Securely Erase A Hard Drive – DBAN May Not Be Sufficient

I have previously reviewed how to securely erase a hard drive using DBAN (Darik’s Boot And Nuke).

It is important to destroy data properly before disposing of a computer by selling it, giving it away or taking it to the dump – formatting a hard drive does not securely erase all files stored on it.

Reinstalling Windows might overwrite a few of the old files (making them unreadable) but with the huge sizes of modern hard drives there is a good chance that many of the old files will not be overwritten – so they could be retrieved later.

Issues With DBAN

While DBAN has been a ‘go to’ product to securely erase hard drives for many years, it does have some drawbacks.

Although it is simple to use and is probably ‘good enough’ for personal use (unless security is paramount), not all parts of the drive are securely erased:

1. HPA (Host Protected Area)

DBAN does not erase the HPA – this is a hidden and protected area of the drive that is not normally accessible i.e. you can’t see it from within Windows.

The HPA has been used by theft recovery services like Computrace (to prevent removal of the tracker by normal erasing utilities) and could be used by rootkits (to avoid detection by antivirus software).

Some vendors also use the HPA to store the original operating system for recovery purposes – instead of providing rescue media.

The reason DBAN gives for ignoring the HPA is that erasing it would prevent future ‘restore to factory settings’ operations – which could come as an unwelcome surprise to a user who planned to restore Windows before selling the computer ;-)

In terms of risk, it’s very unlikely that your personal data could ever have found its way into the HPA area of the drive because it can’t easily be accessed from Windows.

And it doesn’t really matter if the original factory restore data (before you even bought the computer) is left on the drive.

However, there is a very minor risk if rootkits were stored in the HPA – in theory they might have been able to copy some of your data there. Or they could reinfect the computer after reinstalling Windows – not great if you are giving the computer to a friend or charity…

2. DCO (Device Configuration Overlay)

DBAN does not erase the DCO either. This is another hidden and protected area of the drive. Like the HPA, it is not normally accessible to Windows or the user.

In theory, the DCO could be used to make a hard drive look smaller than it is e.g. make a 500GB hard drive appear as a 400GB hard drive to both Windows and the BIOS, thereby creating an area of hidden space in which to store data privately.

Like the HPA, this hidden area could theoretically be used to store data outside of Windows – and outside the scope of standard erasing utilities like DBAN. Again though, it is very unlikely to contain any of your personal data.

3. Remapped (bad) Sectors

DBAN does not erase remapped sectors. These are sectors on a hard drive that can no longer be used by Windows, often because of permanent physical damage to the sector.

Windows programs (e.g. Chkdsk) may find such sectors and mark them as unusable so they are skipped in future. The bad sector is then remapped to a free sector and the unreadable data in the bad sector is ‘lost’ – at least as far as Windows is concerned.

Data in such bad sectors may include your private data. But it is not actually lost – it is simply outside the scope of the Windows file system to read it.

More advanced recovery techniques might be able to recover that data – but it may take expensive forensic recovery to do it.
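A pre-wipe check for the three areas listed above, as an added example that is not part of the original article. It parses output in the style of the Linux tools `hdparm -N`, `hdparm --dco-identify` and `smartctl -A` (tools the article does not mention; the sample text and function names are constructed for illustration) and reports how many sectors lie outside the range an overwrite-only tool can reach.

```python
import re

# Constructed sample outputs in the style of `hdparm -N`, `hdparm --dco-identify`
# and `smartctl -A`; on a real system, capture them from the drive being retired.
HDPARM_N = """/dev/sdb:
 max sectors   = 586070255/586072368, HPA is enabled
"""
DCO_IDENTIFY = """/dev/sdb:
DCO Revision: 0x0001
    Real max sectors: 625142448
"""
SMARTCTL_A = """ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   036    Pre-fail  Always       -       8
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       0
"""

def hpa_hidden(text):
    """Sectors hidden by an HPA: native max minus currently visible max."""
    m = re.search(r"max sectors\s*=\s*(\d+)/(\d+)", text)
    if not m:
        raise ValueError("no 'max sectors' line found")
    visible, native = map(int, m.groups())
    return native - visible

def dco_hidden(dco_text, hpa_text):
    """Sectors hidden by a DCO: real max minus native max (both taken as counts)."""
    real = re.search(r"Real max sectors:\s*(\d+)", dco_text)
    native = re.search(r"max sectors\s*=\s*\d+/(\d+)", hpa_text)
    if not (real and native):
        raise ValueError("missing DCO or native max value")
    return max(0, int(real.group(1)) - int(native.group(1)))

def reallocated(text):
    """Raw value of SMART attribute 5 (sectors the drive has remapped)."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 10 and f[0] == "5":
            return int(f[9])
    return 0

def audit(hpa_text, dco_text, smart_text):
    """Areas (with sector counts) that a visible-range overwrite would not reach."""
    found = {"HPA": hpa_hidden(hpa_text), "DCO": dco_hidden(dco_text, hpa_text),
             "remapped": reallocated(smart_text)}
    return {area: n for area, n in found.items() if n > 0}

if __name__ == "__main__":
    print(audit(HDPARM_N, DCO_IDENTIFY, SMARTCTL_A))
```

A non-empty result means the drive holds sectors that an overwrite of the visible range leaves untouched.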


DBAN Alternative

The following alternatives to DBAN are recommended for advanced users who want the most secure erasing possible – the average user probably doesn’t need to worry too much about the potential risks.

Read all the information/FAQs prior to using.

1. Secure Erase (HDDErase) by CMRR

HDDErase is a free utility that uses the ‘Secure Erase’ feature built into the firmware of all modern hard drives. The Secure Erase feature shreds all data on the hard drive – including HPA, DCO and bad sectors.

The HDDErase utility is available from the Center For Memory And Recording Research (CMRR) here as a zip file (labelled as ‘Freeware Secure Erase Facility’) – unzip it then burn the ISO file to CD/USB drive.

Boot from this CD/USB drive and follow the instructions – see the Tutorial, Readme and Q&A documents on the download page for more details.

Tip: HDDErase is one of the programs included in the Ultimate Boot CD (UBCD) available here.

2. Parted Magic Secure Erase

Parted Magic is a suite of programs that used to be free. It is most commonly run as a live Linux CD, with no installation required.

The suite includes (under the System Tools menu) an Erase Disk program which also uses the hard drive firmware’s Secure Erase feature – like HDDErase above.

The last free version of Parted Magic is available from MajorGeeks here as an ISO file – burn to CD/USB drive. But note that it is a 2013 version and is known to cause problems on certain computers so I can’t recommend it.

The current 2019 version of Parted Magic (which includes the secure erase program) from the official website here costs $11. But as HDDErase is free, I can’t recommend buying Parted Magic for this purpose.

It only makes sense if you want to use the other features of the Parted Magic suite as well, not just for securely erasing a hard drive.

Note: both of these alternatives to DBAN use the drive firmware’s Secure Erase feature. This is a low-level technique – there is a slight possibility of a BIOS conflict or an error within the firmware itself, which might result in the drive becoming totally unusable (even more advanced techniques may be required to fix it).

While that risk may be acceptable if you are throwing the computer away anyway, it may not be so welcome if you planned to reinstall Windows afterwards…

Conclusion

For most home users, DBAN is still a low risk, simple and effective tool to securely erase data on a hard drive.

While it doesn’t erase hidden areas and bad sectors, the risks of personal data leakage there are relatively low – and powerful forensic techniques may be required to recover any such data.

However, if you are a business, or a touch paranoid about law-enforcement-quality methods of recovery, then you may have more to worry about – use a DBAN alternative such as Secure Erase by CMRR instead and (ideally) physically destroy the drive afterwards.

5 thoughts on “Securely Erase A Hard Drive – DBAN May Not Be Sufficient”

  1. DBAN runs from a bootable Linux kernel, so it will not care about any partitions created by Windows, even hidden ones.
    It wipes the entire drive.

    I have been using it for years on home computers, and never once has anything been lifted from them.

    If you have a bad hard drive or bad sectors, then removing and physically destroying the drive will keep anyone from messing with it.

    • @Bob – the first 2 areas mentioned in the article are not Windows partitions, they’re special (hidden) areas built into drives at manufacture.

      DBAN does not wipe them so, technically, it doesn’t actually wipe the entire drive. But, as stated, the risk is low – DBAN should still be sufficient for most users and is a nice easy program to use.

      Of course physical destruction is the safest way – and can be more satisfying ;-)

  2. Another option for comprehensive disk wiping is WipeDrive. It is the only software that has a NIAP EAL 4+ Certification and wipes HPAs, DCOs and remapped sectors. It’s used by the Department of Defense.

    • @Sam – thanks for the info, I haven’t used WipeDrive but the listed awards and certs do look good.

      At $20 though it is probably more suited to major corporations – home users without mission critical data should be ok with free utilities (and preferably destroy the drive for good measure).
