PURPOSE OPERATION OPTIONS COMMAND LINES PROBLEMS RELATED PROGRAMS
Because Declasfy works at such a low level within the operating system, the user is cautioned that occasionally some problems may occur. These problems are most often the result of an incompatibility between the software and the hardware configuration of the computer. There is a problem section in this documentation. Please read and try to solve any problems using the hints there. If you cannot, don't hesitate to contact Mares and Company for assistance before you proceed.
The purpose of Declasfy is to wipe/declassify hard disks on IBM and IBM-compatible PCs.
The program is designed to meet Department of Defense standards (and is on the assessed products list) for wiping hard disks and cleansing floppy disks. Those standards require the following process: write the entire disk with a character (generally hex 00), then with its complement (generally hex FF), then with random characters or symbols. (This sequence varies depending on the media and the level of security needed; see the DOD matrix for full details.) To fully comply with current DOD requirements there must be at least 3 overwrites.
However, the requirement that the last write be random characters may change. An overwrite should be confirmed by reading the disk back, but the contents of a truly random last pass cannot be confirmed, because there is no known value to compare the readback against. The expected change is therefore to write a single known character on the last pass and confirm that write. Users are cautioned to review the logic and practicality of this procedure.
The current default for this program is to overwrite the drive 3 times (once with hex 00, once with hex FF, and a third time with random values). This default does not comply with DOD standards, although it should be sufficient for most users. To fully comply, change the number of writes to 5 or more. The -w option lets the user specify how many times the overwrite is done; use it to increase or decrease the number of passes (e.g., -w 1 or -w 9).
ASSESSMENTS:
The original version of Declasfy (no longer distributed or supported by Mares and Company) was Version 2.05.12. It was evaluated by the U.S. Air Force Cryptologic Support Center, Kelly AFB, San Antonio, TX, and is listed under Project Assessment Report #92-502, 23 June 1992. It complies with DOD Green Book standards for declassifying hard disks. That version is free, does not support current large drives, and is no longer supported by the author. The current version contains copyrighted material and is supported.
Earlier versions (the free ones) of the source code have been reviewed by NSA. The review process detected no problems and verified that the program code follows described operations.
You will find the current version of Declasfy on the DOD assessed products list.
The program lists all the hard drives it identified on the system and lets the user pick which drive to wipe (see the SCSI note at the end of this section), or the drive can be given on the command line with the -d option. Only entire physical drives are supported at this time. If only a portion of the disk (a logical partition) needs to be wiped, the -t and -T options specify the starting and ending tracks (cylinders). This is tricky, since the user must determine in advance which tracks the partition starts and ends on; if this option is used, determine the starting and ending tracks beforehand and proceed with caution.
By default the program also OVERWRITES the Master Boot Record (partition sector) of hard disks, so at a minimum FDISK must be run to put the disk back into operation. On some older computers it is not practical to run FDISK, so the -b option is provided. The -b option leaves the MBR and boot record intact; in fact it leaves all of cylinder 0, heads 0 and 1, a total of about 126 sectors. It still wipes the directory and FAT tables, so a FORMAT will have to be done.
The operation takes some time. On 5200 RPM drives the program averages about 1 1/2 minutes per gigabyte for a single write; SCSI drives are generally a little faster. Overwrite times depend heavily on the speed of the drive, the speed of the CPU, and the type of drive (SCSI, IDE, etc.). Even on the same machine, in our tests with SCSI and IDE drives of the same size, we have seen as much as a 30% difference. Bear all of these variables in mind when you estimate or compare overwrite times.
EXTENDED BIOS (INT13) FUNCTIONS CAPABILITY
Most drives in use today can or do use extended INTerrupt 13 addressing (EXT INT13), also known as LBA (Logical Block Address) mode. Declasfy uses it, regardless of drive size, when accessing a drive that reports it is capable of EXT INT13 (LBA). If LBA mode is not available, the MBR or the BIOS is used to furnish traditional CHS (Cylinder Head Sector) information about the size of the drive. If for any reason the system BIOS is not set to accept LBA, or is not configured for the correct drive size, Declasfy may not be able to wipe the entire drive.
To determine whether the extensions are on and working properly, run Declasfy with no options: it shows a list of all the drives it can see on the system and their probable geometries. A separate line of drive parameters is listed for the partition table (MBR), the BIOS, and the LBA statistics reported by the drive. If LBA is available, it always takes priority.
The program will place an asterisk (*) on the line which indicates the parameters it will be using. In most cases it will be the LBA line. (you will see something like LBA*)
On some SCSI drives the EXT INT13 functions do not always report correct CHS values. In this case the program displays two asterisks next to the LBA indicator (LBA**). This means that the drive did not report proper CHS values but did report the total number of sectors on the drive.
In all cases, the total number of sectors reported by the LBA are used to determine how much data to write to the drive.
NOTE: We have found that on some drives even the total number of sectors reported by the EXT INT13 functions is not totally accurate, and there are some extra sectors accessible on the drive. Declasfy always assumes this is the case, and always attempts to write "PAST" the end of the drive. It will report the approximate number of extra sectors it finds. These extra sectors are usually those sectors which are used to "pad" to the end of the track or end of the cylinder. Most Operating System software ignores these sectors and there will usually not be any data in them.
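The geometry-selection rule just described (the LBA sector count takes priority; LBA* when the drive's CHS values are usable, LBA** when only its total sector count is) and the "extra sectors" arithmetic, as an added example in Python. This is not Declasfy's code. The Geometry values, the probe callback and the sample sector counts are constructed for illustration; the validity limits used are the classic BIOS CHS maxima (255 heads, 63 sectors per track).

```python
"""Added example, not Declasfy's own code: pick the geometry line that gets
the asterisk, count sectors CHS addressing cannot reach, and probe past the
reported end of the drive. All values below are constructed."""
from dataclasses import dataclass


@dataclass
class Geometry:
    cylinders: int
    heads: int
    sectors_per_track: int

    def total(self):
        return self.cylinders * self.heads * self.sectors_per_track


def chs_valid(g):
    # Classic BIOS limits: 1..255 heads, 1..63 sectors per track.
    return (g is not None and g.cylinders > 0
            and 0 < g.heads <= 255 and 0 < g.sectors_per_track <= 63)


def choose_source(mbr=None, bios=None, lba_total=None, lba_chs=None):
    """Return (label, sector_count) for the line that would carry the
    asterisk. Priority: LBA, then BIOS CHS, then the partition table."""
    if lba_total:
        return ("LBA*" if chs_valid(lba_chs) else "LBA**", lba_total)
    if chs_valid(bios):
        return ("BIOS*", bios.total())
    if chs_valid(mbr):
        return ("MBR*", mbr.total())
    raise ValueError("no usable geometry reported for this drive")


def sectors_beyond_chs(lba_total, chs):
    """Sectors the LBA count exposes that CHS addressing cannot reach, e.g.
    everything past the 1024-cylinder BIOS limit. A wipe driven by CHS
    alone would leave them untouched."""
    return max(0, lba_total - chs.total())


def probe_past_end(reported_total, can_write, limit=4096):
    """Count sectors past the reported end that still accept a write, the
    way the text says Declasfy probes 'PAST' the end. can_write(lba)->bool
    stands in for the real write attempt (constructed in the demo)."""
    n = 0
    while n < limit and can_write(reported_total + n):
        n += 1
    return n


if __name__ == "__main__":
    bios = Geometry(1024, 255, 63)      # BIOS capped at 1024 cylinders
    lba_total = 16514064                # drive's own sector count (constructed)
    print(choose_source(bios=bios, lba_total=lba_total,
                        lba_chs=Geometry(16383, 16, 63)))
    print("unreachable by CHS:", sectors_beyond_chs(lba_total, bios))
    print("extra past end:", probe_past_end(lba_total, lambda lba: lba < lba_total + 63))
```

The 1024x255x63 BIOS geometry addresses 16,450,560 sectors, so a drive reporting 16,514,064 sectors by LBA has 63,504 sectors a CHS-only wipe would never touch; that gap is why the LBA line always wins when it is present.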
For simplicity the Host Protected Area (HPA) of a drive is that part of the drive (sectors) which may be isolated and set aside for maintenance purposes. Drive and computer manufacturers are generally the only ones with a reasonable use for the HPA. Generally a computer manufacturer's recovery programs are located in the HPA.
When the HPA is set up, the maximum number of sectors that the operating system or any user program can see is reduced. This means that access to the total number of sectors on the entire drive is limited to the restricted value which has been set. In most cases this is not of concern and it is a normal operation of the drive.
However, there is software available which would enable someone to place information on a drive, and then use the HPA capability to "lock" out that section of the drive, in effect hiding the information from everyone and every program (including Declasfy and other wiping programs).
If you wish to check for an HPA and remove it from the drive, the -h and -H options are provided for that purpose. The HPA options work only on IDE drives; attempting to use them on a SCSI drive may result in damage. Once the HPA options are invoked and executed, all HPA sectors of the drive are opened up and visible. This means that if the manufacturer has placed sensitive diagnostic code in the HPA reserved area and the -h options are used to open that area, the diagnostic code could be erased or damaged beyond repair when Declasfy is run.
(NOTE: the HPA sectors which are opened up will only be available after a reboot). So it is recommended that a reboot be done after opening the HPA sectors. (The -H upper case H will do this automatically).
This (-[hH]) option should be used only if you are certain that you want the HPA reserved area to be removed prior to wiping a disk.
Remember: the HPA section is only available after a reboot. So if you tell Declasfy to remove the HPA section, and don't reboot before running Declasfy again, the reserved sectors which have been released will NOT be overwritten. A reboot is necessary to wipe the opened sectors.
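The same HPA check, done from a Linux boot instead of DOS, as an added example in Python (not Declasfy's code). It reads the report that hdparm prints for a drive with `hdparm -N /dev/sdX` and decides whether a wipe that stopped at the visible sector count actually reached the end of the drive. The two sample reports are constructed here, and the line format ("max sectors = visible/native, HPA is enabled|disabled") is assumed from hdparm's own output; removing an HPA is deliberately not automated.

```python
"""Added example, not Declasfy's own code: detect a Host Protected Area
from hdparm's -N report and check whether a wipe covered the whole drive.
The sample reports are constructed; the line format is assumed from hdparm."""
import re
from typing import NamedTuple

# e.g. " max sectors   = 500118192/976773168, HPA is enabled"
HPA_LINE = re.compile(
    r"max sectors\s*=\s*(\d+)/(\d+)(?:,\s*HPA is (enabled|disabled))?")


class HpaInfo(NamedTuple):
    visible: int   # sectors the OS and wiping tools can address right now
    native: int    # sectors the drive really has
    enabled: bool  # an HPA is currently set


def parse_hdparm_n(report):
    """Parse 'hdparm -N /dev/sdX' output; raise if no max-sectors line."""
    m = HPA_LINE.search(report)
    if not m:
        raise ValueError("no 'max sectors' line in hdparm output")
    visible, native = int(m.group(1)), int(m.group(2))
    # Older hdparm builds omit the 'HPA is ...' tail; fall back to the counts.
    enabled = (m.group(3) == "enabled") if m.group(3) else visible < native
    return HpaInfo(visible, native, enabled)


def hidden_sectors(info):
    """Sectors behind the HPA that no wiping program can currently reach."""
    return info.native - info.visible


def wipe_covers_drive(sectors_wiped, info):
    """True only if the wipe reached the drive's native end. A wipe that
    matched `visible` but not `native` left the reserved area untouched,
    exactly the case the text warns about (and, as with Declasfy, the
    released sectors are only addressable after the HPA is removed and the
    machine rebooted)."""
    return info.native > 0 and sectors_wiped >= info.native


if __name__ == "__main__":
    # Constructed sample reports: one drive with an HPA set, one without.
    WITH_HPA = "/dev/sdb:\n max sectors   = 500118192/976773168, HPA is enabled\n"
    NO_HPA = "/dev/sdc:\n max sectors   = 976773168/976773168, HPA is disabled\n"
    for rep in (WITH_HPA, NO_HPA):
        info = parse_hdparm_n(rep)
        print(info, "hidden:", hidden_sectors(info),
              "wipe to visible end complete?", wipe_covers_drive(info.visible, info))
```

The decision rule is the one the text gives for Declasfy: compare the number of sectors the wipe actually wrote against the drive's native capacity, not against what the BIOS or OS currently exposes.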
Occasionally, when the program starts you may get a "Divide by Zero" error message from the system, and the program will not run. There are a number of technical explanations for this. This occurs more often on laptops than on desktops.
The easiest way to fix this problem is to reboot to DOS, and do an FDISK on the drive. This will put a clean partition table (MBR) back on the drive. After that is done re-run Declasfy, and the problem should be fixed. If not, call us, and we will walk you through some other possible fixes.
If the program immediately begins to give write errors at sector 1 and continues, this is because of a BIOS/Program/DISK incompatibility. In tests, it occurred on Maxtor drives about 1% of the time. There is actually no write error. However, the program will take a long time to complete as it thinks there are write errors and tries to correct them. To overcome this problem add the following two options to the command line: -Q -X
Before reading the following explanations, the user who is truly concerned about "bad" sectors should become totally familiar with the technical nature and terms relating to what constitutes a "bad" sector. The term' bad sector' is sometimes used inappropriately.
Some disks have sectors/tracks that are identified in the FAT table as "bad." (Do not confuse this with an actual physically damaged disk sector.) Many commercially available programs have the capability of marking sectors as bad. Or someone could use a disk editor and intentionally enter into the FAT a bad sector (cluster) indicator. Because Declasfy works on a physical level, it totally ignores any indicators in the FAT or other pointer tables (ex., NT's MFT, etc.) and will write to the sector if it is not physically damaged.
A second type of write error may occur if there is physical damage to the drive itself and the drive controller/electronics cannot cause the sector to be written to. If Declasfy encounters an area of the disk that cannot be written to, it attempts to write to the sectors one at a time. When it determines which sector is damaged and is not writable, it puts a message on the screen (and to the logfile if one was initiated) as to what sector was not available, and the program continues. This inability to write to the sector is governed by the physical access to the drive itself and by the heads' inability to physically write to the particular sector. Generally if this situation occurs, there is very little which can be done to write to the sector. The disk drive is physically damaged and should be destroyed.
HOWEVER: In some cases where it is physically impossible for the controller to accomplish a write, it may still be possible to read the "old" data that remains at that location (assuming the sector could be written to in the past). Since the area is physically damaged, the chances of any read or write succeeding are slim. At this point Declasfy has determined that the drive controller/electronics cannot cause the heads to write to the sector, so it attempts to read it. Reading a sector is easier than writing one, so the read may succeed. If it does, the sector is analysed for printable (ASCII) characters, and Declasfy reports the percentage of printable characters; otherwise it reports that the sector is not readable at all. If the sector is reported as not readable, the user can be fairly confident that the disk controller can neither read nor write the sector, and that any data that MIGHT once have been there is out of reach of all but very sophisticated electron microscope analysis. If the data is readable, the program reports that; the user should then examine the sector, bearing in mind that it is a damaged part of the disk and may not be accessible the next time it is read.
This analysis (of sectors not able to be written to) only occurs for a maximum of 100 bad sectors. After that, the user must make a decision to either physically destroy the disk, or to take other measures to determine how many bad areas there are. If the disk exhibits read and write errors, regardless of the data on the disk, it would be prudent to destroy it rather than to reuse it.
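The write-error handling described in the last three paragraphs, as an added example in Python run against a simulated drive (this is not Declasfy's code). The FakeDrive class, its lists of bad sectors and the sample leftover text are constructed for illustration; the fall-back to single-sector writes, the read-back with a printable-character percentage, and the cap of 100 analysed sectors follow the text.

```python
"""Added example, not Declasfy's own code: a wipe pass that falls back to
single-sector writes on error, reads back each unwritable sector to report
how much printable text survives, and stops analysing after 100 of them.
FakeDrive and its bad-sector lists are constructed for the demo."""
SECTOR = 512
MAX_ANALYSED = 100
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}   # ASCII text bytes


class WriteError(IOError):
    pass


class ReadError(IOError):
    pass


class FakeDrive:
    """In-memory drive: some sectors refuse writes, some refuse reads too."""

    def __init__(self, sectors, unwritable=(), unreadable=()):
        self.data = [bytearray(SECTOR) for _ in range(sectors)]
        self.unwritable = set(unwritable)
        self.unreadable = set(unreadable)

    def write_chunk(self, lba, count, pattern):
        """Multi-sector write; the whole request fails if any sector is bad."""
        if any(lba + i in self.unwritable for i in range(count)):
            raise WriteError(lba)
        for i in range(count):
            self.data[lba + i][:] = pattern

    def read(self, lba):
        if lba in self.unreadable:
            raise ReadError(lba)
        return bytes(self.data[lba])


def printable_percent(sector):
    """Share of bytes in a sector that are printable ASCII, 0-100."""
    return 100.0 * sum(b in PRINTABLE for b in sector) / len(sector)


def analyse_bad_sector(drive, lba):
    """The sector could not be written; try to read what is still there."""
    try:
        old = drive.read(lba)
    except ReadError:
        return {"lba": lba, "readable": False}
    return {"lba": lba, "readable": True, "printable_pct": printable_percent(old)}


def wipe_pass(drive, pattern, chunk=64):
    """Write `pattern` to every sector in multi-sector chunks. When a chunk
    fails, retry it one sector at a time; each sector that still fails is
    logged and, for the first MAX_ANALYSED of them, read back and analysed.
    Returns the bad-sector log (readable=None means 'not analysed')."""
    total = len(drive.data)
    log = []
    for start in range(0, total, chunk):
        count = min(chunk, total - start)
        try:
            drive.write_chunk(start, count, pattern)
            continue
        except WriteError:
            pass                       # narrow down to the single bad sector(s)
        for lba in range(start, start + count):
            try:
                drive.write_chunk(lba, 1, pattern)
            except WriteError:
                if len(log) < MAX_ANALYSED:
                    log.append(analyse_bad_sector(drive, lba))
                else:
                    log.append({"lba": lba, "readable": None})
    return log


if __name__ == "__main__":
    drive = FakeDrive(200, unwritable=[7, 130], unreadable=[130])
    drive.data[7][:] = b"ABC" * 170 + b"\x00\x00"     # constructed leftover text
    for entry in wipe_pass(drive, b"\xff" * SECTOR):
        print(entry)
```

In the demo, sector 7 cannot be written but reads back as 99.6% printable text, which is the case the text says the user must then examine; sector 130 can be neither written nor read, the case where the data is out of reach of anything short of physical analysis.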
Some older systems with SCSI hard drives and older SCSI controller boards used the ASPIxDOS.SYS and ASPIDISK.SYS drivers to allow the OS to recognize the hard drive. In some cases, (and this is not a common occurrence, and is generally for older SCSI setups) this driver configuration did not go through the normal BIOS configurations, and therefore the drive was not always recognized by the BIOS. If such a setup exists, the Declasfy program may also fail to recognize that a drive is present, and fail to list it. If you know for certain that a SCSI drive is being accessed with the ASPI drivers, and it doesn't show in the drive list provided by Declasfy, then you should do the following: move the SCSI hard drive to a newer computer which has a SCSI card capable of accessing the drive without specific drivers present. Declasfy should then be able to see and wipe the drive.
The NTWIPE program is a version of Declasfy that is specifically designed to run under the NT operating system. Because NT is truly multitasking, it is possible to wipe more than one drive at a time with NTWIPE.
COMMAND LINE SYNTAX:
declasfy [options: -1 filename -b -B -d # -f filename -F -h XX -H XX -p filename -Q -r # -s # -t # -T # -w # -X]
The options follow unix option format so each must be preceded by a minus sign.
-1 + filename (that's a one, not an ell) The file named here will contain accounting/log information about the run. It is always appended to. It contains the command line and statistics about the run and its time. The file can later be used as a batch file for duplicating the runs. The ACCT environment variable can also be set (SET ACCT=logfilename), or use the .INI option [ACCT=filename]. The order of priority is: environment; INI file; command line option. To explicitly turn it off use +1.
-b (boot)When declassifying hard disks, use this option to LEAVE cylinder 0, head 0 and 1 in place. This includes the MBR (partition sector) and Boot record (if a DOS formatted disk). Not available for LBA drives. However, the -t option can be used to leave -t # sectors in place.
-p + filename Include the filename of a file which will contain the Partition sector (MBR) of the drive. This file is a 512 byte file which can be replaced easily using a disk editor. That way the FDISK program will not be needed. This is a little more restrictive than the -b (boot) option.
-B Print some debugging information during operation. Each prompt waits for a return key before proceeding.
-d + # (drive to use) Replace # with A:, B:, 0, 1, 2, etc. to indicate which physical drive to declassify. For a floppy, give the drive letter (A: or B:). For a physical hard drive, give the number: the first hard drive is 0, the second is 1, etc. If this option is not used, the user is prompted to choose a drive from the list the program displays. Logical drives A: and B: are supported for testing purposes, so you can see how the program operates; logical drives beyond B: are not supported.
-h XX Host Protected Area (HPA) processing. Replace the XX with the adapter/device identifier referencing the appropriate IDE hard drive you wish to check and remove the HPA of. The valid XX values are: 00, 01, 10, 11. Do NOT place any spaces between the numbers. The IDE drive will be checked to see if there are any sectors set aside as an HPA. If there are, it will ask if you want to remove the HPA area and release these sectors. If you answer affirmatively (that's a Yes), then the HPA reserved sectors are released and the entire drive is again visible. However, before Declasfy or any program can see these newly released sectors the computer must be rebooted. The -h option suggests to the user to reboot the computer and rerun the Declasfy program to wipe the entire drive. If the computer is not rebooted, the HPA sectors will not be overwritten, and they will be visible when the computer is next booted. If no HPA sectors are found, the program continues as it normally does without the -h options.
-H XX Same as the -h XX option with one major change: after the HPA area is released, the computer is automatically rebooted. The disk is not wiped, and Declasfy must be run again. However, if the Declasfy command line is placed in autoexec.bat (e.g., C:>declasfy -d 1 -w 1 -r 0 -H 10), any HPA sectors found are freed, the computer reboots and runs autoexec.bat again, and at that point there are no HPA sectors, so Declasfy wipes the drive. The suggestion is therefore to use this option from autoexec.bat and let it run.
-t + # (begin track) If you want to begin on a track other than the 1st (which is track 0), identify the track to begin on with the -t option followed by the track number. Since LBA drives do not really count by tracks, if -t or -T is used on an LBA drive the value given is taken as a sector number, not a track number.
-T + # (ending track) If you want to tell the program to STOP at a designated track you use the upper case T followed by that track number. You can use the -t # -T # to bracket tracks that you want to declassify. (A possible use for the -t and -T options is for testing the program).
If you use the -T # option by itself, without the -t, the partition information will normally be removed. This is because an implied -t 1 is in effect. If you want the partition information to be left alone you must use the -b option.
WARNING: Use of this option (-T) is not in compliance with DOD standards!!
-w + # (overwrite #) The # is replaced by the number of times you want the procedure to overwrite. The initial default is 3 writes. First with 0’s, then 1’s (hex ff), then random characters. The last write is always written with the random character sequences. If the -r option has altered the random character to a specific one, then that character will be what is finally written to the disk.
WARNING: Use of this option (-w) with anything less than -w 7 may not be in compliance with DOD standards!!
-s # By default the program begins after a 10 second delay, so that Declasfy can be run unattended from a batch file. This is somewhat dangerous, but automatic. If you want the program to ask for confirmation before continuing, replace # with the number of confirmations required. -s 0 means start with no confirmation after the 10 second countdown; any other value requires that many user confirmations.
-r + # When overwriting the disk, the last pass consists of a write of “RANDOM” characters to the disk. If, for whatever reason, you want that random pass to write a specific character you can use the -r option followed by the DECIMAL equivalent of the ASCII character you want the program to write. For instance, the decimal for an upper case ‘A’ is 65, and the Greek Beta symbol is 225. The option for an ‘A’ would look like this: “-r 65".
WARNING: Use of this option (-r) is not in compliance with DOD standards!!
-f + filename If you have specific text (ex., a company name) which you want to write to the disk as a final pass, place it in the text file identified by the filename. Declasfy will replicate the contents of the file throughout the entire disk.
-F During the "RANDOM" phase, replace the random sequence with the current date and time. This could be used to indicate when the drive was overwritten.
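The pass sequence from the PURPOSE section (hex 00, then hex FF, then random) together with the -w, -r, -f and -F variations of the final pass, as an added example in Python run against an in-memory disk image instead of a physical drive. This is not Declasfy's code. Assumptions not stated on the page: intermediate passes for -w greater than 3 alternate 00/FF, the random pass uses os.urandom, and the date/time text format is my own. The verify step also shows the point made earlier about the last pass: a known pattern can be confirmed by reading it back, a truly random one cannot.

```python
"""Added example, not Declasfy's own code: build the overwrite passes for
-w/-r/-f/-F, run them over an in-memory image, and verify each pass.
Pass order for -w > 3 and the os.urandom source are assumptions."""
import os
from datetime import datetime

SECTOR = 512


def final_pattern(fixed_char=None, text=None, stamp=None):
    """Pattern for the last pass: -r <decimal> gives one byte, -f file gives
    the file's text replicated, -F gives a date/time string replicated.
    None means a truly random pass (the default)."""
    if fixed_char is not None:
        return bytes([fixed_char])
    if text is not None:
        return text
    if stamp is not None:
        return stamp.strftime("wiped %Y-%m-%d %H:%M:%S ").encode()   # assumed format
    return None


def build_passes(n_writes=3, final=None):
    """-w n: n passes. All but the last alternate 0x00 / 0xFF (assumption);
    the last is `final`, or None for random."""
    if n_writes < 1:
        raise ValueError("need at least one pass")
    passes = [b"\x00" if i % 2 == 0 else b"\xff" for i in range(n_writes - 1)]
    passes.append(final)
    return passes


def fill(image, pattern):
    """Overwrite the whole image with `pattern` replicated, or random bytes."""
    n = len(image)
    if pattern is None:
        image[:] = os.urandom(n)
    else:
        image[:] = (pattern * (n // len(pattern) + 1))[:n]


def verify(image, pattern):
    """Read back and confirm the pass. A known pattern is compared byte for
    byte. A random pass has no expected value to compare against, so only a
    weak sanity check is possible: no sector may still read as all 0x00 or
    all 0xFF left over from the previous pass."""
    n = len(image)
    if pattern is None:
        for off in range(0, n, SECTOR):
            s = image[off:off + SECTOR]
            if s.count(0x00) == len(s) or s.count(0xFF) == len(s):
                return False
        return True
    return bytes(image) == (pattern * (n // len(pattern) + 1))[:n]


def wipe(image, n_writes=3, final=None):
    """Run every pass and verify each; return [(pass_no, verified), ...]."""
    results = []
    for i, pat in enumerate(build_passes(n_writes, final), 1):
        fill(image, pat)
        results.append((i, verify(image, pat)))
    return results


if __name__ == "__main__":
    disk = bytearray(b"SECRET DATA " * 1000)          # constructed sample image
    print("default -w 3:", wipe(disk, 3))
    print("-w 3 -r 65:", wipe(disk, 3, final_pattern(fixed_char=65)), disk[:8])
    print("-w 1 -F:", wipe(disk, 1, final_pattern(stamp=datetime(2024, 1, 1))))
```

With -r, -f or -F the final pass is fully verifiable because the expected contents are known; with the default random pass the best this code can do is confirm that the previous pattern is gone, which is the limitation the text describes.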
-X If you continually get errors when the program is in the "confirming LBA status mode", then use this option to bypass this step. This option bypasses or eXcludes the check for EXTRA sectors on the drive.
-Q If the program exhibits immediate write errors on the drive (and you suspect there is really no problem) add this option to cause the program to Quiet down when it finds errors. (It is recommended that if this option is used, you also use the -X option since the two operations may have an effect on each other.)
Because Declasfy can be so destructive, we recommend that you not test it on any drive you can’t afford to. In addition, we recommend that you familiarize yourself thoroughly with its operation before using Declasfy on any drives of value. Please call us with any questions.
WARNING * WARNING * WARNING
BECAUSE THIS PROGRAM IS POTENTIALLY SO DESTRUCTIVE, THE AUTHOR CANNOT ASSUME ANY RESPONSIBILITY FOR DATA LOSS DUE TO ITS USE. THE USER(S) OF THIS PROGRAM ASSUMES ALL RESPONSIBILITY FOR ANY DATA LOSS. IT IS RECOMMENDED THAT USERS FAMILIARIZE THEMSELVES FULLY WITH ITS CAPABILITY BEFORE ATTEMPTING USE OF THIS PROGRAM.
WARNING * WARNING * WARNING
C:> declasfy
Runs with the defaults (no options); this does NOT meet DOD requirements.
C:> declasfy -d 0 -w 1
declasfy first physical drive (0), and overwrite only 1 time.
C:> declasfy -b
Clears the entire disk but leaves cylinder 0, heads 0 and 1 (MBR and boot record) in place on hard disks.
C:> declasfy -t 10
Clears tracks 10 thru the last, and by default leaves the boot partition.
C:> declasfy -T 5
Clears tracks 0-5 (this means it ends at track 5).
C:> declasfy -t 5 -T 30
Clears tracks 5-30; leaves the boot partition.
C:> declasfy -r 65
Clears the disk and uses an ‘A’ as the final random character.
C:> declasfy -f textfile
Clears the disk and uses contents of textfile in place of final random character.
C:> declasfy -F -s 3
Clears the disk and uses current date and time in place of final random character.
Also, forces user to confirm 3 times that operation is correct.
Here are some of the more common problems that may be encountered when running Declasfy, and some suggested fixes.
Problem: Program "locks" when performing the LBA consistency test.
Solution: Use the -X option (documented above), which bypasses the LBA extra-sector check.
Problem: Program doesn't appear to properly identify drive size(s).
Solution: Use FDISK and lay down a new partition table for the drive. (This should take only about 5 minutes.)
Problem: Immediately after an aborted run, the program doesn't seem to be able to detect the proper disks.
Solution: Use FDISK and repartition the drive. This lays down a "clean" partition table which the program can see.
Problem: The program generally doesn't seem to be seeing the proper drive, or at some point appears to "lock" up.
Solution: Try moving the hard drive to another hardware setup (another computer) and see what happens on that platform. Occasionally, the hardware/software configuration just isn't compatible at this level of access.
ALSO: It is very important to be certain you booted from a DOS bootable floppy disk. Merely going to a DOS window from within Windows 98 will often cause many problems to occur.
DriveSpy from Digital Intelligence