NTWIPE



Author: Dan Mares, dmares @ maresware . com
Portions Copyright © 1998-2021 by Dan Mares and Mares and Company, LLC
Phone: 678-427-3275


PURPOSE

In order to run this program the user must be logged in as an NT Administrator.

The first thing you will notice about NTWIPE is that it has a new name. The older version was called NT_WIPE (notice the underscore) and is not currently supported.

NTWIPE is designed to run in a DOS box on an NT operating system and wipe (overwrite) physical drives on that system. It will only run under the NT Operating System, so don't even try it under WIN9X. (If you need to wipe a drive under WIN9X, use the declasfy.exe program.)

Overwriting of hard drives is needed when an organization no longer needs the data on a disk and wishes to reuse the disk or, in some cases, deliver it to third parties (e.g., donate the disk to schools). In any case, the owner of the disk would want to make certain there are no remnants of sensitive data remaining on the disk. This program is designed to do that.

Caution should be taken. In tests, NT will allow this program to overwrite the boot/system disk. This means it will allow NT to self destruct. There is no protection to keep the user from overwriting the boot disk and thus the operating system.

Because the NT operating system maintains such good control over the drives on the system, the program can also wipe ZIP and JAZ disks, provided they are of the SCSI variety and show up on the SCSI chain.

In fact, there is a possibility that any type of removable SCSI disk drive could be handled in this way. The user is encouraged to experiment and see just how far this program will go. (If you find it will wipe unusual SCSI devices please report back so others can be informed).

NT Operating System bug.

If you have a mixture of IDE and SCSI drives in the same computer, it is suggested you use the NT Disk Administrator function to verify that NT is properly identifying the drive sizes. In some cases, NT 4.0 fails to report the correct size of large IDE drives (>8 GB). This problem has been documented, but the fix is hard to find at the help site. To fix this problem, go to the SCSI devices and add an IDE ATAPI device driver to the SCSI devices. (That's correct, add the IDE driver to the SCSI devices.) This seems to work pretty well.

Another Microsoft anomaly:

In tests: The program performed as expected. However, two unusual situations occur. This is strange so read carefully.

First, when attempting to wipe the boot drive (i.e., self destruct), you will notice, when the program is finished, what appears to be a valid boot record intact.

Second, when wiping an NTFS-formatted drive (other than the boot device), it appeared that some of the MFT was still visible and had not been wiped.

Both of these situations are anomalies caused by NT itself. What apparently happens is that when the program finishes and the OS takes control again, a new boot record and/or a new MFT is written to the drive. I guess NT is trying to do some housekeeping. Anyway, these are NEW items, and do not contain any remnants of the old information. If you choose to test this for yourself, interrupt the wipe process (pull the plug) just before the process completes. This will not allow NT to do its cleanup, and those areas are left in the wiped state. Again, this cleanup performed by NT is done after the drive is wiped.



OPERATION

Here is an explanation of the basic default operations:

1. NTWIPE shows parameters of all the physical drives it can identify and asks the user to pick one to wipe. (Be careful. The physical drives as NT identifies them may not correspond to your own idea of their numbering system. This is especially true if the system is mixed SCSI and IDE). Also, remember that if a disk has multiple partitions, there may be a number of logical drive letters sitting on a single physical drive. The user is expected to know the physical setup of the system in order to eliminate accidental overwriting of drives.

When showing the physical drives, the program identifies the partitions listed in the Master Boot Record. (IT DOES NOT WALK THE PARTITIONS, so those partitions sitting in Extended Partitions are not shown.) If more than one partition is identified in the MBR, the partition number is found in parentheses in the display. (NOTE: ZIP and JAZ disks generally populate partition number 4, but not always.)

The program WILL NOT operate on logical drive letters. You can however test the program by running it against the A: floppy drive. That is the only logical drive letter allowed.

2. After showing the drives available and obtaining the user's preference, NTWIPE asks the user to confirm (3 times as a default) the choice of drive selected. This is a safety factor.

3. NTWIPE then overwrites the drive three times. (Not the 7 times required by DOD.) The three writes consist of: a pass of hex 00's, a pass of hex 01's, and a pass of random characters. Regardless of how many passes (writes) the user specifies, the last pass is ALWAYS the random character sequence. The random character can be changed with the command line option (-r #). Each pass is completed in its entirety before the next one is started. This is done so that once the first pass is completed, should the process be stopped, you have wiped the drive at least once.
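
The drive display in step 1 lists only what the Master Boot Record's own table holds. The following is an added example, not part of NTWIPE or its author's code: it reads the four primary entries of a standard 512-byte MBR and flags extended containers, whose logical drives sit on the same physical drive and are wiped with it even though a table-only listing never shows them. The sample sector and all function names are constructed for illustration.

```python
import struct

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F, 0x85}    # CHS, LBA and Linux extended containers
ENTRY = struct.Struct("<B3xB3xII")     # status, type, start LBA, sector count


def parse_mbr(sector: bytes):
    """Return the non-empty primary entries of an MBR partition table."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: missing 55 AA signature")
    entries = []
    for slot in range(4):
        # The table starts at byte 446; each entry is 16 bytes.
        status, ptype, lba_start, count = ENTRY.unpack_from(sector, 446 + 16 * slot)
        if ptype == 0x00:              # unused slot
            continue
        entries.append({
            "slot": slot + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
            "extended": ptype in EXTENDED_TYPES,
        })
    return entries


def extended_slots(entries):
    """Slots whose logical drives a table-only listing does not show."""
    return [e["slot"] for e in entries if e["extended"]]


def build_sample_mbr():
    """Constructed sample: bootable NTFS in slot 1, extended container in slot 2."""
    table = ENTRY.pack(0x80, 0x07, 63, 4_194_304)
    table += ENTRY.pack(0x00, 0x0F, 4_194_367, 8_388_608)
    table += bytes(32)                 # slots 3 and 4 unused
    return bytes(446) + table + b"\x55\xaa"


if __name__ == "__main__":
    for e in parse_mbr(build_sample_mbr()):
        mib = e["sectors"] * SECTOR // (1024 * 1024)
        note = "  <- extended: logical drives inside not listed" if e["extended"] else ""
        print(f"({e['slot']}) type 0x{e['type']:02X} start {e['lba_start']} {mib} MiB{note}")
```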

When command line options are used:

The user can modify the operation of the program by using command line options.

Some of the more useful options are:

Use an option (-G) or (-g #) to merely identify the drives and show their geometry. These options do not do any writing or any destructive operation. They are informational only. Use these options to confirm the choice of drive to overwrite before actually wiping the drive.

Use the option (-d #) to explicitly tell the program which drive to use. This eliminates the program showing all the drives it finds and does not ask for the user to pick one. Using this option tells the program the user is positive which drive is to be wiped.

Use an option (-w #) to increase or decrease the number of writes to the drive. Normally, a single pass of random values will suffice for most wiping requirements. Keep in mind that no matter how many passes are requested, the LAST pass is always the random pass. So if you wiped 4 times (-w 4), the passes would be: 00's, 01's, randoms, randoms. Notice you would end up with 2 random passes, because both the 3rd and 4th (last) would be random.

Use the option (-r #) to alter the contents of the random writing buffer. The user can specify a final single value to write to the drive. Some use this to place a specific character on the drive, so it is easy to identify and determine if the program has written to all sectors.

Use the option (-f filename) to alter the contents of the random writing buffer. The user can specify an external text file that contains text to write to the drive. Every sector of the drive will have this text written to it. The maximum size of this text file is 16K. The contents of a text file might be: (Drive Wiped June 6, 2000, by Joe Jones, IT Staff.) This information would be replicated as needed to every sector of the drive.

Use the option (-S 0) which will immediately start the process and not require the user to confirm the drive selected. This is useful if you have a system set up which is designed as a wiping station. The drive to be wiped is merely replaced for each run. Once the drive number is properly identified, successive drives can be wiped in a more automated fashion. You can also set up a batch file to wipe each drive in the system one after the other without user intervention.
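
The pass order described for -w and the single-value fill described for -r can be modelled and then checked against an image of the wiped drive. This is an added example, not NTWIPE's own code; it assumes 512-byte sectors and that every pass from the third on uses the -r value, as the -w 4 description implies. The sample image is constructed: it carries a fresh boot record in sector 0, as the PURPOSE section says NT may write after the wipe, and leftover data in sector 5.

```python
import io

SECTOR = 512  # assumed sector size


def pass_plan(writes=3, fill=None):
    """Contents of each pass for -w <writes>; fill is the -r value, None = random."""
    final = "random" if fill is None else f"0x{fill:02X}"
    plan = []
    for n in range(1, writes + 1):
        if n == writes or n >= 3:
            plan.append(final)          # last pass and any pass past the second
        else:
            plan.append("0x00" if n == 1 else "0x01")
    return plan


def unwiped_sectors(image, fill):
    """Sector numbers in a binary stream that are not entirely the -r byte."""
    expected = bytes([fill]) * SECTOR
    bad, number = [], 0
    while True:
        chunk = image.read(SECTOR)
        if not chunk:
            return bad
        if chunk != expected[:len(chunk)]:  # tolerate a short final read
            bad.append(number)
        number += 1


def build_sample_image():
    """Constructed 8-sector image as left by -r 9, with two sectors that differ."""
    sectors = [bytes([9]) * SECTOR for _ in range(8)]
    sectors[0] = bytes(510) + b"\x55\xaa"                       # new boot record
    sectors[5] = b"old customer record".ljust(SECTOR, b"\x09")  # residue
    return io.BytesIO(b"".join(sectors))


if __name__ == "__main__":
    print(pass_plan(4))
    print(pass_plan(2, fill=7))
    print(unwiped_sectors(build_sample_image(), fill=9))
```

Any sector reported other than the areas NT rewrites after the run means the final pass did not reach it.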

Bad Sectors: Since in testing we could not find a drive with "hardware" bad sectors, it is not possible to comment on the program operation. Future tests will be conducted and reported.



COMMAND LINE

Here are some possible command lines and their expected results:

If left to default, the program will overwrite the drive with one pass each of 0's, 1's, and randoms.

c:>NTWIPE
/* default operation */

c:>NTWIPE -d 0 -w 1 -r 0
To write 1 pass of 0's

c:>NTWIPE -d 0 -w 2 -r 1
To write 1 pass of 0's and 1's

c:>NTWIPE -d 0 -w 2 -r 7
To write 1 pass of 0's and 7's

c:>NTWIPE -d 0 -S 0 -w 1
To begin immediately without prompting



OPTIONS

-?:  display the help message

-E:  Eject a SCSI removable disk (ZIP or JAZ) after finishing.

-g + #: shows disk geometry of drive number #. DO NOT USE for JAZ or ZIP drives (-g 1)

-G:  shows disk geometry of all physical drives and their partitions. Should identify ZIP and JAZ drive sizes. (-G)

-d + #: Wipe physical drive number #. If this option is not used, the user is asked to supply a drive number. (-d 2)

-w + #: Write this many passes to the disk. The default is 3 passes. First hex 00's, then 01's, then random values. (-w 1)

-r #:  Replace the random buffer with this decimal character. Valid range from 0-255. (-r 9)

-f + filename:  Use the contents of this text file to fill the random buffer. The drive will then be overwritten with this information. The file size limit of this file is 16K. Its contents are replicated or truncated as necessary. Users might find this option useful in putting in some text to positively identify the writing operation. Something like: This disk property of XYZ corporation, Overwritten on June 6, 2000 by Joe Jones. (-f text.fle)

-S #:  The user is asked by default to confirm 3 times that the write is to take place. The user MUST enter in upper case the word YES. Anything but this will abort the program. For safety's sake, the number of times the user must confirm can be changed (up or down). If the value of 0 is used, then the user is NOT prompted at all, and the program will begin 10 seconds after initiation. The 10 second delay is to allow for finger errors, and to allow a user to abort if necessary. This -S 0 option is very useful if a batch file is to be used to wipe many drives. (-S 0)



RELATED PROGRAMS

DECLASFY For overwriting from a DOS boot.

RMD For clearing formatted drives and free space.