Storage Bits

Robin Harris
Home / News & Blogs / Storage Bits

How to REALLY erase a hard drive

By | May 1, 2007, 8:44pm PDT

You may already know that “deleting” a file does nothing of the sort. But did you know that your disk drive has a built-in system for the secure erasure of data?

No? Then read on.

What do you mean “delete” doesn’t delete?
File information is maintained in a directory so your operating system can find it. All that “delete” does is erase the file’s reference information. Your OS can’t find it, but the data is still there.

That’s what those “file recovery” programs look for: data in blocks that the directory says aren’t in use.

You really want to do this
If you keep business, medical, or personal financial information on disks, simple deletion isn’t enough to protect the data when disposing of the equipment.

Besides identity theft, data loss may leave you or your company liable under federal laws such as HIPAA, Sarbanes-Oxley, Graham-Leach-Bliley or other state laws. Criminal penalties include fines and prison terms up to 20 years. Not to mention the civil suits that can result.

So what’s the magic?
Something called Secure Erase, a set of commands embedded in most ATA drives built since 2001. If this is so wonderful, why haven’t you heard of it before? Because it’s been disabled by most motherboard BIOSes.

Secure Erase is a loaded gun aimed right at your data. And Murphy’s Law is still in force. But hey, if you’re smart enough to read Storage Bits, you’re smart enough to not play with Secure Erase until you need to.

How does Secure Erase work?
Secure Erase overwrites every single track on the hard drive. That includes the data on “bad blocks”, the data left at the end of partly overwritten blocks, directories, everything. There is no data recovery from Secure Erase.

Says who?
The National Security Agency, for one. And the National Institute for Standards and Testing (NIST), who give it a higher security rating than external block overwrite software that you’d have to buy. Update: There is an open source external block overwrite utility called Boot and Nuke that is free.

Secure Erase is approved for complying with the legal requirements noted above.

UCSD’s CMRR to the rescue
The University of California at San Diego hosts the Center for Magnetic Recording Research. Dr. Gordon Hughes of CMRR helped develop the Secure Erase standard.

Download his Freeware Secure Erase Utility, read the ReadMe file and you’re good to go.

To use it you’ll need to know how to create a DOS boot disk - in XP you can do it with the “Format” option after you right-click the floppy icon in My Computer.

August 2009 Update: The NSA is no longer supporting Dr. Hughes research, so he and his grad students can no longer support the software. However it still works. I also updated the link above. End update.

Update: Some folks have commented that I didn’t actually say how to use the utility, leaving that to the readme. For those of you who’d like to judge how tricky this is - and it is definitely not for newbies - here’s a quote from the instructions:

Instructions for using HDDerase.exe
—————————————-
Copy the downloaded file, HDDerase.exe onto the created floppy/CD-ROM bootable DOS disk. Boot the computer in DOS using the bootable disk. Make sure to set the correct boot priority setting in the system BIOS. Type “hdderase” at system/DOS prompt to run HDDerase.exe. All ATA hard disk drives connected to the main system board will be identified and their information displayed. Make sure that the jumpers on the hard disk drives are correctly configured. Avoid setting the jumpers to CS (cable select) on the hard disk drives. Master or slave jumper setting is preferred.

There’s more, but if this is more than you want to deal with then Secure Erase isn’t for you. Update II: A late commenter says “Floppy boot does not understand SATA drives and thus the method described does not work.” I don’t know if it is true or not, but if it is it is worth knowing. Maybe someone well-versed in Windows floppy booting can confirm.

Update III: Well, it appears that bad information can be found on the web. Who knew? This just in from Daniel Commins, a grad student in the CMRR program:

SATA drives can be erased after being booted from a Windows XP MS-DOS startup disk using our software, with over a dozen such drives from various manufacturers I have tested as proof. Another excerpt from the FAQ section of the readme file:

Q: Can HDDerase.exe be used to erase my onboard SATA drive?

A: Yes, but some BIOS configuration may be required. Since hdderase.exe only
detects drives on the primary and secondary IDE channels (P0, P1, S0, S1) the
BIOS must be configured so that the SATA drive is detected one of these channels.
This can be done by switching the SATA drive from “enhanced mode” to
“compatibility mode” in BIOS (compatibility mode is sometimes called “native mode”
or “IDE mode”). E.g. BIOS >> IDE configuration >> onboard IDE operate mode >>
compatibility mode. Note - not all BIOSs support this feature.

Thanks for setting the record straight, Daniel.

The Storage Bits take
Protecting data sometimes means erasing it. With this utility every storage pro has another tool to protect confidential information.

PS. Mac users already have a similar option under the Finder: “Secure Empty Trash”. And with Disk Utility you can perform a secure erase of all drive free space.

