Securely Erase A Hard Drive – DBAN May Not Be Sufficient

Last year I reviewed how to securely erase a hard drive using DBAN (Darik’s Boot And Nuke).

It is important to destroy data properly before disposing of a computer by selling it, giving it away or taking it to the dump – formatting a hard drive does not securely erase all files stored on it.

Reinstalling Windows might overwrite a few of the old files (making them unreadable) but with the huge sizes of modern hard drives there is a good chance that many of the old files will not be overwritten – so they could be retrieved later.

Whilst DBAN has been a ‘go to’ product to securely erase hard drives for many years, it does have some drawbacks – although it is simple to use and may be ‘good enough’ for personal use (unless security is paramount), DBAN does have weaknesses – not all parts of the drive are securely erased:

1. HPA (Host Protected Area) – DBAN does not erase the HPA – this is a hidden and protected area of the drive that is not normally accessible i.e. you can’t see it from within Windows. The HPA has been used by theft recovery services like Computrace (to prevent removal of the tracker by normal erasing utilities) and could be used by rootkits (to avoid detection by antivirus software).

Some vendors also use the HPA to store the original operating system for recovery purposes – instead of providing rescue media. Risk – Low

The reason DBAN gives for ignoring the HPA is that erasing it would prevent future ‘restore to factory settings’ operations – which could come as an unwelcome surprise to a user who planned to restore Windows before selling the computer…

In terns of risk, it is very unlikely that your personal data could have found its way into the HPA because it can’t easily be accessed from Windows. It doesn’t really matter if the original factory restore data (before you even bought the computer) is left on the drive…

However, there is a risk if rootkits were stored in the HPA which, in theory, might be able to copy some of your data there and/or reinfect the computer after reinstalling Windows.

2. DCO (Device Configuration Overlay) – DBAN does not erase the DCO either. This is another hidden and protected area of the drive. Like the HPA it is not normally accessible to Windows or the user.

In theory, the DCO could be used to make a hard drive look smaller than it is e.g. make a 160GB hard drive appear as a 120GB hard drive to both Windows and the BIOS, thereby creating an area of hidden space in which to store data privately. Risk – Low

Like the HPA, this hidden area could be used to store data outside of Windows – and outside the scope of standard erasing utilities. Again though, it is unlikely to be any of your personal data.

3. Remapped (bad) Sectors – DBAN does not erase bad sectors. These are sectors on a hard drive that can no longer be used, often because of permanent damage.

Windows programs (e.g. Chkdsk) may find such sectors and mark them as unusable so they are skipped in future. The bad sector is remapped to a free sector and the unreadable data in the bad sector is ‘lost’. Risk – medium.

Data in such bad sectors may well include your private data. It is not actually lost – it is simply outside the scope of the Windows file system to read it. More advanced recovery techniques may be able to recover that data – but it could take expensive forensic recovery to do it.

hard drive

A hard drive – uncovered

Better Alternatives To DBAN?

The following alternatives are recommended for advanced users who want the most secure erasing possible. Read all the information/FAQs prior to using.

1. HDDEraseWeb

HDDEraseWeb is a free utility that uses the ‘Secure Erase’ feature built into the firmware of all modern hard drives.

The Secure Erase feature shreds all data on the hard drive – including HPA, DCO and bad sectors.

The HDDEraseWeb utility is available from CMRR here as a zip file (labelled as ‘Freeware Secure Erase Facility’) – unzip it then burn the ISO file to CD/USB drive.

Boot from this CD/USB drive and follow the instructions – see the Readme and Q&A documents on the download page for more details.

Tip: HDDErase is one of the programs included in the Ultimate Boot CD (UBCD) available here.

2. Parted Magic

Parted Magic used to be a free suite of programs and is most commonly used as a live Linux CD, no install required.

The suite includes (under the System Tools menu) an Erase Disk program which also uses the hard drive firmware’s Secure Erase feature – like HDDEraseWeb above.

The last free version of Parted Magic is available from MajorGeeks here as an ISO file – burn to CD/USB drive. The current version from the official site here costs $9.

Warning – Both these alternatives to DBAN use the drive firmware’s Secure Erase feature. This is a low level technique – there is a possibility of a conflicting BIOS or an error within the firmware itself which might result in a drive becoming totally unusable (even more advanced techniques may be required to fix).

Whilst that may be acceptable if you are throwing the computer away, it may not be so welcome if you planned to reinstall Windows afterwards…


For most home users, DBAN is still a simple and effective tool to securely erase data on a hard drive. Whilst it doesn’t erase hidden areas and bad sectors, the risks of personal data leakage there are relatively low – and powerful forensic techniques may be required to recover any such data.

However, if you are a business or a touch paranoid about law enforcement-quality types of recovery, then you do have more to worry about – use one of the alternative methods and (ideally) physically destroy the drive afterwards.

Share this:

5 Responses to: "Securely Erase A Hard Drive – DBAN May Not Be Sufficient"

  1. Bob says:

    DBAN runs from a bootable Linux kernel, so it will not care about any partitions created by Windows, even hidden ones.
    It wipes the entire drive.

    I have been using it for years on home computers, and never once has anything been lifted from them.

    If you have a bad hard drive or bad sectors, then removing and physically destroying the drive will keep anyone from messing with it.

    • Roy says:

      @Bob – the first 2 areas mentioned in the article are not Windows partitions, they’re special (hidden) areas built into drives at manufacture.

      DBAN does not wipe them so, technically, it doesn’t actually wipe the entire drive. But, as stated, the risk is low – DBAN should still be sufficient for most users and is a nice easy program to use.

      Of course physical destruction is the safest way – and can be more satisfying ;-)

  2. Sam says:

    Another option for comprehensive disk wiping is WipeDrive. It is the only software that has a NIAP EAL 4+ Certification and wipes HPAs, DCOs and remapped sectors. It’s used by the Department of Defense.

    • Roy says:

      @Sam – thanks for the info, I haven’t used WipeDrive but the listed awards and certs do look good.

      At $20 though it is probably more suited to major corporations – home users without mission critical data should be ok with free utilities (and preferably destroy the drive for good measure)

  3. govindswamy says: