diskutil command line secureErase options

When I need to decommission a hard drive, it's necessary for me to securely wipe the data prior to disposal. Stanford's data wiping policy is publicly accessible from the internet (though woefully out of date with the product recommendations—Mac OS 8 anyone?). It's usually not enough just to delete the files using the Finder or the rm command, since that action merely hides your files and makes their blocks eligible for possible future write-overs. Inexpensive file recovery software can usually return data when you simply delete files this way, to say nothing of real forensics software.
You may know that your Mac's Disk Utility program has the "Secure Erase" option, where you can choose from three degrees of security. You can zero-out the data, which means the computer erases your data and writes over the drive with zeros. This is a minimal, but sometimes acceptable, data sanitization effort. You can also choose the seven-pass Department of Defense wipe, which takes longer, but makes data recovery nearly impossible. Then there's the 35-pass wipe, for the hyper vigilant and possibly neurotic.

Here is Apple's KB article on securely erasing a disk: http://support.apple.com/kb/TA24002

What you may not know is that the diskutil command line tool has two additional options. In addition to the single-pass zero-out, you can choose a single-pass write-over with random numbers. I would expect that process to take as long as a zero-out effort with Disk Utility. I'm not exactly sure what the benefit here is, except that it would remove the known delta between the state prior to the zero-out and the zeros. That is, if you used forensic analysis to examine a drive and it's all zeros, and your sophisticated tools detect prior states, it's reasonable to understand that that prior state is likely true (since we know that the new state will always be a zero).

The other option with diskutil is what Apple labels a "DoE [Department of Energy] three-pass secure erase". I don't know much about this option.  

Here is the man page for diskutil and the secureErase option; you can also just type diskutil secureErase at the prompt for the associated help.
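As an added example (not from the original post, and not Apple's code), here is a small shell wrapper that maps the five secureErase levels discussed above to the level numbers `diskutil secureErase` expects, refuses to target /dev/disk0 (normally the boot disk) unless explicitly allowed, and, after a zero-out, reads back the start of the device to confirm it really is all zeros. The level numbers (0 zeros, 1 random, 2 DoD 7-pass, 3 Gutmann 35-pass, 4 DoE 3-pass) are those printed by `diskutil secureErase` with no arguments; the device names and the 1 MiB sample size are assumptions for illustration.

```shell
#!/bin/sh
# Added example: wrapper around `diskutil secureErase` (not part of the original post).
# Level numbers as listed by `diskutil secureErase` help:
#   0 single-pass zeros, 1 single-pass random, 2 US DoD 7-pass,
#   3 Gutmann 35-pass, 4 US DoE 3-pass.

# Translate a readable level name into the diskutil level number.
# Prints the number on stdout; returns 1 for an unknown name.
erase_level() {
    case "$1" in
        zero)      echo 0 ;;
        random)    echo 1 ;;
        dod7)      echo 2 ;;
        gutmann35) echo 3 ;;
        doe3)      echo 4 ;;
        *) echo "unknown erase level: $1" >&2; return 1 ;;
    esac
}

# Build (but do not run) the diskutil command line for a level name and device.
# Refuses /dev/disk0, the usual boot disk, unless ALLOW_BOOT=1 is set by the caller,
# so a typo does not wipe the machine you are sitting at.
secure_erase_cmd() {
    level=$(erase_level "$1") || return 1
    dev="$2"
    case "$dev" in
        /dev/disk[0-9]*) ;;
        *) echo "device must look like /dev/diskN: $dev" >&2; return 1 ;;
    esac
    if [ "$dev" = "/dev/disk0" ] && [ "${ALLOW_BOOT:-0}" != 1 ]; then
        echo "refusing to erase /dev/disk0 (boot disk) without ALLOW_BOOT=1" >&2
        return 1
    fi
    echo "diskutil secureErase $level $dev"
}

# After a level-0 (zero-out) erase, sample the first N bytes (default 1 MiB, an
# assumed size) of the device and check that every byte is 0x00.
# Returns 0 when all sampled bytes are zero, 1 otherwise. Works on a plain file too.
verify_zeroed() {
    path="$1"; count="${2:-1048576}"
    nonzero=$(head -c "$count" "$path" | tr -d '\000' | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}

# Usage (dry run): prints the command without executing it.
# cmd=$(secure_erase_cmd zero /dev/disk2) && echo "$cmd"
# To actually erase and then check the result (the device here is assumed):
# eval "$cmd" && verify_zeroed /dev/rdisk2 && echo "first 1 MiB reads back as zeros"
```

The read-back check only makes sense after the zero-out level; the random and multi-pass levels leave non-zero data by design, and a sample of the first megabyte is a sanity check rather than proof that the whole device was overwritten. For a full verification you would compare the entire raw device against /dev/zero instead.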

This page contains a single entry by Noah Abrahamson published on November 16, 2010 1:03 PM.