Comments welcome.
Another August 2009 update: Laptop users should have charged batteries and preferably wall power. If power fails during a secure erase the “. . . the drive will be in a locked state, preventing all I/O access.” Since a large drive can take 2-3 hours to erase, I recommend plugging in wall power for all notebook machines. End update.

Kick off your day with ZDNet's daily e-mail newsletter. It's the freshest tech news and opinion, served hot. Get it.

More from “Storage Bits”

Topics

IDE, Hard Drive, Disk, BIOS, Disk Drive, Serial ATA, Robin Harris

Robin Harris has been messing with computers for over 30 years and selling and marketing data storage for over 20 in companies large and small.

Disclosure

Robin Harris

Robin Harris is a president of TechnoQWAN, a consulting and analyst firm in northern Arizona. He also writes StorageMojo.com, a blog which accepts advertising from companies in the storage industry, and has a 25 year history with IT vendors. He has many industry contacts, many of whom are friends and all of whom he has opinions about. Robin has relationships with many companies in the technology industry. Every company he writes about may have sought to influence his opinion through carefully-crafted marketing messages and self-serving white papers, gifts ranging from desk calendars, t-shirts, lunches and trips as well as analyst or consulting assignments. He also invests in some technology companies. He may accept payment for services in stock as well. Robin discloses financial investments in or client relationships with companies named in Storage Bits. To help readers sort out the gold from the dross in his writings, Robin tries to communicate his reasons as clearly as he can. If you agree, you are intelligent and discerning. If you disagree, well, you disagree. In all cases, Robin encourages readers to subject everything they read, see or hear on the internet or from politicians to some simple questions: * What assumptions are implicit in the world view and judgments of the author? * What, if any, is the factual basis for the opinions the author expresses? * Is it reasonable, logical and clear? Your critical faculties: use ‘em or lose ‘em!

Biography

Robin Harris

Harris has been messing with computers for over 30 years and selling and marketing data storage for over 20 in companies large and small. He introduced a couple of multi-billion dollar storage products (DLT, the first Fibre Channel array) to market, as well as a many smaller ones. Earlier he spent 10 years marketing servers and networks. After leaving corporate life he founded TechnoQWAN, a consulting and analyst firm. He also developed StorageMojo into one of the top storage industry blogs.

Robin writes, consults, coaches and lives among the mountains of northern Arizona.

Talkback Most Recent of 302 Talkback(s)

  • You've got to be kidding, right?
    This article fails to mention the Darik's Boot and Nuke? Which is without question, and always has been, the best open source (so you know it actually works) and respected hard drive wiper for many many years.

    Come on. This article gets a 'D' at best.
    ZDNet Gravatar
    tecopa03
    1st May 2007

  • ZDNet Blogger

    Boot & Nuke is technically and legally inferior
    I guess in your rush to defend what you've used you overlooked a few key points:

    Boot & Nuke is an external disk wiper and will, for instance, ignore
    remapped block
    Boot & Nuke is not NIST certified per NIST 800-88 to meet legal
    requirements, nor could it be, since it is an external disk wiper
    Secure Erase is faster and allows you to erase multiple disks in parallel
    since it is the disk doing the work, not the CPU

    I like open source software too, but sometimes you need to look under the covers
    to understand what you are getting.

    Robin
    ZDNet Gravatar
    R Harris
    2nd May 2007
  • Message has been deleted.
    ZDNet Gravatar
    tecopa03
    2nd May 2007
    • Flagged
  • DBAN vs. Secure Erase
    Checked it out for myself, then talked to a good friend who is a computer sciences professor at a nearby state university. We tried it out on 2 systems. Robin's right, Secure Erase is SIGNIFICANTLY faster and completely compliant with U.S. gov standards and practices, DBAN is effective but much slower and NOT technically compliant. In a world where people get sued at the drop of a hat and "noncompliance" can involve obscene fines and endless harassment by government agencies... no thanks I'll take the "compliant" choice every time... Thanks for the heads up Robin!
    ZDNet Gravatar
    tech3@...
    2nd May 2007
  • I have to agree...
    ... with Mr. Harris. If you'll read the Boot & Nuke FAQ, it states explicitly that he will not state that DBAN will work properly, and when asked "Does DBAN conform to my favorite certification or fulfill my local regulatory requirements? HIPAA, Sorbanes-Oxley, PIPEDA, et al?" the answer is simply "No." If you want/need such certifications, you are instructed to buy EBAN, which is the commercial version of DBAN.

    Given this, I would strongly recommend you discuss the legal implications of your present data sanitation practices with your legal department.

