Secure Erase / Wipe : Definition and Methods

Secure Erase / Wipe - and the Basic Methods​

A secure erase or more commonly referred to as a wipe is a way to over-write all existing data on a Hard Disk Drive (HDD) / Solid State Drive (SSD) with at least one set of binary zeroes ( 0 ) or ones ( 1 ) so the data cannot be retrieved.

Contrary to popular belief, doing a full format with Windows 7 only over-writes the old disk format configuration data (the MBR) with the new and checks for sector errors, then marks the remaining space to be over-written as needed, it does not over-write (remove) any other data at all, it's all still there including code from previous Operating Systems and all of the old personal data.

It is also very useful before starting the Windows installation process to correct for disk format errors of many kinds, to include over-writing the Linux / Grub boot loader, that is known to cause serious issues when installing Windows to a HDD / SSD that has had Grub as a loader in the past; also to correct installation errors when clean installing Windows 7 to a space that originally contained Windows XP.

A wipe is very effective to 'remove' any previous malware infections and start fresh.

   Warning

All the methods outlined in this guide have the capability to over-write any and all data on an entire HDD / SSD so be completely sure you are using the correct method on the correct drive.

These first 2 methods below, to include the clean and the clean all command(s) will only do the entire HDD / SSD they will not do a single partition on a HDD / SSD, they will do the whole drive.

   Note

The HDD / SSD partition structure can be viewed in Windows disk management by typing diskmgmt.msc into the Windows start menu search box; it is always better to be safe than sorry, so if you have any doubts, make back-ups of anything you would not want to lose permanently, to external media before you start any of these procedures.

Method One

This is very useful while using Windows to do a wipe of a HDD / SSD that does not have the Windows partition on it as it will not allow a "System" partition to be done; if you just need to over-write the Master Boot Record or "disk format configuration data" use the clean command listed at #6, if you need to over-write the entire HDD / SSD use the clean all command listed at #7 in this tutorial.
Disk - Clean and Clean All with Diskpart Command


Method Two

If you need to do a secure erase / wipe to a HDD / SSD before you start a Windows installation, see Step One and then to use the command-line to create the partition(s) to do the installation to, see Step Two #2 or #3 of this tutorial.

Have a look here to view additional important information on this entire process.
SSD / HDD : Optimize for Windows Reinstallation


Method Three

This is similar to what is commonly known as a file shredder, making it no longer necessary to use third-party software to do a secure delete (secure erase) of files or any other data you need to over-write so they can't be recovered from your system without your knowledge.

This does not simply delete data it's pointed at, it completely over-writes it.
Permanently Delete - Add to Context Menu
If you are an adventurous sort and would like to use the command line instead, type sdelete in an elevated command window to secure delete files or data of any type you may need to wipe / over-write.


Method Four

If you don't want to wipe the entire HDD / SSD, you can do a partition-specific wipe of any single partition using the Partition Wizard free software, have a look at Option Two in the tutorial at this link below to get some ideas.
Partition Wizard : Use the Bootable CD
Enjoy!

Related Tutorials

---

• http://www.sevenforums.com/tutorials/55728-file-delete-command-prompt.html
• http://www.sevenforums.com/tutorials/91629-windows-explorer-add-remove-delete-button.html
• http://www.sevenforums.com/tutorials/55721-folder-delete-command-prompt.html
• http://www.sevenforums.com/tutorials/12205-recycle-bin-permanently-delete-items-automatically.html

 

[soewhaty]

If you have a platter drive you want to use DBAN.

Out of curiousity - why do you favour DBAN instead of Windows's native 'clean all' command for HDDs?

If you have a SSD you want to use secure erase in Parted Magic.

Never heard of 'Parted Magic'. Must be one out of many 3rd party tools. So again - how is doing a secure erase in Parted Magic any different than Windows's native 'clean all' command? 'Clean all' is secure erase so basically they are the same thing. Not that you said they aren't but I'm just asking.

Never use DBAN with a SSD. Writes help destroy SSDs. Although, SSDs have been made better, but you just don't want thousands upon thousands of writes on a SSD.

I used DBAN once long ago but basically it does secure erase with various algorithms and passes. So AGAIN - if DBAN performs a secure erase and you recommend 'secure erase in Parted Magic' then it's the same thing - secure erase/secure delete/wipe etc. Only difference I imagine is that DBAN does more passes or the wiping algorithms require more writes versus the 'secure erase in Parted Magic' (which you recommend) which I guess is simply 1 pass of secure erase. Pls, explain what you recommend, I'm curious.

But with Truecrypt you need to learn and understand about Evil maid.

