Please, For the Love of All That's Recoverable, Shred Your Hard Drive!

by Kyle Rankin

Related link: http://www.timesonline.co.uk/article/0,,2-1487674,00.html



Bruce Schneier has linked to yet another study that shows that people don't securely delete data from drives before selling them. This group purchased 111 supposedly clean hard drives and recovered a lot of sensitive information including "national insurance numbers, evidence of a married woman’s affair and detailed biographical information about children." I think the major issue is that the average person thinks that formatting the drive is how you erase data, and that anything more sophisticated is too difficult or expensive. Here I'll show you how to easily shred a drive using free open source tools.

The basic problem with a regular format of a hard drive is that it generally doesn't go back and scramble all of the data. The data usually just sits there, waiting for someone with low-level tools to recover it. Even if you do a "low-level format" and write over the full drive with zeroes, there's still a chance that an individual with the right (albeit expensive) equipment can recover data from the drive. The cost of the equipment is a minor issue if the data to be recovered is worth even more (company trade secrets, for example). Because of the magnetic nature of hard drives, writing to a sector doesn't necessarily mean the previous data is completely overwritten. Often you can pick up the trace of the previous write.

The solution to this issue is to write over the drive multiple times with random data, so that any real data on it is scrambled with random data that will likely overwrite its place on the drive. Doing this isn't as hard as it might seem, and doesn't require any script-fu. All you need is a bootable Linux distribution, such as Knoppix, that has the "shred" tool installed.

Shred is designed primarily to securely delete files on the system. When you shred a file, shred not only unlinks it, but it also overwrites the sectors on the drive 25 times with random data. Since "everything is a file" on a UNIX system, you can use this to shred the entire partition or even the entire drive.

First, boot your bootable Linux distribution. You don't need a graphical desktop for this operation, just a terminal, so if it can boot directly to console, save yourself some time and go that route (under Knoppix you'd boot with the knoppix 2 cheat code).

The next step is to identify the partition. If you only have a single IDE drive on the system, likely it will be /dev/hda and if it has a single partition, it will probably show up under /dev/hda1. If you are unfamiliar with Linux and what device your drive will show up as, in the case of a Knoppix CD you can just boot to the full graphical environment and look at the name of the hard drive icons on the desktop for a clue.

After you have identified the partition to shred, the next step is to actually shred it. You will need root permissions for this (most console modes on rescue CDs will automatically give you root permissions) since you are writing directly to the hard drive. Then, run:


# shred -n 2 -z -v /dev/hda1


This tells shred to overwrite the partition 2 times with random data (-n 2), then finish by writing over it with zeroes (-z), and to show you its progress (-v). Of course, change /dev/hda1 to whatever your partition is. Each pass can take some time, which is why I set it to do only 2 random passes instead of the default 25. You can adjust this number, of course, to your particular level of paranoia and the amount of time you have.

Since shred writes at such a low level, it doesn't actually matter what kind of filesystem is on the partition--everything will be unrecoverable. Once shred is finished, you can shut down the machine and sell or throw away the drive with peace of mind.
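
The procedure above, wrapped with the checks you would want before and after the wipe (an added example, not part of the original article): it refuses a mounted target, runs the same shred command, then confirms the zero pass by comparing the whole target to /dev/zero. The function names are hypothetical, and a regular file is accepted as a target so you can rehearse on a disk image first.

```bash
#!/bin/bash
# Added example, not from the original article. Function names are hypothetical.
# Usage (as root, from the rescue CD): ./wipe.sh /dev/hda1

# True if the target appears as a mounted source device in /proc/mounts.
is_mounted() {
    awk -v d="$1" '$1 == d { found = 1 } END { exit !found }' /proc/mounts
}

# Size in bytes: blockdev for a partition or disk, wc for a rehearsal image file.
target_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1"
    fi
}

# After the -z pass every byte should be zero, so the whole target must
# compare equal to the same number of bytes read from /dev/zero.
verify_zeroed() {
    cmp -s -n "$(target_size "$1")" "$1" /dev/zero
}

# Return codes: 2 = bad target, 3 = mounted, 4 = shred failed, 5 = verify failed.
wipe_target() {
    target=$1
    if [ ! -b "$target" ] && [ ! -f "$target" ]; then
        echo "not a block device or image file: $target" >&2
        return 2
    fi
    if is_mounted "$target"; then
        echo "refusing to shred $target: it is mounted" >&2
        return 3
    fi
    # Same options as the article: 2 random passes, a final zero pass, progress.
    shred -n 2 -z -v "$target" || return 4
    if ! verify_zeroed "$target"; then
        echo "verification failed: non-zero data remains on $target" >&2
        return 5
    fi
    echo "$target wiped and verified"
}

# Run only when a target is given on the command line.
[ "$#" -eq 0 ] || wipe_target "$1"
```

A passing check covers only the sectors the drive still exposes; as the shred info page quoted in the comments notes, sectors the disk has mapped out as bad are beyond its reach.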

Does your company have a data shredding policy?


12 Comments

myc18
2005-03-02 12:13:25
Great
Great tip. Knoppix Hacks is an incredible book. But what is the difference between this technique and the US Department of Defense disk clearing and sanitizing standard DoD 5220.22-M ("Overwrite all addressable locations with a character, its complement, then a random character and verify")?
greenfly
2005-03-02 12:38:40
Great
Thanks.


The primary difference between shred and the DoD standard is that shred writes a random character on all passes (except for the last pass if you use -z) instead of just the last pass. Two passes of dd, the first writing a one, the second a zero, followed up by shred -n 1, would perform the DoD method. The idea behind the shred method is that since each write is random, it's more difficult to piece together legitimate data after the fact.

jwenting
2005-03-03 00:46:37
easier still
Hard drives these days are so cheap you'd better just go to a garden center and rent one of those industrial wood shredders forestry departments and cities use to shred branches of trees that have been cut down or pruned.
Turn it on then throw the drive into the input hopper. Guaranteed no one's going to read the data off it ever again.
blackhole
2005-03-04 04:22:25
Random or preset?
This is the second place I have seen the assertion that shred uses random data. The shred info page in my RH 7.0 system makes it sound like particular (non-random) patterns are used. Such as this description of the -n option:


By default, `shred' uses 25 passes of overwrite. This is enough for all of the useful overwrite patterns to be used at least once. You can reduce this to save time, or increase it if you have a lot of time to waste.


Can you account for this discrepancy? Did the functioning of shred change?



KLK
2005-03-04 06:46:16
Look at DBAN
At my company we use DBAN. It has a few advantages over shred if you are throwing out a hard drive. First, shred must live on the OS, so you cannot shred the OS itself. Also, shred only works on OSes that have shred, so shredding a Windows box is more difficult.
DBAN is a small Linux distro on a bootable floppy. You just boot from the floppy and it erases everything from your hard drive. The OS on the hard drive no longer matters (Windows or Linux).
markybob
2005-03-04 06:47:03
from man shred
Since shred writes on such a low-level, it doesn't actually matter what kind of filesystem is on the partition


[snip...]


CAUTION: Note that shred relies on a very important assumption: that
the filesystem overwrites data in place. This is the traditional way
to do things, but many modern filesystem designs do not satisfy this
assumption. The following are examples of filesystems on which shred
is not effective:


* log-structured or journaled filesystems, such as those supplied with
AIX and Solaris (and JFS, ReiserFS, XFS, Ext3, etc.)


* filesystems that write redundant data and carry on even if some
writes fail, such as RAID-based filesystems


* filesystems that make snapshots, such as Network Appliance's NFS server


* filesystems that cache in temporary locations, such as NFS version 3
clients


* compressed filesystems


greenfly
2005-03-04 08:56:49
from man shred
I think you have misunderstood me. You are talking about using shred when overwriting a single file. I'm talking about using shred to write bit-by-bit over an entire partition. From the shred info page:



Generally speaking, it is more reliable to shred a device than a file, since this bypasses the problem of filesystem design mentioned above. However, even shredding devices is not always completely reliable. For example, most disks map out bad sectors invisibly to the application; if the bad sectors contain sensitive data, `shred' won't be able to destroy it.
greenfly
2005-03-04 08:58:32
Look at DBAN
In my blog entry, I was discussing using shred on some sort of bootable CD, so like DBAN, it doesn't matter what OS is running on the actual hard drive.
greenfly
2005-03-04 09:08:31
Random or preset?
You seem to be correct. That seems to indicate that the patterns aren't exactly random (not that the man or info pages go into detail on what type of patterns it uses, I imagine we'd have to look at the source). Of course, it's altogether possible that at least some of the patterns are in fact random.
LynnBecker
2005-03-05 16:58:33
Eraser - Free and Open Source
I use the "Nuke" disk option from the Eraser program to do this.


http://www.heidi.ie/eraser/


pretty user-friendly.


tellarite
2005-03-31 17:50:12
from man shred
I assume that since you pasted part of the man page from shred you assume that the article's method does not work on filesystems like JFS, ReiserFS, XFS, Ext3, etc.


This is completely incorrect. The article's method works great _no_matter_what_filesystem is used on the hard drive.


What the man page is saying is that it cannot guarantee that an individual _file_ can be erased on journaling filesystems. Since we're shredding the entire filesystem this is a non-issue.

justme
2006-05-11 14:12:55
Hello,
In the interest of being super-paranoid & protective of data, can someone please post here whether there is a way to ERASE/"defile"/damage all contents on a hard drive that is damaged already and won't start and stay running? We had a drive fail and managed to get most of the data copied off it, but it stopped and now we cannot shred/delete sensitive data. We wonder if there is any way to WRECK the thing before tossing it, in case it decided in the future to start up for some Dumpster-Diver...
We managed to get it to start today after it's been sitting about 4 years in a box on a shelf. So apparently it MIGHT still be possible for it to start up and provide the data in the future. But subsequent tries, about 50 or so, after it died today just cause it to START, WHINE AND GROAN, and QUIT on us.


Help??? Thanks.