
I found on the Internet that if you use Diskpart with the clean all command you can erase a disk so that the data won't be recoverable.

And from my experience it is true, because having done this with my USB flash drive, I used Disk Drill to scan it and nothing was found.

However, on the Microsoft forum someone wrote that you can use EaseUS Data Recovery Wizard to recover data after executing this command. My question: Is clean all in Diskpart a totally secure erasure method for SSDs, HDDs, USB flash drives and other storage devices?

Giacomo1968
Maciaz99
  • Good background information: https://superuser.com/a/1154060/29943 – Ben Voigt Oct 18 '22 at 23:07
  • @Giacomo1968 sorry, I did not think it was relevant. Here is the link where it is claimed that EaseUS can be used: https://www.easeus.com/resource/recover-deleted-or-lost-data-partition-by-diskpart-clean-command.html#:~:text=Sometimes%2C%20users%20may%20execute%20a,and%20partitions%20after%20DiskPart%20clean. – Maciaz99 Oct 19 '22 at 06:49
  • @Giacomo1968 here is the post where someone wrote that data are not recoverable: https://learn.microsoft.com/en-us/answers/questions/359872/diskpart-34clean-all34-command-can-remove-or-repai.html – Maciaz99 Oct 19 '22 at 06:50

1 Answer


https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clean

"all - Specifies that each and every sector on the disk is set to zero, which completely deletes all data contained on the disk."

One could quibble about the term 'deletion', as what actually happens is that data is overwritten. Despite popular (?) belief, overwritten data cannot be recovered.

I guess that person was confusing it with 'clean' without parameters.

I should add that on SSDs, SD cards, USB flash drives and also SMR hard drives not all memory can be overwritten (or zeroed), as some portion is outside LBA user space. Such space cannot be addressed, as access to it is blocked by the firmware.

Depending on whether an SSD is intended for end user use or professional use, some 7 - 20+ % may be reserved for overprovisioning, which leaves this space with potentially recoverable data. Also, this for example is low level information obtained from an 8 TB Seagate SMR drive:

User Partition
LBAs 000000000000-0000756080F9
PBAs 000000000000-000076893477
System Partition
LBAs 000000000000-00000013497F
PBAs 000000000000-000000146F3F
Media Cache Partition
LBAs 000074702556-0000756080F9
PBAs 0000759486D0-000076893477
Spare pool
PBAs: 00007578F548-00007586BDF5 RST Available: 8000 SCT Available: EF
Spare pool (Multi-IOEDC Region)
PBAs: 00007687B32C-0000768872C1 RST Available: 400 SCT Available: 1A

The media cache partition is outside LBA user space and is approximately 60 GB in size. Zero filling this drive potentially leaves 60 GB of recoverable data (using Acelab PC3000 for example).

Joep van Steen
  • Unfortunately setting all logical sectors to zero doesn't mean that the data is no longer physically stored. It's especially true for solid state storage which tries to avoid write amplification -- all the competent SSD controllers will, and the best of "flash sticks" also. Even HDD had "spare sector" remapping. – Ben Voigt Oct 18 '22 at 22:51
  • True, so spare sectors and those reserved for overprovisioning are not zeroed. Also they cannot be recovered using Easeus Data Recovery Wizard. I will edit the answer. – Joep van Steen Oct 18 '22 at 22:53
  • One really needs to trigger the "Secure Erase" command, which is standard in SCSI and SATA, and may exist as manufacturer extension in other bus protocols. Works best with FDE, as it doesn't need to rewrite the entire drive, only replace the encryption key. – Ben Voigt Oct 18 '22 at 22:53
  • And I agree with your subsequent point that "Easeus Data Recovery Wizard" will only see zeroes, since it's going through the disk controller where the remapping takes place. But "totally secure erasure method" to me implies that even connecting to specialized data recovery circuitry cannot discover the original data, so "zeroed in the software layer" falls short of that. – Ben Voigt Oct 18 '22 at 22:56
  • Agreed, secure erase or enhanced secure erase (often 2 commands that accomplish the same) is the way to go. – Joep van Steen Oct 18 '22 at 23:01
  • That is the answer that appeals to me very much. So clean all in diskpart can erase data on every storage device so that they will be unrecoverable. The exception is SSD where some space is locked and cannot be accessed. Am I right? P.S. I think that pendrives or SD cards do not have such overprovisioned memory. – Maciaz99 Oct 19 '22 at 06:58
  • @Maciaz99, as suggested SATA and NVMe offer built-in secure erase options. On SED type drives it means 'erasing' is a matter of seconds, so lots quicker than diskpart. On any flash based drive it's likely there's space that's not LBA addressable. Pendrives etc. are a rabbit hole in this respect, any 'idiot' can buy reference boards, slap on some NAND and configure it however he likes. You simply have no way of telling. – Joep van Steen Oct 19 '22 at 10:57
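
The region sizes implied by the dump in the answer, worked out as an added example (not part of the original answer or its comments; the function names are hypothetical). It assumes 4096-byte sectors and inclusive ranges, neither of which the page states. Under that assumption the LBAs below the media cache come to about 8.0 TB and the media cache itself to about 60 GiB.

```python
import re

# Dump exactly as posted in the answer (8 TB Seagate SMR drive).
DUMP = """\
User Partition
LBAs 000000000000-0000756080F9
PBAs 000000000000-000076893477
System Partition
LBAs 000000000000-00000013497F
PBAs 000000000000-000000146F3F
Media Cache Partition
LBAs 000074702556-0000756080F9
PBAs 0000759486D0-000076893477
Spare pool
PBAs: 00007578F548-00007586BDF5 RST Available: 8000 SCT Available: EF
Spare pool (Multi-IOEDC Region)
PBAs: 00007687B32C-0000768872C1 RST Available: 400 SCT Available: 1A
"""

SECTOR_BYTES = 4096  # assumption: the page does not state the sector size
RANGE = re.compile(r"^(LBAs|PBAs):?\s+([0-9A-F]+)-([0-9A-F]+)")

def parse(dump):
    """Return {region: {"LBAs"/"PBAs": (first, last)}} from the dump text."""
    regions, name = {}, None
    for line in filter(None, map(str.strip, dump.splitlines())):
        m = RANGE.match(line)
        if m and name:
            regions[name][m.group(1)] = (int(m.group(2), 16), int(m.group(3), 16))
        elif not m:
            name = line              # any other line starts a new region
            regions[name] = {}
    return regions

def count(rng):
    return rng[1] - rng[0] + 1       # assumption: both ends are inclusive

def summary(dump=DUMP, sector=SECTOR_BYTES):
    r = parse(dump)
    cache = r["Media Cache Partition"]["LBAs"]
    spare = sum(count(v["PBAs"]) for k, v in r.items() if k.startswith("Spare pool"))
    return {
        "bytes_below_media_cache": cache[0] * sector,   # LBA 0 up to the cache
        "media_cache_bytes": count(cache) * sector,
        "spare_pool_blocks": spare,
    }

if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key:26} {value:>16,}")
```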