I recently downloaded a free tool called DBAN, google it.
It has all the top commercial wiping tools in one package that is bootable.
You can throw the software onto a DVD or USB and boot it when you turn on your PC. It's a very useful tool which consists of 5-6 different extensive wiping procedures that you can choose from.
It's very easy to use and has DOD Verified wiping methods in there that can come in handy. Then there's other ones that just completely wipe the hard drive but can take some time.
> I recently downloaded a free tool called DBAN, google it.
> It has all the top commercial wiping tools in one package that is bootable.
Not really.
DBAN
http//
contains NOT ANY "Commercial" tools, it promotes one ( BTW unneeded).
jaclaz
Ok, so I have been using EnCase as well, but how about when you need to present proof that the drive was actually wiped? Will the EnCase log be sufficient? Will it be court acceptable?
What if the EnCase log is acceptable but right after you ran EnCase you wrote something to the disk?
I would be curious to know an example of a request for such a "proof".
jaclaz
As to proof, we have used all the methods and verified by hash of the drive for each method for a particular size of drive. We use 1 TB drives typically as standard stock in our lab. If we hash an unused, already all-zeroed drive and retain that hash and then compare it to a hash of a used drive that has been wiped, they should match. This can be verified no matter what method has been used to wipe, as long as it zeroes the drive in this case.
> As to proof, we have used all the methods and verified by hash of the drive for each method for a particular size of drive. We use 1 TB drives typically as standard stock in our lab. If we hash an unused, already all-zeroed drive and retain that hash and then compare it to a hash of a used drive that has been wiped, they should match. This can be verified no matter what method has been used to wipe, as long as it zeroes the drive in this case.
And you can also re-calculate it at will, JFYI
http://www.forensicfocus.com/Forums/viewtopic/t=5077/
Program is here
http//
But what I meant was that *somehow* there is no way to "prove" that you have wiped a disk if not your word for it that it was wiped (and checked) and used for whatever you need to use it for before any modification.
Or - if you prefer - unless you provide a surely unedited video recording of the device from the moment you have a valid hash until you write to it the image, anyone in the lab may have "sabotaged" or however "altered" the device.
Let's also imagine that
1) you fail 😯 to wipe a whole disk before using it
2) you partition/format it then write to the filesystem an image of the contents of a smaller disk
3) you run on the device a tool *like* sdelete to zero all unused sectors.
jaclaz
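The hash comparison discussed in the posts above, as an added example that is not part of the original thread: it recomputes the expected hash of an all-zero drive from its size alone and checks a device or image against it, reporting the first non-zero sector. The function names, the 512-byte sector size and the in-memory sample images are assumptions made for the illustration.

```python
import hashlib
import io

CHUNK = 1024 * 1024   # read size in bytes
SECTOR = 512          # assumed logical sector size

def zero_hash(size, algo="sha256"):
    """Hash of `size` zero bytes, recomputed without a reference drive."""
    h = hashlib.new(algo)
    full, rest = divmod(size, CHUNK)
    block = bytes(CHUNK)
    for _ in range(full):
        h.update(block)
    h.update(bytes(rest))
    return h.hexdigest()

def verify_wipe(stream, algo="sha256"):
    """Read `stream` to the end; return (size, digest, first_nonzero_sector).

    first_nonzero_sector is None when every byte read was 0x00. Only the
    range the OS exposes is read, so an HPA or DCO area is not covered.
    """
    h = hashlib.new(algo)
    size, first_bad = 0, None
    while True:
        buf = stream.read(CHUNK)
        if not buf:
            break
        h.update(buf)
        if first_bad is None:
            rest = buf.lstrip(b"\x00")
            if rest:  # something other than zero in this chunk
                first_bad = (size + len(buf) - len(rest)) // SECTOR
        size += len(buf)
    return size, h.hexdigest(), first_bad

def is_wiped(stream, algo="sha256"):
    """True only if all bytes are zero and the digest matches zero_hash."""
    size, digest, first_bad = verify_wipe(stream, algo)
    return first_bad is None and digest == zero_hash(size, algo)

if __name__ == "__main__":
    # Constructed sample images; for a real drive, open the block device
    # read-only in binary mode and pass the file object instead.
    clean = bytes(4 * CHUNK)
    dirty = bytearray(clean)
    dirty[3 * SECTOR + 7] = 0x41   # one leftover byte in sector 3
    print(is_wiped(io.BytesIO(clean)))
    print(verify_wipe(io.BytesIO(bytes(dirty)))[2])
```

The result describes the device only at the moment it was read; it says nothing about writes made afterwards.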
I use OSForensics to wipe drives - it actually works very quickly. The wiping function is under "Drive Preparation".
Just fill with zeros from the first to the end sector of the HDD and create a hash of the zeroed drive at the end. The program doing it is not important.
I use an older Tableau TD2 for wiping drives, with logs and hash generated, but I would not see any difference in the results if the same thing is done with a software like hddguru's wipe tool in a documented session.
> Just fill with zeros from the first to the end sector of the HDD and create a hash of the zeroed drive at the end. The program doing it is not important.
> I use an older Tableau TD2 for wiping drives, with logs and hash generated, but I would not see any difference in the results if the same thing is done with a software like hddguru's wipe tool in a documented session.
JFYI, there may be differences on some devices (think of DCO and HPAs).
The "right" way for hard disks is the ATA Secure Erase that is BTW faster than anything else, being "internal".
https://
Of course an HPA and particularly a DCO might be there for a reason ;) , so you should be very careful when mingling with those, particularly the DCO. Not so casually, hdparm has a "--yes-i-know-what-i-am-doing" flag for the DCO --dco-restore command.
http//
Clearing the HPA and restoring a DCO is not however relevant in the case of wiping a disk to store an image on all 00's, since they won't be normally accessed anyway.
The issue with Secure Erase may be with some SSDs that have been found to not implement correctly the (BTW mandatory) feature.
http://cseweb.ucsd.edu/~swanson/papers/Fast2011SecErase.pdf
https://www.thomas-krenn.com/en/wiki/SSD_Secure_Erase
but again in this case usually hard disk drives (and not SSDs) are used to store images for obvious size and cost limitations.
jaclaz
> ( BTW unneeded).
> jaclaz
Just out of curiosity, will the 3 or 7 pass by the DOD work, or even the quick erase that comes with DBAN?
> Clearing the HPA and restoring a DCO is not however relevant in the case of wiping a disk to store an image on all 00's, since they won't be normally accessed anyway.
> The issue with Secure Erase may be with some SSDs that have been found to not implement correctly the (BTW mandatory) feature.
> http://cseweb.ucsd.edu/~swanson/papers/Fast2011SecErase.pdf
> https://www.thomas-krenn.com/en/wiki/SSD_Secure_Erase
> but again in this case usually hard disk drives (and not SSDs) are used to store images for obvious size and cost limitations.
> jaclaz
Dealing with SSD is a bit different, but I don't know any person/lab that recovered successfully useful data from a wiped SSD either.
The original post is about HDD wiping, let's stick to that. Let's say somebody gets access to the host protected area of a zeros-filled HDD … and then what? I'd be interested to know if that could be used for further data recovery?! And if yes, how?!
> ( BTW unneeded).
> jaclaz
> Just out of curiosity, will the 3 or 7 pass by the DOD work, or even the quick erase that comes with DBAN?
What do you mean will they work?
Each pass will be as effective as a single 00 pass (that is ALL that is needed), only it will take minimum 3 (three) to 7 (seven) times the time of a single 00 pass, and this single pass will take anyway more time (if made by a set of external commands) than the single pass initiated by the built-in Secure Erase.
In the real world, given the large sizes of common hard disks you are looking for several hours for each pass, let's say roughly 30 minutes (or more) every 100 Gb of hard disk size.
During this time the disk is continuously spinning and writing data, a good way to "stress test" it.
Hint: make sure that the drive is cooled efficiently, a good idea is to have a fan blowing on it.
Continuing to torture the poor hard disk another 2 or 6 times is considered cruelty by many ;) .
> Let's say somebody gets access to the host protected area of a zeros-filled HDD … and then what? I'd be interested to know if that could be used for further data recovery?! And if yes, how?!
I don't understand the question.
The HPA is simply an extent of the disk that is normally not exposed as part of the disk to the OS.
So, for all you know a malware may write data to an area at the end of the disk and then set it as HPA.
This area will survive any wiping done with the exposed disk as target, since the HPA is "outside" the disk.
jaclaz