I've been wiping a lot of media lately. Mostly these are USB devices that we've used to share evidence and other data during an investigation. I want to be sure that I don't accidentally disclose any data from my cases, and I also want to know when I reach into my bag for a USB stick that it's not going to be polluted with other data. And when I get new media (from a vendor, trade show, or whatever) I always have a strict policy of wiping the drive completely from my Linux box (which is specifically configured not to automount new media) before it gets near any Windows machines that might have autoruns enabled.
Happily, Linux makes this whole process quite straightforward with just a few simple command-line tools. First we need to figure out which device name the media has been assigned. I find that fdisk is the easiest way to get this information:
$ sudo fdisk -l

Disk /dev/sda: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x0004342b

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1       60770   488134993+  83  Linux
/dev/sda2           60771       60801      249007+   5  Extended
/dev/sda5           60771       60801      248976   83  Linux

Disk /dev/sdd: 16.0 GB, 16049504256 bytes
5 heads, 32 sectors/track, 195916 cylinders
Units = cylinders of 160 * 512 = 81920 bytes
Disk identifier: 0x00000000

   Device Boot      Start         End      Blocks   Id  System
/dev/sdd1   *          51      195917    15669312    c  W95 FAT32 (LBA)
Here you can see my primary internal drive at /dev/sda and a 16GB thumb drive at /dev/sdd. The /dev/sdd device is the one I want to clean.
To sanitize the drive, I'm just going to completely overwrite it with zeroes using dd:
$ sudo dd if=/dev/zero of=/dev/sdd bs=1M
dd: writing `/dev/sdd': No space left on device
15307+0 records in
15306+0 records out
16049504256 bytes (16 GB) copied, 2728.03 s, 5.9 MB/s
Here I'm just reading nulls from /dev/zero and writing them over the entire physical device. Of course this clobbers the partition table at the front of the drive:
$ sudo parted /dev/sdd print
Error: /dev/sdd: unrecognised disk label
GNU parted is a useful command for interacting with disk labels at the command line. The general format of the command is "parted <device> <command> [options]". In this case I'm using the "print" command to try to print the partition label, but it has been eradicated by our dd command, so we get an error.
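After the dd step, here is the check I'd run before the stick goes back in the bag, as an added example that is not part of the original post: it reads the whole device back to confirm every byte is zero and that the MBR boot signature at the end of sector 0 is gone, then exercises the same routine on a constructed image file. The function names (dev_size, verify_zeroed, has_mbr_signature, wipe_and_check, make_dirty_image) are mine; replace the image with /dev/sdd for real media.

```shell
#!/bin/sh
# Added example, not code from the original post: checks to run after
# "dd if=/dev/zero of=<device>" finishes. Works on a real block device
# (/dev/sdd in the post) or, as in the demo below, on a constructed image file.

# Size in bytes of a block device or a regular file.
dev_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else stat -c %s "$1"; fi
}

# 0 if every byte of the device is NUL, 1 otherwise. tr strips the NULs; if a
# single byte survives, some part of the device was never overwritten.
verify_zeroed() {
    leftover=$(tr -d '\000' < "$1" | head -c 1 | wc -c)
    [ "$((leftover))" -eq 0 ]
}

# 0 if sector 0 still ends in the MBR boot signature 0x55 0xAA (offset 510),
# i.e. the old partition table is still there; 1 if it is gone.
has_mbr_signature() {
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# The post's dd step, bounded by the device size so it also works on an image
# file (on a real device the post simply lets dd run until ENOSPC), then verify.
wipe_and_check() {
    head -c "$(dev_size "$1")" /dev/zero | dd of="$1" bs=1M conv=notrunc 2>/dev/null
    sync
    if verify_zeroed "$1" && ! has_mbr_signature "$1"; then
        echo "$1: all bytes zero, partition table gone"
        return 0
    fi
    echo "$1: NOT fully wiped, do not reuse" >&2
    return 1
}

# Constructed 4 MiB image standing in for a used thumb drive: an MBR boot
# signature in sector 0 and some leftover "case data" in the middle.
make_dirty_image() {
    dd if=/dev/zero of="$1" bs=1M count=4 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
    printf 'evidence-case-42' | dd of="$1" bs=1M seek=2 conv=notrunc 2>/dev/null
}

# Demo (replace the image with /dev/sdX for real media).
IMG=$(mktemp)
make_dirty_image "$IMG"
wipe_and_check "$IMG"
rm -f "$IMG"
```

A clean read-back proves every addressable block is zero; on flash media the controller's wear-levelling can keep retired blocks out of dd's reach, so treat this as a completeness check on the wipe rather than proof that the underlying NAND is clean.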
We can also use parted to create a new disk label and even make a partition on the drive:
$ sudo parted /dev/sdd mklabel msdos
Information: You may need to update /etc/fstab.

$ sudo parted /dev/sdd mkpart primary NTFS 8s 17G
Information: You may need to update /etc/fstab.

$ sudo parted /dev/sdd print
Model: Kingston DataTraveler 2.0 (scsi)
Disk /dev/sdd: 16.0GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number  Start  End     Size    Type     File system  Flags
 1      4096B  16.0GB  16.0GB  primary
First we use "mklabel" to create a new DOS-style partition table in the first sector of the drive (parted also makes GPT labels and even Mac, BSD, and Sun disk labels).
Then we use "mkpart" to create a new "primary" partition with its type set to NTFS, starting at sector 8. That leaves 7 unallocated sectors after the disk label, but starts us out on a nice clean 4K boundary. Notice that I specify the partition end as 17G, slightly larger than the actual drive, just to make sure I consume all of the space on the device; parted will take care of sizing the partition to the physical media. We can confirm our settings with the "print" command.
Notice in the output of the "print" command that the "File system" column is empty. That's because we haven't actually formatted a file system into the partition. I want to make an NTFS partition for sharing data between my Linux box and my clients' Windows systems. On Linux you use the "mkntfs" command for this:
$ sudo mkntfs -Q /dev/sdd1
Cluster size has been automatically set to 4096 bytes.
Creating NTFS volume structures.
mkntfs completed successfully. Have a nice day.
Note that I'm calling "mkntfs" on the partition we created with parted, /dev/sdd1, and not on the entire drive. I'm also using the -Q ("quick") option to tell "mkntfs" not to waste time overwriting the drive with zeroes, since we've already done that. And it's also pleasant that the command wishes us a nice day as it's exiting.
If you're not excited about NTFS, you could just as easily make a FAT or EXT partition on the drive. For these file systems, it's easiest just to use the "mkfs" command. Here's an example of creating an EXT2 file system on our drive:
$ sudo mkfs -t ext2 /dev/sdd1
mke2fs 1.41.9 (22-Aug-2009)
[...]
I've never seen much point in bothering with EXT3 on a thumb drive, but it's just a matter of using "ext3" (or "ext4") instead of "ext2" in the command line shown above.
Making a FAT file system on the drive is only slightly more complicated:
$ sudo mkfs -t vfat -F 32 /dev/sdd1
mkfs.vfat 3.0.3 (18 May 2009)
Notice that for the file system type we specify "vfat" and not just "fat". The -F option lets you specify the FAT type; here I'm making a FAT32 file system.
Of course the partition type recorded in the partition table is still "NTFS", which is what we chose when we made the partition with parted. Unfortunately, parted doesn't seem to be able to change the type of a partition without deleting and re-creating it. Happily, "fdisk" will allow us to change partition types on the fly:
$ sudo fdisk /dev/sdd
[...]

Command (m for help): t
Selected partition 1
Hex code (type L to list codes): 83
Changed system type of partition 1 to 83 (Linux)

Command (m for help): p

Disk /dev/sdd: 16.0 GB, 16049504256 bytes
255 heads, 63 sectors/track, 1951 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x000705e4

   Device Boot      Start         End      Blocks   Id  System
/dev/sdd1               1        1952    15673340   83  Linux

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.
The "t" option can be used to interactively change the partition type. "p" prints the current partition table and "w" writes the modified table to the device and exits "fdisk".
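To confirm what the parted and fdisk steps above actually wrote, here is an added example (not code from the original post) that reads the MBR back from a device or image file and checks two things: that partition 1 starts on a 4K boundary, and that its type id agrees with the file system that was formatted into it, which is exactly the mismatch the fdisk "t" step corrects. The helper names (le_int, part_type, part_start, aligned_4k, fs_in_partition, type_matches_fs, make_image) are mine; the constructed image reproduces the post's situation of an NTFS-typed partition holding an ext2 file system.

```shell
#!/bin/sh
# Added example, not from the original post: read the MBR back from a device
# (or an image file) and check what the parted and fdisk steps set: partition 1
# starts on a 4 KiB boundary and its type id matches the file system inside it.

# Unsigned little-endian integer of $3 bytes at byte offset $2 of device $1.
le_int() {
    hex=""
    for b in $(dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 -v); do
        hex="$b$hex"
    done
    echo $((0x$hex))
}

# MBR entry N (1-4) sits at byte 446 + 16*(N-1): type id at +4, start LBA at +8.
part_type()  { le_int "$1" $((446 + 16 * ($2 - 1) + 4)) 1; }
part_start() { le_int "$1" $((446 + 16 * ($2 - 1) + 8)) 4; }

# 0 if partition N starts on a 4 KiB boundary (the post's "8s" start does).
aligned_4k() { [ $(( $(part_start "$1" "$2") * 512 % 4096 )) -eq 0 ]; }

# Identify the file system from its own signature at the start of the partition:
# NTFS has "NTFS" at offset 3, FAT32 "FAT32" at 82, ext2/3/4 magic 0xEF53 at 1080.
fs_in_partition() {
    base=$(( $(part_start "$1" "$2") * 512 ))
    if   [ "$(dd if="$1" bs=1 skip=$((base + 3)) count=4 2>/dev/null | tr -d '\000')" = NTFS ]; then echo ntfs
    elif [ "$(dd if="$1" bs=1 skip=$((base + 82)) count=5 2>/dev/null | tr -d '\000')" = FAT32 ]; then echo fat32
    elif [ "$(le_int "$1" $((base + 1080)) 2)" -eq 61267 ]; then echo ext
    else echo none; fi
}

# 0 if the type id (7 = HPFS/NTFS, 12 = W95 FAT32 LBA, 131 = Linux, as fdisk
# prints them) agrees with the file system actually formatted into the partition.
type_matches_fs() {
    case "$(part_type "$1" "$2"):$(fs_in_partition "$1" "$2")" in
        7:ntfs|12:fat32|131:ext) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed 1 MiB image: msdos label with partition 1 at sector 8 typed NTFS
# (0x07), as parted made it, but carrying an ext2 magic, as the post's mkfs leaves it.
make_image() {
    dd if=/dev/zero of="$1" bs=1M count=1 2>/dev/null
    printf '\000\000\000\000\007\000\000\000\010\000\000\000\000\010\000\000' |
        dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
    printf '\123\357' | dd of="$1" bs=1 seek=$((8 * 512 + 1080)) conv=notrunc 2>/dev/null
}
```

Run make_image on a temporary file and then type_matches_fs on it to see the mismatch reported; on real media point the same functions at /dev/sdd after the fdisk "w" step and they should agree.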
So there you have it. Almost certainly more than you ever wanted to know about cleaning and formatting drives under Linux. While we were working with a relatively small USB device in this case, all of the commands that you see here apply equally well to all kinds of storage devices of any size you might encounter.
Hal Pomeranz is an Independent IT/Security Consultant, a SANS Institute Faculty Fellow, and a GCFA. He is considering getting a new set of business cards printed that read "Disk Janitor".