by Juan Pablo

Are you sure? If you just erase the MBR everything will be recoverable using TestDisk or a similar program

Yes, I am sure about that, if you re-write every byte of first sector, TestDisk could not recover Partition Structure.

[Lakshmipathi]

hmm..interesting one...deleting MBR alone makes harddisk un-recoverable???
...any links or docs on it?...i would love to learn more about this ...

[devils casper]

Quote:

Originally Posted by Lakshmipathi

hmm..interesting one...deleting MBR alone makes harddisk un-recoverable???
...any links or docs on it?...i would love to learn more about this ...

Check the manual of dd command.

[ami32]

Yes ..there is lots of way to erase hard drive. Formatting the hard drive will erase data..wiping our MBR or damaging your hard drive physically. Best option is use of drive wipe utilities which will wipe your data permanently using best algorithm so that data become unrecoverable.

Thank You

[kakariko81280]

Wiping the MBR or formatting the disk is not enough to wipe the data. I've set up a 1MB test image to demonstrate. First of all, scrubbing the MBR doesn't change the data needed to mount a disk, so it can simply be re-mounted.

Code:

root@angua:/mnt# df -h | grep test
/dev/loop0           1003K   21K  931K   3% /mnt/test
root@angua:/mnt# find ./test
./test
./test/lost+found
./test/quick
./test/quick/brown
./test/quick/brown/fox.txt
./test/hello.txt
root@angua:/mnt# umount test
root@angua:/mnt# dd if=/dev/zero of=/dev/loop0 bs=512 count=1
1+0 records in
1+0 records out
512 bytes (512 B) copied, 0.000130744 seconds, 3.9 MB/s
root@angua:/mnt# mount /dev/loop0 ./test
root@angua:/mnt# find ./test
./test
./test/lost+found
./test/quick
./test/quick/brown
./test/quick/brown/fox.txt
./test/hello.txt

Formatting the disk does appear to wipe the data, but a dump of the disk image shows what is left.

Code:

00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000400  80 00 00 00 00 04 00 00  33 00 00 00 da 03 00 00  |........3.......|
00000410  75 00 00 00 01 00 00 00  00 00 00 00 00 00 00 00  |u...............|
00000420  00 20 00 00 00 20 00 00  80 00 00 00 00 00 00 00  |. ... ..........|
00000430  e1 2d 6d 48 00 00 20 00  53 ef 01 00 01 00 00 00  |.-mH.. .S.......|
00000440  e1 2d 6d 48 00 4e ed 00  00 00 00 00 01 00 00 00  |.-mH.N..........|
00000450  00 00 00 00 0b 00 00 00  80 00 00 00 30 00 00 00  |............0...|
00000460  02 00 00 00 01 00 00 00  49 05 65 1e 87 2c 49 ac  |........I.e..,I.|
00000470  a4 7f d0 0a c1 e7 31 39  00 00 00 00 00 00 00 00  |......19........|
00000480  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00006000  02 00 00 00 0c 00 01 02  2e 00 00 00 02 00 00 00  |................|
00006010  0c 00 02 02 2e 2e 00 00  0b 00 00 00 e8 03 0a 02  |................|
00006020  6c 6f 73 74 2b 66 6f 75  6e 64 00 00 00 00 00 00  |lost+found......|
00006030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00006400  0b 00 00 00 0c 00 01 02  2e 00 00 00 02 00 00 00  |................|
00006410  f4 03 02 02 2e 2e 00 00  00 00 00 00 00 00 00 00  |................|
00006420  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00009800  0c 00 00 00 0c 00 01 02  2e 00 00 00 02 00 00 00  |................|
00009810  0c 00 02 02 2e 2e 00 00  0d 00 00 00 e8 03 05 02  |................|
00009820  62 72 6f 77 6e 00 00 00  00 00 00 00 00 00 00 00  |brown...........|
00009830  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00009c00  0d 00 00 00 0c 00 01 02  2e 00 00 00 0c 00 00 00  |................|
00009c10  0c 00 02 02 2e 2e 00 00  0e 00 00 00 e8 03 07 01  |................|
00009c20  66 6f 78 2e 74 78 74 00  00 00 00 00 00 00 00 00  |fox.txt.........|
00009c30  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
0000a000  54 68 65 20 71 75 69 63  6b 20 62 72 6f 77 6e 20  |The quick brown |
0000a010  66 6f 78 20 6a 75 6d 70  65 64 20 6f 76 65 72 20  |fox jumped over |
0000a020  74 68 65 20 6c 61 7a 79  20 64 6f 67 0a 00 00 00  |the lazy dog....|
0000a030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
0000a400  48 65 6c 6c 6f 2c 20 57  6f 72 6c 64 21 0a 00 00  |Hello, World!...|
0000a410  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00100000

The first line followed by the * indicates that the first 0x400 bytes (1KB) are all null so even the original formatting to set up this test didn't write there.

The blocks at 0x6000 and 0x6400 show the directories set up by the ext2 formatting. It's not readily apparent, but the '01 02 2e' at 0x6006 and '02 02 2e 2e' at 0x6012 are the '.' and '..' directories. This pattern can be searched for to recover directories, and find the data that was in them. 0x6400 repeats this pattern for the contents of the lost+found directory.

So the formatting deleted the 'quick' directory and the 'hello.txt' filename, but we can see the 'brown' directory at 0x9800, with the same '.' and '..' patterns, and the next block shows the filename fox.txt. The last two blocks are the contents of the test files shown in the first example. Files with predictable headers can be searched for and recovered in this way too, for example jpegs.

I've watched an expert use off the shelf tools to recover a disk that had been through fdisk. It's also worth noting that the Windows full format is essentially a bad blocks check and does not destroy any more data than a quick format.

Writing zeros to the *entire* disk would prevent an interested amateur from recovering the data, but I'd write random data several times. A disk wiping utility would be a good idea, but I read news reports based on a report from Glamorgan University that suggested some were ineffective and some just totally useless.

After that you get into the territory of ghost images recovered by filtering out the main signal and looking at what is left. For example a 1 overwritten with a 0 looks different from a 0 overwritten with a 0. Also, if the write head drifts slightly during a write, then the underlying data may be available on the other edge of the track.


My advice is that hard disks are reasonably cheap. Bash it with a hammer and build a wind chime out of the bits.

Chris...