Date: Fri, 29 Mar 2024 01:56:14 +0000 (UTC)
Message-ID: <1144833498.8406.1711677374068@support.blancco.com>
Subject: Exported From Confluence
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="----=_Part_8405_807702285.1711677374068"
------=_Part_8405_807702285.1711677374068
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Content-Location: file:///C:/exported.html
Created date |
Updated date |
Affects version |
Fix version |
|
|
|
|
In some occasions, a verification of a drive using Blancco Drive=
Verifier or via a hex/disk editor (for example the Blancco Drive Eraser He=
x Viewer), after a successful erasure, shows that there are unexpect=
ed patterns on the drive. For example a non-zero pattern or random data. Th=
ere can be several reasons for that:
- Some erasure standards include ap=
eriodic random or periodic/pseudo-random overwriting steps that write rando=
m data throughout the whole drive. Some standards include firmware based er=
asure steps and the execution and result of those steps depend purely on dr=
ive firmware. Some drives write a non-zero pattern or non-periodic (random)=
data during firmware-based erasure.
- Check the used erasure standard f=
rom the erasure report.
- See the list of erasure standards=
and the execution steps from the Drive Eraser user manual.
- For example, Seagate ST1000LM035-=
1RK172 1TB SATA HDD is known to write a repeating '33 CC 55 AA' pattern wit=
h NIST 800-88 Purge standard. The erasure method calls a NIST specified fir=
mware erasure command which triggers the special pattern. The execution of =
the firmware based erasure command is out of software's control and it depe=
nds on how the drive firmware works.
- Check if the erasure process has =
written a Fingerprint onto the drive. The Fingerprint is a summary of the e=
rasure report that is written in one of the sectors (sector 200 by default)=
of the drive.
- To check if you had this feature =
on, you can load the image (used for the erasure) in Blancco Drive Eraser C=
onfiguration Tool and check if the setting in question is enabled or not.=
span>
- By default, the Fingerprint is wr=
itten on sector 200, and it contains following data separated by spaces and=
semicolons:
- Blancco software license owner / =
customer name
- Date & time of wipe finish (y=
yyy-mm-dd hh:mm)
- Blancco software version=
li>
- Hard drive serial number=
li>
- Erasure status (Erased, Erased wi=
th exceptions or Not Erased)
- Unique report ID
- Digital signature
- For more information about the Fi=
ngerprint*, see the Drive Eraser user manual.
- Check if the erasure process has =
written a Bootable Asset Report onto the drive. The Bootable Asset Report i=
s a short asset report visible as a splash screen when the machine is =
rebooted.
- The Bootable Asset Report informa=
tion is typically written on sectors 0 and 2-53 or 2-130 of the drive, depe=
nding on the size of the report information.
- Sector 0 (MBR) contains the parti=
tion table information and Blancco's "tool" to read the Asset Report image =
file when the computer starts.
- Sectors 2-130 contain the image f=
ile for the Bootable Asset Report. This image file data typically looks "ra=
ndom".
- To check if you had this feature =
on, you can either boot the machine/drive without any CD/USB/PXE (the Boota=
ble Asset Report should be displayed) or load the image (used for the erasu=
re) in Blancco Drive Eraser Configuration Tool and check if the setting in =
question is enabled or not
- For more information about the Bo=
otable Asset Report*, see the Drive Eraser user manual.
- Check if the erasure process has formatted the erased drive. Blancco=
Drive Eraser can be configured to format a drive, after erasing it, w=
ith the exFAT, FAT32 or NTFS file systems. Formatting a drive leaves some d=
ata in some sectors, and this data can fail a subsequent verification.
- In server environments, some RAID=
controllers write metadata onto the drive after the erasure has complete. =
This can also cause verification failures (more info=
rmation in this article).
- Check if the erasure has (or has =
not) erased the remapped sectors and/or the hidden areas of the drive. If t=
hese sectors have not been erased, some tools may find some data there.
- Check the erasure report for more=
information.
- Check if the erasure has been a f=
ull erasure or a partial one. Partial erasures are possible in case the sof=
tware is configured to automatically preserve Windows recovery partitions o=
r in case the user has erased individual drive partitions only. Check the e=
rasure report for more information, a partial erasure is accompanied with a=
disclaimer.
- Some 3rd party software used to a=
udit erased drives (or attempt to recover data from them) can write data in=
it during its validation process, especially if such tools restore the fil=
e system (e.g. NTFS) of the drive (via formatting). If such tools are=
used for erasure validation or recovery, please be aware of the data that =
can be left.
If you are still unsure about the =
erasure result, please contact the Technical Support team=
. Make sure that you include, at least, the erasure report in XML format an=
d detailed information description of the case (issue report is also helpful/necessary =
;in many cases).
* Note: Whenever Blancco Dr=
ive Eraser writes this information, it does it on a drive that has been era=
sed and that does not contain any data anymore. When data is written in a d=
rive, it cannot be written in small amounts: the minimum amount that is wri=
tten is a sector of the drive (usually 512 or 4096 bytes). Then, the drive =
(especially SSDs) can put this information within a page (usually 16KB or 6=
4KB in size i.e. several sectors) which is the one written in the end. So, =
when Blancco Drive Eraser writes a Bootable Asset Report or a Fingerprint i=
n a drive, many adjacent sectors can also be written during the operation: =
internally, the drive has to fill those sectors with something (e.g. the pa=
ttern 0xB5). Therefore it should not be a surprise if some sectors contiguo=
us to the Bootable Asset Report or a Fingerprint sector(s) contain some une=
xpected patterns (patterns that depend entirely on the drive controller). I=
n order to check how the drive behaves, run a Blancco Drive Eraser erasure =
with the Bootable Asset Report or the Fingerprint enabled and check the pat=
terns of the adjacent sectors. Then, run a new erasure with the Bootable As=
set Report and the Fingerprint disabled: those adjacent sectors should cont=
ain this time the patterns corresponding to your chosen erasure standard.=
span>
------=_Part_8405_807702285.1711677374068--