search

Kostassoid / lethe

Secure drive wipe
Apache License 2.0
136 stars 11 forks source link

Verification failed #28

Open Bofrostmann07 opened 2 years ago

Bofrostmann07 commented 2 years ago

Hey Kosta,

i´ve used your nice tool to wipa a 1,8TB HDD Seagate on Windows 10 v20H2 (Biuld 19042.1586). The disk got filled randomly twice, but verification failed.

C:\WINDOWS\system32>cmd /K D:/downloads/lethe.exe wipe --blocksize=4k \Device\Harddisk1\Partition2

Wiping: 

Device           \Device\Harddisk1\Partition2  

Size             1.82TB  

Scheme           Double random fill, 2 passes  

                 - random fill

                 - random fill

Block size       4.00KB

Verification     Last stage only

Are you sure? (type 'yes' to confirm): yes

Stage 1/2: Performing Random Fill ✔ Completed in 14 hours

Stage 2/2: Performing Random Fill ✔ Completed in 9 hours

Stage 2/2: Verifying Random Fill ❌ FAILED! Verification failed! Retrying previous stage at 2000263573504 in 3 seconds.

Stage 2/2: Performing Random Fill ✔ Completed in 0 seconds

Stage 2/2: Verifying Random Fill ❌ FAILED! Verification failed! Retrying previous stage at 2000263573504 in 3 seconds.

Stage 2/2: Performing Random Fill ✔ Completed in 0 seconds

Stage 2/2: Verifying Random Fill ❌ FAILED! Verification failed! Retrying previous stage at 2000263573504 in 3 seconds.

Stage 2/2: Performing Random Fill ✔ Completed in 0 seconds

Stage 2/2: Verifying Random Fill ❌ FAILED! Verification failed! Retrying previous stage at 2000263573504 in 3 seconds.

Stage 2/2: Performing Random Fill ✔ Completed in 0 seconds

Stage 2/2: Verifying Random Fill ❌ FAILED! Verification failed! Retrying previous stage at 2000263573504 in 3 seconds.

Stage 2/2: Performing Random Fill ✔ Completed in 0 seconds

Stage 2/2: Verifying Random Fill ❌ FAILED! Verification failed! Retrying previous stage at 2000263573504 in 3 seconds.

Stage 2/2: Performing Random Fill ✔ Completed in 0 seconds

Stage 2/2: Verifying Random Fill ❌ FAILED! Verification failed! Retrying previous stage at 2000263573504 in 3 seconds.

Stage 2/2: Performing Random Fill ✔ Completed in 0 seconds

Stage 2/2: Verifying Random Fill ❌ FAILED! Verification failed! Retrying previous stage at 2000263573504 in 3 seconds.

Stage 2/2: Performing Random Fill ✔ Completed in 0 seconds

Stage 2/2: Verifying Random Fill ❌ FAILED! Verification failed! ❌ Unexpected error: Verification failed!

C:\WINDOWS\system32> C:\WINDOWS\system32>

Kostassoid commented 2 years ago

Hey Romario! Thank you for reporting this. This looks interesting.

Judging by the log, there's something wrong with writing (or reading) the last block(s) of the partition. Doesn't look like an alignment issue considering the block size. Perhaps the size of the partition is detected incorrectly. I will try to investigate this but it's going to be tricky without reproducing the issue.

A couple of questions:

  1. Do you know if there's possibly a bad block there?
  2. Could you please run this and share the info about that particular disk/partition? 
    wmic partition get name,index,startingoffset,bootable,size,type,blocksize
Bofrostmann07 commented 2 years ago

Hey Kosta,

we can reproduce the issue, no problem. The disk is still mounted to the system. It´s a NTFS partition with 4k block size. I´ve checked the disk via CrystalDiskInfo. Seems to be good. grafik

WMIC: wmic partition get name,index,startingoffset,bootable,size,type,blocksize
BlockSize Bootable Index Name                                          Size                     StartingOffset     Type
512          FALSE       0     Datenträgernr. 1, Partitionsnr. 0 2000263577600 135266304        GPT: Basic Data

Do you have some debug commands i can use to get you more information?

Bofrostmann07 commented 2 years ago

Maybe it has something to do with this little extra partition, i can only see when running: grafik

PhysicalDrive1 has a small Partition1 with 128MB.

I can´t see this partition with WMIC or the DiskManager grafik grafik

Kostassoid commented 2 years ago

Thanks a lot for the extra details Romario!

What I see:

  1. The problem is with the last block, as I expected (the difference between total size and the retrying position is exactly 4096 bytes).
  2. There are some "Reallocated Sectors Count". Maybe that's the reason for failed write/read. Although I think accessing partition should be already isolated from reallocated sectors. Not 100% certain though. Will investigate.
  3. The drive is GPT, that's why there's this extra "invisible" partition, it's required for GPT. Shouldn't cause any issues. Although there could be some extra protection I don't know about yet. I will try to format one of the drives with GPT and try to wipe it like you did.

There's no extra debugging options for Lethe at the moment. Maybe I should add some.

I would definitely like to see what's actually there at that block. If you have time and would like to help even more, perhaps you could check that block yourself with something like HxD? That would be sectors from 3906764792 to 3906764800. If the data doesn't look random then that would already mean that there's something interesting going on, probably related to GPT.

Also, out of curiosity: since it's the only partition with data on the drive, why did you decide to wipe only that particular partition instead of the whole physical drive? I wonder if there's some extra use case I didn't think about.

Kostassoid commented 2 years ago

A small update: I was able to repro the issue locally and figured out the reason. The last sector of a partition is basically reserved as a boot sector and is not available for writes. How to properly find and exclude it is what I'm going to work on next. But, the good news is that there're no privacy concerns as far as I can see. And if it's important to hide the fact that there was ever an NTFS partition - wiping the whole physical drive should deal with that.

Bofrostmann07 commented 2 years ago

Thank you very much Kosta. I think reproducing is not necessary anymore?

Also, out of curiosity: since it's the only partition with data on the drive, why did you decide to wipe only that particular partition instead of the whole physical drive? I wonder if there's some extra use case I didn't think about. No special reason, I just didn´t know it better.

Kostassoid commented 2 years ago

Yes, there's no need for additional confirmation right now 👍🏻 I managed to reproduce this issue even with a much smaller partition so it's easy to investigate/test from my end. I will let you know once I have the fix ready.