My question is about the efficacy of two specific built-in Windows 10 utilities for wiping a disk and preparing it to be sold. One is cipher.exe and the other is the "Fully clean the drive" option when reinstalling Windows 10.
I recently sold a laptop with a 500 GB SATA HDD and now I am questioning my wiping procedure. Generally I use DBAN to wipe a PC I'm no longer using, but I've encountered problems with the performance of the drive after DBAN in the past, and since I was selling this one, I wanted to be a little kinder to it, so I only used built-in Microsoft utilities.
First, I deleted all my personal files and used cipher.exe /w to rewrite any unallocated space, which allegedly does 3 passes. I then reinstalled Windows using the "Fully clean the drive" option. Microsoft seems generally pretty vague about what this feature actually does, but here they claim (actually for Windows 8) that it writes one pass of zeroes over the drive. https://
Once Windows was reinstalled, I installed Recuva, which of course found nothing, but I'm under the impression it's a fairly tame recovery tool. I then uninstalled Recuva, ran cipher again (3 passes) and reinstalled Windows once more with the "fully clean the drive" option.
Here is a Harvard study examining the efficacy of cipher.exe in older versions of Windows. The article seems to take the opinion of doubting its efficacy, but they also don't seem to be able to recover any files after using it. http//
Does anyone know what these two utilities actually do and how well they work? Compared to DBAN? If Windows is writing a pass of zeroes over the entire drive, where is it pulling the data to install Windows from?
I apologize if these questions have been posted before. I promise I looked.
The only sure way to know if a tool works is to test and validate it yourself.
Your best bet is to preview your drive and look at it for any data from the previous install. Do you see all the sectors wiped over with all 0's or 1's (or some hex wiping pattern)?
Personally, I would wipe the drive first before installing an OS, rather than letting the OS do the wiping for me. This way it would be easier to tell if it's clean or not. Your results could be fine, but you may want to use a forensic analysis tool like Autopsy, X-Ways, FTK or EnCase to see the raw data on the drive and know for sure.
Since Vista, when you format a drive (actually a volume, i.e. the thing that gets a drive letter in Explorer) WITHOUT the /q (or checking "quick" in the GUI), the program fills each and every sector within the volume extents with 00's before applying the filesystem/creating the filesystem structures.
Nothing else (let alone more than one pass) is needed.
Of course anything outside the extents of the volume is unaffected by the format, BUT it is not likely that there is any meaningful data outside the extents comprising the volume(s) that you format, typically they are
1) the MBR and a bunch of "hidden sectors" typically 62 sectors up to XP/2003 and 2047 sectors since Vista
2) in case of an extended partition (and logical volumes in them) the EPBR and the same (63 or 2047) sectors (one set for each logical volume)
3) in some cases (more common in XP/2003 and much less in Vista and later) a bunch of sectors at the end of the disk (typically less than one cylinder, i.e. max 1x255x63=16065 sectors in the case of XP/2003, and less than 1 MB in Vista and later, max 2048 sectors).
The whole point (beside the fact that once a byte is overwritten once with 00 it remains 00 and you cannot read anything different from 00 from it, and thus anything but a single pass is a waste of time and unneeded stress on the hard disk) is that these sectors NEVER contain "personal", "private" or "sensible" data.
In "normal" operation of a PC/OS they will all be 00 anyway, at the very most (and only in case of "queer", repeated partitioning/re-partitioning ) they might contain traces of a previous partitioning scheme (which scheme does not in itself contain any "personal", "private" or "sensible" data), BUT in a few, extreme and particular cases they may contain some DATA originally belonging to files in the previous filesystem.
So if you
1) dd 00's to the first 2048 sectors
2) dd 00's to the last 16065 sectors
3) create a single primary partition/volume spanning the whole size of the disk and format it without the /q or "quick" switch in any Windows OS (Vista or later)
you are 100% sure that NO DATA can be retrieved from the disk.
In 99% of the cases steps #1 and #2 above are not needed, but since they cost nothing and it takes no more than a few seconds to carry them out, it doesn't make a difference.
Very likely soon some other member will mention HPA's and DCO's (and also p-lists and g-lists) and will tell you how the only secure method of deletion is that of physically destroying the device, but of course that will prevent you from selling the disk drive, so I would say that it shouldn't matter ;)
JFYI, somehow related
http://www.forensicfocus.com/Forums/viewtopic/t=9682/
http://www.forensicfocus.com/Forums/viewtopic/t=10233/
jaclaz
Here is a Harvard study examining the efficacy of cipher.exe in older versions of Windows. The article seems to take the opinion of doubting its efficacy,
Well, the authors make it fairly clear where the shortcomings are, don't they?
Does anyone know what these two utilities actually do and how well they work?
The cipher method is sensitive to whatever else is going on on the system. Anything hogging sectors will prevent them from being overwritten. That's one of the things mentioned in the article. You don't really want that kind of dependency.
The reinstall method probably does a format /p – which means it does not suffer from the weaknesses of cipher. However, it only applies to a volume (which Microsoft sometimes refers to as 'drive').
Compared to DBAN?
DBAN is used to erase an entire disk. That is, everything from sector 0 to SECTOR_MAX. Not just a partition or parts of a partition, but 'everything'.
Yes, that makes it slower.
If Windows is writing a pass of zeroes over the entire drive, where is it pulling the data to install Windows from?
It doesn't write zeroes over the entire drive (= hard disk). Format does not work on hard disks. It works on partitions established by fdisk (or more modern equivalents).
The Windows installation data is obtained from the recovery partition, I'll bet.
As I said, the tools you are asking about work on partitions and/or volumes, not entire disks.
The behaviour of Windows 10 (i.e. it does a format /p) is a guess on my part, but I see that a Microsoft source does mention it. Still, without deeper investigation, it is only a guess.
Jaclaz has already described how you can format some part and overwrite some.
However, it is likely to take just about as long as DBAN, and perhaps longer.
Me, I'd probably go for the ATA SECURE ERASE, followed by some reasonable sampling of sector verification to estimate the likelihood that it wasn't faked or buggy. This sends one command to the disk, which then does the remaining job on its own. No need for a fast data channel over which oodles of zero sectors need to pass. (The sample verification needs a nippy data path, however.)
Me, I'd probably go for the ATA SECURE ERASE, followed by some reasonable sampling of sector verification to estimate the likelihood that it wasn't faked or buggy. This sends one command to the disk, which then does the remaining job on its own. No need for a fast data channel over which oodles of zero sectors need to pass. (The sample verification needs a nippy data path, however.)
As a corollary, Secure Erase in itself makes all zeroes "internally" to the drive, but the tool used to activate that internal command may log the result (which is a good thing in itself as it is proof that everything went well).
As an example (and IF I recall correctly) the good ol' (now a tad bit dated) HDDErase
http//
wrote on first sector (the MBR) some data.
Nowadays using hdparm is advised, see
https://
A good way to make sure (once it has been verified that also the MBR is all 00's) that all accessible areas on the drive are actually 00's would be to checksum the whole disk (it will take time) and compare with the result of this calculator
http//
See also
http://www.forensicfocus.com/Forums/viewtopic/t=5077/
This way (though as said the time needed to read the whole disk will be needed) you would be certain of the result (as the "reasonable sampling", though "reasonable" remains a "sampling" and as such potentially not fully "exact").
jaclaz
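One way to carry out the whole-disk check jaclaz describes (read every sector once, checksum it, and compare with the digest an all-zero disk of the same size would have, instead of sampling), as an added Python example that is not from this thread or any of the tools named in it; it assumes 512-byte sectors and takes the path of a raw device or image, and the sample image it builds for demonstration is constructed in-code:

```python
import hashlib
import os
import tempfile

SECTOR = 512  # assumption: 512-byte logical sectors, as on the HDD discussed

def zero_disk_digest(size_bytes, algo="sha256", chunk=1 << 20):
    """Digest a disk of size_bytes would have if every byte were 00 (the
    'calculator' value); the zero buffer is streamed, nothing disk-sized is allocated."""
    h = hashlib.new(algo)
    zeros = bytes(chunk)
    full, rest = divmod(size_bytes, chunk)
    for _ in range(full):
        h.update(zeros)
    h.update(zeros[:rest])
    return h.hexdigest()

def verify_zeroed(path, algo="sha256", chunk=1 << 20):
    """One sequential read of a device or image: returns the digest, the size
    read and the byte offset of the first non-zero byte (None if all 00)."""
    h = hashlib.new(algo)
    first_nonzero, offset = None, 0
    with open(path, "rb") as f:
        while buf := f.read(chunk):
            h.update(buf)
            if first_nonzero is None and buf.count(0) != len(buf):
                first_nonzero = offset + (len(buf) - len(buf.lstrip(b"\x00")))
            offset += len(buf)
    return h.hexdigest(), offset, first_nonzero

def report(path):
    """Compare the read digest with the all-zero digest for the same size and
    point at the first dirty sector, e.g. an MBR the erase tool wrote to."""
    digest, size, first = verify_zeroed(path)
    return {"size": size,
            "clean": digest == zero_disk_digest(size),
            "first_nonzero_sector": None if first is None else first // SECTOR}

def make_sample_image(total_sectors, dirty_sector=None, path=None):
    """Constructed sample: an all-zero image, optionally with one sector left
    non-zero (a few constructed bytes standing in for an MBR remnant)."""
    if path is None:
        fd, path = tempfile.mkstemp(suffix=".img")
        os.close(fd)
    with open(path, "wb") as f:
        f.truncate(total_sectors * SECTOR)  # sparse file, reads back as 00s
        if dirty_sector is not None:
            f.seek(dirty_sector * SECTOR)
            f.write(b"\x33\xc0\x8e\xd0")
    return path
```

On a real drive, run `report("/dev/sdX")` (or the image path) once the device has been erased; a non-None `first_nonzero_sector` tells you where to look in a hex viewer.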