
Thread: Linux tools to wipe out a hard drive

  1. #21
    Junior Member
    Join Date
    Jan 2010
    Location
    Canada
    Posts
    84

    Default

    If you plan on reservicing it (which is pretty stupid if it's confidential info) then a simple...

    cat /dev/zero > /dev/[sh]d[a-z];

    (choose the ones in brackets carefully)
    can generally fix it beyond normal forensics.

    Else I suggest cracking that sucker open, rip the disc out, then grind it down to nothing. Next light the case on fire and hit repeatedly with a hammer, both sides of the hammer.

    Leave it at the roadside (free harddrive)

  2. #22
    Super Moderator lupin's Avatar
    Join Date
    Jan 2010
    Posts
    2,943

    Default

    Quote Originally Posted by Gitsnik View Post
    No actually, it's not necessary. 1 pass is enough. OLD drives could be pulled off if you only did one overwrite. Current forensics training (coming in via ASIO and the .au defence department, as well as from some international forensics techs) says that the new disks are packed too tightly to be able to get away with an electron microscope.
    Exactly. For modern/large drives (post 2001/>15 GB) Australia's Defence Signals Directorate (world masters when it comes to over-protection and general IT paranoia) specify that a one pass overwrite followed by verification is sufficient to sanitise media holding data up to and including TOP SECRET. (Ref 2009 ISM). After having spent several years dealing with them I can confirm that they don't make concessions when it comes to security (they are justifiably famous for setting security requirements that border on the impractical), so this can be taken as strong evidence that a one pass verified overwrite is "good enough"...

    That research I referred to earlier included attempts to retrieve data from overwritten drives using force microscopy (which is the most commonly referred to hardware retrieval method) and found that retrieval was infeasible.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
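
    The "one pass overwrite followed by verification" procedure from post #22, as an added example that is not part of the original thread. It runs against a scratch image file rather than a disk; the function names, the 0x00 pattern and the marker string are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: one-pass overwrite plus verification on a scratch image file.
# All names and the 0x00 pattern are assumptions; nothing touches a real disk.

SECTOR=512

make_test_image() {   # $1 = path, $2 = size in sectors
    # Fill with 0xAA so any sector the wipe misses is detectable
    dd if=/dev/zero bs=$SECTOR count="$2" 2>/dev/null |
        LC_ALL=C tr '\000' '\252' > "$1"
    # Constructed "sensitive" data in sector 3
    printf 'CONFIDENTIAL-MARKER' |
        dd of="$1" bs=$SECTOR seek=3 conv=notrunc 2>/dev/null
}

wipe_one_pass() {     # $1 = target, $2 = number of sectors to overwrite
    dd if=/dev/zero of="$1" bs=$SECTOR count="$2" conv=notrunc 2>/dev/null
    sync              # flush to the medium before reading it back
}

verify_zeroed() {     # $1 = target, $2 = expected size in sectors
    # Returns 0 only if the size is as expected and every byte reads 0x00
    actual=$(( $(wc -c < "$1") ))
    [ "$actual" -eq $(( $2 * SECTOR )) ] || return 2
    nonzero=$(( $(LC_ALL=C tr -d '\000' < "$1" | wc -c) ))
    [ "$nonzero" -eq 0 ]
}

# Demo on a 64-sector scratch image
img=$(mktemp)
make_test_image "$img" 64
verify_zeroed "$img" 64 || echo "before wipe: non-zero data present"
wipe_one_pass "$img" 64
verify_zeroed "$img" 64 && echo "after wipe: verified, all bytes 0x00"
rm -f "$img"
```

    The verification step is what catches a wipe that stopped short: an image with even one untouched sector fails `verify_zeroed`.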

  3. #23
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Default

    Quote Originally Posted by lupin View Post
    ...and found that retrieval was infeasible.
    Unless, you know, they click the big red "Plant Evidence" button before clicking the big blue "Find Evidence" button!
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  4. #24
    Super Moderator lupin's Avatar
    Join Date
    Jan 2010
    Posts
    2,943

    Default

    Quote Originally Posted by Gitsnik View Post
    Unless, you know, they click the big red "Plant Evidence" button before clicking the big blue "Find Evidence" button!
    Yes, that's a given, "Plant Evidence" trumps all. I wonder if that's a feature in the LEO version of Encase...
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  5. #25
    Just burned his ISO sl33p's Avatar
    Join Date
    Jan 2010
    Posts
    19

    Talking

    Quote Originally Posted by lupin View Post
    It's my method actually (it's the method I use at work to wipe drives and I posted it to that thread)



    xxd can be used to display binary data in a friendly fashion from the command line. Combine it with dd to view hard drive contents

    e.g. view the contents of the first sector of hard drive device /dev/sda
    Code:
    dd if=/dev/sda count=1 bs=512 | xxd
    hexedit and khexedit can also be used to display binary data in this fashion. Combine either one with dd which can dump the contents of your desired part of the hard drive to a file, and you can then view the contents of that file, which will show you what is in that location in disk

    Dump second sector of /dev/sda to file secondsect, which can then be viewed with hexedit or khexedit to show the contents of that disk sector
    Code:
    dd if=/dev/sda count=1 skip=1 bs=512 >secondsect
    The dd commands need to be run as root so preface with sudo if you are using a non root user.

    There's a number of other forensic tools in the sleuthkit if you find that the hexeditors don't give you what you expected.
    Ok Lupin, sorry! The method is yours.

    In fact, what I need to prove is that some files inside the disk were deleted, you know?
    Like, I don't need to wipe the whole partition. Just need to delete some files and then look for them again using the HexEditor and (hopefully) not find them there anymore. And take a screenshot of the screen. That's it!

    Now, how can I know where in the disk my files are located, I mean... and if it's a program, then I need to know where all the files related to that program are, so I can evidence the correct cleaning of that program?

    I hope I'm not too confusing... lol!

    Thanks again guys!
    sl33p

  6. #26
    Super Moderator lupin's Avatar
    Join Date
    Jan 2010
    Posts
    2,943

    Default

    Quote Originally Posted by sleep View Post
    Ok Lupin, sorry! The method is yours.
    No problem

    Quote Originally Posted by sleep View Post
    In fact, what I need to prove is that some files inside the disk were deleted, you know?
    Like, I don't need to wipe the whole partition. Just need to delete some files and then look for them again using the HexEditor and (hopefully) not find them there anymore. And take a screenshot of the screen. That's it!

    Now, how can I know where in the disk my files are located, I mean... and if it's a program, then I need to know where all the files related to that program are, so I can evidence the correct cleaning of that program?
    The sleuthkit tools can be used to find out the location of a file on disk, as well as to show the contents of particular sections of the disk.

    There's a list of tools in the sleuthkit here
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
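
    A way to evidence that specific content is gone from the raw disk, using the `dd ... skip=N count=1 bs=512` pattern quoted in post #25, as an added example that is not part of the original thread and does not use the sleuthkit. It assumes GNU grep; the image, the marker string and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: find which sectors of a raw image hold a known string.
# Assumes GNU grep (-o -b -a); marker and image are constructed.

build_sample_image() {   # $1 = path; 64 zeroed sectors, marker in 3 and 40
    dd if=/dev/zero of="$1" bs=512 count=64 2>/dev/null
    for s in 3 40; do
        printf 'PROJECT-X-SECRET' |
            dd of="$1" bs=512 seek="$s" conv=notrunc 2>/dev/null
    done
}

marker_sectors() {       # $1 = image or device, $2 = marker string
    # grep -b -o prints the byte offset of each match; 512 bytes per sector
    LC_ALL=C grep -obaF -- "$2" "$1" | cut -d: -f1 |
        while read -r off; do echo $(( off / 512 )); done | sort -nu
}

show_sector() {          # $1 = image, $2 = sector; same dd usage as the thread
    if command -v xxd >/dev/null 2>&1; then
        dd if="$1" bs=512 skip="$2" count=1 2>/dev/null | xxd | head -n 2
    else
        dd if="$1" bs=512 skip="$2" count=1 2>/dev/null | od -A d -t x1 | head -n 2
    fi
}

zero_sector() {          # stand-in for the cleaning tool being evaluated
    dd if=/dev/zero of="$1" bs=512 seek="$2" count=1 conv=notrunc 2>/dev/null
}

# Demo: record where the marker is, clean, then prove it is gone
img=$(mktemp)
build_sample_image "$img"
for s in $(marker_sectors "$img" 'PROJECT-X-SECRET'); do
    echo "marker found in sector $s"; show_sector "$img" "$s"
    zero_sector "$img" "$s"
done
[ -z "$(marker_sectors "$img" 'PROJECT-X-SECRET')" ] && echo "marker no longer present"
rm -f "$img"
```

    The search only matches content stored as plain bytes, so a string inside a compressed or encrypted file will not be found this way.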

  7. #27
    Just burned his ISO
    Join Date
    Mar 2008
    Posts
    10

    Default

    Not sure if this is useful but you can check out this script which I wrote
    bit.ly/2kdjsR

  8. #28
    Member imported_vvpalin's Avatar
    Join Date
    Apr 2009
    Posts
    442

    Default

    Old thread is old but what the hell

    wrote my own little dd if of script before I found ....

    srm file
    srm -r dir

    uses Gutmann method i.e. 27 overwrites + a few more for good measure
    Using backtrack for the first time is like being 10 years old again with the keys to a Ferrari.