Have used TrueCrypt but never knew about Evil maid. What's that?

 

[joe7dust]

If you have a platter drive you want to use DBAN. If you have a SSD you want to use secure erase in Parted Magic. Never use DBAN with a SSD. Writes help destroy SSDs. Although, SSDs have been made better, but you just don't want thousands upon thousands of writes on a SSD.

As to Ccleaner's wipe methods, they suck. I used it once and then ran some recovery software and was still able to recover the data.

If you want to be absolutely sure, and it's a platter drive, you can encrypt the drive with Truecrypt or Veracrypt first. The run DBAN. With flash-based storage like SSDs encryption is a little different since the data may still be stored on other cells and thus encryption may be redundant. If you ever chose to use whole disk encryption with a SSD it is best to install the OS, then immediately encrypt the drive with Truecrypt or Veracrypt. But with Truecrypt you need to learn and understand about Evil maid.

What data recovery software makes ccleaner wipe obsolete? I'm assuming you checked all the additional options like MFT table, cluster tips, etc.? Is there a software that will wipe free space within windows like ccleaner that actually works? DBAN downtime sucks.

 

[soewhaty]

In this context ... I found here Secure Erase / Wipe : Definition and Methods - Windows 7 Help Forums that

'If you don't want to wipe the entire HDD / SSD, you can do a partition-specific wipe of any single partition using the Partition Wizard free software, have a look at Option Two in the tutorial at this link below to get some ideas - Partition Wizard : Use the Bootable CD - Windows 7 Help Forums'.

Tried it and it worked exactly as described. And as highlighted - you will need to burn the ISO to a CD, it was designed for use and works best from a CD rather than a DVD. I confirm this. Tried also with a USB and it failed.

 

[joe7dust]

In this context ... I found here Secure Erase / Wipe : Definition and Methods - Windows 7 Help Forums that

'If you don't want to wipe the entire HDD / SSD, you can do a partition-specific wipe of any single partition using the Partition Wizard free software, have a look at Option Two in the tutorial at this link below to get some ideas - Partition Wizard : Use the Bootable CD - Windows 7 Help Forums'.

Tried it and it worked exactly as described. And as highlighted - you will need to burn the ISO to a CD, it was designed for use and works best from a CD rather than a DVD. I confirm this. Tried also with a USB and it failed.

Sounds like dban for just one partition. Wouldn't be useful to me. Also it is boot time only which is the main drawback shared with dban.

 

[soewhaty]

Sounds like dban for just one partition. Wouldn't be useful to me. Also it is boot time only which is the main drawback shared with dban.

Could be, but it's rather fast to clean all a 100gb partition on a speedy ssd. You did mention long waiting with DBAN so ... not sure what DBAN's algorithms are but this one is fast indeed.

No big deal with being boot time only - slot in a cd, 3 clicks and in no time you're there

 

[file3456]

To answer the questions here.

The clean command as I understand it just zeros the HDD. There is no data written over the current data at all, making recovery very easy. DBAN on the other hand, while very slow will overwrite the data many times making data recovery much more harder. Like I said, you don't want to use DBAN on a flash-based medium as it can only handle so many writes. With a SSD you want to use Parted Magic's secure erase option. Secure Erase - Powerful, easy to use, and inexpensive.

Evil Maid: The Invisible Things Lab's blog: Evil Maid goes after TrueCrypt!

I have used Ccleaner's wipe options and then ran Recuva and all the files were still able to be recovered.

 

[joe7dust]

To answer the questions here.

The clean command as I understand it just zeros the HDD. There is no data written over the current data at all, making recovery very easy. DBAN on the other hand, while very slow will overwrite the data many times making data recovery much more harder. Like I said, you don't want to use DBAN on a flash-based medium as it can only handle so many writes. With a SSD you want to use Parted Magic's secure erase option. Secure Erase - Powerful, easy to use, and inexpensive.

Evil Maid: The Invisible Things Lab's blog: Evil Maid goes after TrueCrypt!

I have used Ccleaner's wipe options and then ran Recuva and all the files were still able to be recovered.

I ran clean all and it took over 24 hours. I mainly did this as a way of "super defrag" because my defrag got stuck on 27% for over 12 hours with 15% space left on the drive. If I was paranoid I would have rendered my pc unuseable by doing dban or removing the drive and physically destroying.


Are you saying there is no benefit to running clean all instead of clean because file recovery software will just be able to get it? I know there is theoretically the potential to recover after a zero fill because of residual magnetics left from the previous bit setting however I was under the impression that this type of recovery was general only used by law enforcement / NSA and it required special equipment and microscopic analysis not just a sata connector and some software...


