DBAN question



 
 
  #1  
Old September 27th 18, 01:10 AM posted to alt.windows7.general
JBI
external usenet poster
 
Posts: 76
Default DBAN question

I can't seem to find this anywhere. I have three, 2.5" hard drives I
was planning on selling soon and they are all different sizes. I am
currently using one of the 7 pass DBAN algorithms on all three
simultaneously on an unused desktop. Obviously, being three different
sizes, two have finished before the last one. DBAN reports "succeeded"
for the two while the last one continues to run. Can I remove the two
that have finished, or should I wait until all three are done? Thank you.
  #2  
Old September 27th 18, 01:28 AM posted to alt.windows7.general
Paul in Houston TX[_2_]
external usenet poster
 
Posts: 999
Default DBAN question

JBI wrote:
> I can't seem to find this anywhere. I have three, 2.5" hard drives I was planning on
> selling soon and they are all different sizes. I am currently using one of the 7 pass
> DBAN algorithms on all three simultaneously on an unused desktop. Obviously, being three
> different sizes, two have finished before the last one. DBAN reports "succeeded" for the
> two while the last one continues to run. Can I remove the two that have finished, or
> should I wait until all three are done? Thank you.


Are they set for Hot Swap in the BIOS / UEFI?


  #3  
Old September 27th 18, 02:37 AM posted to alt.windows7.general
Paul[_32_]
external usenet poster
 
Posts: 11,873
Default DBAN question

JBI wrote:
> I can't seem to find this anywhere. I have three, 2.5" hard drives I
> was planning on selling soon and they are all different sizes. I am
> currently using one of the 7 pass DBAN algorithms on all three
> simultaneously on an unused desktop. Obviously, being three different
> sizes, two have finished before the last one. DBAN reports "succeeded"
> for the two while the last one continues to run. Can I remove the two
> that have finished, or should I wait until all three are done? Thank you.


You don't have to do it that way, as a start.

Yes, DBAN runs in parallel. It can erase 99 drives
in parallel, or so it claims.

You could abort the outstanding run, disconnect
the two drives which are finished, then consider your
options.

The 35 pass Gutmann algorithm is intended for drives
which are 15 years old or older. These would be drives
with maybe 4-5MB/sec write rates, with MFM encoding
at the heads. Such drives have large fringing fields.
And since they didn't use servo wedges and used a
servo surface, it was possible to push them a half-track
off the path and attempt to read the fringing field
on the track. Doing 35 pass erasure, was an attempt
to erase the track and the fringing field (after
enough passes with the right patterns).

Modern drives don't make it easy to do that sort of
thing. I don't believe there is any track-offset capability
on modern drives. In addition, a recent MFM (Magnetic Force
Microscopy) picture, showed there is hardly any fringing
field at all on modern recording tracks (and that's
what makes SMR recording feasible). If someone is
going to "scrounge" old passwords off your hard drive,
or your bank account number, that's going to be a
significant technical challenge.

In summary, the remaining drive likely only
needs *one* pass, not seven or thirty-five passes.
That should save you some time.

*******

Sufficiently modern drives, support the added "Secure Erase"
command added to the ATA command set. It does a one
pass erasure, done by the drive itself, and not by
external software. The "Enhanced Secure Erase" even erases
the re-allocated sectors. That flavor writes to every
possible sector on the platter.

Doing a single pass with DBAN, is less work. You have to
find a copy of the Secure Erase program from CMRR, and set
a password on the drive, in order to do a Secure Erase.

*******

Note that, whether Secure Erase or DBAN, if an HPA
is set on a drive, this can interfere with erasure
and allow previously written information to be hidden.
But it's pretty hard to set an HPA after the fact and
shoot yourself in the foot.

At least one brand of PC, used to "multiplex" five partitions
into a four partition MBR, by using an HPA to hide the
fifth partition, and a BIOS routine would edit the
MBR to make the sleight-of-hand seamless. That would
be an example of your worst nightmare, in terms
of proper DBAN (or Secure Erase) cleanup of a
drive for resale. From an odds perspective, that's
not too likely to be the drive in your hand right now.
If you had such a drive, you remove it from the original
computer, move it to another machine, remove the HPA, and
erase all five partitions.

On my current machine, the Intel SATA ports are blocked
on HPA and cannot set or remove one. Only my JMicron
chip has a hole in the BIOS code that allows HPA work.
And I've both set and cleared an HPA as an experiment.
I changed a 250GB drive into a 6GB drive, to accelerate
some "disk filling" experiments. That means 244GB of the
drive was hidden from view, for as long as the HPA
was asserted. If I were to DBAN the drive, only 6GB
would be erased, and the other 244GB would be untouched.
If you know for a fact some of the drive capacity is
"missing", then you check for an HPA before selling
the drive. And you need a port with the capability
for that (like the JMicron IDE chip, plus an IDE to
SATA adapter).

Paul
  #4  
Old September 27th 18, 04:27 AM posted to alt.windows7.general
VanguardLH[_2_]
external usenet poster
 
Posts: 10,881
Default DBAN question

JBI wrote:

> I can't seem to find this anywhere. I have three, 2.5" hard drives I
> was planning on selling soon and they are all different sizes. I am
> currently using one of the 7 pass DBAN algorithms on all three
> simultaneously on an unused desktop. Obviously, being three different
> sizes, two have finished before the last one. DBAN reports "succeeded"
> for the two while the last one continues to run. Can I remove the two
> that have finished, or should I wait until all three are done? Thank you.


In a command shell with admin privileges, what happens when you run:

    mountvol drive\ /d

For example, if the drive letter assignment to a partition on a disk was
D: then you use:

    mountvol d:\ /d

Make sure to include the backslash after the drive letter since the root
is the mount point of that volume. While you can unmount a volume
(partition), there could be multiple partitions on a disk. You didn't
say if there was 1, or more, partitions on the disks that complete the
wipe. Run "mountvol /?" to see its command-line syntax and arguments.

If you require a pretty GUI to do unmounting, read:

https://www.computerhope.com/issues/ch001898.htm

Are the already-wiped disks also hot-swappable? Since the computer is
still powered while you wipe the other volume/partition/drive, you would
be removing the other 2 disks while still powered. Are the wiped disks
in hot-swap bays? That is, do you have hot-swap *hardware*? You can't
get into the BIOS/UEFI settings while you are wiping the last disk, so
you cannot go into the BIOS to disable the controllers to the
already-wiped disks.

Of course, since you booted using the DBAN media, you aren't in Windows
to be unmounting drives. You loaded whatever OS (probably Linux) on
which DBAN runs. You booted using that OS. You still cannot get into
the BIOS screens while running DBAN.

Just wait. What can you do with the 2 already-wiped drives before the
3rd still-wiping disk completes its erase?
  #5  
Old September 28th 18, 03:21 AM posted to alt.windows7.general
JBI
external usenet poster
 
Posts: 76
Default DBAN question

On 09/26/2018 09:37 PM, Paul wrote:
> JBI wrote:
>> I can't seem to find this anywhere. I have three, 2.5" hard drives I
>> was planning on selling soon and they are all different sizes. I am
>> currently using one of the 7 pass DBAN algorithms on all three
>> simultaneously on an unused desktop. Obviously, being three different
>> sizes, two have finished before the last one. DBAN reports
>> "succeeded" for the two while the last one continues to run. Can I
>> remove the two that have finished, or should I wait until all three
>> are done? Thank you.
>
> You don't have to do it that way, as a start.
>
> Yes, DBAN runs in parallel. It can erase 99 drives
> in parallel, or so it claims.

I suppose actual limitations might depend on the power supply. Not sure
how many drives a standard PC switching supply would support, but I
suppose if you got up to half a dozen, there might be too much stress on
the ps.

> You could abort the outstanding run, disconnect
> the two drives which are finished, then consider your
> options.

I've decided I'm just going to let them run.

> The 35 pass Gutmann algorithm is intended for drives
> which are 15 years old or older. These would be drives
> with maybe 4-5MB/sec write rates, with MFM encoding
> at the heads. Such drives have large fringing fields.
> And since they didn't use servo wedges and used a
> servo surface, it was possible to push them a half-track
> off the path and attempt to read the fringing field
> on the track. Doing 35 pass erasure, was an attempt
> to erase the track and the fringing field (after
> enough passes with the right patterns).
>
> Modern drives don't make it easy to do that sort of
> thing. I don't believe there is any track-offset capability
> on modern drives. In addition, a recent MFM (Magnetic Force
> Microscopy) picture, showed there is hardly any fringing
> field at all on modern recording tracks (and that's
> what makes SMR recording feasible). If someone is
> going to "scrounge" old passwords off your hard drive,
> or your bank account number, that's going to be a
> significant technical challenge.
>
> In summary, the remaining drive likely only
> needs *one* pass, not seven or thirty-five passes.
> That should save you some time.

Before I started, I researched this a bit and came up with inconclusive
results. I came away thinking in some cases, one pass and then another
article mentioning seven passes and a law enforcement test system was
able to still read significant things off the drive after a two day deep
scan.

> *******
>
> Sufficiently modern drives, support the added "Secure Erase"
> command added to the ATA command set. It does a one
> pass erasure, done by the drive itself, and not by
> external software. The "Enhanced Secure Erase" even erases
> the re-allocated sectors. That flavor writes to every
> possible sector on the platter.

I was thinking of this, but read that with USB 3 connected drives,
secure erase might make them inoperative. I wasn't even sure it could
be implemented in the USB 3 drives anyway. For future reference, I was
wondering just what would happen to internal ATA drives subjected to
secure erase, would Win or other programs still be able to install on them?

> Doing a single pass with DBAN, is less work. You have to
> find a copy of the Secure Erase program from CMRR, and set
> a password on the drive, in order to do a Secure Erase.
>
> *******
>
> Note that, whether Secure Erase or DBAN, if an HPA
> is set on a drive, this can interfere with erasure
> and allow previously written information to be hidden.
> But it's pretty hard to set an HPA after the fact and
> shoot yourself in the foot.

Yes, I was also reading about hidden sectors and that was a slight
concern.

> At least one brand of PC, used to "multiplex" five partitions
> into a four partition MBR, by using an HPA to hide the
> fifth partition, and a BIOS routine would edit the
> MBR to make the sleight-of-hand seamless. That would
> be an example of your worst nightmare, in terms
> of proper DBAN (or Secure Erase) cleanup of a
> drive for resale. From an odds perspective, that's
> not too likely to be the drive in your hand right now.
> If you had such a drive, you remove it from the original
> computer, move it to another machine, remove the HPA, and
> erase all five partitions.
>
> On my current machine, the Intel SATA ports are blocked
> on HPA and cannot set or remove one. Only my JMicron
> chip has a hole in the BIOS code that allows HPA work.
> And I've both set and cleared an HPA as an experiment.
> I changed a 250GB drive into a 6GB drive, to accelerate
> some "disk filling" experiments. That means 244GB of the
> drive was hidden from view, for as long as the HPA
> was asserted. If I were to DBAN the drive, only 6GB
> would be erased, and the other 244GB would be untouched.
> If you know for a fact some of the drive capacity is
> "missing", then you check for an HPA before selling
> the drive. And you need a port with the capability
> for that (like the JMicron IDE chip, plus an IDE to
> SATA adapter).

Well, the only thing I'm noticing is that a 500 GB drive comes up as 465
GB or so, but I read that was due to manufacturer advertising.

You brought up some good points here. Thanks.

> Paul


  #6  
Old September 28th 18, 05:27 AM posted to alt.windows7.general
Paul[_32_]
external usenet poster
 
Posts: 11,873
Default DBAN question

JBI wrote:


> Before I started, I researched this a bit and came up with inconclusive
> results. I came away thinking in some cases, one pass and then another
> article mentioning seven passes and a law enforcement test system was
> able to still read significant things off the drive after a two day deep
> scan.


The way I would interpret this, is the difference between "formatting"
and "erasure".

In 2018, drives no longer "low level format". That 15 year old drive I
was referring to, would low level format (because it has a servo surface,
and the other surfaces can be redefined at will). Low level format is
different than a partition level format. Low level format is applied
to the whole disk (I used to do them at work, and if you messed with
the drive before completion, you could make luncheon meat out of the drive).

Modern drives format at the partition level. There's no low level format.

When you format, a new FAT or $MFT is written to the disk.

The Disk Management format routine is "Quick" or "Full". Obviously
"Quick" has no time to do anything, so we know it doesn't change the disk state.
There could be old information on the disk, which a law enforcement
two day scan could find. The quick format destroys the FAT, so easy peasy
pointers to the file are removed. But a Recuva or Photorec scan could
likely piece together a few files. This might be the kind of reference
you're reading about. It takes Photorec a long time to process a
disk in any case.

OK, so now we try the "Full" format. What happens? It writes a new
FAT or a $MFT, then it "read verifies" (no writes involved!) the
entire partition. All it's doing is reads for two hours.
It does this to build a map of bad clusters.
Again, this does *nothing* to remove old information.
As in the Quick Format, law enforcement may profit by scanning.

*******

DBAN obviously works at the physical layer, writing sectors.
Now, the law enforcement scan gets nothing, because a pattern
has been written to all the data sectors. DBAN doesn't write
reallocated sectors. There could be some of those.

If the forensic expert gets hands on a WDC/Seagate "reset" software,
then the reallocated sectors (likely unreadable) would be mapped back
in. Can anything be recovered? Probably not. The drive tried to
read the sector for 15 seconds times 120 rotations per second, which
is a hell of a lot of tries. More tries are not likely to help.

The ATA command "Secure Erase" does approximately as much writing
as DBAN.

The "diskpart" program and its "clean all" option, does as much erasing
as DBAN and uses zeros for erasure. It's a tool I've used a number of
times, to remove GPT info from large disks so that utilities stop
finding the GPT info and acting upon it. I also use "clean all" to remove
RAID metadata (change hardware boxes, plug RAID drives into box that
doesn't have the same brand of chips).

So "format" isn't a good option at all, either "Quick" or "Full".

Secure Erase is good.

Clean All is good.

If all you have is a chance to do "one pass", you want that
pass to be as complete as possible, and no HPA or DCO to prevent
accessing every (visible) sector. Doing "Enhanced Secure Erase"
protects against a skilled adversary, versus just some guy on
Ebay who bought your drive. I've not read of any accounts of
people having "disk reset" software. If the factory has any
secrets, it's doing a good job of containing them. With
USB flash sticks, the factory leaks like a sieve, and there
are utilities in circulation for messing with the controller
on those. I suspect the Seagate and WDC lawyers are too good
at whacking former employees, for the employees to take a chance.

Paul
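
An added example, not part of Paul's post: a Python sketch of the difference described above between a format and a one-pass zero wipe, checked by scanning for sectors that still hold data. The image file, its contents and the `quick_format` / `zero_fill` models are constructed for illustration, and the scan only applies to zero-fill wipes such as "clean all", not to wipes that end on a random pattern.

```python
import os
import tempfile

SECTOR = 512  # logical sector size assumed for this sketch


def nonzero_sectors(path, chunk_sectors=2048, keep=16):
    """Return (count, first LBAs) of sectors that still hold a non-zero byte."""
    count, first, lba = 0, [], 0
    with open(path, "rb") as dev:
        while True:
            chunk = dev.read(chunk_sectors * SECTOR)
            if not chunk:
                break
            if chunk.count(0) != len(chunk):  # skip chunks that are all zero
                for off in range(0, len(chunk), SECTOR):
                    if chunk[off:off + SECTOR].strip(b"\0"):
                        count += 1
                        if len(first) < keep:
                            first.append(lba + off // SECTOR)
            lba += len(chunk) // SECTOR
    return count, first


def build_demo_image(path, sectors=4096):
    """Constructed stand-in for a used disk: two sectors of 'old file' data."""
    with open(path, "wb") as img:
        img.write(bytes(sectors * SECTOR))
        for lba in (100, 3000):
            img.seek(lba * SECTOR)
            img.write(b"old bank statement".ljust(SECTOR, b"\0"))


def quick_format(path):
    """Model of a format: only filesystem metadata at the start is rewritten."""
    with open(path, "r+b") as img:
        img.write(b"NEWFS".ljust(SECTOR, b"\0"))


def zero_fill(path):
    """Model of a one-pass zero wipe over every visible sector."""
    size = os.path.getsize(path)
    with open(path, "r+b") as img:
        img.write(bytes(size))


def demo():
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        build_demo_image(path)
        quick_format(path)
        after_format = nonzero_sectors(path)   # old data still present
        zero_fill(path)
        after_wipe = nonzero_sectors(path)     # nothing left to scan for
    finally:
        os.remove(path)
    return after_format, after_wipe


if __name__ == "__main__":
    print(demo())
```

Pointed at a raw device instead of the demo image, `nonzero_sectors` needs read access to that device and only sees the sectors the port exposes, so it says nothing about an HPA, a DCO or reallocated sectors.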
  #7  
Old September 28th 18, 01:18 PM posted to alt.windows7.general
J. P. Gilliver (John)[_4_]
external usenet poster
 
Posts: 2,679
Default DBAN question - now disc capacity

In message , JBI writes:
[]
> Well, the only thing I'm noticing is that a 500 GB drive comes up as
> 465 GB or so, but I read that was due to manufacturer advertising.
>
> You brought up some good points here. Thanks.
>
>> Paul


That's the discrepancy because 2^10 only _approximates_ to 10^3 - i. e.
1024 rather than 1000. Manufacturers would say that a G is 1000000000;
Microsoft use 1073741824. Those 2.4% differences accumulate: my
nominally 1 TB drive only shows as about 931G in "Properties".

(There has been some attempt to use "kibi", "Gibi" and so on -
abbreviations ki, Gi - for the binary ones, as opposed to kilo, giga -
but it hasn't caught on widely.)

I'm surprised: I'd have thought that the extra effort involved in
programming disc controllers, etc. to handle non-binary sizes of disc
would have been more effort than the saving was worth, at least in the
early days of few-megabyte drives; however, the practice did stick, and
now that the saving is up to about 7% for "terabyte" drives, I guess it
_is_ starting to become significant.
--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

Veni Vidi Vacuum [I came, I saw, It sucked] - , 1998
  #8  
Old September 28th 18, 02:50 PM posted to alt.windows7.general
Paul[_32_]
external usenet poster
 
Posts: 11,873
Default DBAN question - now disc capacity

J. P. Gilliver (John) wrote:
> In message , JBI writes:
> []
>> Well, the only thing I'm noticing is that a 500 GB drive comes up as
>> 465 GB or so, but I read that was due to manufacturer advertising.
>>
>> You brought up some good points here. Thanks.
>>
>>> Paul
>
> That's the discrepancy because 2^10 only _approximates_ to 10^3 - i. e.
> 1024 rather than 1000. Manufacturers would say that a G is 1000000000;
> Microsoft use 1073741824. Those 2.4% differences accumulate: my
> nominally 1 TB drive only shows as about 931G in "Properties".
>
> (There has been some attempt to use "kibi", "Gibi" and so on -
> abbreviations ki, Gi - for the binary ones, as opposed to kilo, giga -
> but it hasn't caught on widely.)
>
> I'm surprised: I'd have thought that the extra effort involved in
> programming disc controllers, etc. to handle non-binary sizes of disc
> would have been more effort than the saving was worth, at least in the
> early days of few-megabyte drives; however, the practice did stick, and
> now that the saving is up to about 7% for "terabyte" drives, I guess it
> _is_ starting to become significant.


"programming disc controllers"

I hope this isn't about to turn into a Calvin and Hobbes cartoon.

The "end-LBA" has to be programmed in any case. You can't be
banging the heads against the hub :-) I don't even know if
they still have limit-switches for this stuff, like the big
drives had.

Whether the end-LBA value is 12345 or 12346 makes no difference
in the big scheme of things. In the following examples, the capacity
is set up to suit the marketing department and is slightly bigger
than "the value on the tin".

1000204886016 my 1TB drive (divisible by 63)

2000398934016 my 2TB drive (divisible by 63)

The mapping of LBA to physical position is pretty weird in any case,
due to zoned recording. It's already pretty hard to figure out
where exactly the heads are supposed to go.

The relationship between CHS or LBA value and voice coil position
isn't easy to determine, and may actually use a table lookup
for speed reasons. The table would get you to the right zone,
then add some kind of offset to get the rest of the way into
the zone.

For a 1TB drive, all Seagate or WDC have to do is
"make a number slightly bigger than 1TB value"
and "make the number divisible by 63". For fun,
you can check the number from your drive and
see if it's divisible by 63. Where that comes from,
is the fake CHS has 63 sectors per track or something,
and they *do* want the drive to look like it has
a fully formed CHS address space. Even though no
modern application actually cares. It's a pretense
to suit history, and not trigger any legacy code
somewhere that *is* checking.

Paul
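
An added example, not from any of the posters: a Python check that separates the two reasons discussed in this thread for a drive showing less than its label, decimal-versus-binary units and an HPA. It assumes Linux `hdparm -N` output as input (a tool not mentioned in the thread) and 512-byte sectors; both sample readings are constructed.

```python
import re

SECTOR = 512  # bytes per logical sector (assumption; 4Kn drives differ)

# Constructed readings in the "visible/native" form printed by `hdparm -N`.
# SAMPLE_CLIPPED mirrors the 250GB-drive-clipped-to-6GB experiment above.
SAMPLE_CLIPPED = """
/dev/sdb:
 max sectors   = 12582912/488397168, HPA is enabled
"""
SAMPLE_500GB = """
/dev/sdc:
 max sectors   = 976773168/976773168, HPA is disabled
"""


def parse_max_sectors(text):
    """Return (visible, native) sector counts from `hdparm -N` output."""
    m = re.search(r"max sectors\s*=\s*(\d+)/(\d+)", text)
    if m is None:
        raise ValueError("no 'max sectors = visible/native' line found")
    return int(m.group(1)), int(m.group(2))


def capacity_report(label_gb, hdparm_text):
    """Explain why a drive sold as label_gb (decimal GB) shows less."""
    visible, native = parse_max_sectors(hdparm_text)
    visible_bytes = visible * SECTOR
    hidden_bytes = max(native - visible, 0) * SECTOR
    return {
        # The figure an OS shows when it divides by 2**30 but prints "GB".
        "shown_gib": round(visible_bytes / 2**30, 1),
        # True when the visible area already holds the full labelled size,
        # so the smaller figure is only the 1000-vs-1024 unit difference.
        "units_explain_gap": visible_bytes >= label_gb * 10**9,
        # Bytes behind an HPA: a wipe of the visible area never touches them.
        # A DCO is not reported by this reading and needs a separate check.
        "hidden_bytes": hidden_bytes,
        "hpa_present": hidden_bytes > 0,
        # The legacy 63-sectors-per-track geometry described above.
        "native_divisible_by_63": native % 63 == 0,
    }


if __name__ == "__main__":
    for label, sample in ((500, SAMPLE_500GB), (250, SAMPLE_CLIPPED)):
        print(label, capacity_report(label, sample))
```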
 




All times are GMT +1.