
Ubuntu and Disk Wiping
Posted by: Ross Del Duca in Debian/{*}Ubuntu Diversions..., General Tech Ramblings, Security Forum
Ever want to use your Ubuntu distribution to obliterate the data on a disk volume? It may be easier than you think!
First thing - the disclaimer. I’m very conscious about not misrepresenting myself to my blog aggregators regarding what my posts are actually about. On the other hand, after looking at my blog stats, search queries have turned up my site for searches roughly along the lines “Ubuntu Wipe Disk” at a rate that I did not expect. So why this disclaimer?
All of the methods that I am about to present are not really Ubuntu specific. However, as a good blogger, I have an obligation to provide information pertinent to what my readers are looking for.
Also note that any method below that deals with disk partitions can be used equally for swap partitions - arguably one of the most critical partitions to wipe on any system.
And, with the exception of the section below regarding specific disk eradication software, you can perform pretty much any of these steps even with a “Live” Linux CD - which can save you the hassle of physically connecting the hard drive to your Ubuntu machine.
So, here goes…
So, you want to wipe a disk so that no one else can read what you might have written there?
While that sounds like a fairly simple task, there are really some assumptions built into the question that you must consider first:
- What exactly do you want to wipe? Is it an entire disk, or just a partition on the disk?
- Who is the “no one” that you want to protect your data from?
- Are you performing this action in response to your own needs, or the needs of your company or corporation?
- If you are performing these actions for your company, are there any particular regulatory requirements that you must meet?
With our question framed properly, we can move forward with an actual plan to meet your requirements. Here goes:
What exactly do you want to wipe?
For most methods presented in this article, what you want to wipe doesn’t really change the method used to wipe it, except for the parameters passed to the specific tools.
Identifying where to perform your wipe.
OK. So you’ve either booted up the target machine with a Live CD, or you’ve attached the drive to your current workstation. How do you know which device it is? Well, here’s a little background. Those of you familiar with Linux device names and identifying attached hard drives will probably want to skip ahead.
Any attached hard drive can be accessed, as if it were a normal file, under the /dev tree. Generally speaking (there are definitely some exceptions to this) IDE type drives follow the naming convention /dev/hdX - where X is a letter a, b, c etc., and other non-IDE type drives (including SCSI, SATA, etc.) are identified as /dev/sdX.
So, for example, the first detected IDE drive (IDE Disk 1 on channel 1 of the first controller) would be at /dev/hda, while the second would be at /dev/hdb.
Likewise, SCSI drives follow a similar pattern. The first drive (or LUN, if it is an array) on the first channel of the first detected SCSI controller would be identified as /dev/sda, the second /dev/sdb, etc.
So what do I mean by “first detected”? This is (again, generally speaking) the order in which the kernel module drivers for the devices are loaded.
OK - so that’s how to identify the drive. What about partitions? Those are assigned to a different point under the /dev tree, with a numeric indicator of the partition number (in sequential order). For example, the first partition of the first IDE drive will be /dev/hda1, and the second /dev/hda2. As you might expect, the partitions of the first SCSI drive would be /dev/sda1, /dev/sda2, etc.
However, things get a little more interesting if you involve the Logical Volume Manager.
I won’t go into the details of how the Logical Volume Manager (LVM) relates to partition numbers. If you are faced with this situation and don’t quite understand which partition means what, I’d actually recommend just wiping the entire disk.
Performing the wipe the quick-n-dirty way.
This method is not entirely secure (meaning a determined person could potentially recover data even after this) but it will protect you against all reasonable, common attempts to scavenge data from the drive.
The core of all of this stems from the fact that deletes on pretty much all file system types don’t actually delete. Generally, they overwrite pointers on the disk that point to where the actual data resides. With the pointers gone, the operating system (Linux, Windows, whatever) has no idea of how to read the data. But the data is still physically on the disk, and can be retrieved almost trivially with a little knowledge and commonly available tools such as Foremost (Ubuntu package: ‘foremost’ - Forensics application to recover data).
So, what we want to do is actually overwrite all of the old data. (Note: if you are going to wipe a disk or a partition using these methods, there is no benefit to deleting stuff prior to the operation. Save yourself some time)
Also, for the methods below, it really makes no difference what operating system created the data in the first place. If you can get the drive attached to your machine (or access it by booting with a Live CD) you can easily erase a Windows, Mac OS X, MS-DOS or whatever drive.
So, here we go.
If all you want to do is overwrite the data, then the simple command line tool ‘dd’ is your friend. dd stands for ‘Direct Dump’ and it does just that - directly dump data to a file. Only in this case, our “file” will be the device link to a disk or partition.
dd has kind of a funny syntax (funny in the UNIX or Linux world, at least) for specifying command line parameters. It is <param>=<value>. To start off, there are only two that we need to worry about. These are ‘if’ (for input file) and ‘of’ (for output file). So, let’s say we want to wipe the first partition of the first SCSI drive in our system. That’s easy! Just use:
dd if=/dev/zero of=/dev/sda1
of=/dev/sda1 tells dd to write all data to /dev/sda1, or the first partition of the first SCSI drive.
if=/dev/zero may seem a little strange if you’ve never seen it before. The device /dev/zero is essentially a pseudo-device that dumps out a continual string of zeros. So, dd will continually read from its input file (if=) and write that same data to its output file (of=) until…
Well, basically, until it gets an error that the disk is full. Which is exactly what we want in this situation, a disk full of zero bit data, or a completely erased disk.
If you want to be a little cooler with your use of dd parameters, you can utilize the bs= and count= parameters. bs= designates the block size, and count= is the number of bs chunks of data (i.e. the number of blocks) of data that will be written. If you are not familiar with how to determine the block size and block count of your disk drive, I’d highly recommend just using the method described above.
So that erased my disk! Great, what else could I have to worry about?
Well, that depends on either 1) how paranoid you are, or 2) what your application is.
For the really paranoid, always remember remanence!
So what the heck is remanence? Basically, you can think of this as leftovers in the process of writing data to magnetic media. At a very high level, writing to magnetic media is basically applying a magnetic field to a region of the media to change the “pole” or “charge” of that region. For simplicity’s sake, think of the two poles of a magnet, north (N) and south (S). Now imagine that all N regions represent a 0 (zero) and all S regions represent a 1. You’ve got a simple formula for representing your binary data on your magnetic media.
Since this is a process of changing the magnetic orientation of a region of media, things can change over time. Fluctuations in the space between the write head and the media due to heat variations, humidity, etc., as well as changes in the media itself over time can affect the way the media responds to this reorientation process.
Or, as another analogy, imagine that you are standing in front of a wall with a bunch of balloons filled with either red or green paint. Assuming you can always throw the balloon at the exact spot on the wall, tiny differences in the wind at the time it is thrown or whatever will result in slightly different patterns splattered on the wall. While the center of the region will always obviously be either red or green after each throw, there will be remnants of previous throws around the rim of where they hit. And, if you threw a green balloon last time, and a red balloon this time, the outer area of the “splatter” will show more green than red.
This is basically what happens with your magnetic media. Tiny tell-tale signs are left on the periphery of the regions that can give clues to data that was written there previously. Processes - such as Magnetic Force Microscopy - can then be run on the media itself to lift this information from the disk and deduce - if not outright read - what was previously there. In other words, simply overwriting your magnetic media with all zeros as above doesn’t completely remove all traces of the data on the disk!
Minimizing remanence via software
It is very important to note that, while software based methods can significantly reduce the possibility of data recovery using magnetic remanence, they can never completely eliminate it. Again, this is one of those things where you have to consider what your requirements are. Do we just want to make sure that no one can reasonably pull our tax return from our hard drive after we sell it on eBay? If so, the software solution below is probably very reasonable. Are you trying to eradicate data from the hard drive that has the super-secret pictures of the alien autopsy performed at Area 51? Well, then, software won’t cut it (and you’re hopefully not looking for advice from my blog anyhow!)
The general idea behind a software based approach to addressing remanence is to not simply overwrite the data once, but to repeatedly ‘flip’ the bits. That is, write all zeros to the disk, followed by all ones, followed again by all zeros. By using this method, you scramble the data available from remanence, and make it much harder for anyone to pull anything useful from the drive. The more times you consecutively ‘flip’ the bits, the better off you are.
Unfortunately, there is no really easy way to stream a series of bits of ones the way that /dev/zero streams bits of zeros. For that, you’ll need some other piece of software.
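As an added example (not code from the original post, and not xFlip), here is a small POSIX-style wiper that ties together the two points above: it derives dd’s bs= and count= from the target’s size so that every byte is covered exactly, and it runs the zero / one / zero ‘flip’ passes, building the all-ones stream from /dev/zero with tr since there is no /dev/one. It assumes a GNU/Linux userland (GNU dd for iflag=fullblock, blockdev(8), /proc/mounts) and uses a constructed temporary file as its demo target in place of a real device.

```shell
#!/bin/sh
# Added example, not from the post and not xFlip. Assumes GNU/Linux dd.
# Demo target is a constructed temp file standing in for /dev/sdX.
set -eu

BS=$((1024 * 1024))   # 1 MiB write blocks: far fewer syscalls than dd's 512-byte default

# Size of the target in bytes: blockdev(8) for a real device, wc for a file.
target_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Best-effort guard: never overwrite a device the kernel currently has mounted.
assert_not_mounted() {
    if grep -qs "^$1 " /proc/mounts; then
        echo "refusing to wipe mounted device $1" >&2
        return 1
    fi
    return 0
}

# Endless stream of the requested fill pattern on stdout. The all-ones
# stream is /dev/zero with every 0x00 byte translated to 0xff by tr(1).
pattern_stream() {
    case "$1" in
        zero)   cat /dev/zero ;;
        one)    LC_ALL=C tr '\000' '\377' < /dev/zero ;;
        random) cat /dev/urandom ;;
        *)      echo "unknown pattern: $1" >&2; return 1 ;;
    esac
}

# One pass over the whole target: count= full blocks of BS, then the partial
# last block (if any) written with ibs=remainder and seek= past the full
# blocks, so nothing is left untouched and a regular file is not extended.
# iflag=fullblock matters: from a pipe, count= counts reads, and a pipe hands
# back 64 KiB at a time, so without it the pass would stop far too early.
wipe_pass() {
    dev=$1; pat=$2
    size=$(target_size "$dev")
    count=$((size / BS))
    rem=$((size % BS))
    pattern_stream "$pat" | dd of="$dev" bs="$BS" count="$count" \
        iflag=fullblock conv=notrunc 2>/dev/null
    if [ "$rem" -gt 0 ]; then
        pattern_stream "$pat" | dd of="$dev" ibs="$rem" obs="$BS" count=1 \
            seek="$count" iflag=fullblock conv=notrunc 2>/dev/null
    fi
}

# The flip sequence from the text: all zeros, then all ones, then zeros again.
multipass_wipe() {
    assert_not_mounted "$1"
    for pat in zero one zero; do
        wipe_pass "$1" "$pat"
    done
}

# Number of bytes in the target that are NOT the given byte (tr octal escape,
# e.g. '\000' or '\377'); 0 means the pass really reached the end.
count_not_byte() {
    LC_ALL=C tr -d "$2" < "$1" | wc -c | tr -d ' '
}

# Constructed sample target: 2 MiB + 512 bytes of random data (the odd 512
# bytes exercise the partial-block path) with a recognizable marker inside.
make_sample_target() {
    f=$(mktemp)
    head -c $((2 * 1024 * 1024 + 512)) /dev/urandom > "$f"
    printf 'TAX RETURN 2007' | dd of="$f" bs=1 seek=1000 conv=notrunc 2>/dev/null
    echo "$f"
}

# True while the marker can still be found with a plain byte search.
has_marker() {
    LC_ALL=C grep -q 'TAX RETURN' "$1"
}

demo() {
    t=$(make_sample_target)
    if has_marker "$t"; then echo "before: marker still readable"; fi
    multipass_wipe "$t"
    echo "after: non-zero bytes left = $(count_not_byte "$t" '\000')"
    rm -f "$t"
}
demo
```

Pointing multipass_wipe at a real device means passing the /dev path identified earlier in the post, from a Live CD or with the drive attached and unmounted; the sizing logic is the same, only target_size switches to blockdev. Note that the post’s caveat about bad sectors applies here exactly as it does to xFlip: anything the drive has remapped away is never reached by writes through /dev/sdX.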
xFlip
One option is xFlip (more details and downloads are available on the xFlip page) written by yours truly. With xFlip, you can choose any combination of:
- Overwrite the data with random bits
- Overwrite the data with all zeros
- Overwrite the data with all ones
- ‘Flip’ all bits to their opposite (technically, XOR each byte with 255)
And you can repeat any combination of these steps an arbitrary number of times. Currently, I’ve not yet created an Ubuntu package for this - either its source or a binary form. However, if you are reasonably comfortable with gcc or your favorite ANSI C compiler, the source code is pretty small and basic. If there is enough demand, I’ll gladly put the time into packaging this for Hardy, for whatever platforms I can get my hands on.
xFlip has its limitations too, however. For example, any sectors that have been marked as “bad” by the disk will not be touched, and could potentially leak data that was originally written to them.
Wipe
The Ubuntu package wipe (sudo apt-get install wipe, or via synaptic package manager) is primarily focused on removing individual files. However, it will happily work with full disk devices or partitions by addressing them with the same /dev tree locations described in the ‘dd’ method above. You’ll probably have to manually install it when using a Live CD, however.
Secure Deletion Toolkit
The Secure deletion toolkit (Ubuntu package secure-delete) is another tool primarily targeting specific files. Again, you’ll not likely find it on most Live CD distributions.
Actually, it is a collection of tools, including:
- srm - wipes all of the data from a file, instead of just removing the pointers.
- sfill - fills (scrambles) all of the free space on a drive. This will obfuscate any data left lying around from files previously deleted on your disk.
- smem - wipes data from memory in a secure way. This may seem silly, until you consider the proliferation of solid state memory devices.
- sswap - wipes swap space.
It may seem odd, but if this is your toolkit of choice, sswap can actually be used to successfully eradicate the data (with the limitation described above) from a hard disk or partition. It’s kind of a hack, but here is the idea:
First, identify your target drive as described in the ‘dd’ method above. Then, with the drive attached to your Ubuntu system or while operating off of a Live CD, initialize the disk or partition as swap space (however, see notes below). For, say, the first IDE drive, you would use the command:
mkswap /dev/hda
Similarly, the first partition on the second SCSI disk would be:
mkswap /dev/sda1
In fact, the mkswap command may not be necessary. This is not my preferred method or software, so I haven’t tried it without the mkswap command.
Then, simply:
sswap {device}
and replace {device} with the /dev path to your hard drive or partition, and you’re good to go.
Further Methods
The only other options for data destruction above and beyond this are all physical methods. Obviously physical methods cannot be accomplished from your workstation, but I include them for completeness:
- Passing the physical disk through a very strong magnetic field. This is referred to as degaussing.
- Incineration. But, you better make it really really hot.
- Shredding. Even more important than with paper, though (due to the small ‘region’ size on high density hard drives), the size of the chunks coming out of a disk shredder is extremely important.
You’ll find a multitude of commercial services offering any of the above. If you work for an organization that is serious about data destruction, but wants to keep it in-house for policy, compliance, or other reasons, commercial degaussers are probably the best bet.
So there ya have it!
In truth, if you are just the average person, the ‘dd’ method described above will likely be plenty for protecting normal user data from any reasonable attempt to extract it. It doesn’t take much more to go the next step and use a tool like xFlip, wipe, or sswap to eradicate the data in a way that would protect you from all but the most determined and money-rich government, investigative agency or contracted digital forensics firm.
References & Links
- http://www.ubuntu.com
- http://en.wikipedia.o...Partition_(computing)
- http://en.wikipedia.o...i/Logical_Unit_Number
- http://www.linuxconfi...ogical_Volume_Manager
- http://foremost.sourceforge.net/
- http://mechmat.caltec...aushik/park/1-3-0.htm
- http://www.soc.org/op...psy/alienautopsy.html
- http://en.wikipedia.org/wiki/Degaussing