This is a method to erase data from a hard disk.
The DoD 5220.22-M (U.S. Department of Defense) method
This method writes 0, 1, and random numbers over the entire HDD, for a total of three write passes.
This is the original version of DoD 5220.22-M; a different guideline has since been created.
History
In , the first version was issued. This version specified a procedure to overwrite data on a hard disk drive (HDD) with zero and one patterns three times. This became known as the DoD 5220.22-M sanitization method.
In , the Department of Defense designated the DoD 5220.22-M ECE sanitization method as an extension of DoD 5220.22-M. This method required seven overwrite passes.
In , the latest version of DoD 5220.22-M was issued. In this version, the overwrite pattern was no longer specified as a data erasure method for HDDs. Instead, other sanitization methods such as erasure, degaussing, and physical destruction were recommended.
In , DoD 5220.22-M was revised. In this version, the sanitization method guidelines were updated to accommodate new technologies such as flash-based storage and mobile devices.
In , the Department of Defense stopped referring to DoD 5220.22-M and instead complied with the media sanitization guidelines of the National Institute of Standards and Technology (NIST SP 800-88).
Commands
In Linux, you can use the dd command to erase data.
Write 0
dd if=/dev/zero of=/dev/sdb bs=4096
dd is a command to copy data. if=/dev/zero specifies /dev/zero as the input file; /dev/zero is a special file that outputs zeros indefinitely. of=/dev/sdb specifies /dev/sdb as the output file; /dev/sdb is a device file for a hard disk, USB memory stick, etc. bs=4096 specifies 4096 bytes as the block size, which is the unit of data read and written at a time.
This command copies zeros from /dev/zero to /dev/sdb in 4096-byte blocks, overwriting and erasing the data on /dev/sdb.
Confirm
Check the beginning of the disk
dd if=/dev/sdb bs=512 count=1 | hexdump -C
Displays the first 512 bytes of a device such as a hard disk or USB memory stick in hexadecimal.
dd is a command to copy data. if=/dev/sdb specifies /dev/sdb as the input file. bs=512 specifies 512 bytes as the block size. count=1 specifies 1 as the number of blocks to read, so only the first 512 bytes are read. hexdump -C is a command to display the data received through the pipe in hexadecimal and ASCII; -C is the option that shows the hexadecimal and ASCII columns side by side.
From this result, you can see that the beginning of the hard disk is filled with zeros.
If you add of=output.bin or similar as a parameter of the dd command, you can write the first 512 bytes to the output.bin file.
Check the end of the disk
dd if=/dev/sdb bs=512 skip=$(($(blockdev --getsz /dev/sdb) - 1)) | hexdump -C
Displays the last 512 bytes of a device such as a hard disk or USB memory stick in hexadecimal. This command passes the total number of sectors of the hard disk minus 1 to skip and reads only the last block.
As mentioned earlier, dd is a command to copy data. if=/dev/sdb specifies /dev/sdb as the input file. bs=512 specifies 512 bytes as the block size. skip=$(($(blockdev --getsz /dev/sdb) - 1)) specifies the number of blocks to skip: blockdev --getsz /dev/sdb is a command that gets the total number of sectors of the hard disk, $(...) substitutes that command's output, and $((...)) is the notation for arithmetic operations.
Write 1
tr '\0' '\377' < /dev/zero > /dev/sdb
tr is a command that converts characters. '\0' and '\377' convert the input characters from \0 (0 in octal) to \377 (255 in octal). This turns 0 bits into 1 bits: octal 377 = ((3 x 8) + 7) x 8 + 7 = 255. < /dev/zero specifies /dev/zero as the standard input source. > /dev/sdb specifies /dev/sdb as the standard output destination.
This command reads zeros from /dev/zero, converts them to ones with tr, and writes them to /dev/sdb. By writing continuously, the data on /dev/sdb is overwritten and erased.
Confirm
I checked it just like when I wrote 0.
Check the beginning of the disk
dd if=/dev/sdb bs=512 count=1 | hexdump -C
Check the end of the disk
dd if=/dev/sdb bs=512 skip=$(($(blockdev --getsz /dev/sdb) - 1)) | hexdump -C
Write random numbers
dd if=/dev/urandom of=/dev/sdb bs=4096
Reads random data from the device /dev/urandom and writes it to /dev/sdb.
Using /dev/urandom takes longer than using /dev/zero, simply because generating random numbers takes time. /dev/urandom generates random numbers from environmental noise (device-related conditions such as mouse and keyboard activity).
Confirm
I checked it just like when I wrote 0.
Check the beginning of the disk
dd if=/dev/sdb bs=512 count=1 | hexdump -C
Check the end of the disk
dd if=/dev/sdb bs=512 skip=$(($(blockdev --getsz /dev/sdb) - 1)) | hexdump -C
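As an added example (not code from the original post), here is the whole three-pass procedure above, zeros, then ones, then random bytes, together with the first-sector and last-sector checks, as a shell script that runs against a constructed image file instead of a real disk. The image path, the sector count, and the function names are assumptions. On a real block device the target would be /dev/sdb and dd stops by itself at the end of the device, so no count= is needed there; a regular file has no such end, which is why each pass below first measures the file in sectors.

```shell
#!/bin/sh
# Added example, not code from the original post. Runs the three overwrite
# passes (zeros, ones, random) and the first/last-sector checks against a
# constructed image file. Paths, sizes and function names are assumptions;
# on a real disk the target would be a device file such as /dev/sdb.

SECTOR=512

# make_image PATH SECTORS: constructed target filled with a recognisable
# 16-byte text pattern so the passes can be seen to remove it.
make_image() {
    awk -v n="$2" 'BEGIN { for (i = 0; i < n * 512 / 16; i++) printf "SECRET DATA 1234" }' > "$1"
}

# size_in_sectors PATH: file equivalent of `blockdev --getsz`, which reports
# a block device's size in 512-byte sectors.
size_in_sectors() {
    echo $(( $(wc -c < "$1") / SECTOR ))
}

# Pass 1: zeros, like `dd if=/dev/zero of=/dev/sdb bs=4096` on a real disk.
# conv=notrunc keeps the image file at its original size.
pass_zero() {
    n=$(size_in_sectors "$1")
    dd if=/dev/zero of="$1" bs=$SECTOR count="$n" conv=notrunc 2>/dev/null
}

# Pass 2: ones, like `tr '\0' '\377' < /dev/zero > /dev/sdb`. The size is
# measured before the pipeline because `> "$1"` truncates the file first.
pass_one() {
    n=$(size_in_sectors "$1")
    dd if=/dev/zero bs=$SECTOR count="$n" 2>/dev/null | tr '\0' '\377' > "$1"
}

# Pass 3: random bytes, like `dd if=/dev/urandom of=/dev/sdb bs=4096`.
pass_random() {
    n=$(size_in_sectors "$1")
    dd if=/dev/urandom of="$1" bs=$SECTOR count="$n" conv=notrunc 2>/dev/null
}

# sector_fill PATH INDEX: the post's one-sector dd read, reduced to a verdict.
# Prints the repeated byte in hex ("00", "ff") when the sector is uniform,
# "mixed" when it is not, "empty" when INDEX is past the end.
sector_fill() {
    bytes=$(dd if="$1" bs=$SECTOR skip="$2" count=1 2>/dev/null \
            | od -An -tx1 -v | tr -s ' ' '\n' | grep -v '^$' | sort -u)
    if [ -z "$bytes" ]; then
        echo empty
    elif [ "$(printf '%s\n' "$bytes" | wc -l | tr -d ' ')" -eq 1 ]; then
        echo "$bytes"
    else
        echo mixed
    fi
}

# last_sector PATH: the skip=$((sectors - 1)) idiom from the post.
last_sector() {
    sector_fill "$1" $(( $(size_in_sectors "$1") - 1 ))
}

# demo: run all three passes on a 64-sector image and report each check.
demo() {
    img=$(mktemp)
    make_image "$img" 64
    echo "before: first=$(sector_fill "$img" 0) last=$(last_sector "$img")"
    pass_zero "$img"
    echo "zeros:  first=$(sector_fill "$img" 0) last=$(last_sector "$img")"
    pass_one "$img"
    echo "ones:   first=$(sector_fill "$img" 0) last=$(last_sector "$img")"
    pass_random "$img"
    echo "random: first=$(sector_fill "$img" 0) last=$(last_sector "$img")"
    rm -f "$img"
}

demo
```

sector_fill checks the same two sectors the post inspects with hexdump -C, but turns the dump into a value a script can test, which is what you want when verifying a wipe over many devices rather than reading hex by eye. The random pass is expected to report "mixed" at both ends: a uniform 512-byte sector from /dev/urandom is practically impossible, so that is the sign the pass actually ran.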