an empty hdd has hi...
 
Notifications
Clear all

an empty hdd has hidden areas like HPA DCO g lists etc?

10 Posts
6 Users
0 Likes
637 Views
electronic_x
(@electronic_x)
Posts: 48
Eminent Member
Topic starter
 

in order to know how correctly clean a HDD I would like to know if an empty HDD previously installed in a PC and running with Operatins System but now formatted and empty contains hidden areas or not.

 
Posted : 08/08/2013 12:10 am
jaclaz
(@jaclaz)
Posts: 5135
Illustrious Member
 

in order to know how correctly clean a HDD I would like to know if an empty HDD previously installed in a PC and running with Operatins System but now formatted and empty contains hidden areas or not.

Yes.

Or maybe no. ?

Who knows?

I mean are trying to establish a record for indeterminateness of a question?

WHICH Disk (EXACT make/model)?
WHICH PC?
WHICH Operating System?
etc. ….

Just look if there is one.

Mechanic's comparison
Q.Does a car engine previously mounted on a car and later removed from it contain some diesel fuel?
A. Look and see if you can find any.

jaclaz

 
Posted : 08/08/2013 1:41 am
jhup
 jhup
(@jhup)
Posts: 1442
Noble Member
 

What is the end purpose?

in order to know how correctly clean a HDD I would like to know if an empty HDD previously installed in a PC and running with Operatins System but now formatted and empty contains hidden areas or not.

 
Posted : 08/08/2013 1:57 am
electronic_x
(@electronic_x)
Posts: 48
Eminent Member
Topic starter
 

the end purpose is to safely erase some hard drives. Different Windows versions were running in these disks. Now all are formatted and would like to wipe them. If hidden áreas are still present containing some information after the HDD has been formatted and no OS is installed, then I had to use a tool targetting HPA/DCO like BCWipe total or Blancco. If no hidden áreas are not present, then a DBAN zero wiping ould be enough.

What should I do, then?

 
Posted : 08/08/2013 4:00 am
Passmark
(@passmark)
Posts: 374
Reputable Member
 

We recently did a survey of about a 20 different models of hard drives.
The vast majority don't have HPA / DCO. At least not in their factory state. Installing an O/S doesn't change this.

The couple we found with HPA / DCO seemed to have nothing of great interest in these areas, and the hidden areas were small.

There might be an exception for this if you are looking at brand name PCs. e.g. HP might drop some diagnostic tools in a HPA area on their PCs. But we didn't come across this. And in any case do you care about vendor diagnostic tools still being on the drive anyway?

So in my opinion you only need to worry about this if you are looking for information that was deliberately hidden away in these areas. Which I think is extremely unlikely for a normal user.

If you did want to check, OSForensics V2.1 can find & remove HPA / DCO areas..

 
Posted : 08/08/2013 8:23 am
athulin
(@athulin)
Posts: 1141
Noble Member
 

If hidden áreas are still present containing some information after the HDD has been formatted and no OS is installed, then I had to use a tool targetting HPA/DCO like BCWipe total or Blancco. If no hidden áreas are not present, then a DBAN zero wiping ould be enough.

Or, if the drive supports it, you can use the built-in SECURITY ERASE UNIT command – it erases HPA as well. It doesn't erase DCO, though. There's a utility 'HDDErase' from CMMR that does that – I think I've seen in on Ultimate Boot CD.

What should I do, then?

You already say that BCWipe Total WIpeout or Blancco does the job. Why search further? At the price, it seems you'll recoup your costs fairly quick. Don't forget to do test the erased disks for signs of non-erasure, though. (You mention DBAN as a tool – you are aware that it does not give any guarantee that data is removed? You always need to verify that for yourself.)

It's also a question of who will do the job, and how big it is. For larger jobs, get a ready-made solutions. It's possible to do a manual job, but after, say, half-a-dozen disks, the temptation to skip over steps like testing for presence of DCO gets fairly big. You probably don't want to cope with the question if the operator can be trusted to do all the required steps. Also, if this is something that will need to be repeated in the future, yoi have the problem of ensuring that process remains the same. Easier with ready-made tools.