    Also, since "Secure Erase" is free and that the body that created the utility (CMRR) is not a commercial entity but a research center based at the University of California, San Diego, I believe your accusations of Mr. Harris benefiting financially from promoting this utility are baseless. If you wish to examine the code for this utility to confirm to your own satisfaction that it works as advertised, I suggest you contact Dr. Hughes at CMRR.
    ZDNet Gravatar
    muzhik
    2nd May 2007
  • More secure way.
    Hi all, the software in question is top dog, but for me i take the harddrive to bits, breakup the disks into small pieces and pass on to recycling (melted down for new).Though if you would want the harddrive to have a secound life then "Secure Erase" is the way to go.
    ZDNet Gravatar
    Peconet Tietokoneet-21703818799325819467806990363298
    14th May 2007
  • Please be polite
    You lose credibility and make it difficult to be taken seriously when you are vulgar and rude.
    ZDNet Gravatar
    krisaustinse@...
    2nd May 2007
  • Rightful observation
    Justifiable observation and, when vulgarity is introduced in the message, it is the clearest indicator of the writer being uneducated. Now, how's that for a disk wipe?
    ZDNet Gravatar
    professordnm
    2nd May 2007
  • You really should READ an article before you begin to slam it.
    You'd see that Secure Erase IS IN THE HARDWARE.

    If you really do work for the DoD (not DOD), I shudder for our national security and begin to understand where some of our problems are coming from.

    From now on RTFA!
    ZDNet Gravatar
    friedcow
    2nd May 2007
  • I used to work for the Department of Defense
    Even the security gurus are often clueless about the software they use and 'recommend'.

    The fact of the matter is, most of them are handed an application, told that it does such and such, and ordered to use it and nothing else. Failure to do so is considered failure to obey a lawful order and a nasty legal offense which tends to eliminate any desire to explore other alternatives, or even understand how something works.

    My favorite story is the time I bought a couple of pallets of computers from DRMO, and found the OSI had nelected to remove their investigation case files from a bunch of them. And after repossessing them for two weeks to 'sanitize' them, returned them to me after merely deleting the files and not properly erasing them.

    And you don't even want to know the abysmal institutional and individual acts of stupidity my brother saw when he worked for crypto maintenance.

    That's why I'm none too impressed by our government agencies when it comes to security.
    ZDNet Gravatar
    Dr_Zinj
    2nd May 2007
  • Too true...
    Unfortunately, public servants tend not to bother with doing things well, but rather with doing them just barely well enough.

    For an example, look here:

    http://screamingweasel.org/~bixbyru/notmyjob.jpg

    As for private industry, where there is a profit motive, things can be a little better. They're not always better, but usually they are.

    As a former Federal staffer m'self, my heart goes out to you.

    Bix
    ZDNet Gravatar
    bixbyru@...
    2nd May 2007
  • Turned into DRMO
    If I read your message correctly, you blame OSI and not DRMO. I have turned in plenty of computer equipment to DRMO it just would not be possible for them to wipe everything they get.

    I can remember using the DOD authorized software we got from TobyHannah(sp?)to do a low level wipe (7 passes) on about 250 computers we then turned into DRMO. We had to attach a form to each one to verify they were wiped. We had them stacked on pallats in our storage room with a monitor on each pallet and a couple of power strips. We would boot with the wipe disk, start the wipe, unplug the keyboard and monitor and move to the next one. We probably wiped about 20-30 at a time, and let them run all day as it took so long, usually starting a batch before we left for the night. Then move the monitor cable back to verify they were done.

    Lots of work, sounds like this utility would run much faster. Did I mention the computers we were wiping were 386 and 486 with only 20-40GB drives in 2002? Gotta love army hardware.
    ZDNet Gravatar
    swattz101
    2nd May 2007
  • 386?
    With a drive over a gig? Why upgrade the drive on something that oulde?

    Wow...
    ZDNet Gravatar
    bixbyru@...
    2nd May 2007
  • Sandpaper and Elbow-Grease
    Ex Navy vet here.. I recall disassembling HDDs and taking sandpaper to the plattens before dispoal of the remains as a frizbee.
    ZDNet Gravatar
    CiberWulf
    3rd May 2007
  • Degausse and done
    I have to say I prefer the current method required the IA unit I am working for now at Camp Lejeune. Buy the NSA approved degausser and render the drives forever inoperable. Only takes about 10 seconds per drive, though it costs a good bit more than free. Taxpayer money hard at work.
    ZDNet Gravatar
    Silverbow
    7th May 2007
View More Comments

Talkback - Tell Us What You Think

Formatting +
BB Codes - Note: HTML is not supported in forums
  • [b] Bold [/b]
  • [i] Italic [/i]
  • [u] Underline [/u]
  • [s] Strikethrough [/s]
  • [q] "Quote" [/q]
  • [ol][*] 1. Ordered List [/ol]
  • [ul][*] · Unordered List [/ul]
  • [pre] Preformat [/pre]
  • [quote] "Blockquote" [/quote]

The best of ZDNet, delivered

ZDNet Newsletters

Get the best of ZDNet delivered straight to your inbox

Facebook Activity

Blog Roll

Blog Archive

White Papers, Webcasts, & Resources