Not sure if anyone has ever tried to boot DBAN in hyper V or some Virtual environment but if I could actually use the PC during the process then DBAN would have been my go to.

 

[soewhaty]

To answer the questions here.

...

Like I said, you don't want to use DBAN on a flash-based medium as it can only handle so many writes. With a SSD you want to use Parted Magic's secure erase option. Secure Erase - Powerful, easy to use, and inexpensive.

As I said earlier - you can't just say something without arguing why it is that way. If you say that 'with an SSD you want to use Parted Magic's secure erase option' then explain or show how this is different to any other secure erase option ... Windows's default clean all via CMD is also a secure erase ... doesn't matter if it just writes zeros or whatever.

I don't see how Parted Magic's secure erase option is any different to running a clean all via CMD ...

so instead of telling us that this should be our preferred option, say why it is ... give me an argument or tell me how it is different/better ...

I'm trying to get to the bottom of this. No hard feelings.

 

[soewhaty]

Are you saying there is no benefit to running clean all instead of clean because file recovery software will just be able to get it?

From what I understood in several discussion in the forum here - 'clean all' actually does write zeros, whereas 'clean' only marks data to be written zeros to later on when there's demand for that. So there's the difference. Seems to me like full format VS quick format.

 

[joe7dust]

From what I understood in several discussion in the forum here - 'clean all' actually does write zeros, whereas 'clean' only marks data to be written zeros to later on when there's demand for that. So there's the difference. Seems to me like full format VS quick format.

" I have used Ccleaner's wipe options and then ran Recuva and all the files were still able to be recovered."


Well if everything is to be believed in this thread then neither CCleaner, cleanall, or dban 1 pass Simple are effective. And I still never got a response on whether residual magnetic recovery is possible after a zero fill using a SATA connection and recovery software.

 

[soewhaty]

" I have used Ccleaner's wipe options and then ran Recuva and all the files were still able to be recovered."


Well if everything is to be believed in this thread then neither CCleaner, cleanall, or dban 1 pass Simple are effective. And I still never got a response on whether residual magnetic recovery is possible after a zero fill using a SATA connection and recovery software.

You managed to recover data after 'clean all' via CMD?

 

[joe7dust]

You managed to recover data after 'clean all' via CMD?

Not I, but I think someone earlier in the thread had said that.

 

[soewhaty]

Not I, but I think someone earlier in the thread had said that.

That was F22 Simpilot's response to your questions - 'What data recovery software makes ccleaner wipe obsolete?'

So, unless we equate ccleaner's wipe to a 'clean all' then we can't say that it is psbl to recover data after a 'clean all'.

 

[joe7dust]

That was F22 Simpilot's response to your questions - 'What data recovery software makes ccleaner wipe obsolete?'

So, unless we equate ccleaner's wipe to a 'clean all' then we can't say that it is psbl to recover data after a 'clean all'.

If secure wipe in ccleaner doesn't do it I would consider that a bug.


Worse than a bug, perhaps more like a Vulnerability of the open secret type.

 

[soewhaty]

If secure wipe in ccleaner doesn't do it I would consider that a bug.


Worse than a bug, perhaps more like a Vulnerability of the open secret type.

If there's a native way to do this in Windows, which there is (via clean all in CMD), then I'd much rather stick to that than to CCleaner or any third party tool for that manner.

But I'm still curious to hear F22 Simpilot's views on what I asked him lastly. Hope he understands I meant it well in the name of discussion ...

 

[joe7dust]

To answer the questions here.

The clean command as I understand it just zeros the HDD. There is no data written over the current data at all, making recovery very easy. DBAN on the other hand, while very slow will overwrite the data many times making data recovery much more harder. Like I said, you don't want to use DBAN on a flash-based medium as it can only handle so many writes. With a SSD you want to use Parted Magic's secure erase option. Secure Erase - Powerful, easy to use, and inexpensive.

Evil Maid: The Invisible Things Lab's blog: Evil Maid goes after TrueCrypt!

I have used Ccleaner's wipe options and then ran Recuva and all the files were still able to be recovered.

If all this is fact then clean is the same effectively as 1 pass dban. And CCleaner needs to patch this vulnerability of a bullshit wipe implementation.

 

[soewhaty]

If all this is fact then clean is the same effectively as 1 pass dban. And CCleaner needs to patch this vulnerability of a bullshit wipe implementation.

Again ... distinguish carefully between 'clean' and 'clean all' ... they are not the same thing.

What you are referring to is 'clean all' and from what became evident from the discussion here - dban overwrites a drives sectors with new data, instead of only zeroing those sectors (which is seemingly what 'clean all' does).