This is an old revision of the document!



Building a dedicated computer for wiping hard drives is not as complicated or expensive as you might imagine, thanks to the free software Darik's Boot And Nuke. With a minimal amount of hardware, you can build a machine dedicated to wiping both SATA and PATA hard drives.

This article is intended for people who have a need to wipe a lot of hard drives, or just have a spare system lying around they don’t know what to do with. If you need audit-ready reporting for regulatory compliance, or SSD support, then you might want to check out Blancco software (they also make the free DBAN software).

You might wonder “why build a dedicated machine when you can just pop a DVD into each machine and wipe the machine that way?” Several reasons:
• Donated machines don't always function, so you might have to pull the hard drive and erase it outside of the donated machine.
• Having 6 machines wiping hard drives takes up a lot more energy than using 1 machine to wipe 6 drives.
• You develop a good workflow of removing and testing drives.
• It gives volunteers (if you’re a refurbishing project) another task they can do without needing to know all the details of building a machine.


Materials you'll need

The materials you'll need will vary depending on what you have available, whether you're doing this solo or have volunteers helping you, and how multi-purpose you want to make your machine. This list is by no means exhaustive, but I'm including a bit more than you need to start with:
• a motherboard with SATA and PATA headers (you can use one with just SATA or PATA, but having both onboard simplifies things).
• PCI/PCIe SATA/PATA expansion card (optional; if you want to add more SATA/PATA headers, you can get cards with more connectors than the card linked to here, which was a cheap card).
• a good power supply unit (500W or better recommended).
• a SCSI controller card if you want to wipe older 50/68 pin SCSI drives (optional).
• DBAN (Darik's Boot and Nuke).
• SATA data cables.
• PATA data cables (finding one in a store might be tough, but you can find lots of old machines with them).
• Molex to SATA Y power cable (optional, for expansion if you have an older power supply).
• DVD-ROM drive (to boot DBAN from).
• Docking module for IDE (optional).


You can put DBAN on a multi-boot USB key, but since USB keys tend to be writeable, you risk overwriting your USB key when you run DBAN. Using a CD/DVD to boot DBAN eliminates the potential of overwriting your media. If you want to get really fancy, you can set up a server and PXE boot (network boot) DBAN, but this is beyond the scope of this article. The idea here is to get you started as fast as possible.

Steps
• Build your drive wiping machine (hardware side).
• Burn the DBAN ISO to a CD/DVD.
• Set your DBAN machine BIOS to boot from CD/DVD first.
• Connect your drives and run DBAN.

Build your drive-wiping machine (hardware side)

We started our build with an MSI 945GZM3 (MS-7267) motherboard. This motherboard was one of many motherboards sitting around the shop which we had fixed capacitors for. We picked this motherboard for a few reasons:
• It supported a dual core processor.
• It used DDR2 RAM.
• It had 4 SATA headers on the motherboard and 1 PATA header (which we didn't use).
• It already had a dual-core processor and heatsink+fan installed.
• It had easy to read headers on the front panel.


We had motherboards that supported more PCI slots, which are handy if you want to use a lot of PCI controller cards for more IDE/SATA ports, but in our experience we usually don't DBAN more than 6 hard drives at once (both because of power and because, if one drive is bad, the rest slow down too). We had a couple of 1GB DDR2 RAM sticks around, which we put into the 2 RAM slots.

The case we chose was an empty non-branded mid-tower ATX silver case. We used zip ties to hide the front panel sound and USB connectors behind the ridge of the case because we don't use the front ports in our DBAN machine. Our power supply's motherboard Molex connectors were so short that we had to use a zip tie to keep them from falling into the CPU fan. Two Molex Y to SATA power connectors were used to provide extra SATA power headers.

Then we added all the SATA cables and a SATA controller card plus two more SATA cables for a total of 6 SATA data ports. If you have more controller cards, you can add more cables, but remember you're going to have to power all those hard drives! According to Superuser.com, each hard drive uses approximately 25 watts.

Because we've been around a while, we have lots of other controller cards and useful adapters. We added a PCI IDE controller card for an extra 2 cables (4 IDE drives). As a rule, we don't DBAN PATA and SATA together; doing so tends to create issues.


On the first DBAN machine we ever built, we used docking modules, but we found that over time, even with training, the modules would get misplaced or ruined. Some docking modules had to be locked for a drive to be recognized (we got around this by soldering the two wires leading to the locking mechanism together so they were always locked), but perhaps the most annoying problem was that it just took too much time to put the drives in the docks. If a PATA drive wasn’t jumpered correctly, we’d have to pull it out of the dock and reinsert it. Drives hanging out the side of the machine aren’t pretty, but it’s simple for volunteers to connect and disconnect drives.

Burn the DBAN ISO to a CD/DVD

When you download DBAN, you get DBAN in an ISO format. You won't be able to just copy the file to a DVD; you need special software like Nero (Windows), K3B (Linux), or Brasero (Linux) to burn the ISO to CD/DVD. Nero, K3B and Brasero know how to handle ISO files so they get properly unpacked to the CD/DVD. DBAN is small, so it can easily fit on a CD.


Set your DBAN machine BIOS to boot from CD/DVD first

Setting your machine to boot from CD/DVD first might seem like a simple task, and if you’re used to a particular machine, it is. But there are a lot of motherboards out there and manufacturers often do things differently from one another. Just getting into the BIOS can be tricky, especially if the computer is fast and the manufacturer has chosen to display a splash screen instead of the hotkeys for booting to another device or entering the BIOS. In general:
• Dell tends to use F2, Del, or Enter,
• IBM tends to use F1 or Enter,
• HP/Compaq tend to use F10,
• Just about everyone else uses the Del key.

Hitting the right key before the operating system loads is… key.

Once you’re in the BIOS, most systems just let you change the boot order to make CD/DVD the first device. A few BIOSes also require that you set another setting in another spot (which can vary) to enable booting from devices other than the hard drive. If you’ve set your system to boot from CD/DVD first, and it isn’t booting, check first to see that the BIOS recognizes the drive, then look through some of your other BIOS menus to make sure there isn’t another option you need to set to boot from CD/DVD. These special cases are most often on business-class systems where manufacturers recognize that system administrators don’t want just anyone rebooting the machines with a CD/DVD/USB key in them.


If you can boot to your DBAN CD/DVD, you’re set. If not, check the DVD. If you see only the ISO file on the DVD, it hasn’t been burned correctly; re-burn with K3b or Brasero. The DVD should contain many files.

Connect your drives and run DBAN

Serial ATA drives are straightforward: 1 SATA hard drive per cable. PATA or IDE drives are a bit more complicated because you can have more than one drive on a cable and the drives need to be “jumpered” correctly. With 2 drives on a cable you have 2 options: Master/Slave or both drives set to Cable Select. We found the simplest method that worked when training new volunteers was just to instruct them to set all hard drives to cable select, and let the cable determine which was master and slave. Again, for SATA drives this isn’t an issue.

Darik’s Boot And Nuke has several options for wiping. If you simply want to wipe all the drives attached using a standard 3-pass solution, type: autonuke. The F3 key displays other methods of wiping including dod (Department of Defence 5220.22-M), dodshort (the default method, 3 passes), ops2 (RCMP TSSIT OPS-II method, 8 passes), gutmann (35 passes), prng (PRNG stream), or quick (1 pass).


In our region of Ontario, Canada, our refurbishing certification body, the Ontario Electronic Stewardship, mandates that drives we wipe for reuse be wiped with at least the dodshort (3-pass DoD 5220.22-M) method. Some donors may request a stronger method. At least a couple of donors have asked us to use the ops2 (8-pass method) on donated drives. If you’re an individual or small organization repairing computers, you may want to consider using a quick method if you’re just wiping malware in addition to the OS off a drive. One pass is much shorter than three.

The amount of time DBAN takes to wipe a drive depends on the method chosen, the size of the hard drive, and whether the drive contains any bad sectors or other errors. Drives with bad sectors can take a lot longer to wipe. A 1TB hard drive took us several days to wipe using the ops2 (RCMP 8-pass wipe). A 3-pass wipe on the 1TB took us a full 8-hour shift. If you’re dealing with a lot of large drives, you may want to check to make sure they don’t have bad sectors first.

To determine whether a drive has bad sectors or not, you can use a manufacturer’s tool like Seagate’s SeaTools, or an open source solution like gsmartcontrol. We prefer using open source tools – both for licensing reasons and because they tend to be simple to set up on our PXE boot server. Any Ubuntu DVD/USB key can be used to test drives with gsmartcontrol, but you’ll have to install gsmartcontrol in the live environment:

  sudo apt-get install gsmartcontrol


When gsmartcontrol loads, all drives attached will be displayed (including DVD drives). To see the SMART information about any drive, double-click on the hard drive. A new window opens with 6 tabs: Identity, Attributes, Capabilities, Error Log, Self-test Logs, and Perform Tests.

Click the Perform Tests tab to run a test on a drive. You can perform 3 different tests:
• a Short Self-test (one-minute to two-minute test) designed to show most errors without running a complete surface scan,
• an Extended Self-Test (86 minutes+) which runs a complete surface scan and runs different routines built into the drive,
• a Conveyance Self-test (approximately 2 minutes) designed to indicate if there was any damage during transportation of a hard drive.

The short test isn’t comprehensive, but it’s usually the best test to run to determine if the drive has any serious errors. All of the tests write to the Self-test Logs tab once the test is complete. Any errors show in the Error Log and Attributes tab.

If an error appears, it’s important to read the complete text of the error on the Attributes tab. If you hover over an attribute in pink/red, a text pop-up appears explaining the error. It might take some sleuthing to determine how serious the error is. Generally, any errors in red are serious failures. Pink attributes: you’ll probably want to get more information about these to determine whether they’re serious or not. Some attributes are quite handy to look at when building systems (Airflow Temperature for example).


Our project’s process is to run the short test. If a drive fails the short test, it’s physically destroyed. If it passes the short test but displays errors, we examine the errors to determine if the errors are non-serious (e.g. the computer was shut down improperly and didn’t completely write to the drive) or serious. Depending on the size of the hard drive, we might perform an extended test (on a 500GB-1TB we might run a longer test if we’re not sure the drive has a more serious issue).

When wiping hard drives, it’s normally a good idea to try to wipe drives that are the same size to keep the wiping time down. An 80GB hard drive will wipe much faster than a 500GB hard drive.

Successfully wiped drives show SUCCESS both on the wiping screen (while a larger/slower drive is still wiping), and on the completed screen (when all drives finish). Drive model and serial numbers are displayed on both screens, so, if a drive fails, it’s easy to determine which drive has failed provided you can read the serial number and model on the drive’s physical label. In the screenshot, the first drive is a Seagate (we know from the ST380815AS model number) hard drive with a serial number of 6RA2G57W.

For particular donors, I normally create a spreadsheet with the drive model, size, serial number, and method used to wipe the drive, along with our project’s information and my name and signature to state that I’ve been present to see the drives wiped.
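The short-test triage described above can also be scripted for a bench full of drives. This is an added example, not code from the article or from the project: it assumes the text printed by smartctl (the smartmontools command-line tool that gsmartcontrol is a front end for) when run as `smartctl -l error -l selftest /dev/sdX`, and it treats only the ATA error log as "displays errors". The sample reports and the action names are constructed.

```python
import re

# One row of the self-test log; row "# 1" is the most recent test.
ROW = re.compile(
    r"^#\s*\d+\s+(?P<kind>Short|Extended|Conveyance) offline\s+"
    r"(?P<status>.+?)\s+\d+%\s+\d+\s+\S+\s*$", re.M)
ERRORS = re.compile(r"^ATA Error Count:\s*(\d+)", re.M)

def triage(report: str) -> str:
    """Map one drive's smartctl text to the next step in the process."""
    short = [m for m in ROW.finditer(report) if m["kind"] == "Short"]
    if not short:
        return "retest"            # no short test on record yet
    status = short[0]["status"]    # newest short test decides
    if status.startswith("Completed:"):
        return "destroy"           # e.g. "Completed: read failure"
    if status != "Completed without error":
        return "retest"            # aborted or interrupted: no verdict
    logged = ERRORS.search(report)
    if logged and int(logged[1]) > 0:
        return "review-errors"     # passed, but the error log is not empty
    return "wipe"

# Constructed reports (assumption: modelled on smartctl's text output).
SAMPLES = {
    "clean": "No Errors Logged\n"
        "# 1  Short offline       Completed without error       00%      9120         -\n",
    "unclean-shutdowns": "ATA Error Count: 3\n"
        "# 1  Short offline       Completed without error       00%      4410         -\n",
    "failing": "No Errors Logged\n"
        "# 1  Short offline       Completed: read failure       90%      9130         152340112\n"
        "# 2  Short offline       Completed without error       00%      9000         -\n",
    "aborted": "No Errors Logged\n"
        "# 1  Short offline       Aborted by host               90%      9131         -\n",
    "extended-only": "No Errors Logged\n"
        "# 1  Extended offline    Completed without error       00%      7000         -\n",
}

if __name__ == "__main__":
    for name, report in SAMPLES.items():
        print(f"{name:18} -> {triage(report)}")
```

A "review-errors" result still needs a person to read the error log and attributes, as the process above describes.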


Building a dedicated wiping machine can be as simple as using an existing machine and booting from a DBAN CD, or as complicated as a system with several expansion cards (IDE, SATA, SCSI), Molex power splitters, and docking modules. We used what was on hand and we found that simplicity is often best, especially because we have a lot of different volunteers and have a lot of drives to wipe.

Darik’s Boot and Nuke can wipe drives using a number of different methods, but the default 3-pass DoD method is thorough enough that it satisfies some waste/refurbishing governing bodies (of course you should always check for your area if you’re professionally refurbishing computers). We’ve used tools like foremost (created by the NSA) and Recuva (a Windows tool from Piriform, the same company that makes the popular CCleaner tool) to check wiped drives, and neither has been successful recovering any data.

DBAN - http://www.dban.org/
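A quick spot check in the same spirit as running a recovery tool over a wiped drive, as an added example (not code from the article, and not how foremost or Recuva work internally): it reads a drive image sector by sector and reports sectors that start with a well-known file header or that still hold readable text. The signature list, the thresholds and the three in-memory test images are constructed assumptions; on real hardware the stream would be the block device opened read-only.

```python
import io

SECTOR = 512

# Well-known file headers of the kind carving tools search for.
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff\xe0",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
}

def looks_like_text(block: bytes) -> bool:
    """Mostly printable ASCII with varied bytes: leftover documents or logs.

    A constant fill byte (even a printable one such as 0x55) is not text,
    so require at least 16 distinct byte values (assumed threshold).
    """
    if len(set(block)) < 16:
        return False
    printable = sum(32 <= b <= 126 or b in (9, 10, 13) for b in block)
    return printable >= 0.9 * len(block)

def scan(stream, chunk_sectors: int = 2048):
    """Return (bytes_read, findings); findings are (byte_offset, kind)."""
    findings, offset = [], 0
    while chunk := stream.read(SECTOR * chunk_sectors):
        for i in range(0, len(chunk), SECTOR):
            block = chunk[i:i + SECTOR]
            # File data normally starts on a sector boundary, so only the
            # block start is tested; that also keeps chance matches inside
            # a random fill rare. A hit is a lead to inspect, not proof.
            for kind, magic in SIGNATURES.items():
                if block.startswith(magic):
                    findings.append((offset + i, kind))
            if looks_like_text(block):
                findings.append((offset + i, "text"))
        offset += len(chunk)
    return offset, findings

def constructed_images():
    """Three in-memory 'drives' (constructed): zero fill, varied fill, missed."""
    zeros = bytes(64 * SECTOR)
    varied = bytes((i * 197 + 13) % 256 for i in range(64 * SECTOR))
    missed = bytearray(zeros)
    missed[5 * SECTOR:5 * SECTOR + 9] = b"%PDF-1.4\n"
    note = (b"Dear customer, your account number is 12345. " * 12)[:SECTOR]
    missed[9 * SECTOR:10 * SECTOR] = note
    return {"zeros": zeros, "varied": varied, "missed": bytes(missed)}

if __name__ == "__main__":
    for name, image in constructed_images().items():
        print(name, scan(io.BytesIO(image), chunk_sectors=8))
```

An empty findings list on a full pass is consistent with a completed wipe; any finding means the drive goes back on the wiping machine.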

issue102/labo_linux.1447076519.txt.gz · Last modified: 2015/11/09 14:41 by auntiee