In this article I will walk you through the steps you should take in order to securely and effectively wipe all data from your hard drives. By hard drives I mean anything from the internal drive that your operating system runs on (e.g. Windows) to an external HDD or USB thumb drive. If you are looking for a way to only wipe folders and files on your computer whilst keeping the rest of the system intact, then please use Heidi Eraser instead.
This is a fairly in-depth article as I wanted to make sure that you understood how the program works and what other wiping methods and options are available.
Note: Do not use DBAN on your SSD (Solid State Drive) as it is not good for the drive, nor will it work effectively. Instead please use Partition Magic (it’s free) and use the Erase Disk feature. Here is an article that explains how to do this. Partition Magic can also be booted via CD or USB. Also, DBAN is unsupported and often incompatible with RAID hardware, so disable your RAID volumes before using DBAN. When you open DBAN please check F4 for the disclaimer. For those wondering how many hard drives DBAN can be run on at once, the most that has been tested is 100 SCSI hard disks. There are no artificial limits in DBAN, but PCI bus bandwidth is usually the limiting factor in practical application.
The best practice for securing an SSD is to encrypt the whole drive from day one with a program like TrueCrypt, which would render the drive unreadable unless the encryption password is known; the only recoverable data would be the original OS data and any Admin password, if you had created one. In simplest terms, this means that to use TrueCrypt effectively on an SSD, you should first install the OS, then use TrueCrypt’s full-disk encryption (known as System Encryption) and only then start to use the drive. This way any personal information that you add to the disk after it has been encrypted will be encrypted on the fly. Please read this article regarding wear-leveling and how to use TrueCrypt securely on an SSD. If you need Plausible Deniability then do not use TrueCrypt on any device that utilizes wear-leveling. If you would like to use TrueCrypt to secure your data, then please read my article here.
Please be warned though that using DBAN to wipe data from your drive will make data recovery impossible, so please make sure that you have backed up any data you want somewhere else first. Also, make sure that only the drive that you wish to wipe is attached to the computer, as DBAN will attempt to wipe any drive that it finds when run via the autonuke (default) mode. You can of course wipe an external HDD/USB stick using DBAN when attached to a computer without affecting the main drive which contains your OS, which I will explain shortly. How long it takes for DBAN to complete the wiping process depends on the data sanitation method you choose, the size of the hard drive you wish to wipe and the
First you will require a copy of DBAN which can be downloaded here. DBAN is free to use for personal and commercial use.
Next you will need to burn the DBAN.iso to a blank CD/DVD. To do this you can use any CD authoring software like the built-in Windows software or ImgBurn (my personal choice). If you would like to instead create a bootable USB device for DBAN then you can go ahead and download the Universal USB-Installer (direct download link) and follow the instructions here.
Once you have created your bootable CD/DVD/USB containing DBAN you will need to boot to it. This means that you will need to access your BIOS (normally you will press F2 or DEL, but if in doubt check your computer’s manual) to change the boot preferences and make either the CD or USB the first boot device. Please note that older motherboards may not support booting from USB, so please find out first.
Once you have restarted the computer and booted to the CD/DVD/USB you will be presented with the main DBAN window. It may take a short while to get to this window as DBAN has some operations to perform first although this should only take about 5-15 seconds. Please note that DBAN will not work correctly, and may stop mid-wipe or before if the hard drive that you are wiping is defective.
The first thing you will notice is that there are multiple options available to you using DBAN. As we dig deeper into the program you will find that there are various kinds of data sanitation methods you can use, depending on how securely you wish to wipe your drive.
Autonuke (this method will be suitable for most people)
Now if you just want to wipe your drive completely and you are absolutely sure that no other hard drives/CD/DVD/USB/floppy drives are attached to the computer except the drive that you are going to wipe, then you can simply type autonuke at the prompt and hit Enter.
This will automatically start DBAN, seek out any drive that it can find and start to wipe it. The default data sanitization method that the latest version of DBAN (v.2.27) uses is the DoD Short method. This method is good enough to prevent software-based programs from recovering any data on your drive, but it may (although highly unlikely) still be possible for a hardware-based recovery firm to get some data back. The likelihood of the data that could be recovered being usable is very remote and can involve thousands of pounds for a specialist company to attempt a recovery. The default method is perfectly fine for all but the most paranoid users.
So what about the other wiping methods that DBAN has?
Well, DBAN comes with 6 data sanitization methods to choose from, and the one you choose determines how long the wipe will take and how secure it will be. To access the more advanced functions of DBAN, hit Enter and let the program load. It will check for devices as well as gather information on them, but won’t execute a wipe. Once it has finished (15 seconds) you will be presented with a window similar to the one below. Please note that I am running DBAN using VirtualBox for the purposes of this article, so ignore the 500MB ATA disk you can see. I will instead be wiping the SCSI USB stick.
Now as you can see from the screenshot above, DBAN has found 2 drives that it can wipe on my computer. In this article I am wiping my 4GB USB stick, so using the up and down keys I select the drive I wish to wipe. The other one, as I have explained, is the virtual drive used for this article, but if you are running DBAN on your machine and only wish to wipe certain drives, and not the drive that has your OS on, then this is how you can select individual drives. To select a drive or drives, simply use the up/down keys to highlight the drive and hit the Space Bar (or Enter) to select it. Once you do that you will notice that it will add the [WIPE] command to the selected device. (To unselect it, just hit the Space Bar/Enter again.)
Now that you have selected the drive/s that you are going to wipe, let’s take a quick look at the various methods you can use. To find these hit the M key and use the up/down keys to find information on each method. Once you have decided on the wiping method, just use the Space Bar to select it.
This method should be used when you are re-allocating a device internally within your company or just wish to wipe the device before reinstalling an OS. It will only complete one round using the Write Zero sanitation method and therefore has a low security rating. Use this if you are going to re-use the device yourself. If you are concerned that data can be recovered after wiping with this method, then you should instead use one of the other sanitation methods listed below.
RCMP TSSIT OPS-II
This is the advised sanitation method that has been certified by the Royal Canadian Mounted Police department as a secure method of wiping data from a device, although their new standard for wiping data is to use the CSEC ITSG-06 method even though most wiping tools still use the older (and still adept) OPS-II method. The TSSIT stands for the Technical Security Standard for Information Technology. This method is very effective at wiping all traces from a drive rendering recovery impossible using either a software or hardware recovery process. It uses 8 passes in total, with the first 7 passes writing different characters (0 on first pass, 1 on 2nd pass, 0 on third pass, 1 on 4th pass etc) and then on the 8th pass will write a random character and verify the write.
DoD Short uses the same method as the DoD 5220.22-M standard method below, but instead of the full 7 passes it uses 3 passes, consisting of passes 1, 2 & 7 of the standard DoD 5220.22-M sanitation method. Pass 1 – write 0, Pass 2 – write 1, Pass 3 – write random character and verify the write.
As stated above this is the standard method approved by the DoD (US Department of Defence) and uses the full 7 passes, with the final one being a verification of the write as well as writing a random character.
This method used to be the go-to method for the most paranoid of people and was originally created for older drives encoded using MFM/RLL and was designed to flip the bits on the drives, using 35 passes in total. Newer drives are encoded differently, meaning that this method is no longer necessary and is considered pointless by some. The author of this method, Peter Gutmann, has previously stated that for most modern drives, a few passes using random data is the best you can do. Please read this paper for more information regarding his comments (towards the bottom under the Epilogue heading).
The Gutmann Method uses 35 passes consisting of various patterns for MFM/RLL encoded drives, and you can find a detailed description of what is written to the drive by reading this article. ATA IDE and SATA drives that were manufactured after 2001 now support the Secure Erase function (it’s a built-in feature) to completely wipe the device, although the BIOS in many motherboards will have disabled this feature to protect users.
This uses the Mersenne Twister or ISAAC Pseudo-Random Number Generator (PRNG) method and by default will run for one round, although it is advisable to use at least 4 rounds. Using either the Mersenne Twister or ISAAC PRNG methods is good. To select the PRNG method, hit Enter. This will then take you back to the screen that showed you which device you had specified to wipe. To change the PRNG method from Mersenne Twister to ISAAC, hit the P key to see the options. Use the up/down keys to change PRNG and Enter to save the choice. To add additional Rounds (default is just 1 round) hit the R key. Use the Backspace key to delete the default number 1 and type 4 (or however many rounds you wish to run for) and then Enter/Space Bar to save the choice.
Changing from Mersenne Twister to ISAAC
Increasing the amount of rounds (4 is a security level of medium and 8 is considered a high security wipe)
Do you wish to Verify the wipe?
Once you have decided on which data sanitation method to wipe the drive with, you can also verify that the device is empty after the last pass has finished or verify on every pass. Verifying on every pass will add to the amount of time that DBAN takes to complete, so bear that in mind.
The wipe will not be verified and will be a write-only operation
Verify Last Pass (default)
This checks to see whether the device is actually empty after performing the operations, but after the last pass has completed filling the device with zeros.
Verify All Passes
After every pass it will read back the pattern and check to see if it is correct. This will add a lot of hours to the amount of time DBAN takes to finish. If you are using a decent wipe method like the DoD 5220.22-M standard, then use the default choice of Verify Last Pass instead.
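To make the pass sequence and the verification levels concrete, here is an added sketch (not DBAN's code and not from the original article) that runs the three passes described for DoD Short plus the final zero fill against a small file standing in for a drive, and reads passes back according to the chosen verify level. The function names, the block size, the reading of "write 1" as the byte 0xFF and the temp-file image are assumptions made for illustration.

```python
import os
import random
import tempfile

BLOCK = 4096  # bytes per read/write call (arbitrary choice for this sketch)

def source(kind, seed):
    """Return f(n) -> n bytes: a repeated byte, or a seeded Mersenne Twister stream."""
    if kind == "random":
        rng = random.Random(seed)  # Python's random module is a Mersenne Twister
        return lambda n: rng.getrandbits(8 * n).to_bytes(n, "little")
    return lambda n: bytes([kind]) * n

def write_pass(path, size, src):
    with open(path, "r+b") as f:
        for off in range(0, size, BLOCK):
            f.write(src(min(BLOCK, size - off)))
        f.flush()
        os.fsync(f.fileno())  # push the pass to the medium before reading back

def verify_pass(path, size, src):
    """Re-generate the expected stream; return the first bad block offset, or -1."""
    with open(path, "rb") as f:
        for off in range(0, size, BLOCK):
            n = min(BLOCK, size - off)
            if f.read(n) != src(n):
                return off
    return -1

def wipe(path, verify="last"):  # verify: 'off' | 'last' | 'all'; returns passes read back
    size = os.path.getsize(path)
    passes = [0x00, 0xFF, "random", 0x00]  # assumed: "write 1" = 0xFF; last = zero fill
    checked = 0
    for i, kind in enumerate(passes):
        seed = int.from_bytes(os.urandom(16), "little")
        write_pass(path, size, source(kind, seed))
        if verify == "all" or (verify == "last" and i == len(passes) - 1):
            bad = verify_pass(path, size, source(kind, seed))
            if bad != -1:
                raise OSError(f"pass {i + 1}: mismatch in block at offset {bad}")
            checked += 1
    return checked

def make_image(size=10000):
    """Constructed stand-in for a drive: a temp file filled with marker text."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write((b"CONSTRUCTED-SECRET " * size)[:size])
    return path
```

The random pass can be verified without storing what was written because the same seed regenerates the same stream, which is also why "all" costs a full extra read of the device per pass.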
Once you have chosen your Verification method, hit Enter/Space Bar to save the choice, which will return you to the main screen with your device, sanitation method and verification level chosen. When ready hit F10 for DBAN to automatically start. Once DBAN begins, it will give you an ETA of when it will complete, any errors that it has, the wall time (running time) and % done as well as other information. In the example below, I was running it on my other 16GB stick. The longest time that I have had DBAN running on a HDD (1TB) is about 28hrs, although that was probably overkill.
When DBAN finishes it will present you with a success screen as shown below. Ignore the Error in red, this is just where I nuked the Virtual Drive when testing out some of the options earlier. Now just hit any key (e.g. Space Bar) and remove the CD/USB that contained the DBAN program. If you wish to use the disk after wiping with DBAN then you will need to format it again. If you are installing Windows back on to it after having wiped it, then this will be done for you during the initial install process.
As I have said before, this process can take a long time to complete so it is best to run it overnight or on a machine that you won’t need for 4 to 24hrs depending on the size of the HDD and sanitation method chosen. If you are running DBAN on a laptop, make sure that you have the charging cable plugged in as the process may well outlast your battery even if fully charged.
I hope that this has been of help to you in deciding how to go about using DBAN and the various options that are available to you when using the program. I know that it was a bit long compared to some of my other articles, but it is quite an important program and shouldn’t be used lightly if you are concerned about data recovery being made. If you do have any questions, then please ask in the comments below and I will try to answer them for you. I would though advise that you check out the official FAQ over at the DBAN site or search their forums.