For single job, I'd use the tools on Ultimate Boot CD, to remove DCO if there is one, and the HDDerase the disk.

 
Posted : 08/08/2013 12:50 pm
jaclaz
(@jaclaz)
Posts: 5135
Illustrious Member
 

@jhup
@athulin
JFYI, these same topic has been talked to death in an earlier thread
http//www.forensicfocus.com/Forums/viewtopic/t=10808/

@electronic_x
Reportedly a Secure Erase command will wipe also any HPA and DCO areas (if present)
http//tinyapps.org/docs/wipe_drives_hdparm.html

But as always - unless you are just playing - you will need to validate results, and again behaviour may be different on different drives (i.e. it is possible that the "standard" command operates in "non-standard ways" on some disks).

jaclaz

 
Posted : 08/08/2013 6:59 pm
athulin
(@athulin)
Posts: 1141
Noble Member
 

@electronic_x
Reportedly a Secure Erase command will wipe also any HPA and DCO areas (if present)
http//tinyapps.org/docs/wipe_drives_hdparm.html

The document I last checked this in said it (normal security erase) would erase all sectors from LBA 0 to LBA n, where n was the value returned by READ NATIVE MAX (or the corresponding EXT version – this is normal disk + HPA space), and that it *may* erase also LBA n+1 to LBA real_max (which is the DCO space).

The enhanced security erase erases full disk space, also DCO. But it is an optional command, and may not be supported. Enhanced security erase is the only one that goes for all user written data (i.e. also remapped sectors). It does not necessarily reset anything else. In particular any master password set remains set after execution.

 
Posted : 08/08/2013 9:23 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

I wrote BXDR about 10 years ago to do just this for ATA drives. Pretty much every drive I looked at had the security set features enabled including the enhanced security erase function.

Basically you issue the command (and a password if memory serves) the drive then starts to wipe itself. At thids point you can disconnect the data cable and turn the drive on and off but it will continue the erase and wont "come ready" until the erase has completed. Enhanced erase wipes the drive including DCO/HPA and spare sectors.

 
Posted : 08/08/2013 9:57 pm
jaclaz
(@jaclaz)
Posts: 5135
Illustrious Member
 

The document I last checked this in said it (normal security erase) would erase all sectors from LBA 0 to LBA n, where n was the value returned by READ NATIVE MAX (or the corresponding EXT version – this is normal disk + HPA space), and that it *may* erase also LBA n+1 to LBA real_max (which is the DCO space).

The enhanced security erase erases full disk space, also DCO. But it is an optional command, and may not be supported. Enhanced security erase is the only one that goes for all user written data (i.e. also remapped sectors). It does not necessarily reset anything else. In particular any master password set remains set after execution.

Yep, that's what I meant by recommending verification.
Whilst the HPA should never be an issue, a DCO may, and this depends on what the actual hard disk manufacturer did (the way the command were implemented), besides the "type" of security erase that is chosen.

Still, the original question started with
http//www.forensicfocus.com/Forums/viewtopic/t=10808/

hello everyone!

We want to sell a few of my 2-3 years old laptops and pcs as we have upgraded to new models.
However we´d like to leave the computers -although obviously used- totally as new, so nobody, in the future although being and expert could not recover none of the old stored data.
We don´t know much about computers and even less about forensic.

and, as explained on that thread, there is NO actual *need* in the specific case to be (reasonably) worried by any HPA, let alone DCO, a simple 00 wipe of the accessible parts of the hard disk would be more than enough, and a plain "format" (without the /q oprtion) under a Vista or later actually enough.

@Paul
Maybe this nice article on your blog
http//sandersonforensics.com/forum/entry.php?9-Securely-wiping-a-hard-disk-versus-destroying-it
may be of help to the OP.
But the BXDR tool has been discontinued ?
http//web.archive.org/web/20060221053651/http//www.sandersonforensics.co.uk/BXDR.htm
or is it still available (possibly included in one of your other tools?)
I cannot find a page for it on your site.

jaclaz

 
Posted : 08/08/2013 10:39 pm
Share:
Share to...