
KillDisk

USER MANUAL

ver. 13
Updated: 11 Nov 2020
Contents

Legal Statement ... 4

Introduction ... 4
  Data Recovery ... 4
  Erasing Confidential Data ... 5
  Wiping Confidential Data ... 6
  International Standards ... 6

Overview ... 6
  System Requirements ... 7
  Software Licensing ... 8
    Registering the Software (Online) ... 8
    Registering the Software (Offline) ... 10
    Deactivating a Registration ... 12
  Software Updates ... 12

Getting Started ... 13
  Installation and Distribution ... 14
  Active@ Boot Disk Creator ... 15
  Navigating ... 17
  Disk Explorer ... 18

Usage Scenarios ... 19
  Disk Erase ... 19
    Selecting Disk Area to Erase ... 23
  Disk Wipe ... 24
  Resume Erase ... 27
  Secure Erase ... 28
  Processing Summary ... 32
  Certificates, Labels and Reports ... 35
    Erase Certificates ... 35
    Disk Labels ... 40
    Reports (XML) ... 42
  Command Line and Batch Modes ... 44
    Command Line Mode ... 44
    Batch Mode ... 48

Advanced Tools ... 48
  File Browser ... 48
  Disk Viewer ... 50

Application Settings ... 54

Preferences ... 58
  General Settings ... 59
  Disk Erase ... 63
  Secure Erase ... 65
  Disk Wipe ... 67
  Erase Certificate ... 68
  Company Information ... 72
  Technician Information ... 72
  Processing Report ... 73
  Disk Label Presets ... 76
  Disk Viewer ... 81
  Error Handling ... 82
  E-mail Notifications ... 83

Troubleshooting ... 84
  Common Troubleshooting Tips ... 84
  Application Log ... 85
  Hardware Diagnostic File ... 87

Appendix ... 88
  Glossary ... 88
  How Fast Erasing Occurs? ... 96
  Erase Disk Concepts ... 100
  Wipe Disk Concepts ... 103
  Erase Methods (Sanitation Standards) ... 108
  Using KillDisk in PXE environment ... 110
  Customizing Boot Disk ... 117
  Name Tags ... 120
  Disk Hidden Zones (HPA/DCO) ... 121

© 1999 - 2020 LSoft Technologies Inc.



Legal Statement
Copyright © 2020, LSOFT TECHNOLOGIES INC. All rights reserved. No part of this documentation may
be reproduced in any form or by any means or used to make any derivative work (such as translation,
transformation, or adaptation) without written permission from LSOFT TECHNOLOGIES INC.
LSOFT TECHNOLOGIES INC reserves the right to revise this documentation and to make changes in content
from time to time without obligation on the part of LSOFT TECHNOLOGIES INC. to provide notification of
such revision or change.
LSOFT TECHNOLOGIES INC provides this documentation without warranty of any kind, either implied
or expressed, including, but not limited to, the implied warranties of merchantability and fitness for a
particular purpose. LSOFT may make improvements or changes in the product(s) and/or the program(s)
described in this documentation at any time.
All technical data and computer software is commercial in nature and developed solely at private expense.
As the User, or Installer/Administrator of this software, you agree not to remove or deface any portion
of any legend provided on any licensed program or documentation contained in, or delivered to you in
conjunction with, this User Guide.
Active@ KillDisk, the Active@ KillDisk logo, KillDisk, KillDisk for Industrial Systems, KillDisk Desktop
are trademarks of LSOFT TECHNOLOGIES INC.
LSOFT.NET logo is a trademark of LSOFT TECHNOLOGIES INC.
Other brand and product names may be registered trademarks or trademarks of their respective holders.

Introduction
Digital data storage is a relatively new technology, and an overwhelming majority of people, businesses and
organizations do not understand the importance of securing it. The average hard drive stores thousands of
files, and many of them contain sensitive information. Over the course of a hard drive's lifetime, the
likelihood that recoverable remnants of sensitive information are left on the drive at its end of life is very
high. To see this, just try out KillDisk's File Browser on page 48 on your system drive. You'll be surprised
to see what you find!
Note:
Additionally, try formatting a USB drive with files on it and browse it with KillDisk's File Browser on
page 48 as well. Data leakages are not limited to hard drives!

Related information
File Browser on page 48

Data Recovery
Advances in data recovery have been made such that data can be reclaimed in many cases from hard drives
that have been wiped and disassembled. Security agencies use advanced applications to find
cybercrime-related evidence. There are also established industrial spy agencies using sophisticated channel
coding techniques such as PRML (Partial Response Maximum Likelihood), a technique used to reconstruct
the data on magnetic disks. Other methods include the use of magnetic force microscopy and recovery of
data based on patterns in erase bands.


Although there are very sophisticated data recovery systems available at a high price, almost all the data
can also be easily restored with an off-the-shelf data recovery utility like Active@ File Recovery, making
your erased confidential data quite accessible.
Using KillDisk, all data on your hard drive or removable device can be destroyed without the possibility
of future recovery. After using KillDisk, the process of disposal, recycling, selling or donating your storage
device can be done with peace of mind.
Related information
Getting Started on page 13
Usage Scenarios on page 19
Erase Disk Concepts on page 100

Erasing Confidential Data


Modern methods of data encryption are deterring network attackers from extracting sensitive data from
stored database files.
Attackers who want to retrieve confidential data are becoming more resourceful and look for places where
data might be stored temporarily. For example, the Windows DELETE command merely changes the file's
attributes and location so that the operating system will not look for the file. The situation with NTFS is
similar.
One avenue of attack is the recovery of data from residual data on a discarded hard drive. When deleting
confidential data from hard drives, removable disks or USB devices, it is important to remove all traces of
the data so that recovery is not possible.
Most official guidelines regarding the disposal of confidential magnetic data do not take into account the
depth of today's recording densities nor the methods used by the OS when removing data.
Removal of confidential personal information or company trade secrets in the past might have been
performed using the FORMAT command or the FDISK command. Using these procedures gives users a
sense of confidence that the data has been completely removed.
When using the FORMAT command Windows displays a message like this:
Important:
Formatting a disk removes all information from the disk.

The FORMAT utility actually creates new FAT and ROOT tables, leaving all previous data on the disk
untouched. Moreover, an image of the replaced FAT and ROOT tables is stored so that the UNFORMAT
command can be used to restore them.
FDISK merely cleans the Partition Table (located in the drive's first sector) and does not touch anything else.
Moreover, most hard disks contain hidden zones (disk areas that cannot be accessed and addressed on a
logical access level). KillDisk is able to detect and reset these zones, cleaning up the information inside.
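The difference between cleaning tables and overwriting data can be seen on a small in-memory disk image. The following is an added example, not KillDisk code and not part of the original manual: the partition table offset (446) and boot signature follow the standard first-sector layout, while the table and data sector positions, the sample file content and the single-pass zero fill are constructed assumptions for illustration.

```python
# Added illustration (not KillDisk code): metadata-only "clearing" versus overwriting.
# The image layout below is a constructed, simplified stand-in, not a real FAT volume.
SECTOR = 512
PT_OFFSET, PT_SIZE = 446, 64        # partition table inside the first sector
TABLE_LBA, TABLE_SECTORS = 8, 2     # stand-in for the FAT and ROOT tables
DATA_LBA = 16                       # first sector holding file content
MARKER = b"CONFIDENTIAL-PAYROLL-2020"   # constructed sample content


def build_image(total_sectors: int = 64) -> bytearray:
    """Build a small in-memory disk: partition table, file tables, file data."""
    img = bytearray(total_sectors * SECTOR)
    entry = bytearray(16)                               # one partition entry
    entry[4] = 0x0B                                     # partition type byte
    entry[8:12] = TABLE_LBA.to_bytes(4, "little")       # first sector of partition
    entry[12:16] = (total_sectors - TABLE_LBA).to_bytes(4, "little")
    img[PT_OFFSET:PT_OFFSET + 16] = entry
    img[510:512] = b"\x55\xaa"                          # boot sector signature
    record = b"PAYROLL TXT" + DATA_LBA.to_bytes(4, "little")   # name + start sector
    img[TABLE_LBA * SECTOR:TABLE_LBA * SECTOR + len(record)] = record
    content = (MARKER + b"\n") * 40                     # 1040 bytes, spans 3 sectors
    img[DATA_LBA * SECTOR:DATA_LBA * SECTOR + len(content)] = content
    return img


def fdisk_style_clear(img: bytearray) -> None:
    """Clean only the partition table in the first sector."""
    img[PT_OFFSET:PT_OFFSET + PT_SIZE] = bytes(PT_SIZE)


def format_style_clear(img: bytearray) -> None:
    """Write fresh (empty) file tables; file content sectors are not touched."""
    start = TABLE_LBA * SECTOR
    img[start:start + TABLE_SECTORS * SECTOR] = bytes(TABLE_SECTORS * SECTOR)


def overwrite_all(img: bytearray, fill: int = 0x00) -> None:
    """Overwrite every sector with one fill byte (single pass, for illustration)."""
    block = bytes([fill]) * SECTOR
    for lba in range(len(img) // SECTOR):
        img[lba * SECTOR:(lba + 1) * SECTOR] = block


def residual_sectors(img: bytearray, fill: int = 0x00) -> list:
    """Return the sector numbers that still differ from the expected fill pattern."""
    block = bytes([fill]) * SECTOR
    return [lba for lba in range(len(img) // SECTOR)
            if img[lba * SECTOR:(lba + 1) * SECTOR] != block]


def run_stages() -> dict:
    """Apply each operation in turn and record what an audit scan still finds."""
    img = build_image()
    report = {}
    fdisk_style_clear(img)
    report["after_fdisk"] = (residual_sectors(img), img.count(MARKER))
    format_style_clear(img)
    report["after_format"] = (residual_sectors(img), img.count(MARKER))
    overwrite_all(img)
    report["after_overwrite"] = (residual_sectors(img), img.count(MARKER))
    return report


if __name__ == "__main__":
    for stage, (sectors, hits) in run_stages().items():
        print(f"{stage:16} residual sectors={sectors} marker hits={hits}")
```

Only the full overwrite leaves no residual sectors; after both table-only operations the file content is still present in the data sectors.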
Related tasks
Disk Erase
Related information
Disk Erase on page 63
Erase Disk Concepts on page 100
Disk Hidden Zones (HPA/DCO) on page 121


Wiping Confidential Data


You may have some confidential data on your hard drive in spaces where the data is stored temporarily.
You may also have deleted files by using the Windows Recycle Bin and then emptying it. While you are still
using your local hard drive there may be confidential information available in these unoccupied spaces.
Wiping the logical drive's deleted data does not delete existing files and folders. It processes all unoccupied
drive space so that recovery of previously deleted files becomes impossible. Installed applications and
existing data are not touched by this process.
When you wipe unoccupied drive space on the system disk, the process must be run under an operating
system booted from a CD/DVD/USB disk. As a result, the wipe or erase process uses an operating system
that is outside the local hard drive and is not impeded by Windows system caching. This means that deleted
Windows system records can be wiped clean.
KillDisk wipes unused data residue from file slack space, unused sectors and unused space in system
records or directory records.
Wiping drive space can take a long time, so do this when the system is not being actively used. For
example, this can be done overnight.
Related tasks
Disk Wipe on page 24
Related information
Disk Wipe on page 67
Wipe Disk Concepts on page 103

International Standards in Data Destruction


KillDisk works with dozens of international standards for clearing and sanitizing data including the US DoD
5220.22-M and NIST 800-88 standards. You can be sure that once you erase a disk with KillDisk all the
sensitive information is destroyed forever.
KillDisk is a professional security application that destroys data permanently from any computer that can
be started using a boot USB or CD/DVD. Access to the drive's data is made on the physical level via the
BIOS (Basic Input-Output Subsystem) bypassing the operating system’s logical drive structure organization.
Regardless of the operating system, file systems or machine types, this utility can destroy all data on all
storage devices. It does not matter which operating systems or file systems are located on the machine.
Related information
Erase Methods (Sanitation Standards) on page 108

Overview
KillDisk 13
KillDisk 13 is the most powerful consumer edition released to date. With the development and release
of KillDisk Industrial, KillDisk 13 benefits from industrial stability, improved disk handling, interface
layouts and advanced features including:
• Enhanced visualization of physical disks and erase processes
• Improved handling of disks with controller malfunctions
• Stable handling of hot-swappable and dynamic disks
• Sound notifications for completed erase jobs with different results
• Auto hibernate or shutdown the system after all jobs are completed
• Enhanced certificates and reports for disk erase and wipe
• Advanced Disk Viewer with flexible Search for low-level disk inspection
• Customizable file names for certificates & XML reports
• Unique Computer ID can be displayed in certificates/reports
• Disk health - S.M.A.R.T. information can be displayed and monitored
• Customizable look & feel: four different application styles included
• ATA Secure Erase option for SSDs
New features for version 13 include:
• Resume Disk erase action to continue interrupted disk erase due to disk malfunction or errors
• Digitally signed PDF certificate with optional encryption and visual signature presentation
• Secure Erase (ATA command) implementation for Solid State Drives (SSD)
• Enhanced faulty disks detection and handling
• Bug fixes and major performance improvements
New features for version 12 include:
• Customizable Printable Labels
• Customizable Sound Notifications
• Redesigned and improved printable Certificates and Reports
• Disk Serial Number can be properly detected for most scenarios, including disks connected via USB
• Many other enhancements and stability improvements while working with unstable disks
This release is available as an executable to run in your desktop environment, or in a bootable environment
with the help of the Active@ Boot Disk Creator - the bootable disk creation tool included in the
installation package.
Related information
Erase Methods (Sanitation Standards) on page 108

System Requirements
KillDisk runs on Linux and Windows operating systems with the following minimum requirements:
Workstation:
• PC: x64 (64-bit) or x86 (32-bit)
• CPU: Intel or AMD
• RAM: 512 Mb (Windows), 1 Gb (Linux)
• Disk: 100Mb of disk space
Video:
• VGA (800x600) or better resolution
Operating System:
• Windows XP to Windows 10, Server 2003 to 2016 (Windows version)
• Linux Kernel 2.x and higher (Linux version)


Drive Storage:
• CD/DVD/Blu-Ray optical drive (for applicable boot disk features)
• USB 1.0 / 2.0 / 3.0 storage device (for applicable boot disk features)
• Disk types supported:
• HDD via IDE, ATA, SATA I, SATA II, SATA III, SAS
• SSD via SATA I, SATA II, SATA III, SAS
• External eSATA & USB disks
• SCSI & iSCSI devices
• Onboard NVMe M.2 (SATA & PCI-E types)
• Removable media (USB drive, MemoryStick, SD card, Compact Flash, Floppy Disk, Zip Drive)
KillDisk supports all drives seen by the OS with read/write access. Additional drivers can be loaded onto
the boot disk when they are not included by default in the bootable environment.
Related information
Installation and Distribution on page 14

Software Licensing
KillDisk is licensed per concurrent use of the software and for each concurrent disk being erased or
wiped, as outlined in the EULA. The maximum number of disks erased in parallel corresponds to the number
of purchased licenses.
One Corporate license grants you the ability to run the software on one machine and erase one disk at any
given time. To run on several machines in an office, or on multiple drives in parallel on one machine, you
require the corresponding number of licenses.
Site and Enterprise licenses grant the license holder unlimited use of the software in a geographical location
and worldwide respectively.
This licensing is maintained through software registration and activation. Once the full version of KillDisk is
purchased, the license holder will receive an email with their Registered Name and Registration Key. Every
machine that needs to use the full version of the software needs to be activated with this key.
Activations are limited to the number of licenses held. To transfer a license from one machine to another,
it must be deactivated on the decommissioned hardware first.
For boot disks to be created the Active@ Boot Disk Creator must be registered with an active registration
key.

Registering the Software (Online)


For this task you require an active Internet connection on the machine on which you wish to register the
product. After installation, Active@ KillDisk still starts as the FREE (unregistered) version. You need to
register it first to have all the pro features activated. To register the software with an active Internet
connection, do the following:


1. Select Register or Upgrade Software in the initial Registration & Licensing dialog launched on
application start up or click Registration… from the Help menu to access it from the application.

Figure 1: Accessing the registration window


2. Select the Register or Upgrade Software radio button
3. Read the License agreement and activate the check box to agree to the Terms and Conditions of the
license
4. Click Next to proceed with the registration

Figure 2: Registration window


5. Copy & Paste your 30-digit registration key into the Registration Key: field


6. You should receive a response that the software has been registered. The registration is now complete.
You may click Next and exit the registration window

Figure 3: Completed registration


You now have access to the full features of the application.
Note: If your registration key is too long you are using the key for an earlier version. Ensure you
update to the latest version by making sure your support and updates are active and use the key to
this latest version. This can be done through your client profile.

Note: You can also load registration information from a text file (.INI or .TXT) where the first line is
the name and second line is the key.

Registering the Software (Offline)


For this method of activation, you need any computer with a web browser and an active Internet connection,
and a USB drive. Use this method only if the computer you are activating does not have Internet access.
In some cases, such as for security reasons or lack of access, an Internet connection may not be available
on the machine on which you wish to install the software. For offline activation:
1. Select Register or Upgrade Software in the initial Registration & Licensing dialog launched on
application start up or click Registration… from the Help menu to access it from the application.
2. Select the Register or Upgrade Software radio button
3. Read the license agreement and activate the check box to agree to the Terms and Conditions of the
license
4. Click Next to proceed with the registration


5. Copy & Paste your 30-digit registration key into the Registration Key: field. The Activation Request and
Activation Response boxes will appear

Figure 4: Offline activation boxes appearing


6. Click Save... to generate a registration request file. Copy this file to a USB drive.
7. Bring the USB drive to a computer with an active Internet connection
8. Open the Web browser and navigate to lsoft.net/act
9. Import the request file using the Choose File button and click Load
10. Click Process! to generate the Activation Response
11. Save the response to your USB drive by clicking Save to *.licenseActivated

Figure 5: Generating an offline activation


12. Bring the USB drive to the machine with KillDisk installed
13. Import the activation response in the registration window and click Activate
You have now activated the software on your offline machine.

Deactivating a Registration
To transfer licenses from one machine to another you need to free up (remove) your activation on the
licensed machine. You may do this by deactivating the registration from within the KillDisk application:
1. Click Help > Remove License in the file menu bar
2. Click Deactivate Registration in the pop-up licensing window

Figure 6: Deactivating a registration


Your active license is now revoked from your machine and may be used to activate a different computer.
Note: Uninstalling the application from the computer using the uninstaller will also deactivate your
license.

Software Updates
KillDisk has a built-in update client to ensure you always have access to the latest version of the
application. To check for updates, use the file menu bar to navigate to Help > Check for Updates


Figure 7: Checking for updates

The Update dialog contains the history of previously installed versions and updates.

If a new version or update is detected, it can be downloaded and installed in the next wizard steps.
Note:
KillDisk stores your previously installed versions so you may roll back to any of your older versions
at any time.

Getting Started
This section describes the key features of KillDisk and explains basic functionality.


Figure 8: KillDisk Main View and Erase Certificate

Installation and Distribution


After purchasing Active@ KillDisk, a registration key will be emailed to you, as well as a download link to
the installation package named KILLDISK-<VERSION>-SETUP.EXE. This file contains everything you need to
get started - just double click the file and the installation wizard will take you through the setup process.
Note: If you purchased the Ultimate version, you receive an installation executable file to
run on Windows. To access the Linux installation files, install KillDisk on your Windows
machine and navigate to the application directory. In the Linux subfolder you will find the
Linux installation files. The path to the Linux application will look something like:
C:\Program Files\LSoft Technologies\Active@ KillDisk Ultimate 11\Linux\KillDisk_Linux_Installer.tar.gz
After installation, Active@ KillDisk still starts as a FREE (unregistered) version. You need to register it first to
have all professional features activated.

Windows versions:
In order to install the application double click KILLDISK-<VERSION>-SETUP.EXE file and follow the
instructions in the installation wizard.
The installed package contains two main applications:
• Active@ KillDisk for Windows (KillDisk.exe) - Run this application from your Windows operating
system to inspect local disks and erase/wipe your data
• Active@ Boot Disk Creator (BootDiskCreator.exe) - Create a bootable WinPE-based CD/DVD/BD/USB
disk to boot from and run Active@ KillDisk for Windows. Using Active@ KillDisk this way
allows you to wipe out confidential data from the system volumes while gaining exclusive use of
partitions, because the operating system runs outside the partition that you are securing

Linux versions:
In order to install KillDisk on Linux, first locate the Linux installation file as mentioned in the note
above. Double click KillDisk_Linux_Installer.tar.gz in your Linux environment and unpack the archive to a
proper location. To start the installation, simply run the following command in the directory where the
archive was unpacked:

sudo ./KillDisk_Linux_Installer.run

Active@ Boot Disk Creator


Active@ Boot Disk Creator helps you to prepare a bootable CD, DVD, Blu-ray or USB mass storage device
that you may use to start a machine and repair security access issues or destroy all data on the hard drives.
To prepare a bootable device:
1. Run Bootable Disk Creator from the Windows Start menu (Windows platform).
The Boot Disk Creator Wizard appears:

Figure 9: Boot Disk Creator Wizard


2. Optional step: if the software hasn't been registered yet, you need to register it first. Click Register in
the bottom-right corner
3. Select the desired bootable media: CD/DVD/Blu-ray, USB Flash Drive or ISO Image file to be burned
later on. If several media drives are inserted, click the ellipsis button (…) and choose a particular device.
Click Next
Note: If your USB bootable disk does not appear in the drop-down list, click Initialize Disk. You
should be able to find the device in the setup menu and initialize it to make it compatible with the
application. This process will erase all data on the selected device.


4. Select the target platform for booting up. Depending on version purchased one or more target
platforms are available for selection (Windows-based, Linux-based or Console Boot Disk)

Figure 10: Creating Windows-based Boot Disk


5. At this step you can specify additional boot disk options:
a) To customize boot options click the System Boot Settings tab. You can change the default settings to
be used: Time Zone, Additional Language Support, Default Application Start and Auto-Start Delay.
You can also change these options in the Active@ Boot Disk initialization screen while booting
(Windows version). Additional Network and Security sub-tabs allow you to configure static IP & Firewall
settings as well as to protect your Boot Disk with a password
b) To add your custom files to the bootable media click the User’s Files tab. Add files or folders using
the related buttons at the right side. Added items will be placed in the User_Files root folder
c) To add specific drivers to be loaded automatically click the Add Drivers tab. Add all files for the
particular driver (*.INF, *.SYS, …). Added items will be placed in the BootDisk_Drivers root folder. At
boot time all *.INF files located in this folder will be used for installation
d) To add specific scripts to be launched after Active@ Boot Disk is loaded click the Add Scripts tab.
Add your scripts (*.CMD files). Added files will be placed in the BootDisk_Scripts root folder. At boot
time all *.CMD files located in this folder will be executed
e) To add command line parameters for KillDisk startup after the boot, click the Application Startup tab
and type the desired parameters. This tab is available only if the Default Application Start option is
turned "ON" on the System Boot Settings tab
6. Click Next. Verify the selected media and boot-up environment
7. Click Create. A progress bar appears while the media is being prepared
Note: Not all the additional boot disk options are accessible for all platforms. For example, the Add
Drivers section applies only to Windows OS and is available for Windows only.

Note: A USB Drive or blank CD/DVD/BD must be inserted and explicitly chosen on the first step
before you can proceed further.

Note: If you’ve created an ISO Image file you can burn it to a disk later on by using any utility of
your choice.


Related information
Software Licensing on page 8
Common Troubleshooting Tips on page 84

Navigating
Once the KillDisk application is launched the main application's dashboard appears. From here you can use
any of KillDisk's tools on your system. This section describes the main components of the application. The
full functionality and features of these components are discussed in their corresponding sections later.
Figure 11: KillDisk Dashboard

Where:

File menu bar


The file menu bar contains actions to perform nearly any operation in KillDisk such as accessing
Settings and Help sections, changing Views and what is visible in the dashboard, opening tools as well as
navigating between KillDisk's windows.
Command Toolbar
The command toolbar is a dynamic toolbar that allows the user to perform Tabbed Window-specific
actions (depending on the context).
Windowed view
Contains the window that is currently active. By default you can see here all HDD/SSD/USB disks attached
to the workstation.
Output window
Contains the log of operations KillDisk has performed.
Advanced tool tabs
These tabs allow you to navigate between the different Advanced Tool windows.
Advanced tool window
This window shows the data for the Advanced Tool selected. The window can be moved, popped out and
re-sized.


To browse through each of these Views click on the appropriate tab. You may also open a View from the
View menu.

To open any closed View just select it from the View menu.
The status bar at the bottom of the workspace shows the current status of the application or status of the
activity in progress.
Related information
Usage Scenarios on page 19
Property Views

Disk Explorer
The Disk Explorer is the default View for the KillDisk application. All the attached HDD/SSD/USB disks are
visualized and can be selected and manipulated here. New procedures like erasure can be initiated from here,
and statuses and progress of actions performed with disks are displayed here as well.

Figure 12: Disk Explorer View


An additional toolbar helps to execute frequently performed tasks. It contains the following buttons with
drop-down menus:
View
The disk explorer supports a range of different Views to use when performing KillDisk actions, each
with their own customizable settings for different use cases.

Related information
Preferences on page 58

Usage Scenarios
KillDisk is a powerful tool to provide disk erasure solutions for personal and corporate use. This section
describes the key features of KillDisk and how to use this software's many features. The software is highly
customizable and this guide will help get you started with configuring KillDisk for your system and using it
to the full potential.

Disk Erase
KillDisk is an extremely powerful tool for disk erasure. Individual disks can be erased according to any
desired standard with just a few clicks. The process is described below.
1. Select disks for erasure
Use Disk Explorer on page 18 to select one or more physical disks or logical volumes. For multiple
selection use Ctrl+Left Mouse click
2. Open Disk Erase dialog using one of the following methods:
• Click Erase Disk command on the action toolbar
• Click Actions > Erase Disk command from main menu
• Click Erase Disk command from context menu

Figure 13: Initiating the Erase operation


3. Confirm erasure options


Disk Erase options dialog pops up:

Figure 14: Disk Erase Options

Use tabbed Views to adjust disk erasure options if necessary. Options available are:
• Disk Erase on page 63
• Erase Certificate on page 68
• Processing Report on page 73
• Error Handling on page 82
If a single disk is selected for the Erase Disk command, the disk area to be erased can be specified:

Figure 15: Erase Disk - Area Selection

Select all disk space
Entire surface of the disk will be erased
Select all volumes
Selects for erasure only the disk space where live volumes are located
Select all unallocated space
Selects for erasure only the unallocated area of the disk (the space where no live volumes exist)
Select exact disk area
Allows you to use sliders on the visualization of your disk to select a particular range of sectors for
erasure.

You may also click on individual partitions and the selected partitions will be erased.
Click Start button to go to the final confirmation dialog:

Figure 16: Disk Erase Confirmation

Click OK button to begin disk erase process.


4. Observe erase process


When the Erase Disk procedure begins you see the disk area representation as a progress bar as well as
the erase method and its progress. The progress bar represents the percentage of disk space processed.
As the procedure progresses the percentage increases and the estimated time is recalculated.
The user can Stop the erase process at any time (via the action toolbar, main menu or context menu).
After Erase is complete for the particular disk, its status is displayed:

Figure 17: Erase Completed


When the erase is completed the user is able to review results (logs, processing reports and attributes) and
print Erase Certificates and Disk Labels for processed disks.


Figure 18: Disk Erase Summary

Related information
Erase Methods (Sanitation Standards) on page 108
Processing Summary on page 32
Certificates, Labels and Reports on page 35

Selecting Disk Area to Erase


In KillDisk you have the option to specify the area on the disk to erase. To access this feature you have to
select the disk first. From Actions menu initiate the Erase Disk operation. The default option is Select all
disk space which applies the selected operation to the entire disk.

If you're interested in specific areas of the disk (specific partitions), you may use the Select exact disk area
option. This allows you to use sliders on the disk visualization in order to select a particular range of sectors.
You may also click on individual partitions and they will be selected for erasure.


Figure 19: Erasing a specific partition

Disk Wipe
When you select a physical device the Wipe command processes all logical drives consecutively, erasing
data in unoccupied areas (free clusters and system areas) and leaving existing data intact. Unallocated
space (where no partition exists) is erased as well.
Note:
If you want to erase ALL data (existing and deleted) from the hard drive device permanently, see
Disk Erase on page 19.

If KillDisk detects that a partition has been damaged or it is not safe to proceed, KillDisk does not wipe
data in that area. It does not proceed because the partition might contain important data.
There are some cases where partitions on a device cannot be wiped. Some examples: an unknown or
unsupported file system, a system volume or an application start up drive. In these cases the Wipe
command is disabled. If you select a device and the Wipe button is disabled select individual partitions
(drives) and wipe them separately.
1. Select a disk or volume to wipe out in Disk Explorer > Local Devices View
You may select multiple disks/volumes to be wiped out simultaneously


2. Execute Wipe Disk command from Actions menu (or use the context menu)

Figure 20: Initiating Wipe


3. Confirm Wipe Options


Use tabbed views to adjust Disk Wipe options if necessary. Available options are:
• Disk Wipe on page 67
• Erase Certificate on page 68
• Processing Report on page 73
• Error Handling on page 82

Figure 21: Selecting Wipe Options


4. Select the areas of the disks to be wiped. For each disk you can select individual partitions
5. Click Start to reach the final step before erasing data. Confirm the Wipe action and the process starts


6. The progress of the wiping procedure will be monitored


To stop the process at any time click the Stop button for a particular disk. Click the Stop All button to
cancel wiping for all selected disks. Please note that existing applications and data will not be
touched. The data that has been wiped from unoccupied sectors is not recoverable.

Figure 22: Disk Wipe Progress


7. Optional: Select the wiped partition and click the File Browser toolbar button to inspect the work that
has been done
KillDisk scans the system/root records of the partition. The Browser tab appears. Existing file/folder
names appear with a multicolor icon and deleted file/folder names appear with a gray-colored icon.
If the wiping process completed correctly the data residue in these deleted file clusters and the place
these files hold in the directory/system records has been removed. You should not see any gray-colored
file names or folder names in the wiped partition.
You will see a confirmation dialog when the process is complete. Now you may print Erase Certificates on
page 35.
Note:
If there are any errors, for example due to bad clusters, they will be reported on the interactive
screen and in the Log. If such a message appears you may cancel the operation or continue wiping
data.

Related information
Disk Wipe on page 67
Processing Summary on page 32
Certificates, Labels and Reports on page 35

Resume Stopped or Interrupted Erase


Disk erase can be a time-consuming task. Operations on larger disks (10TB+) erased with sanitizing
standards that include several overwrite passes could last for hours. If something happens in the middle of
an erase (the user stopped the action, a failing disk just turned off, the computer rebooted, etc.) the user
has these options:
• Start Erase for the disk all over again
• Resume the previous Erase from the point where it stopped on a disk (time-saving option)
After the application starts, all detected disks are analyzed for previously interrupted erases, and if
stopped/interrupted erases are detected on one or more disks, the Resume Erase button becomes active.
Disks with an interrupted erase are marked with a red label Interrupted Erase
Note:
If disks with an interrupted erase are detected after program start, a pop-up dialog appears
automatically suggesting that you Resume Erase. You can run Resume Erase from here, or select only
the disks you need later on.

To Resume Erase:
1. Select a disk or group of disks to Resume Erase for
2. Click the Resume Erase button on the toolbar
The Resume Erase Disk dialog appears. The list displays all disks where the Resume Erase option is
available. You can select more disks for resume erase (if any are available) or deselect some selected disks

3. Confirm Resume Erase action

Verify the selected disks, Certificate and Report options, click the Start button to resume the interrupted
erase and wait until the erase is complete
When the resumed erase is completed the user is able to review results (logs, processing reports and
attributes) for processed disks and print Certificates and Disk Labels.

Secure Erase
Most Solid State Drives (SSD) support Secure Erase and use it for the physical deletion of all memory
blocks on the media. KillDisk Industrial is able to use the SSD SATA Secure Erase feature and perform fast
unrecoverable erasure. By doing this, you can increase the performance of frequently used SSDs for future
use. All of the data will be lost. Before using this feature make sure you fully understand its concepts.
Warning:
100% FATAL DAMAGE GUARANTEED TO MEDIA IF THE PROCESS IS INTERRUPTED (POWER
OUTAGE, UNAUTHORIZED SSD EXTRACTION, ETC.)
Make sure your hardware setup is safe from sudden loss of power.
Do not interrupt the process of Secure Erase in any manner.


Note:
If there is a need to erase ALL data (existing and deleted) from the hard drive device permanently
with sanitation standards (US DoD 5220.22-M, Canadian OPS-II, NSA 130-2 etc.), use Disk Erase on
page 19 feature.

Important:
The Secure Erase function is not available in the Windows package of KillDisk, including applications
running under Active@ Boot Disk (which is based on WinPE). For security reasons Microsoft
intentionally blocked the IOCTL_ATA_PASS_THROUGH function in all the latest Windows editions
starting from Windows 8.

In order to use Secure Erase to erase Solid State Drives:


1. Select a disk for Secure Erase

Select disks marked as in Disk Explorer > Local Devices View. You may select multiple disks to be
erased simultaneously
2. Execute Secure Erase command from Actions menu or use context menu:

Figure 23: Initiating Secure Erase


3. Confirm Secure Erase Options:


Use tabbed views to adjust Secure Erase preferences if necessary. Available options are:
• Secure Erase on page 65
• Erase Certificate on page 68
• Processing Report on page 73
• Error Handling on page 82
• Selected Disks (Disk selection for Secure Erase). Only SSDs that are NOT frozen can be selected for
Secure Erase

Note:
If a frozen SSD has been selected for erasing, the following message appears in the
Disk Secure Erase tab:

Figure 24: Frozen disks


4. Click Start to reach the final step before erasing disk data
Confirm Secure Erase action by typing a predefined keyphrase and the process starts

Figure 25: Secure Erase confirmation

Note:
There is no progress indicator available for Secure Erase. The feature is implemented inside the SSD
controller. Only the "elapsed" time is available.

After the Secure Erase process is completed the Processing Summary on page 32 dialog appears


Figure 26: Processing Summary

Now you may Print, Browse or Open the Secure Erase Certificate and Reports (XML) on page 42. If there
are any errors they will be reported on the interactive screen and in Erase History Disk Processing Results.
Related information
Secure Erase on page 65
Processing Summary on page 32
Certificates, Labels and Reports on page 35
Secure Erase (SSD) on page 94
Secure Erase Concepts on page 101
Secure Erase (ANSI ATA, SE) on page 109

Processing Summary
Once KillDisk finishes processing any task such as Disk Erase on page 19, Secure Erase on page 28
or Disk Wipe on page 24, a summary dialog appears. It contains all of the information regarding
the operation(s). For example, it includes information like the disks operated on, status of erasure, logs
and all associated certificates and reports.


Figure 27: Example of Processing Summary

Results Overview window contains the options for the successful erasure:
Title
All the devices processed are displayed with their success/failure status in a tree list
Status
An actual status (success/fail)
Label
Volume or partition description
Method
Erase/Wipe sanitizing method being used
Erase Passes
Number of overwriting passes performed
Started at
Time & date of operation's start
Duration
Duration of the operation
Processing Attributes window contains all the status and attributes of the operations (as more detailed
View):


Figure 28: Processing Attributes Sample

Log window shows an actual Log file:

Figure 29: Log Sample

Note:
The Wipe operation will produce a similar processing summary for the Disk Wipe

Additional options are:


Disk Certificate
Specifies the path to the saved erasure PDF certificate. Allows user to examine the certificate by pressing
the Open button
Print Labels
Allows user to examine, customize, change options and print Disk Labels on page 40 by pressing the
Print Labels button
Disk Processing Report
Specifies the path to the saved Disk Processing Report. Allows user to examine the .xml disk processing
report by pressing the Browse (to navigate to the containing folder) or Open buttons
Related information
Certificates, Labels and Reports on page 35

Certificates, Labels and Reports


KillDisk maintains the highest standards in disk erasure and provides extensive documentation options for
its operations through Reports, Labels and Certificates.
Related information
Erase Certificates on page 35
Reports (XML) on page 42
Disk Labels on page 40

Erase Certificates
KillDisk provides PDF certificates upon the completion of disk Erase, Secure Erase or Wipe operations.
These certificates may be customized to include company-specific information and hardware/procedure
description. Configuring these custom settings is described in the Certificate Preferences section of this
guide.

Certificate Elements
Company Logo
A custom company logo can be placed on the certificate instead of the default KillDisk logo at the top
right corner
Company Information
Displays all company information provided in the preferences. The user in the sample above only
provided a business name. But other company information may also be included in the certificate
Technician Information
Displays the technician information provided in the preferences. This section is for the name of the
operator and any notes they may want to include in the certificate report
Erasure Results Information
Displays information pertaining to the erasure procedure conducted on the hard drive(s). Type of erasure
algorithm, custom settings, date and time started and duration of the erasure are all listed here
Disk Information
Uniquely identifies the disk that was operated on by the KillDisk application. Includes information like
Name, Serial Number, Size and Partitioning Scheme
System Information
Provides details on the system used to run KillDisk such as the OS and processor type
Note:
The system information here only applies to the system running KillDisk, not the system that was
erased by the application! Provided KillDisk remains on one workstation.
Hardware Information
Provides details on the hardware used to run KillDisk such as Manufacturer, logical processors etc.


Storing Certificate to PDF


There are options for storing a certificate to a file in PDF format as well as encrypting output PDFs with
passwords and digitally signing them. You can re-print certificates stored as PDF later on, and you can
validate their integrity and validity.
Certificate location
Use this option to save the erase certificate as a file in PDF format to the selected location

File name template
Here the user specifies the file name template for the Erase Certificate. See the tags available in the
Appendix tags section

Encrypt with password
If the password field is not empty, the output certificate (PDF) will be encrypted and protected with the
specified password. This password needs to be typed in any PDF Viewer the next time the user opens the
certificate for printing

Sign Certificate with Digital Signature
The certificate file (PDF) can be signed with the default Digital Signature (supplied KillDisk.pfx certificate)
or with your custom Digital Signature (*.PFX) and can be verified later on. If Adobe Reader
successfully verifies the PDF document, it is guaranteed that its content hasn't been modified since
issue.
If a custom Digital Signature is required, please issue a certificate and specify the full path to the custom
certificate (*.PFX file) as well as its open password in the related fields below (Digital Signature and
Use password to open)

Display Digital Signature


Digital Signature can be displayed as an overlay text on the first page of certificate. After you turn on
this option, you can specify overlay text using tags (see tags section), its position on the first page,
rectangle dimensions and text size


Sample of Disk Processing Certificate

Figure 30: Disk Processing Certificate - 1-st Page


Figure 31: Disk Processing Certificate - 2-nd Page


Figure 32: Disk Processing Certificate - 3-rd Page

Figure 33: Disk Processing Certificate - Last Page

Sample of Secure Erase Certificate


Related information
Disk Labels on page 40

Reports (XML) on page 42

Disk Labels
Along with the PDF certificate KillDisk allows you to print Disk Labels to place on erased disks with its Print
Label feature. Disk Labels with process results and essential disk information can be issued for any disk
processing (such as Disk Erase, Secure Erase or Disk Wipe). These labels are completely customizable
to print on any sized sheet with any dimension. Simply specify the parameters and KillDisk will prepare the
printable labels for you.

Accessing the Print Labels Option


Upon the completion of a major KillDisk operation you will see a report dialog. In the list of completed
tasks you will see the Print Labels button. Click it to enter the Print Label Dialog.

Figure 34: Opening Print Label Dialog

Print Label Dialog


This dialog allows you to configure the labels and prepare them for printing. The top of the dialog shows a
list of the drives that will have labels generated for them. At any point in the operation a sample of the label
is shown in the Preview window on the left side. The right side of the dialog has the styling and template
configuration options.


Figure 35: Print Label Dialog

Page template options


The print label dialog gives you access to a number of predefined standard presets and custom
templates you may create. These templates may be easily selected without opening any additional dialogs.
All the details of the selected template will be displayed below the selection box

Print Start Position


The print start position section of the dialog allows you to select which label on the page to start printing
from. The labels won't always start from the 1x1 position so you can adjust this setting accordingly

Print Preview and Printing


Once all the settings are configured you may see the Print Preview by clicking the Continue button. The
Preview displays what the print is going to look like and from here the print job can be sent to a printer that
is configured in the system
Skip Print Preview
Disable system Print Preview dialog and print labels immediately


Figure 36: Example of Print Preview

Related information
Erase Certificates on page 35
Disk Label Presets on page 76

Reports (XML)
KillDisk gives you the option to save XML reports for any major operation it performs on a disk (such as
Disk Erase, Secure Erase or Disk Wipe).
In order to get the reports generated, simply select and configure them in Processing Report Preferences.
These reports may include (as selected by the user) all the information regarding the KillDisk procedures,
such as:


Company Information
• Name
• License
• Location
• Phone
• Disclaimer
Technician Information
• Name
• Comments
System & Hardware Info
• OS version
• Architecture
• Kernel
• Processors
• Manufacturer
Erase Attributes
• Erase verify
• Passes
• Method
• Verification passes
Error Handling Attributes
• Errors terminate
• Skip interval
• Number of Retries
• Source Lock
• Ignore Write Error
• Ignore Read Error
• Ignore Lock Error
Disks
• Device Size
• Device Type
• Serial Number
• Revision
• Product Number
• Name
• Geometric Information
• Partitioning Scheme
Batches
• Name
• Disks
• Time
Additional Attributes
• Fingerprint Information
• Initialization
Erase Result
• Bay
• Time and Date Started
• Disk Information
• Status
• Result
• Time Elapsed
• Errors
• Name of operation


Figure 37: XML Report Sample

Command Line and Batch Modes


KillDisk can be executed with some predefined settings when started from a command prompt with
specific command line parameters.
KillDisk can be also launched in fully automated mode (Batch mode) which requires no user interaction.
KillDisk execution behavior depends on either command line parameters (highest priority), settings
configured in interactive mode and stored in the KILLDISK.INI file (lower priority), or default values (lowest
priority).

Command Line Mode


To run KillDisk in command line mode, open a command prompt and go to the installation directory.
At the command prompt start KillDisk for Windows by typing:

KILLDISK.EXE -?

In Linux environment, type:

./KillDisk -?

A list of parameters appears. The description of them is in the table below:


Table 1: Command Line Parameters

| Parameter | Short | Default | Options |
|---|---|---|---|
| no parameter | | | With no parameter an Interactive screen will appear |
| -erasemethod=[0-23] | -em= | 2 | Number of the erase method; the values are listed after this table |
| -passes=[1 - 99] | -p= | 3 | Number of times the write heads will pass over a disk area to overwrite data with User Defined Pattern. Valid for User Defined Method only |
| -verification=[1 - 100] | -v= | 10 | Set the amount of area the utility reads to verify that the actions performed by the write head comply with the chosen erase method (reading 10% of the area by default). Verification is a long process. Set the verification to the level that works best for you |
| -retryattempts=[1 - 99] | -ra= | 2 | Set the number of times that the utility will try to rewrite in the sector when the drive write head encounters an error |
| -erasehdd=[0,1..63] | -eh= | | Number in BIOS of the disk to be erased. The first physical disk has a zero number. In Linux the first disk is usually named /dev/sda. In Windows Disk Manager the first disk is usually named Disk 0. On older systems (DOS, Windows 9x) the first disk is usually named 80h (obsolete syntax is still supported in the parameter) |
| -eraseallhdds | -ea | | Erase all detected disks |
| -excluderemovable | -xr | | Exclude all removable disks from erasing when erase all disks selected |
| -excludefixed | -xf | | Exclude all fixed disks from erasing when erase all disks option selected |
| -excludedisk=[0,1..63] | -xd= | | Exclude disk from erasing when erase all disks option selected |
| -ignoreerrors | -ie | | Do not stop erasing each time a disk error is encountered. When you use this parameter, all errors are ignored and just placed to the application log |
| -initdisk | -id | | Initialize disk(s) after erase |
| -fingerprint | -fp | | Initialize disk(s) and write fingerprint to the disk's first sector |
| -computerid | -ci | | 1 - Display BIOS ID on the certificate; 2 - Display Motherboard ID on the certificate |
| -clearlog | -cl | | Use this parameter to clear the log file before recording new activity. When a drive is erased, a log file is kept. By default, new data is appended to this log for each erasing process. By default the log file is stored in the same folder where the software is located |
| -exportlog | -el | | Export a log file as XML report |
| -logpath=["fullpath"] | -lp= | | Path to save application log file. Can be either directory name or full file name. Use quotes if full path contains spaces |
| -certpath=["fullpath"] | -cp= | | Path to save erase/wipe certificate. Can be either directory name or full file name. Use quotes if full path contains spaces |
| -inipath=["fullpath"] | -ip= | | Path to the configuration file (KILLDISK.INI) for loading the advanced settings. See table below |
| -noconfirmation | -nc | | Skip confirmation steps before erasing starts. By default, confirmation steps will appear in command line mode for each hard drive as follows: Are you sure? |
| -beep | -bp | | Beep after erasing is complete |
| -wipeallhdds | -wa | | Wipe out unallocated space on all recognized volumes located on all detected disks |
| -wipehdd=[0,1..63] | -wh= | | Wipe out unallocated space on the disk specified by BIOS number |
| -test=["fullpath"] | | | If you are having difficulty with Active@ KillDisk use this parameter to create a hardware information file to be sent to our technical support specialists. You must specify the name of the file where to store technical information |
| -batchmode | -bm | | Execute in batch mode based on command line parameters and INI file settings (without user interaction, all operations being stored to log file) |
| -userpattern=["fullpath"] | -u | | File to get user-defined pattern from. Applied to User Defined erase method. Each line in the file corresponds to the particular pass pattern |
| -shutdown | -sd | | Save log file and shutdown PC after completion |
| -nostop | -ns | | Prevent erase/wipe stop action |
| -help or -? | | | Display this list of parameters |

Values for -erasemethod:
0 - One pass zeroes (quick, low security)
1 - One pass random (quick, low security)
2 - US DoD 5220.22-M (slow, high security)
3 - US DoD 5220.22-M (ECE) (slow, high security)
4 - Canadian OPS-II (slow, high security)
5 - British HMG IS5 Baseline (1 pass, quick)
6 - British HMG IS5 Enhanced (slow, high security)
7 - Russian GOST p50739-95 (slow, high security)
8 - US Army AR380-19 (slow, high security)
9 - US Air Force 5020 (slow, high security)
10 - NAVSO P-5329-26 RL (slow, high security)
11 - NAVSO P-5329-26 MFM (slow, high security)
12 - NCSC-TG-025 (slow, high security)
13 - NSA 130-2 (slow, high security)
14 - German VSITR (slow, high security)
15 - Bruce Schneier (slow, high security)
16 - Peter Gutmann (very slow, highest security)
17 - User Defined Method. Number of passes and overwrite pattern supplied separately
18 - NIST 800-88 (1 pass zeroes, quick)
19 - NIST 800-88 (1 pass random, quick)
20 - NIST 800-88 (3 pass zeroes, slow, high security)
21 - Canadian CSEC ITSG-06 (3 passes, verify, slow, high security)
22 - US DoE M205.1-2 (3 passes, verify)
23 - Australian ISM-6.2.93 (1 pass random, quick)

Note: Parameters -test and -help must be used alone. They cannot be used with other parameters.

Note: Commands -erasehdd, -eraseallhdds, -wipehdd and -wipeallhdds cannot be combined.


Type the command and its parameters at the command prompt. Here is a
Windows example:

killdisk.exe -eh=80h -bm

The same in Linux:

./KillDisk -eh=0 -bm

In this example data on device 80h will be erased using the default method (US DoD 5220.22-M) without
confirmation, returning to the command prompt when complete.
Here is another Windows example:

killdisk.exe -eh=80h -nc -em=2

The same in Linux:

./KillDisk -eh=0 -nc -em=2

In this example all data on the first detected disk (which has number zero, or 80h) will be erased using the US
DoD 5220.22-M method without confirmation, showing a report at the end of the process.
Note: In a Linux environment Active@ KillDisk must be launched under the Super User account to detect
and work with physical disks properly. If you are not a Super User, type the prefix sudo or su
(depending on the Linux version) before each command.

After you have typed KillDisk and added the command line parameters, press Enter to complete the command
and start the process.
Information on how drives have been erased is displayed on the screen when the operation has completed
successfully. KillDisk execution behavior depends on command line parameters (highest priority),
settings configured in interactive mode and stored in the KILLDISK.INI file (lower priority), or default values
(lowest priority).

© 1999 - 2020 LSoft Technologies Inc.



Batch Mode
Note: This feature is intended for advanced users only
Batch mode allows KillDisk to be executed in fully automated mode without any user interaction. All events
and errors (if any) are written to the log file. This allows system administrators and technicians to automate
erase/wipe tasks by creating scripts (*.CMD, *.BAT files) for different scenarios that can be executed later in
different environments.
To start KillDisk in batch mode, add the -bm (or -batchmode) command line parameter to the other
parameters and execute KillDisk either from the command prompt or by running a script.
Here is an example of Batch mode execution with the wipe command:

KillDisk -wa -bm -em=16

This command will wipe all deleted data and unused clusters on all attached physical disks without any
confirmations, using the most secure method (Peter Gutmann's), and return to the command prompt when
complete.
If the -ns (-nostop) command line parameter is specified, no user interaction is possible after the erase/wipe
action has started, so the user cannot cancel the command being executed.
After execution the application returns an exit code to the OS environment: 0 (zero) if all disks were erased
successfully, 1 (one) if errors occurred or nothing was erased/wiped, and 2 (two) if minor warnings
occurred.
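The rules stated above for unattended runs (the four erase/wipe commands cannot be combined, -test and -help must be used alone, disk numbers run from 0 to 63, exit codes are 0, 1 and 2) can be checked by a wrapper before a script launches KillDisk. The following Python wrapper is an added example, not part of KillDisk or of this manual; the function names, the linear mapping of the obsolete 80h..BFh form onto 0..63, and the policy of treating only exit code 0 as a sanitized result are assumptions.

```python
"""Validate and run a KillDisk batch-mode command line (added example)."""
import re
import subprocess

# Long -> short forms of the four actions the manual says cannot be combined.
ACTIONS = {"-erasehdd": "-eh", "-eraseallhdds": "-ea",
           "-wipehdd": "-wh", "-wipeallhdds": "-wa"}
STANDALONE = {"-test", "-help", "-?"}  # must be used alone
DISK_NUMBERED = {"-erasehdd", "-eh", "-wipehdd", "-wh", "-excludedisk", "-xd"}
# Exit codes documented for batch mode.
EXIT_MEANING = {0: "all disks erased successfully",
                1: "errors occurred or nothing erased/wiped",
                2: "minor warnings occurred"}


def disk_number(value):
    """Return the BIOS disk number 0..63, or None if the value is not valid.

    Accepts decimal (0..63) and the obsolete hex form (80h = first disk).
    ASSUMPTION: 80h..BFh map linearly onto 0..63.
    """
    value = value.strip().lower()
    if re.fullmatch(r"[0-9a-f]{2}h", value):
        number = int(value[:-1], 16) - 0x80
    elif re.fullmatch(r"[0-9]{1,2}", value):
        number = int(value)
    else:
        return None
    return number if 0 <= number <= 63 else None


def validate(args):
    """Return a list of rule violations; an empty list means the line is acceptable."""
    problems = []
    names = [a.split("=", 1)[0].lower() for a in args]
    if STANDALONE & set(names) and len(args) > 1:
        problems.append("-test and -help must be used alone")
    long_form = {short: long for long, short in ACTIONS.items()}
    actions = {long_form.get(n, n) for n in names} & set(ACTIONS)
    if len(actions) > 1:
        problems.append("cannot combine " + ", ".join(sorted(actions)))
    for arg, name in zip(args, names):
        if name in DISK_NUMBERED:
            value = arg.split("=", 1)[1] if "=" in arg else ""
            if disk_number(value) is None:
                problems.append(f"{name}: disk number must be 0..63, got {value!r}")
    return problems


def run_batch(executable, args, runner=subprocess.run):
    """Validate, run in batch mode, and return (exit_code, meaning, sanitized)."""
    problems = validate(args)
    if problems:
        raise ValueError("; ".join(problems))
    if not {"-bm", "-batchmode"} & {a.lower() for a in args}:
        args = [*args, "-bm"]  # unattended run: make batch mode explicit
    code = runner([executable, *args]).returncode
    meaning = EXIT_MEANING.get(code, "undocumented exit code")
    # Policy choice of this example: warnings (2) do not count as sanitized.
    return code, meaning, code == 0


if __name__ == "__main__":
    # Only validates the manual's sample command lines; nothing is executed.
    for line in (["-eh=80h", "-bm"], ["-wa", "-bm", "-em=16"], ["-eh=0", "-wa"]):
        print(line, "->", validate(line) or "ok")
```

In a disposal workflow the third element of the result is the value to record against the asset: a drive is released only when it is True.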
Related information
Command Line Mode on page 44

Advanced Tools
KillDisk offers a number of advanced tools to work in conjunction with the software to make operations
easier to perform and the disks easier to navigate. KillDisk makes it possible to browse through disks on
both a file level and a low, hexadecimal (HEX) level. Disk health analysis with its S.M.A.R.T. monitor, as well
as export of logs/reports to external databases, is fully supported in the KillDisk Industrial version. This section
describes each of these features:
• File Browser
• Hexadecimal Viewer

File Browser
KillDisk includes a built-in File Browser for examining the contents of disks for verification purposes, for
controlling the selection of hard drives or for validating erased files after an erase. Details on using this feature are
discussed in this section.

Opening the Browsing View


To browse the contents of a specific disk simply select the disk and click the File Browser toolbar button or
select the related command from the context menu.


Figure 38: Launching the File Browser

This will open the File Browser tab:

Figure 39: File Browser Window

The File Browser tab displays files and folders on the selected disk.

Figure 40: Deleted Files in the File Browser

Grey files are deleted files that have not been sanitized. These files are recoverable. Running KillDisk's Wipe
operation ensures these files are unrecoverable and makes these grey files disappear from the File Browser.
Note:
Found deleted files appear in their original directory (before they were deleted). The ! Lost &
Found ! folder is a virtual directory created for found deleted files whose directory
information was not discovered.

Disk Viewer
Disk Viewer allows users to view the contents of connected drives at the sector level in hexadecimal, ASCII
and Unicode representations. The user is able to launch Disk Viewer from the main view as well as through the
main menu bar. The shortcut is Ctrl-H .

Figure 41: Starting a Disk Viewer


Figure 42: NTFS Volume is opened in Disk Viewer

KillDisk also offers a list of templates to help display the organization of the sectors on the disk by colored
sections. The example above displays what happens when an NTFS Volume is opened in the Disk Viewer. In this
case the NTFS Boot Sector template has been attached automatically, and below are the NTFS Boot Sector template
details in the Templates View.

Figure 43: NTFS Boot Sector Template Details

The Disk Viewer also includes a Find feature for locating specific data in the low-level disk view:
Find what
Input the characters you are searching for in ANSI, Hex or Unicode

Search Direction
If you have an idea of where the data may be located specify where to search

Not
Search for characters that do not correspond to the Find what parameter

Ignore case
Disables case-sensitivity in the search

Use
Select between Regular Expressions and Wildcards

Per block search


To speed up the search process (if you are familiar with the location of the data in the data block)
you may specify a search with an offset of the object


Figure 44: Finding Data

Disk Viewer's Navigate feature allows:


Go to Offset
Jumps to the particular offset that needs to be entered manually in a decimal or hexadecimal format

Go to Sector
Jumps to the particular sector or cluster on the disk

Partition Table
Jumps to the sector where partition table is located

Particular Partition
Lists all partitions and allows jumping to the boot sectors, to the beginning and to the end of any
available partition


Figure 45: Disk Viewer Navigation Options

Application Settings
When you start KillDisk, change its settings (erase method, certificate options, etc.) and close the
application, all the current settings are saved to the KILLDISK.INI file in the location of the KillDisk
executable. These settings will be used as default values the next time KillDisk is run.
KILLDISK.INI is a standard text file containing sections, parameter names and values. All
KillDisk settings are stored in the [General] section.
The syntax used for parameter storage is:
Parameter=value
Here is an example of an INI file:
[General]
excludeSystemDisk=false
initHD=true
initRD=true
initCD=false
initFD=false
defaultSerialDetectionMethod=2
clearLog=false
logPath=C:\\Program Files\\LSoft Technologies\\Active@ KillDisk Ultimate 11\\
logName=killdisk.log
logging=0
shutDown=false
saveToRemovable=false
showCert=true


killMethod=0
killVerification=false
killVerificationPercent=10
initDevice=true
fingerPrint=false
autoEject=false
skipConfirmation=false
wipeMethod=0
wipeVerification=false
wipeVerificationPercent=10
wipeUnusedCluster=true
wipeUnusedBlocks=false
wipeFileSlackSpace=false
wipeInHex=false
wipeUserPattern=Erased by Active@ KillDisk
wipeUserPasses=3
eraseInHex=false
killUserPattern=Erased by Active@ KillDisk
killUserPasses=3
accessDeniedCount=10
retryAtt=3
ignoreErrors=true
saveCert=true
certPath=C:\\Users\\Mikhail\\certificates\\
hideDefaultLogo=false
computerIDSource=0
showLogo=false
logoFile=
clientName=
companyName=
companyAddress=
companyPhone=
logComments=I hereby state that the data erasure has been carried out in accordance with the instructions given by software provider.
technicianName=Technician
sendSMTP=false
attachCert=true
useDefaultAccount=true


fromSMTP=
toSMTP=
nameSMTP=
portSMTP=2525
authorizeSMTP=false
usernameSMTP=
passwordSMTP=
mapName=
mapPath=
mapUser=
mapPass=
When KillDisk is running in interactive mode all these parameters can be configured from the settings dialog,
accessed by clicking the Settings toolbar button. They can also be changed manually by editing the
KILLDISK.INI file in any text editor (such as Notepad).
Here is an explanation of all settings:

| Parameter | Default | Options |
|---|---|---|
| defaultSerialDetectionMethod= | 2 | 1 - use operating system’s DeviceIOControl method; 2 - use S.M.A.R.T. information, if device supports it; 3 - use Windows Management Instrumentation (WMI), if operating system supports it |
| showCert= | true | true/false – option of displaying the Erase/Wipe Certificate for printing after completion |
| saveCert= | false | true/false – option of saving the Erase/Wipe Certificate after completion |
| certPath= | | Full path to the location where the Erase/Wipe Certificate will be saved. This is a directory name |
| logPath= | | Full path to the location where the log file will be saved. This is a directory name |
| logName= | | Name of the log file where the event log will be saved |
| skipConfirmation= | false | true/false – whether to display or skip the Erase/Wipe confirmation dialog |
| ignoreErrors= | false | true/false – whether to display disk writing errors (bad sectors), or ignore them (just write them to the log file) |
| clearLog= | false | true/false – whether to truncate log file content before writing new sessions or not (append to existing content) |
| initDevice= | true | true/false – whether to initialize disks after erasing completes or not |
| fingerPrint= | false | true/false – whether to initialize disk(s) and write fingerprint to the disk’s first sector or not |
| hideDefaultLogo= | false | true/false – whether to hide the default KillDisk logo at the top-left corner of the certificate or not |
| computerIDSource= | 0 | 0 - Disables showing the computer ID on the certificate; 1 - Shows BIOS ID in the certificate; 2 - Shows Motherboard ID in the certificate |
| shutDown= | false | true/false – whether to shut down the PC after Erase/Wipe execution completes or not |
| sendSMTP= | false | true/false – to send an e-mail report via SMTP |
| attachCert= | false | true/false – to attach a PDF certificate to the e-mail report being sent |
| useDefaultAccount= | true | true/false – use the pre-defined Free SMTP account for sending e-mail reports |
| fromSMTP= | | E-mail address you’ll get a report from, for example: [email protected] |
| toSMTP= | | E-mail address the report will be sent to |
| nameSMTP= | | SMTP server (relay service) being used for sending e-mail reports, for example: www.smtp-server.com |
| portSMTP= | 25 | TCP/IP port the SMTP service will be connected on. The standard SMTP port is 25. Some internet providers block it on a firewall |
| authorizeSMTP= | false | true/false – use SMTP authorization for sending e-mail reports (Username and Password must be defined as well) |
| usernameSMTP= | | If the SMTP service requires authorization, this is the SMTP Username |
| passwordSMTP= | | If the SMTP service requires authorization, this is the SMTP Password |
| showLogo= | false | true/false – whether to display a custom Logo (image) on a Certificate or not |
| logoFile= | | Full path to the file location where the Logo image is stored |
| clientName= | | Client Name - custom text to be displayed on a Certificate |
| technicianName= | | Technician Name - custom text to be displayed on a Certificate |
| companyName= | | Company Name - custom text to be displayed on a Certificate |
| companyAddress= | | Company Address - custom text to be displayed on a Certificate |
| companyPhone= | | Company Phone - custom text to be displayed on a Certificate |
| logComments= | | Any Comments - custom text to be displayed on a Certificate |
| killMethod= | 2 | [0-23] – Erase method to use for disk/volume erasing. See table of Erase Methods available. DoD 5220.22-M by default |
| killVerification= | true | true/false – whether to use data verification after erase or not |
| killVerificationPercent= | 10 | [1-100] – verification percent, if data verification is used |
| killUserPattern= | | ASCII text to be used for the User Defined erase method as a custom pattern |
| killUserPasses= | | [1-99] – number of overwrites to be used for the User Defined erase method |
| wipeMethod= | 2 | [0-23] – Wipe method to use for volume wiping. See table of Erase Methods available. DoD 5220.22-M by default |
| wipeVerification= | true | true/false – whether to use data verification after wipe or not |
| wipeVerificationPercent= | 10 | [1-100] – verification percent, if data verification is used |
| wipeUserPattern= | | ASCII text to be used for the User Defined wipe method as a custom pattern |
| wipeUserPasses= | | [1-99] – number of overwrites to be used for the User Defined wipe method |
| wipeUnusedCluster= | True | true/false – whether to wipe out all unused clusters on a volume or not |
| wipeUnusedBlocks= | False | true/false – whether to wipe out all unused blocks in system records or not |
| wipeFileSlackSpace= | False | true/false – whether to wipe out all file slack space (in last file cluster) or not |

When you start KillDisk, with or without command line parameters, its execution behavior depends on
command line settings (highest priority), settings configured in interactive mode and stored in the
KILLDISK.INI file (lower priority), or default values (lowest priority).
Default value means that if the KILLDISK.INI file is absent, or exists but does not contain the required parameter, the
predefined (default) value is used.
The latest version of KillDisk still supports settings stored by previous versions in the INI file. However, on first
run it exports all settings to the SETTINGS.XML file and works with this file thereafter.
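The precedence described above (command line, then KILLDISK.INI, then default) decides which value is actually in force for a given run, which matters when reviewing whether an erase was verified and recorded. The following Python script is an added example, not KillDisk's own code: it resolves a few assurance-relevant keys in that order and flags values that weaken the erase record. The switch-to-key mapping, the choice of audited keys, the empty defaults for passwordSMTP and mapPass, and the sample INI (a subset of the example file above) are assumptions.

```python
"""Resolve KillDisk settings by documented precedence and audit them (added example)."""
import configparser

# Defaults from the manual's settings table (only the keys audited here).
# passwordSMTP and mapPass have no listed default; empty is assumed.
DEFAULTS = {
    "killMethod": "2", "killVerification": "true", "killVerificationPercent": "10",
    "skipConfirmation": "false", "ignoreErrors": "false", "clearLog": "false",
    "saveCert": "false", "passwordSMTP": "", "mapPass": "",
}

# ASSUMPTION: which switch overrides which INI key; the manual gives the
# precedence order but not this mapping. None = take the value after "=".
CLI_TO_INI = {
    "-noconfirmation": ("skipConfirmation", "true"), "-nc": ("skipConfirmation", "true"),
    "-ignoreerrors": ("ignoreErrors", "true"), "-ie": ("ignoreErrors", "true"),
    "-clearlog": ("clearLog", "true"), "-cl": ("clearLog", "true"),
    "-em": ("killMethod", None),
}

# Constructed sample: a subset of the example KILLDISK.INI shown in the manual.
SAMPLE_INI = """\
[General]
clearLog=false
killMethod=0
killVerification=false
killVerificationPercent=10
skipConfirmation=false
ignoreErrors=true
saveCert=true
passwordSMTP=
mapPass=
"""


def effective_settings(ini_text, cli_args=()):
    """Return {key: (value, source)} with command line > INI > default."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the camelCase parameter names
    parser.read_string(ini_text)
    ini = dict(parser["General"]) if parser.has_section("General") else {}
    resolved = {}
    for key, default in DEFAULTS.items():
        resolved[key] = (ini[key].strip(), "ini") if key in ini else (default, "default")
    for arg in cli_args:
        name, _, value = arg.partition("=")
        if name.lower() in CLI_TO_INI:
            key, fixed = CLI_TO_INI[name.lower()]
            resolved[key] = (value if fixed is None else fixed, "command line")
    return resolved


def audit(resolved):
    """Return [(key, source, finding)] for values that weaken the erase record."""
    findings = []

    def is_true(key):
        return resolved[key][0].lower() == "true"

    def flag(key, finding):
        findings.append((key, resolved[key][1], finding))

    if not is_true("killVerification"):
        flag("killVerification", "erase is not verified")
    else:
        percent = resolved["killVerificationPercent"][0]
        if not percent.isdigit() or int(percent) < 10:
            flag("killVerificationPercent", "below the 10% sample the manual cites")
    if is_true("skipConfirmation"):
        flag("skipConfirmation", "erase starts without the confirmation step")
    if is_true("ignoreErrors"):
        flag("ignoreErrors", "disk write errors are only logged, erase continues")
    if is_true("clearLog"):
        flag("clearLog", "earlier log entries are cleared before the run")
    if not is_true("saveCert"):
        flag("saveCert", "no erase certificate is saved")
    for key in ("passwordSMTP", "mapPass"):
        if resolved[key][0]:
            flag(key, "credential stored in plain text in the INI file")
    return findings


if __name__ == "__main__":
    settings = effective_settings(SAMPLE_INI, ["-eh=0", "-nc", "-em=2"])
    for key, source, finding in audit(settings):
        print(f"{key} [{source}]: {finding}")
```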
Related information
Preferences on page 58

Preferences
The KillDisk Preferences window is the central location where KillDisk features can be configured. These
features are divided into several tabs.
To open the Preferences dialog:
• From the main menu choose Tools > Preferences... or
• Use the F10 keyboard shortcut at any time
The Preferences dialog can also be opened from other task dialogs to change related settings:
• General Settings on page 59
• Environment
• Sound Notifications
• Action Triggers
• Disk Erase
• Disk Wipe
• Erase Certificate


• Company Information
• Technical Information
• Processing Report
• Disk Label Presets
• Disk Label Templates
• Disk Viewer
• Error Handling
• E-Mail Notifications
• SMTP Server Setting
Preferences allow users to configure all the global settings for the application.

General Settings
The General Settings tab allows you to configure general application settings as well as the visual
representation.
These are configurable options pertaining to the application's functionality.

Device Control Layout


These settings control visual disk behavior in Disk Explorer on page 18 and allow you to Show or Hide a
System Disk and devices which are not ready (offline)
Default Serial Number detection method
Select how KillDisk retrieves the disk serial number by default. Values are: SMART , IOControl &
WMI

Local Devices Initialization


Select which types of devices appear in KillDisk by default: Fixed disks , Removable disks , CD/DVD/
BD and Floppies

Computer ID


Configure how the KillDisk workstation is identified in logs & reports. Values are: None , BIOS Serial
Number , Motherboard Serial Number

Application Log File Settings


These settings apply to the log file generated by the application. All operations performed in a KillDisk
session will be saved in this log.
Log file location
Allows the user to specify where the application log file is saved. By default this is set to the KillDisk
installation directory

Application log detail level


Manipulate the amount of details included in the logs. Options are: Minimum and Maximum

Initialize application log when application starts


This setting configures whether KillDisk generates a new log file for every session (erasing the log
of the previous session) or appends new sessions to one log file. In addition, logs can be written to
files named according to the specified naming pattern

Environment
These are configurable options pertaining to the application's user interface and user experience.

Application style
Configures the color scheme used in the application. Values are: Blue , Olive , None (Use OS default)
and Silver

Default toolbars style


Configures how icons are shown in the toolbar. Values are: Large icons, no text ; Large icons, with text
beside icon ; Large icons, with text under icon ; Small icons, with text beside icon; Small icons, no text


Figure 46: Large icons, no text

Figure 47: Large icons, with text beside icon

Figure 48: Large icons, with text under icon

Figure 49: Small icons, with text beside icon


Figure 50: Small icons, no text

Default help source


If available, the user can select which help documentation source is opened when help is requested. Values are:
PDF , CHM and On-line web help

Reset All Dialogs


Pressing the button resets all the changes to default state

Sound Notifications
These are configurable options related to application sounds: you can use either predefined values or
assign your own sounds (User defined sound file)

Use Sound Notifications


Toggles sound tones being used for notifying the user of the completion of a task, errors and
notification during an operation: Success/With Warnings/With Errors/Failures

Action Triggers
Configure actions performed while application is running


Automatically check for software updates


If this option is set, the application will check for new updates at every start

Action after all processes complete


Select either None , Hibernate , Shutdown or Restart system after all processes have been finished
CAUTION:
You will have 30 seconds to abort system hibernation, restart or shutdown.

Export erase certificates and application log to all detected removable media
Upon erase completion all certificates and logs will be automatically exported to attached USB disks
(all detected media of removable type)

Disk Erase
The Disk Erase tab provides configuration settings for the KillDisk erase procedures.


Erase method
Choose one of more than 20 sanitizing methods including many international standards and custom
patterns

Erase verification
Percentage of disk to be verified after disk erasure
Note:
In some erase methods such as the US DoD 5220.22-M this option is mandatory. After the
erase operation has completed this feature will scan the entire drive evenly and verify the
integrity of the erase operation. This option is the percent of the sectors to check across the
disk. Most standards specify 10% as an accurate sample size for the verification.

Eject disk(s) after erase


Ejects the drive after erase (disables write caching on the device for safe hardware removal)

Initialize disk(s) after erase


Writes a proper MBR to the disk's first sector after erasure completes. This is needed for the disk to be visible
and accessible by the Operating System

Write fingerprint to first sector


This feature writes the specified fingerprint to the first sector of the erased drive. If the erased disk
is plugged into a system and the system boots from this disk, the user will see this fingerprint as a
message on the screen

Print Erase Labels


This feature prints erase label automatically after erase completion using specific Disk Label Preset
configuration

Erase confirmation
As a safety precaution to prevent accidental destruction of hard drives KillDisk uses the user-
typed keyphrase mechanism just before the erase procedure is initiated (see below). By default this
precaution mechanism is initialized with the key phrase ERASE-ALL-DATA . The key phrase can be
modified, configured as a randomly generated set of characters or disabled. The keyphrase should
be entered correctly in order to start the erase procedure

Figure 51: Action confirmation dialog

Related information
Erase Methods (Sanitation Standards) on page 108
Erase Disk Concepts on page 100
Disk Label Presets on page 76

Secure Erase
The Secure Erase tab provides configuration settings for the Solid State Drive (SSD) specific erase
procedures.


Verify erasure
Percentage of disk to be verified after Secure Erase completes

Initialize disk(s) after erase


Writes a proper MBR to the disk's first sector after erasure completes. This is needed for the disk to be visible
and accessible by the Operating System

Write fingerprint to first sector


This feature writes the specified fingerprint to the first sector of the erased drive. If the erased disk
is plugged into a system and the system boots from this disk, the user will see this fingerprint as a
message on the screen

Erase confirmation
As a safety precaution to prevent accidental destruction of hard drives KillDisk Industrial uses the
user-typed keyphrase mechanism just before the erase procedure is initiated (see below). By default
this precaution mechanism is initialized with the key phrase ERASE-ALL-DATA . The key phrase can be
modified, configured as a randomly generated set of characters or disabled. The keyphrase should
be entered correctly in order to start the erase procedure.


Figure 52: Secure Erase confirmation dialog

Related tasks
Secure Erase on page 28
Related information
Secure Erase (SSD) on page 94
Secure Erase Concepts on page 101
Secure Erase (ANSI ATA, SE) on page 109

Disk Wipe
The Disk Wipe tab provides configuration settings for the Wipe procedure. Like the erase procedure, it allows you
to specify the erase method to use as well as a few additional wipe-specific options.

Erase method
Choose one of more than 20 sanitizing methods including many international standards and custom
patterns

Verify erasure


Percentage of disk to be verified after wiping out unused clusters

Wipe unused clusters


Erase areas of the hard drive that are not formatted and not currently used by the OS (data has not
been recently written there unless this is a recently deleted partition)

Wipe metadata and system files area


Erases areas of the disk containing information about previous files on the volume, preventing
recovery of files from their remaining records

Wipe slack space in file clusters


Erase slack space within files. Because files are usually never exactly the size of the space allocated to
them there may be unused space within a file that may contain traces of data. This algorithm wipes
that space to remove these data traces

Print wipe labels


This feature prints wipe label automatically after wipe is completed using a specific Disk Label Preset
configuration

Related information
Erase Methods (Sanitation Standards) on page 108
Wipe Disk Concepts on page 103
Disk Label Presets on page 76

Erase Certificate
By selecting Use Erase Certificate check box the user is able to add and customize the erasure certificates
with Company Information on page 72, Technician Information on page 72 and other certificate
options.


Figure 53: Certificate Options

Include company information


Use this option to include all company's information

Include technician information


Use this option to include all technician's information

Include system info


Ensures that the Operating System specific information is saved, such as:
• Operating system
• Kernel version
• Architecture

Include hardware info


Ensures that the Chassis-specific information is saved, such as:
• Motherboard manufacturer
• Motherboard description
• Number of processors

Include disk SMART information


Use this option to include S.M.A.R.T. information for the disk

Use Computer ID on certificate


This option includes the Hardware ID of the machine being erased on the certificate. It may be taken
from the BIOS or the Motherboard (these values may differ from each other).

Print Options
Always print certificate after disk erase
Prints erase certificate after erase completion automatically

Skip print preview


Prints erase certificate skipping certificate preview step

Default printer
Select a default printer for printing erase certificates

Barcode
By selecting Include Barcode check box user is able to add a barcode in desired format.
Barcode data
Is a string of available tags and attributes concatenated by ^ (CARET) delimiter. User is able to
compose a custom string with selected values from drop-down list or by simple typing

Preview
Shows the composed data representation. This data is encoded to the actual barcode

Barcode Format
There is a drop-down list of available barcode formats

Encoding (if available for the Barcode Format selected)


There is a drop-down list with available encoding schemes. The selected one is used to encode the
barcode data

Error correction level (0-8) (if available for the Barcode Format selected)
Affects the size of the barcode. Increasing the level value provides better scanner readability

Note:
Barcodes and QR Codes embedded to Certificates are available in KillDisk Industrial only.

Save to PDF Options


Sub tab Save to PDF offers options for storing a certificate to file in PDF format as well as encrypting with
passwords and digitally signing output PDFs.


Figure 54: Save to PDF Options

Certificate location
Use this option to save erase certificate as a file in PDF format to the selected location

File name template


Here user specifies the template for the Erase Certificate. See the tags available in Appendix tags
section

Encrypt with password


If password field is not empty, output certificate (PDF) will be encrypted and protected with specified
password. This password needs to be typed in any PDF Viewer next time user opens a certificate for
printing

Sign Certificate with Digital Signature


The certificate file (PDF) can be signed with a default Digital Signature (the supplied KillDisk.pfx certificate)
or with your custom Digital Signature (*.PFX) and can be verified later on. If Adobe Reader
successfully verifies the PDF document, it is guaranteed that its content hasn't been modified since
issue.
If a custom Digital Signature is required, please issue a certificate and specify the full path to the custom
certificate (*.PFX file) as well as its open password in the related fields below ( Digital Signature and
Use password to open )

Display Digital Signature


Digital Signature can be displayed as an overlay text on the first page of certificate. After you turn on
this option, you can specify overlay text using tags (see tags section), its position on the first page,
rectangle dimensions and text size

Related information
Name Tags on page 120

Company Information
These settings allow user to configure Company Information for Erase Certificates, Processing Reports and
Disk Labels.

To specify a Company Logo image just use the Set and Remove buttons. It allows you to select a desired
image with local File Explorer. Most of the image formats are supported: JPEG, TIFF, BMP, PNG etc. The logo
will be previewed in the Company Logo space.
Tip:
It is recommended to use company logo with resolution suitable for printing (300dpi) with a side
not exceeding 300px.

Add all the company information to the related fields.


When the Add company supervisor signature field to certificate check box is selected the required field is
added to the actual certificate.
Related information
Erase Certificate on page 68
Processing Report on page 73

Technician Information
These settings allow user to configure Technician Information for Erase Certificates, Processing Reports and
Disk Labels.


Add Operator name and Comments to the related fields.


When the Add technician (operator) signature field to certificate check box is selected the required field is
added to the actual certificate.
Related information
Erase Certificate on page 68
Processing Report on page 73

Processing Report
These settings allow you to configure the XML reports generated by KillDisk.

Report Location

User may configure where XML erasure reports are saved

File name template

Here you may specify the template for the XML reports. The main tags available are:

| Available element | Tag |
|---|---|
| Serial ID | {Serial ID} |
| Erasure Status | {Status} |
| Date of Erasure | {Date(YYYY-MM-DD)} |
| Time of Erasure | {Time(HH-mm-ss)} |

There are additional tags available (see the tags section in Appendix)

Include company information

Optionally adds the company information (defined in Company Information) into the XML erasure
report

Include technician information

Optionally adds the technician information (defined in Technician Information) into the XML erasure
report

Include system info

Ensures that the system-specific information is saved in the XML report, such as:
• Operating system
• Kernel version
• Architecture (x86, x64)

Include hardware info

Ensures that the system-specific information is saved in the XML report, such as:
• Motherboard manufacturer
• Motherboard description
• Host (name, domain)
• CPU (logical, physical)
• Memory

Include SMART information for each disk

Optionally adds additional information about disk health, based on S.M.A.R.T. attributes, to the
XML erasure report.

The KillDisk XML report contains the following parts:

Table 2: XML Report Parameters (sample)

| Type of Information | Specific data |
|---|---|
| Technician Information | Name; Note |
| Company Information | Name; Licensed; Location; Phone; Disclaimer |
| System Information | OS version; Platform; Kernel |
| Hardware Information | Motherboard Manufacturer; Motherboard Description; Number of Processors |
| Erase Attributes | Erase Verify; Passes; Method; Verification Passes |
| Error Handling Attributes | Errors Terminate; Skip interval; Number of Retries; Lock; Source?; Ignore Write?; Read?; Lock? |
| Disks | Device Size; Device Type; Serial Number; Revision; Product Number; Name; Geometric Information; Partitioning Scheme |
| Additional Report Attributes | Fingerprint Information; Initialize disk? |
| Results | Bay; Time and Date Started; Disk Information; Status; Result; Time Elapsed; Errors; Name of operation |
| Conclusion | Overall result of the operation |

Note:
If the internal tag <task> is present, the Results appear inside it.

Related information
Name Tags on page 120

Disk Label Presets


These preferences help to adjust label settings for the KillDisk system globally. Labels may be formatted for
any printer, page or label type (device) using KillDisk's highly customizable label features.


Label preset

Displays and lets you select a default Label Preset or create a new one. The Add New Label Preset button
allows you to create a custom label preset with your own specifications. The Delete button deletes the
selected label preset

Label title
Allows you to set a title to be printed (in bold) at the top of the labels. It can be a company name, batch
name or any other descriptor you may consider useful to identify the operation. Static text can be typed in
or any dynamic attributes (tags) can be inserted at the current cursor position. Click the Insert Name Tag
button to insert a predefined tag from the drop-down list

Label Area
The label's content for the preset. Static text can be typed in or any dynamic attributes (tags) can be inserted at
the current cursor position. Click the Insert Name Tag button to insert a predefined tag from the drop-down
list. Click the Clear Pattern button to empty the whole label area

Label Attributes
You can use RTF formatting and set Word Wrapping behavior using related check boxes
Add signature line
Toggling this "ON" places a line at the bottom of the label for the technician to sign off on upon
completion of the wipe

Add certificate logo


Includes the logo used in the certificate as a label's watermark background

Label preview
Displays a preview of one label with the current input settings. Refreshes when any adjustments are made
to the settings.

Barcode options
Selecting the Append barcode check box prints a QR Code or Barcode on the label so that it can be scanned
later into a third-party inventory database
Barcode data
String including essential erase parameters to be encoded and transformed to a QR Code or Barcode.
Static text can be typed in or any dynamic attributes (tags) can be inserted at the current cursor
position. Click the Insert Name Tag button to insert a predefined tag from the drop-down list

Preview
Displays a preview of encoded string with the current input settings. Refreshes when any
adjustments are made to the settings.

Format

List of supported QR Code and Barcode formats. Currently supported: Aztec 2D barcode, Code 39
1D, Code 93 1D, Code 128 1D, QR Code. Note that different types of Barcodes can accept different
sizes of encoded string

Encoding
If barcode string contains symbols other than English letters, you can specify encoding (code page)
for the particular language

Error correction level


The lower the error correction level, the less dense the QR code image is, which improves minimum
printing size. The higher the error correction level, the more damage it can sustain before it becomes
unreadable

Size, mm
Size in millimeters for the Barcode/QR Code to be printed on the label

Note:
Barcodes and QR Codes embedded in Disk Labels are available in KillDisk Industrial only.

Print options
Define options for label printing including special label printers (Brother QL-700 etc.):
Default printer
Define printer to be used exclusively to print labels from the list of installed printers

Print output adjustments


The print output adjustments section of the dialogue allows you to vertically or horizontally displace
the position measured in specific print units to adjust to different printers

The Print test label command lets you print a Disk Label sample to verify your settings and selected layout
attributes.

Disk Label Templates


The Disk Label Templates tab defines a set of predefined label templates for use in different scenarios.


The print label dialog gives you access to a number of predefined standard templates and to any custom
templates you may create. These templates may be easily selected without opening any additional dialogs.
The details of the selected template are displayed below the selection box. If your specific labels differ
from any of the templates available the button allows you to create a custom template with your own
specifications. Additionally, the button allows you to modify an existing template and the button
deletes the selected template.

Print Start Position


The Print Start Position section of the dialogue allows you to select what label on the page is the one to
start from. The labels won't always start from the 1x1 position, so you can adjust this setting accordingly

Creating a new template

Upon clicking the button the following Template Editor window appears. Descriptions of the Template
Editor options are listed below.


Figure 55: Create a New Disk Label Template

Template Title
Here you may create a custom title for your template. This is the name used to refer to this template when
selecting it in the Print Label dialog

Page
Here you can specify the dimensions of the page used to print the labels. This may be selected from
the list of standard sizes or defined using exact measurements

Page margins
Page margins are defined for the top, bottom, left and right sides of the page

Label Layout
These settings define how the labels appear on the page. You may define the spacing
between labels on the page and the dimensions of the label grid. Once you've entered the proper
measurements KillDisk will take care of the formatting

Size units

The units of measurement may vary between millimeters, inches, pixels and points. If a value is
entered in one unit and the unit is then changed, the appropriate conversion will take place

Disk Viewer
These settings allow the user to configure the hexadecimal view, font and interaction.

Hexadecimal offsets
Toggles offset format between decimal and hexadecimal

Lines to scroll
Number of lines to scroll for a single mouse wheel sweep

Pages to scroll
Number of pages to skip for a single PageUp or PageDown click

Show ASCII column


Toggles display content in ASCII format

Show UNICODE column


Toggles display content in UNICODE format

Bytes per line


Defines the number of bytes per line in binary display

Font name
Select any mono-space font available for better experience

Font size
Font size to be used in binary view


Error Handling
KillDisk has wide capabilities for handling errors during continuous disk processing. These are the advanced
settings to configure KillDisk's error handling.

Error handling attributes


KillDisk allows the user to select one of several ways to handle Read/Write Errors:
Abort entire disk group processing
This means that if user runs a Batch erase and one of the disks has errors the erase process for ALL the
disks in the batch is terminated
Abort only failed disk from group processing
This is the suggested setting. Failed disks return an error and terminate the erase process. But other disks
in the batch are not interrupted from the erase operation
Ignore error for disk grouping
Ignores the read/write error and continues erasing wherever possible on the disk. No active or
forthcoming operations are terminated
Terminate process after number of errors
Sets the error threshold to a certain amount before the disk operation is terminated and deemed
unsuccessful
Number of Read/Write attempts
Sets the number of attempts KillDisk makes to perform an operation when an error is encountered
before it stops execution
Use disk lock
Locks disks from being used by any other applications
Ignore disk lock errors
Errors encountered with KillDisk not being able to access locked disks are ignored
Ignore read/write errors
Toggle whether errors should appear for read/write errors
Rely upon disk performance
Set a minimum acceptable read/write speed in megabytes per second for disks to flag under-performing
drives
Note:
Rely upon disk performance option is available in KillDisk Industrial only.


E-mail Notifications
KillDisk can deliver the results of its sanitization process by e-mail.

The Certificate, XML Report or Application Log can be e-mailed to the client; just check the related option.
When you check the Use E-Mail Notifications option, the next set of options, SMTP Server Settings, becomes
available for configuration.

SMTP Server Settings


These settings configure the mailer used to deliver erasing/wiping reports to the user's mailbox.
Simple Mail Transfer Protocol (SMTP) is responsible for transmitting e-mail messages and needs to be
configured properly.

These options can be configured in the Freeware version but are available for use in the Professional version
only.
Account Type
KillDisk offers you a free SMTP account located on www.smtp-server.com that can be used for
sending reports out. By default all the required parameters are filled and configured properly. The
only field you need to type in is the e-mail address where reports will be sent to. If your corporate
policy does not allow using services other than its own you need to switch this option to Custom
Account and configure all the settings manually. Ask your system/network administrator to get these
parameters

To
Type an e-mail address where erasing/wiping reports will be sent to

From


Type an e-mail address which you expect these reports to come from

SMTP Server
KillDisk offers you the use of smtp-server.com for a free SMTP account. This account is pre-
configured for KillDisk users. Ask your system/network administrator to get the SMTP server name
to be used in the Custom Account

SMTP Port
For the free SMTP account KillDisk allows you to use smtp-server.com on port 80. This is a standard
port being used by all web browsers to access the Internet. This port is most likely open on
corporate and home networks. Other ports can be filtered or closed by a network firewall. Ask
your system/network administrator to set up a proper SMTP port for the related SMTP server

SMTP Server authorization


To avoid spam and other security issues some SMTP servers require each user to be authorized
before sending e-mails. In this case a proper Username and Password are required. Ask your system/
network administrator to get proper configuration settings

Troubleshooting
In the event that you experience any technical difficulties with KillDisk you may choose to either
troubleshoot the system yourself or, if you have active support and updates (you receive 1 year free with
your purchase), contact our support team and attach your application log and hardware configuration file
(hardware diagnostic)

Common Troubleshooting Tips

Active@ Boot Disk Creator Troubleshooting:


All the OS options are grayed out
Make sure you have the Boot Disk Creator activated. You should see your registered name in the
application.

Image file not found


You have activated the freeware that does not have the boot disk image you wish to create.
Download a complete version using the link provided in your email and reinstall the software.

Issues formatting USB drive


This may happen occasionally when the file system causes conflicts in Windows. Launch the KillDisk
application and erase the first few megabytes of the USB drive you wish to use. This solves the
problem.

Issues booting from the boot disk


Make sure the boot disk device is set at the top of your boot priority in the BIOS
Make sure your system time in the BIOS is accurate


Make sure you are not booting a 64-bit boot disk on a 32-bit system. In these cases create a Console
boot disk

Disk data is not erased


Ensure you are not erasing the system disk from the application. Ensure that the disk is fully functional
(not physically damaged) and is accessible by the operating system.

Data still found after a 'Wipe' operation


The Wipe operation will only sanitize data that has already been deleted in the OS. To sanitize all the
data including the OS use the Erase Disk operation

Erased the wrong disk


Stop the operation as soon as possible. Once data is sanitized by erase features it will no longer be
accessible. Use a tool like Active@ File Recovery (https://www.file-recovery.com) to recover any
data that has not been sanitized yet

Application Log
Application Log View reflects every action taken by the application and displays messages, notifications and
other service information. Use the messages in this screen to observe and further analyze the recovery
process.
To open and activate Application Log View do one of the following:
• From main menu choose Tools > Application Log or
• Use F8 keyboard shortcut at any time
It is best to save the log file to a physical disk (different from the disk that holds the deleted data). By doing
this you reduce the risk of writing over the data that you are trying to recover.


Figure 56: Application Log View

Save Log As
Opens a standard save as dialog. Save the actual application log file to the local disk (default
extension is .log)

Save Hardware Info as


Opens a standard save as dialog. Save the disk diagnostic file to the local disk (default extension is
.xml)

The following items are available in the sub-menu:


Log entry filter

Shows or hides specific entry types in Log View:


Minimum details
Shows non-critical warning entries

Maximum details
Shows advanced entries related to the application behavior and data analysis

Text size

Changes text size to Large, Normal or Small

Expand All
Expands the log data tree, if available

Collapse All
Collapses the log data tree, if available

Clear
Clears the log for the current application session

It is possible to go through the options with the context menu (right mouse click).

Figure 57: Context menu

Tip:
We recommend that you attach a copy of the log file to all requests made to our technical support
group. The entries in this file will help us to resolve certain issues.

Hardware Diagnostic File


If you want to contact our technical support, a file that contains a summary of your local devices is helpful.
KillDisk allows you to create a summary listing file in XML format. This data format is “human-readable”
and can help our technical support staff to analyze your computer configuration or point out disk failures
or abnormal behavior.
Create a hardware diagnostic file from the File menu by clicking the Save Hardware Info as... button.


Note:
To save time when contacting our technical support staff we highly recommend that you provide us
with a hardware diagnostic file.

Related information
Application Log on page 85

Appendix

Glossary

BIOS Settings
Basic Input/Output System is the program a personal computer's microprocessor uses to get the
computer system started after you turn it on. It also manages data flow between the computer's operating
system and attached devices such as the hard disk, video adapter, keyboard, mouse and printer. A typical
method to access the BIOS settings screen is to press Delete / F1 / F2 / F8 / F10 or Esc during the boot
sequence

BCD
Boot Configuration Data. Firmware-independent database for boot-time configuration data. It is used by
Microsoft's new Windows Boot Manager and replaces the boot.ini that was used by NTLDR

Boot Priority
BIOS settings allow you to run a boot sequence from a floppy drive, a hard drive, a CD/DVD-ROM drive or
a USB device. You may configure the order that your computer searches these physical devices for the boot
sequence. The first device in the order list has the first boot priority. For example, to boot from a
CD/DVD-ROM drive instead of a hard drive, place the CD/DVD-ROM drive ahead of the hard drive in priority

Boot Record
See MBR

Boot Sector
The boot sector continues the process of loading the operating system into computer memory. It can be
either the MBR or the partition boot sector (see partition boot sector, below)

Compressed cluster
When you set a file or folder property to compress data, the file or folder uses less disk space. While
the size of the file is smaller, it must use a whole cluster in order to exist on the hard drive. As a result,
compressed clusters contain file slack space. This space may contain residual confidential data from the file
that previously occupied this space. KillDisk can wipe out the residual data without touching the existing
data

CSV-file
A comma-separated values (CSV) file is a delimited text file that uses a comma to separate values. Each line
of the file is a data record. Each record consists of one or more fields, separated by commas. The use of the
comma as a field separator is the source of the name for this file format. A CSV-file typically stores tabular
data (numbers and text) in plain text, in which case each line will have the same number of fields

Data Cluster
A cluster or allocation unit is a unit of disk space allocation for files and directories. To reduce the overhead
of managing on-disk data structures, the file system does not allocate individual disk sectors by default,
but contiguous groups of sectors, called clusters. A cluster is the smallest logical amount of disk space that
can be allocated to hold a file. Storing small files on a file system with large clusters will therefore waste
disk space; such wasted disk space is called slack space. For cluster sizes which are small versus the average
file size, the wasted space per file will be statistically about half of the cluster size; for large cluster sizes,
the wasted space will become greater. However, a larger cluster size reduces bookkeeping overhead and
fragmentation, which may improve reading and writing speed overall. Typical cluster sizes range from 1
sector (512 B) to 128 sectors (64 Kb). The operating system keeps track of clusters in the hard disk's root
records or MFT records (See Lost Cluster)

Device Node
In the Local System Devices list, a physical device containing logical drives. The first physical device is
named 80h

Exclusive Access
Lock that is applied to a partition for exclusive writing access, for example while recovering deleted or
damaged files or folders. The recovery operation must have exclusive access to the target partition while
recovering files. If another application or the operating system is using the target partition, the user or
process must close all applications or system processes that may be using the target partition before locking it

FAT
File Allocation Table. File (dump) that contains the records of every other file and directory in a FAT-
formatted hard disk drive. The operating system needs this information to access the files. There are FAT32,
FAT16 and FAT versions. FAT file systems are still commonly found on floppy disks, flash and other solid-
state memory cards and modules (including USB flash drives), as well as many portable and embedded
devices. FAT is the standard file system for digital cameras per the DCF specification


FTP
File Transfer Protocol. This is a standard network protocol used for the transfer of computer files between a
Client and Server on a computer network. FTP is built on a client-server model architecture using separate
control and data connections between the client and the server. FTP users may authenticate themselves
with a clear-text sign-in protocol, normally in the form of a username and password, but can connect
anonymously if the server is configured to allow it. For secure transmission that protects the username
and password, and encrypts the content, FTP is often secured with SSL/TLS (FTPS) or replaced with SSH File
Transfer Protocol (SFTP). The first FTP client applications were command-line programs developed before
operating systems had graphical user interfaces, and are still shipped with most Windows, Unix, and Linux
operating systems. Many FTP clients and automation utilities have since been developed for desktops,
servers, mobile devices, and hardware, and FTP has been incorporated into productivity applications, such
as HTML editors

File Slack Space


The smallest file (and even an empty folder) takes up an entire cluster. A 10-byte file will take up 2,048
bytes if that is the cluster size. File slack space is the unused portion of a cluster. This space may contain
residual confidential data from the file that previously occupied this space. KillDisk can wipe out the
residual data without touching the existing data

Free Cluster
A cluster that is not occupied by a file. This space may contain residual confidential data from the file that
previously occupied this space. KillDisk can wipe out the residual data

FreeDOS
A free operating system for IBM PC compatible computers. It intends to provide a complete DOS-
compatible environment for running legacy software and supporting embedded systems. FreeDOS can
be booted from a floppy disk or USB flash drive. It is designed to run well under virtualization or x86
emulation. Unlike most versions of MS-DOS, FreeDOS is composed of free and open-source software,
licensed under the terms of the GNU General Public License

Deleted Boot Records


All disks start with a boot sector. In a damaged disk (if the location of the boot records is known) the
partition table can be reconstructed. The boot record contains a file system identifier

iSCSI
Internet Small Computer Systems Interface. iSCSI is a transport layer protocol that works on top of the
Transmission Control Protocol (TCP). It enables block-level SCSI data transport between the iSCSI initiator and
the storage target over TCP/IP networks

ISO
An International Organization for Standardization ISO-9660 file system is a standard CD-ROM file system
that allows you to read the same CD-ROM whether you're on a PC, Mac, or other major computer platform.
Disk images of ISO-9660 file systems (ISO images) are a common way to electronically transfer the contents
of CD-ROMs. They often have the file name extension .ISO (though not necessarily), and are commonly
referred to as "ISOs"

Logical Drive
A partition is a logical drive because it does not affect the physical hard disk other than the defined space
that it occupies, yet it behaves like a separate disk drive


Lost Cluster
A cluster that has an assigned number in the file allocation table, even though it is not assigned to any file.
You can free up disk space by reassigning lost clusters. In DOS and Windows you can find lost clusters with
the ScanDisk utility

MBR
Master Boot Record. All disks start with a boot sector. When you start the computer, the code in the MBR
executes before the operating system is started. The location of the MBR is always track (cylinder) 0, side
(head) 0, and sector 1. The MBR contains a file system identifier
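
A check of sector 0 for leftovers of the old disk layout, as an added example (not KillDisk code). It decodes the classic MBR layout (446 bytes of boot code, four 16-byte partition entries whose type byte is the file system identifier, and the 0x55AA signature) from a constructed sample sector, and assumes the erase method ends with a zero-fill pass.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa"     # boot signature in the last two bytes of the sector
# A few well-known partition type bytes (the "file system identifier").
TYPE_NAMES = {0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
              0x83: "Linux", 0xEE: "GPT protective"}


def parse_mbr(sector):
    """Decode the boot signature and the non-empty partition entries of sector 0."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one %d-byte sector" % SECTOR_SIZE)
    partitions = []
    for index in range(4):
        start = TABLE_OFFSET + 16 * index
        # status, 3 bytes CHS start, type, 3 bytes CHS end, first LBA, sector count
        status, ptype, first_lba, count = struct.unpack(
            "<B3xB3xII", sector[start:start + 16])
        if ptype == 0 and count == 0:
            continue  # unused slot
        partitions.append({
            "slot": index + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "unknown (0x%02X)" % ptype),
            "first_lba": first_lba,
            "sectors": count,
        })
    return {"signature": sector[510:512] == SIGNATURE, "partitions": partitions}


def residual_findings(sector):
    """List what still identifies the old layout in sector 0 after a zero-fill erase."""
    mbr = parse_mbr(sector)
    findings = []
    if mbr["signature"]:
        findings.append("boot signature 0x55AA still present")
    for part in mbr["partitions"]:
        findings.append("slot %d: %s, first LBA %d, %d sectors" % (
            part["slot"], part["type_name"], part["first_lba"], part["sectors"]))
    if any(sector[:TABLE_OFFSET]):
        findings.append("boot code area is not zero-filled")
    return findings


def build_sample_mbr():
    """Constructed sector 0: one bootable NTFS partition, 100 MiB at LBA 2048."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x63\x90"  # stand-in bytes for boot code
    sector[TABLE_OFFSET:TABLE_OFFSET + 16] = struct.pack(
        "<B3xB3xII", 0x80, 0x07, 2048, 204800)
    sector[510:512] = SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    for label, data in (("before erase", build_sample_mbr()),
                        ("after erase", bytes(SECTOR_SIZE))):
        print(label, residual_findings(data) or "clean")
```

On a real disk the input is the first 512 bytes of the device, read with read-only access.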

MFT records
Master File Table. A file that contains the records of every other file and directory in an NTFS-formatted
hard disk drive. The operating system needs this information to access the files

Named Streams
NTFS supports multiple data streams where the stream name identifies a new data attribute on the file. A
handle can be opened to each data stream. A data stream, then, is a unique set of file attributes. Streams
have separate opportunistic locks, file locks, and sizes, but common permissions

NTFS
NT file system, New Technology File System (developed by Microsoft) is the file system that the Windows
NT operating system uses for storing and retrieving files on a hard disk. NTFS is the Windows NT equivalent
of the Windows 95 file allocation table (FAT) and the OS/2 High Performance File System (HPFS)

NTLDR
NT Loader. The boot loader for all releases of the Windows NT operating system up to and including
Windows XP and Windows Server 2003. NTLDR is typically run from the primary hard disk drive, but it can
also run from portable storage devices such as a CD-ROM, USB flash drive, or floppy disk

openSUSE
A Linux distribution. It is widely used throughout the world. The focus of its development is creating usable
open-source tools for software developers and system administrators, while providing a user-friendly
desktop and feature-rich server environment

Partition
A section of memory or hard disk isolated for a specific purpose. Each partition can behave like a separate
disk drive

Partition Boot Sector


On NTFS or FAT file systems, the partition boot sector is a small program that is executed when the
operating system tries to access a particular partition. On personal computers, the Master Boot Record uses
the partition boot sector on the system partition to determine file system type, cluster size, etc. and to load
the operating system kernel files. Partition boot sector is the first sector of the partition

Physical Device
A piece of hardware that is attached to your computer by screws or wires. A hard disk drive is a physical
device. It is also referred to as a physical drive

RAID
RAID ("Redundant Array of Inexpensive Disks" or "Redundant Array of Independent Disks") is a data
storage virtualization technology that combines multiple physical disk drive components into one or more
logical units for the purposes of data redundancy, performance improvement, or both. Data is distributed
across the drives in one of several ways, referred to as RAID levels, depending on the required level of
redundancy and performance. The different schemes, or data distribution layouts, are named by the
word "RAID" followed by a number, for example RAID 0 or RAID 1. Each scheme, or RAID level, provides a
different balance among the key goals: reliability, availability, performance, and capacity. RAID levels greater
than RAID 0 provide protection against unrecoverable sector read errors, as well as against failures of whole
physical drives.
RAID 0
RAID 0 consists of striping, but no mirroring or parity. Compared to a spanned volume, the capacity
of a RAID 0 volume is the same; it is the sum of the capacities of the drives in the set. But because
striping distributes the contents of each file among all drives in the set, the failure of any drive
causes the entire RAID 0 volume and all files to be lost. In comparison, a spanned volume preserves
the files on the unfailing drives. The benefit of RAID 0 is that the throughput of read and write
operations to any file is multiplied by the number of drives because, unlike spanned volumes, reads
and writes are done concurrently. The cost is increased vulnerability to drive failures—since any drive
in a RAID 0 setup failing causes the entire volume to be lost, the average failure rate of the volume
rises with the number of attached drives

RAID 1
RAID 1 consists of data mirroring, without parity or striping. Data is written identically to two or more
drives, thereby producing a "mirrored set" of drives. Thus, any read request can be serviced by any
drive in the set. If a request is broadcast to every drive in the set, it can be serviced by the drive that
accesses the data first (depending on its seek time and rotational latency), improving performance.
Sustained read throughput, if the controller or software is optimized for it, approaches the sum of
throughputs of every drive in the set, just as for RAID 0. Actual read throughput of most RAID 1
implementations is slower than the fastest drive. Write throughput is always slower because every
drive must be updated, and the slowest drive limits the write performance. The array continues to
operate as long as at least one drive is functioning

RAID 2
RAID 2 consists of bit-level striping with dedicated Hamming-code parity. All disk spindle rotation is
synchronized and data is striped such that each sequential bit is on a different drive. Hamming-code
parity is calculated across corresponding bits and stored on at least one parity drive. This level is of
historical significance only; although it was used on some early machines (for example, the Thinking
Machines CM-2), as of 2014 it is not used by any commercially available system

RAID 3
RAID 3 consists of byte-level striping with dedicated parity. All disk spindle rotation is synchronized
and data is striped such that each sequential byte is on a different drive. Parity is calculated across
corresponding bytes and stored on a dedicated parity drive. Although implementations exist, RAID 3
is not commonly used in practice

RAID 4
RAID 4 consists of block-level striping with dedicated parity. This level was previously used by
NetApp, but has now been largely replaced by a proprietary implementation of RAID 4 with two
parity disks, called RAID-DP. The main advantage of RAID 4 over RAID 2 and 3 is I/O parallelism: in
RAID 2 and 3, a single read I/O operation requires reading the whole group of data drives, while in
RAID 4 one I/O read operation does not have to spread across all data drives. As a result, more I/O
operations can be executed in parallel, improving the performance of small transfers

RAID 5

RAID 5 consists of block-level striping with distributed parity. Unlike RAID 4, parity information is
distributed among the drives, requiring all drives but one to be present to operate. Upon failure of a
single drive, subsequent reads can be calculated from the distributed parity such that no data is lost.
RAID 5 requires at least three disks. Like all single-parity concepts, large RAID 5 implementations are
susceptible to system failures because of trends regarding array rebuild time and the chance of drive
failure during rebuild. Rebuilding an array requires reading all data from all disks, opening a chance
for a second drive failure and the loss of the entire array

RAID 6
RAID 6 consists of block-level striping with double distributed parity. Double parity provides fault
tolerance up to two failed drives. This makes larger RAID groups more practical, especially for high-
availability systems, as large-capacity drives take longer to restore. RAID 6 requires a minimum of
four disks. As with RAID 5, a single drive failure results in reduced performance of the entire array
until the failed drive has been replaced. With a RAID 6 array, using drives from multiple sources and
manufacturers, it is possible to mitigate most of the problems associated with RAID 5. The larger
the drive capacities and the larger the array size, the more important it becomes to choose RAID 6
instead of RAID 5. RAID 10 (see Nested RAID levels) also minimizes these problems

PXE
Preboot EXecution Environment. In computing the Preboot Execution Environment specification describes a
standardized client-server environment that boots a software assembly, retrieved from a network, on PXE-
enabled clients. On the client side it requires only a PXE-capable network interface controller, and uses a
small set of industry-standard network protocols such as DHCP and TFTP

RAS
Remote Access Service. Any combination of hardware and software that enables remote access to tools or
information that typically reside on a network of IT devices.
A remote access service connects a client to a host computer, known as a remote access server. The most
common approach to this service is remote control of a computer by using another device which needs
internet or any other network connection.
Here are the connection steps:
1. User dials into a PC at the office.
2. Then the office PC logs into a file server where the needed information is stored.
3. The remote PC takes control of the office PC's monitor and keyboard, allowing the remote user to view
and manipulate information, execute commands, and exchange files.
Many computer manufacturers and large businesses' help desks use this service widely for technical
troubleshooting of their customers' problems. Therefore you can find various professional first-party, third-
party, open source, and freeware remote desktop applications, some of which are cross-platform
across various versions of Windows, macOS, UNIX, and Linux. Remote desktop programs may include
LogMeIn or TeamViewer.
To use RAS from a remote node, a RAS client program is needed, or any PPP client software. Most remote
control programs work with RAS. PPP is a set of industry standard framing and authentication protocols
that enable remote access.
Microsoft Remote Access Server (RAS) is the predecessor to Microsoft Routing and Remote Access Server
(RRAS). RRAS is a Microsoft Windows Server feature that allows Microsoft Windows clients to remotely access
a Microsoft Windows network.

Registry Hive
Highest level of organization in the Windows registry. It is a logical group of keys, subkeys, and values in the
registry that has a set of supporting files loaded into memory when Windows is started or a user logs in


Root Records
File Allocation Table. A file that contains the records of every other file and directory in a FAT-formatted
hard disk drive. The operating system needs this information to access the files. There are FAT32, FAT16 and
FAT versions

SAM
Security Account Manager. Database file that stores users' passwords in a hashed format. Since a hash
function is one-way, this provides some measure of security for the storage of the passwords. It can be used
to authenticate local and remote users. Beginning with Windows 2000 SP4, Active Directory authenticates
remote users.

Sector
The smallest unit that can be accessed on a disk. Typically sector size is 512 or 4096 bytes

SCSI
Small Computer System Interface. A set of standards for physically connecting and transferring data
between computers and peripheral devices. The SCSI standards define commands, protocols, electrical,
optical and logical interfaces. SCSI is most commonly used for hard disk drives and tape drives, but it
can connect a wide range of other devices, including scanners and CD drives, although not all controllers
can handle all devices. The SCSI standard defines command sets for specific peripheral device types; the
presence of "unknown" as one of these types means that in theory it can be used as an interface to almost
any device, but the standard is highly pragmatic and addressed toward commercial requirements

Secure Erase (SSD)


The ATA Secure Erase command is designed to remove all user data from a drive. With an SSD without
integrated encryption, this command will put the drive back to its original out-of-box state. This will
initially restore its performance to the highest possible level and the best (lowest number) possible
write amplification, but as soon as the drive starts garbage collecting again the performance and write
amplification will start returning to the former levels. Drives which encrypt all writes on the fly can
implement ATA Secure Erase in another way. They simply zeroize and generate a new random encryption
key each time a secure erase is done. In this way the old data cannot be read anymore, as it cannot be
decrypted. Some drives with an integrated encryption will physically clear all blocks after that as well, while
other drives may require a TRIM command to be sent to the drive to put the drive back to its original out-
of-box state (as otherwise their performance may not be maximized)

Secure Erase (Security Frozen State)


The SSD is blocked (frozen) by the BIOS. The reasons can differ. Modern ATA hard drives and SSDs offer
security options that help the user control access and reliably destroy data if necessary. A brand new HDD or
SSD from a store has all the security features initially disabled... BIOSes of many motherboards run the
SECURITY_FREEZE_LOCK ATA command when booting to provide protection against manipulation

Signature Files
File types are recognized by specific patterns that may serve as a reference for file recovery. When a file
header is damaged, the type of file may be determined by examining patterns in the damaged file and
comparing these patterns to known file type templates

Span Array
A series of dynamic drives linked together to make one contiguous spanned volume

S.M.A.R.T.
S.M.A.R.T. (Self-Monitoring, Analysis and Reporting Technology; often written as SMART) is a monitoring
system included in computer hard disk drives (HDDs), solid-state drives (SSDs) and embedded
MultiMediaCards (eMMC) drives. Its primary function is to detect and report various indicators of drive
reliability with the intent of anticipating imminent hardware failures. When S.M.A.R.T. data indicates a
possible imminent drive failure, software running on the host system may notify the user so preventative
action can be taken to prevent data loss and the failing drive can be replaced and data integrity maintained

Templates (patterns)
File types are recognized by specific patterns that may serve as a reference for file recovery. When a file
header is damaged, the type of file may be determined by examining patterns in the damaged file and
comparing these patterns to known file type templates. This same pattern-matching process can be applied
to deleted or damaged partitions. Using FAT or NTFS templates, recovery software can assume that a
particular sector is a FAT or NTFS boot sector because parts of it match a known pattern

Tiny Core Linux


A minimal Linux kernel based operating system focusing on providing a base system functionality. The
distribution is notable for its small size (11 to 16 MB) and minimalism; additional functions are provided by
extensions. Tiny Core Linux is free and open source software and is licensed under the GNU General Public
License version 2

Track
Tracks are concentric circles around the disk and the sectors are segments within each circle

Unallocated Space
Space on a hard disk where no partition exists. A partition may have been deleted or damaged or a
partition may not have been created

UEFI
Unified Extensible Firmware Interface is a specification for a software program that connects a computer's
firmware to its operating system (OS). UEFI is expected to eventually replace BIOS. Like BIOS, UEFI is
installed at the time of manufacturing and is the first program that runs when a computer is turned on

Unused Space in MFT-records


The performance of the computer system depends a lot on the performance of the MFT. When you delete
files, the MFT entry for that file is not deleted, it is marked as deleted. This is called unused space in the
MFT. If unused space is not removed from the MFT, the size of the table could grow to a point where it
becomes fragmented, affecting the performance of the MFT and possibly the performance of the computer.
This space may also contain residual confidential data (file names, file attributes, resident file data) from the
files that previously occupied these spaces. KillDisk can wipe out the residual data without touching the
existing data

Volume
A fixed amount of storage on a hard disk. A physical device may contain a number of volumes. It is also
possible for a single volume to span a number of physical devices

Volume Shadow Copy


Shadow Copy (also known as Volume Snapshot Service, Volume Shadow Copy Service or VSS) is a technology
included in Microsoft Windows that can create backup copies or snapshots of computer files or volumes,
even when they are in use. It is implemented as a Windows service called the Volume Shadow Copy service

Windows System Caching


Windows reserves a specified amount of volatile memory for file system operations. This is done in RAM
because it is the quickest way to do these repetitive tasks


Windows System Records


The Windows registry keeps track of almost everything that happens in Windows OS. This enhances
performance of the computer when doing repetitive tasks. Over time, these records can take up a lot of
space

Windows PE
Windows PE (WinPE) for Windows 10 is a small operating system used as a recovery environment to
install, deploy, and repair Windows 10 for Desktop Editions, Windows Server, and other Windows operating
systems. After booting to Windows PE, the user can:
• Set up a hard drive before installing Windows.
• Install Windows by using apps or scripts from a network or a local drive.
• Capture and apply Windows images.
• Modify the Windows operating system while it's not running.
• Set up automatic recovery tools.
• Recover data from unbootable devices.
• Add a custom shell or GUI to automate these kinds of tasks

How Fast Erasing Occurs?


The actual speed depends on many factors:
• HDD speed: RPM and SATA/SCSI/SAS type - the most important factors
• Disk Controller speed: SAS (6 Gbps/12 Gbps), SATA III (6 Gbps), SATA II (3 Gbps), SATA I (1.5 Gbps)
• Computer overall performance (CPU + RAM)
Most modern computers and disks (manufactured in recent years) support the SATA III standard, so erase
speed is limited by HDD throughput (disk write speed) only.
Our tests show an average of 10 GB per minute per pass with a decent computer configuration
and disks up to 5 years old.
For example, a 2 TB Toshiba disk was erased on the Windows platform with one pass in 3 hours and 32
minutes, and a 14 TB Western Digital disk in 18 hours 53 minutes.
The following snapshots are real-test certificates for erasing:
1) 2 TB Toshiba (manufactured in 2015) SATA III (6 Gbps) 7200 rpm disk with One Pass Zeros and US DoD
5220.22-M (3 passes + verification) showing the average speed of 9 GB/min per pass


2) 14 TB Western Digital (manufactured in 2019) SATA III (6 Gbps) 7200 rpm disk with One Pass Zeros and
US DoD 5220.22-M (3 passes + 10% verification) showing the average speed of 12 GB/min per pass


Erase Disk Concepts

Erasing Confidential Data


Modern methods of data encryption deter network attackers from extracting sensitive data from
stored database files.
Attackers who want to retrieve confidential data are becoming more resourceful and look for places where
data might be stored temporarily. For example, the Windows DELETE command merely changes the file's
attributes and location so that the operating system will not look for the file. The situation with NTFS is
similar.


One avenue of attack is the recovery of residual data from a discarded hard drive. When deleting
confidential data from hard drives, removable disks or USB devices, it is important to remove all traces of the
data so that recovery is not possible.
Most official guidelines regarding the disposal of confidential magnetic data do not take into account the
depth of today's recording densities nor the methods used by the OS when removing data.
Removal of confidential personal information or company trade secrets in the past might have been
performed using the FORMAT command or the FDISK command. Using these procedures gives users a
sense of confidence that the data has been completely removed.
When using the FORMAT command Windows displays a message like this:
Important:
Formatting a disk removes all information from the disk.

The FORMAT utility actually creates new FAT and ROOT tables, leaving all previous data on the disk
untouched. Moreover, an image of the replaced FAT and ROOT tables is stored so that the UNFORMAT
command can be used to restore them.
FDISK merely cleans the Partition Table (located in the drive's first sector) and does not touch anything else.
Moreover, most hard disks contain hidden zones (disk areas that cannot be accessed and addressed on a
logical access level). KillDisk is able to detect and reset these zones, cleaning up the information inside.

Advanced Data Recovery Systems


Advances in data recovery have been made such that data can be reclaimed in many cases from hard drives
that have been wiped and disassembled. Security agencies use advanced applications to find cybercrime-
related evidence. There are also established industrial spy agencies using sophisticated channel coding
techniques such as PRML (Partial Response Maximum Likelihood), a technique used to reconstruct the data
on magnetic disks. Other methods include the use of magnetic force microscopy and recovery of data
based on patterns in erase bands.
Although very sophisticated data recovery systems are available at a high price, almost all the data
can also be easily restored with an off-the-shelf data recovery utility like Active@ File Recovery, making
your erased confidential data quite accessible.
Using KillDisk all data on your hard drive or removable device can be destroyed without the possibility
of future recovery. After using KillDisk the process of disposal, recycling, selling or donating your storage
device can be done with peace of mind.

International Standards in Data Removal


Active@ KillDisk conforms to more than 20 international standards for clearing and sanitizing data (US
DoD 5220.22-M, Gutmann and others). You can be sure that sensitive information is destroyed forever once
you erase a disk with Active@ KillDisk.
Active@ KillDisk is a professional security application that destroys data permanently on any computer
that can be started using a bootable CD/DVD/BD or USB Flash Disk. Access to the drive's data is made on
the physical level via the BIOS (Basic Input-Output System) bypassing the operating system’s logical drive
structure organization. Regardless of the operating system, file systems, or type of machine, this utility can
destroy all the data on all storage devices. It does not matter which operating systems or file systems are
located on the machine.

Secure Erase Concepts


Secure Erase for SSD is used to permanently delete data from the media and to restore the drive’s speed
if it starts to drop to noticeably lower performance than stated (here we do not consider SLC
caching and other "official" reasons for speed reduction, since these are hardware features of the drive).


The essence of the problem that Secure Erase can solve: the drive has begun to work slowly (writing and
reading data). There can be many reasons, some related to the hardware component and some to
the software component. SSDs are serviced very differently from classic HDDs: simply deleting
data or formatting the drive does not actually reset the cell. A cell must be cleared before it is written,
which slows down the recording of new data. In theory, there shouldn’t be such problems, because
TRIM exists - a command to clear the data marked for deletion in cells. This command only works with
2.5” and M.2 SATA drives. For drives connected to the PCIe bus (M.2 or PCIe on the motherboard) there is
an analogue - Deallocate. But it happens that these functions are disabled for some reason - an OS error,
a user error in setting up a disk through third-party software, or the use of non-standard OS assemblies
with unknown software components. The disk then starts to work more slowly, and the slowdown is
noticeable even without any benchmark measurements.
SSDs use a number of mapping layers that hide the physical layout of the flash-based memory and
help manage flash memory data integrity and lifetime. Collectively, these layers are
referred to as the Flash Translation Layer (FTL).
SSDs are also over-provisioned: they contain a bit more flash memory than what they’re rated for. This extra
memory is used internally by the FTL as empty data blocks, used when data needs to be rewritten, and as
out-of-band sections for use in the logical to physical mapping.
The mapping layers, and how the flash controller manages memory allocation, pretty much ensure that
either erasing or performing a conventional hard drive type of secure erase won’t ensure all data is
overwritten, or even erased at all.
One example of how data gets left behind intact is due to how data is managed in an SSD. When you edit a
document and save the changes, the saved changes don’t overwrite the original data (an in-place update).
Instead, SSDs write the new content to an empty data block and then update the logical to physical map
to point to the new location. This leaves the space the original data occupied on the SSD marked as free,
but the actual data is left intact. In time, the data marked as free will be reclaimed by the SSD’s garbage
collection system, but until then, the data could be recovered.
A conventional Secure Erase, as used with hard drives, is unable to access all of the SSD’s memory locations,
due to the FTL and how an SSD actually writes data, which could lead to intact data being left behind.
SSD manufacturers understand the need for an easy way to sanitize an SSD, and most have implemented
the ATA command, Secure Erase Unit (used with SATA-based SSDs), or the NVMe command, Format NVM
(used with PCIe-based SSDs) as a fast and effective method of securely erasing an SSD.
So, SSDs work in a non-trivial way, and one would expect the scheme for completely destroying their
data to be equally complicated. In reality, this is not so at all. Any SSD has a controller that is the
"brain" of the drive. It not only tells the system where to write data, but also encrypts the information
passing through it and stores the key itself. If you remove (or rather replace) this key, then all the
information will turn into a random set of 1s and 0s - it will be impossible to decrypt it in any way. Just one
simple action by the user can solve the problem of safe data erasure. This method is the fastest and most
effective.
Note:
To protect information that is critical, both for serious organizations that are concerned about
the safety of data and for public sector enterprises working with information classified as state
secrets, information systems should usually use certified sanitation algorithms (US DoD 5220.22-M,
Canadian OPS-II, NSA 130-2 etc.).

If you combine these two methods (replacing the key and resetting the cells), you get the perfect algorithm
for obtaining a completely sterile disk in the state of its maximum performance. This, firstly, solves the
problem that we raised at the very beginning, and, secondly, it can help us answer the question about the
degree of drive wear.
It is important to note that some drives with built-in encryption may apply only one of the two algorithms
on receiving a secure erase command - it depends on how the manufacturer configured the controller. If you
"reset" your SSD and compare the actual performance with the declared one, you will get the answer to this
question. This procedure does not affect disk wear (which is very important). Note that these actions are
designed specifically for analyzing the state of the disk; a long-term increase in read/write speed cannot
be achieved because of the way SSDs operate - the situation may
depend on both the drive model and the controller firmware. Note also that not all drives
support encryption. In this case, the controller simply resets the cells.
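
The out-of-place write behaviour described above, and the two firmware responses (replacing the key and resetting the cells), modelled as an added Python example; it is not KillDisk code or any vendor's firmware. The ToySSD class, its 16-byte page size and the SHA-256 keystream standing in for the controller's cipher are assumptions made for the illustration.

```python
import hashlib
import os

PAGE = 16  # toy page size in bytes (assumption; real NAND pages are several KiB)


def keystream(key, page_no, n):
    """Toy stand-in for the controller's cipher: SHA-256 in counter mode."""
    out = b""
    counter = 0
    while len(out) < n:
        block = key + page_no.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class ToySSD:
    """Hypothetical model: logical pages plus over-provisioned spare pages."""

    def __init__(self, logical_pages, spare_pages):
        self.logical_pages = logical_pages
        self.flash = [None] * (logical_pages + spare_pages)  # None = erased cell
        self.l2p = {}               # FTL map: logical page -> physical page
        self.key = os.urandom(32)   # media encryption key held by the controller

    def _erased_page(self):
        if None not in self.flash:  # no erased page left: garbage-collect stale ones
            live = set(self.l2p.values())
            for p in range(len(self.flash)):
                if p not in live:
                    self.flash[p] = None
        return self.flash.index(None)

    def write(self, lba, data):
        if not 0 <= lba < self.logical_pages or len(data) > PAGE:
            raise ValueError("bad LBA or oversized write")
        p = self._erased_page()
        self.flash[p] = xor(data.ljust(PAGE, b"\0"), keystream(self.key, p, PAGE))
        self.l2p[lba] = p   # the previous physical page is now stale, not erased

    def read(self, lba):
        p = self.l2p[lba]
        return xor(self.flash[p], keystream(self.key, p, PAGE))

    def stale_plaintext(self):
        """Decrypt every programmed page that no LBA maps to any more."""
        live = set(self.l2p.values())
        return [xor(c, keystream(self.key, p, PAGE))
                for p, c in enumerate(self.flash) if c is not None and p not in live]

    def crypto_erase(self):
        self.key = os.urandom(32)   # old ciphertext stays in flash but cannot be decrypted
        self.l2p.clear()

    def block_erase(self):
        self.flash = [None] * len(self.flash)   # reset every cell, spare area included
        self.l2p.clear()


def demo():
    secret = b"PAYROLL-2020-Q4!"     # constructed sample data
    zeros = bytes(PAGE)
    ssd = ToySSD(logical_pages=4, spare_pages=4)
    ssd.write(0, secret)
    for lba in range(1, 4):
        ssd.write(lba, b"filler")
    for lba in range(4):             # host-level "one pass zeros" over every LBA
        ssd.write(lba, zeros)
    result = {
        "host_sees_zeros": all(ssd.read(lba) == zeros for lba in range(4)),
        "secret_in_stale_pages": secret in ssd.stale_plaintext(),
    }
    ssd.crypto_erase()
    result["secret_after_key_change"] = secret in ssd.stale_plaintext()
    ssd.block_erase()
    result["programmed_pages_after_reset"] = sum(c is not None for c in ssd.flash)
    return result


if __name__ == "__main__":
    print(demo())
```

The host-level overwrite leaves the original page intact in the spare area even though every logical address reads back as zeros; only the controller-side operations reach it.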

Wipe Disk Concepts

Wiping Confidential Data from Unoccupied Disk's Space


You may have confidential data on your hard drive in spaces where data may have been stored temporarily.
You may also have deleted files by using the Windows Recycle Bin and then emptying it. While you are still
using your local hard drive, there may be confidential information available in these unoccupied spaces.
Wiping the logical drive's deleted data does not delete existing files and folders. It processes all unoccupied
drive space so that recovery of previously deleted files becomes impossible.
Installed applications and existing data are not touched by this process. When you wipe unoccupied drive
space, the process is run from the bootable CD/DVD operating system. As a result, the wipe or erase
process uses an operating system that is outside the local hard drive and is not impeded by Windows
system caching. This means that deleted Windows system records can be wiped clean.
KillDisk wipes unused data residue from file slack space, unused sectors, and unused space in MFT records
or directory records.
Wiping drive space can take a long time, so do this when the system is not being otherwise utilized. For
example, this can be done overnight.

Wipe Algorithms
The process of deleting files does not eliminate them from the hard drive. Unwanted information may still
be left available for recovery on the computer. A majority of software that advertises itself as performing
reliable deletions simply wipes out free clusters. Deleted information may be kept in additional areas of a
drive. KillDisk therefore offers different wipe algorithms to ensure secure deletion: overwriting with zeros,
overwriting with random values, overwriting with multiple passes using different patterns and much more.
KillDisk supports more than 20 international data sanitizing standards, including US DoD 5220.22-M and the
most secure, Gutmann's method, which overwrites with 35 passes.

Figure 58: Disk free space and allocated clusters

Wiping File Slack Space


This relates to any regular files located on any file system. Free space to be wiped is found in the "tail"
end of a file because disk space is usually allocated in 4 Kb clusters. Most files have sizes that are not 4 Kb
increments and thus have slack space at their end.


Figure 59: Disk free space and allocated clusters

Specifics of Wiping Microsoft NTFS File System


NTFS Compressed Files
Wiping free space inside a file: The algorithm NTFS uses to "compress" a file operates by separating the file
into compressed blocks (usually 64 Kb long). After it is processed, each of these blocks has been allocated a
certain amount of space on the volume. If the compressed information takes up less space than the source
file, then the rest of the space is labeled as sparse space and no space on the volume is allocated to it.
Because the compressed data often doesn't have a size exactly that of the cluster, the end of each of these
blocks stays as unusable space of significant size. Our algorithm goes through each of these blocks in a
compressed file and wipes the unusable space, erasing previously deleted information that was kept in
those areas.

Figure 60: Compressed file structure

The MFT (Master File Table) Area


Wiping the system information:
The MFT file contains records describing every file on the volume. When files are deleted,
their records are left untouched - they are simply marked as "deleted". File
recovery software can therefore use this information to recover anything from the name of the file and the
structure of the deleted directories down to files smaller than 1Kb that can be stored in the MFT directly.
The algorithm used by KillDisk wipes all of the unused information out of the MFT records and wipes the
unusable space, making a recovery process impossible.


Figure 61: MFT structure

Specifics of Wiping Microsoft FAT File System


Wiping Directory Areas
Each directory on a FAT/FAT32 or an exFAT volume can be considered as a specific file, describing the
contents of the directory. Inside this descriptor there are many 32-byte records, describing every file and
other inner folders.
When you delete files, this data is not fully erased. It is just marked as deleted (hex symbol 0xE5).
That's why data recovery software can detect and use these records to restore file names and full directory
structures.
Depending on whether the space where an item was located has been overwritten yet, files and
folders can be fully or partially recovered.
Active@ KillDisk makes data recovery impossible by using an algorithm that wipes out all unused
information from directory descriptors. Active@ KillDisk not only removes unused information, but also
defragments Directory Areas, thus speeding up directory access.
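
The deleted-record behaviour described above, shown on a constructed directory area as an added Python example (not KillDisk's algorithm). It assumes the classic 32-byte FAT short (8.3) entry layout; the sample file names, clusters and sizes are made up.

```python
import struct

ENTRY = 32        # size of one directory record in bytes
DELETED = 0xE5    # first-byte marker the file system writes on deletion
END = 0x00        # first byte of the first never-used record


def make_entry(name, ext, cluster, size, attr=0x20):
    """Build one short (8.3) directory record for the constructed sample."""
    raw = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii") + bytes([attr])
    raw += bytes(14)                           # reserved, time and date fields (zero here)
    raw += struct.pack("<HI", cluster, size)   # first cluster (low word) and file size
    return raw


def mark_deleted(entry):
    """What deletion does to the record: only the first byte changes."""
    return bytes([DELETED]) + entry[1:]


def parse(directory):
    """List records the way recovery software sees them, deleted ones included."""
    records = []
    for off in range(0, len(directory), ENTRY):
        raw = directory[off:off + ENTRY]
        if raw[0] == END:
            break
        deleted = raw[0] == DELETED
        stem = raw[1:8] if deleted else raw[:8]
        name = ("?" if deleted else "") + stem.decode("ascii", "replace").rstrip()
        ext = raw[8:11].decode("ascii", "replace").rstrip()
        cluster, size = struct.unpack_from("<HI", raw, 26)
        records.append({"name": f"{name}.{ext}", "deleted": deleted,
                        "cluster": cluster, "size": size})
    return records


def scrub(directory):
    """Drop deleted records, pack live ones to the front, zero the freed tail."""
    live = []
    for off in range(0, len(directory), ENTRY):
        if directory[off] == END:
            break
        if directory[off] != DELETED:
            live.append(directory[off:off + ENTRY])
    packed = b"".join(live)
    return packed + bytes(len(directory) - len(packed))


# Constructed sample: two live files, one deleted file, one unused slot.
SAMPLE = (make_entry("README", "TXT", 5, 120)
          + mark_deleted(make_entry("SALARY", "XLS", 9, 20480))
          + make_entry("NOTES", "TXT", 14, 300)
          + bytes(ENTRY))

if __name__ == "__main__":
    for rec in parse(SAMPLE):
        print("before:", rec)
    for rec in parse(scrub(SAMPLE)):
        print("after: ", rec)
```

Before scrubbing, the deleted record still yields everything but the first character of the name, plus the start cluster and size that point recovery software at the file's data.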


Figure 62: This is how Directory Area looks before Wiping, red rectangles display deleted records

Figure 63: Directory Area after Wiping: all deleted records removed, root defragmented

Specifics of Wiping Apple HFS+ File System


HFS+ B-tree
A B-tree file is divided up into fixed-size nodes, each of which contains records consisting of a key and
some data.


Figure 64: B-tree structure

In the event of the deletion of a file or folder, there is a possibility of recovering the metadata of the file,
(such as its name and attributes), as well as the actual data that the file consists of. KillDisk's Wipe method
clears out all of this free space in the system files.

Figure 65: HFS+ system table

Specifics of Wiping Linux Ext2/Ext3/Ext4 File Systems


A Linux Ext file system (Ext2/Ext3/Ext4) volume has a global descriptors table. Descriptors table records are
called group descriptors, and each one describes a block group. Each block group has an equal number of data
blocks.
A data block is the smallest allocation unit; its size varies from 1024 bytes to 4096 bytes. Each group descriptor
has a block allocation bitmap. Each bit of the bitmap shows whether the block is allocated (1) or available
(0). KillDisk enumerates all groups and, for every block within each group on the volume,
checks the related bitmap to determine its availability. If the block is available, KillDisk wipes it using the
method supplied by the user.
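
One way to implement the group-by-group bitmap walk described above, as an added Python example rather than KillDisk's own code. It assumes the ext2/ext3 on-disk layout with 32-byte group descriptors and runs on a constructed 14-block image with a toy group size of 8 blocks.

```python
import struct

EXT_MAGIC = 0xEF53
SUPERBLOCK_OFFSET = 1024   # the superblock always starts 1024 bytes into the volume
DESCRIPTOR_SIZE = 32       # ext2/ext3 (and ext4 without the 64bit feature)


def read_layout(img):
    """Return (total blocks, first data block, block size, blocks per group)."""
    sb = SUPERBLOCK_OFFSET
    total, = struct.unpack_from("<I", img, sb + 4)
    first, log_bs = struct.unpack_from("<II", img, sb + 20)
    per_group, = struct.unpack_from("<I", img, sb + 32)
    magic, = struct.unpack_from("<H", img, sb + 56)
    if magic != EXT_MAGIC:
        raise ValueError("not an ext2/ext3/ext4 superblock")
    return total, first, 1024 << log_bs, per_group


def free_blocks(img):
    """Walk every group descriptor and collect blocks whose bitmap bit is 0."""
    total, first, bs, per_group = read_layout(img)
    groups = -(-(total - first) // per_group)       # ceiling division
    gdt = (first + 1) * bs     # descriptor table sits in the block after the superblock
    free = []
    for g in range(groups):
        bitmap_block, = struct.unpack_from("<I", img, gdt + g * DESCRIPTOR_SIZE)
        bitmap = img[bitmap_block * bs:(bitmap_block + 1) * bs]
        base = first + g * per_group
        # The last group may be short; bits past the end of the volume are padding.
        for i in range(min(per_group, total - base)):
            if not (bitmap[i // 8] >> (i % 8)) & 1:  # bit 0 of byte 0 is the first block
                free.append(base + i)
    return free


def wipe_free_blocks(img, pattern=0x00):
    """Overwrite every available block; allocated blocks and bitmaps are untouched."""
    _, _, bs, _ = read_layout(img)
    wiped = free_blocks(img)
    for b in wiped:
        img[b * bs:(b + 1) * bs] = bytes([pattern]) * bs
    return wiped


def build_sample():
    """Constructed image: 14 blocks of 1024 bytes, two groups of up to 8 blocks."""
    bs, total = 1024, 14
    img = bytearray(bs * total)
    struct.pack_into("<I", img, SUPERBLOCK_OFFSET + 4, total)
    struct.pack_into("<II", img, SUPERBLOCK_OFFSET + 20, 1, 0)  # first data block 1, 1 KiB blocks
    struct.pack_into("<I", img, SUPERBLOCK_OFFSET + 32, 8)      # toy blocks-per-group
    struct.pack_into("<H", img, SUPERBLOCK_OFFSET + 56, EXT_MAGIC)
    struct.pack_into("<I", img, 2 * bs, 3)                      # group 0 bitmap in block 3
    struct.pack_into("<I", img, 2 * bs + DESCRIPTOR_SIZE, 9)    # group 1 bitmap in block 9
    img[3 * bs] = 0x2F   # group 0 (blocks 1-8): blocks 5, 7, 8 available
    img[9 * bs] = 0xF3   # group 1 (blocks 9-13): blocks 11, 12 available, top bits padding
    for b in (4, 6, 10, 13):
        img[b * bs:(b + 1) * bs] = b"LIVE" * (bs // 4)   # allocated file data
    for b in (5, 7, 8, 11, 12):
        img[b * bs:(b + 1) * bs] = b"OLD!" * (bs // 4)   # residue of deleted files
    return img


if __name__ == "__main__":
    image = build_sample()
    print("wiped blocks:", wipe_free_blocks(image))
    print("residue left:", b"OLD!" in image)
```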


Figure 66: Ext2/Ext3/Ext4 descriptors table

Erase Methods (Sanitation Standards)

One Pass Zeros or One Pass Random


When using One Pass Zeros or One Pass Random standard, the number of passes is fixed and cannot be
changed. When the write head passes through a sector, it writes only zeros or a series of random characters

US DoD 5220.22-M
The write head passes over each sector three times. The first time with zeros 0x00, second time with 0xFF
and the third time with random characters. There is one final pass to verify random characters by reading

Canadian CSEC ITSG-06


The write head passes over each sector, writing a random character. On the next pass, it writes the
complement of the previously written character. The final pass is random, followed by verification

Canadian OPS-II
The write head passes over each sector seven times (0x00, 0xFF, 0x00, 0xFF, 0x00, 0xFF, random). There is
one final pass to verify random characters by reading

British HMG IS5 Baseline


Baseline method overwrites disk's surface with just zeros 0x00. There is one final pass to verify random
characters by reading

British HMG IS5 Enhanced


Enhanced method - the write head passes over each sector three times. The first time with zeros 0x00,
second time with 0xFF and the third time with random characters. There is one final pass to verify random
characters by reading

Russian GOST p50739-95


The write head passes over each sector two times. (0x00, Random). There is one final pass to verify random
characters by reading


US Army AR380-19
The write head passes over each sector three times. The first time with 0xFF, second time with zeros 0x00
and the third time with random characters. There is one final pass to verify random characters by reading

US Air Force 5020


The write head passes over each sector three times. The first time with random characters, second time with
zeros 0x00 and the third time with 0xFF. There is one final pass to verify random characters by reading

NAVSO P-5329-26 RL
RL method - the write head passes over each sector three times (0x01, 0x27FFFFFF, Random). There is one
final pass to verify random characters by reading

NCSC-TG-025
The write head passes over each sector three times (0x00, 0xFF, Random). There is one final pass to verify
random characters by reading

NSA 130-2
The write head passes over each sector two times (Random, Random). There is one final pass to verify
random characters by reading

NIST 800-88
Three NIST 800-88 media sanitation standards are supported:
• 1. The write head passes over each sector one time (0x00).
• 2. The write head passes over each sector one time (Random).
• 3. The write head passes over each sector three times (0x00, 0xFF, Random).
For details about this, the most secure data clearing standard, you can read the original article at the link
below: http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_with-errata.pdf

German VSITR
The write head passes over each sector seven times

Bruce Schneier
The write head passes over each sector seven times (0xFF, 0x00, Random, Random, Random, Random,
Random). There is one final pass to verify random characters by reading

Peter Gutmann
The write head passes over each sector 35 times. For details about this, the most secure data clearing
standard, you can read the original article at the following link:
http://www.cs.auckland.ac.nz/%7Epgut001/pubs/secure_del.html

Australian ISM-6.2.93
The write head passes over each sector once with random characters. There is one final pass to verify
random characters by reading

Secure Erase (ANSI ATA, SE)


According to National Institute of Standards and Technology (NIST) Special Publication 800-88: Guidelines
for Media Sanitation, Secure Erase is "An overwrite technology using firmware based process to overwrite a
hard drive. Is a drive command defined in the ANSI ATA and SCSI disk drive interface specifications, which
runs inside drive hardware. It completes in about 1/8 the time of 5220 block erasure." The guidelines also
state that "degaussing and executing the firmware Secure Erase command (for ATA drives only) are acceptable
methods for purging." ATA Secure Erase (SE) is designed for SSD controllers. The SSD controller resets
all memory cells making them empty. In fact, this method restores the SSD to the factory state, not only
deleting data but also returning the original performance. When implemented correctly, this standard
processes all memory, including service areas and protected sectors

User Defined
User indicates the number of times the write head passes over each sector. Each overwriting pass is
performed with a buffer containing random characters. Enables user to define any disk erase algorithm
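
The pass sequences listed above can be expressed as data and driven by one overwrite loop. The following Python code is an added example, not KillDisk's code: it runs against a file-backed disk image, and the seeded SHAKE-256 random stream, the evenly spaced verification sampling and all function names are assumptions. German VSITR and Peter Gutmann are left out because this section does not list their pass patterns.

```python
import hashlib
import os

SECTOR = 512

# Pass schedules exactly as this manual lists them; None marks a random pass.
METHODS = {
    "NIST 800-88 (1 pass, zeros)": [0x00],
    "NIST 800-88 (1 pass, random)": [None],
    "NIST 800-88 (3 passes)": [0x00, 0xFF, None],
    "Bruce Schneier": [0xFF, 0x00, None, None, None, None, None],
    "Australian ISM-6.2.93": [None],
}


def user_defined(passes):
    """User Defined method: `passes` overwrites, each with random data."""
    return [None] * passes


def expected_sector(pattern, seed, sector_no):
    """Bytes a pass should have left in one sector."""
    if pattern is not None:
        return bytes([pattern]) * SECTOR
    # Assumption: random passes use a seeded SHAKE-256 stream, so the verify
    # pass can regenerate the expected data instead of keeping a copy.
    return hashlib.shake_256(seed + sector_no.to_bytes(8, "big")).digest(SECTOR)


def erase(path, schedule):
    """Overwrite every sector once per pass; return the last pass's seed."""
    size = os.path.getsize(path)
    if size == 0 or size % SECTOR:
        raise ValueError("image must be a non-empty multiple of the sector size")
    seed = b""
    with open(path, "r+b") as dev:
        for pattern in schedule:
            seed = os.urandom(32)           # new stream for every pass
            dev.seek(0)
            for n in range(size // SECTOR):
                dev.write(expected_sector(pattern, seed, n))
            dev.flush()
            os.fsync(dev.fileno())          # finish this pass before the next
    return seed


def verify(path, pattern, seed, percent=100):
    """Read back evenly spaced sectors; return (checked, bad_sector_numbers)."""
    if not 0 < percent <= 100:
        raise ValueError("percent must be in 1..100")
    step = round(100 / percent)
    bad, checked = [], 0
    with open(path, "rb") as dev:
        for n in range(0, os.path.getsize(path) // SECTOR, step):
            dev.seek(n * SECTOR)
            checked += 1
            if dev.read(SECTOR) != expected_sector(pattern, seed, n):
                bad.append(n)
    return checked, bad
```

A loop like this reaches only the sectors the operating system can address; remapped SSD cells and hidden zones are outside it, which is the case the firmware Secure Erase entry above covers.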

Using KillDisk in PXE environment

How to place a registered Active@ KillDisk into a Windows PE image for use in a network PXE boot
environment
Note:
To modify Windows PE image (WIM) you need to have Windows ADK installed.

Start the Active@ Boot Disk Creator and make bootable media.
Let's assume that the Active@ Boot Disk media has an F: letter in our environment:

Figure 67: Creating Active@ KillDisk bootable media

Using the Windows Search Bar, find and run Command Prompt as an Administrator:


Figure 68: Run Command Prompt as Administrator

Create an empty directory C:\MOUNT and mount BOOT.WIM file to it using the DISM tool:
Command: Dism /mount-image /imagefile:F:\sources\boot.wim /index:1 /mountdir:C:\mount


Figure 69: Mounting BOOT.WIM

Replace BOOTDISK.KEY in C:\MOUNT directory with BOOTDISK.KEY located at the root of Active@ Boot
Disk media (F:\BOOTDISK.KEY). This file contains user's registration information.

Figure 70: Replacing BOOTDISK.KEY in BOOT.WIM

Dismount the BOOT.WIM image, committing the changes you applied:
Command: Dism /Unmount-Image /MountDir:C:\mount /commit


Figure 71: Dismounting BOOT.WIM

Use F:\SOURCES\BOOT.WIM for network PXE boot environment

How to load Active@ KillDisk over the network via PXE environment on Windows Server platform
• Add the Windows Deployment Services role
• Configure the WDS server, but don’t add images in the WDS Configuration Wizard
• Add the Windows PE image with Active@ KillDisk software (Boot.wim) to Boot Images on the WDS server
• In the properties of the WDS server, on the Boot tab, add our image as the default boot image for x64 architecture
• Configure the DHCP server to work with the WDS server
For more detailed instructions, read Microsoft TechNet official documentation.

How to load Active@ KillDisk over the network via PXE environment on a Windows 10 computer
There are several steps required to do this: configuring the WinPE WIM, Boot Manager and PXE Server.
For the configuration steps, let's assume that inserted Active@ Boot Disk has a F: letter in our
configuration environment.
Step 1: Copy WinPE Source Files onto the PXE Server
• Map a network connection to the root TFTP directory on the PXE/TFTP server and create a \BOOT
folder there. We will assign this network drive the Y: letter
Note:
You can use the ‘Easy access’ feature in Windows Explorer to do this.


Figure 72: Mapping drive in Windows Explorer

Make sure to enable read/write permissions in the sharing and folder options
• Copy the PXE boot files from the mounted \BOOT folder of the Active@ Boot Disk boot.wim to the
\BOOT folder on PXE/TFTP server. For example:
copy C:\mount\windows\boot\pxe\*.* y:\boot

Note:
To mount/dismount the boot.wim file, see section “How to place a registered Active@
KillDisk into a Windows PE image for use in a network PXE boot environment”

• After dismounting the boot.wim, copy the bootable Windows PE image (F:\Sources\boot.wim) to
the \BOOT folder on PXE/TFTP server
• Copy the file boot.sdi (F:\Boot\boot.sdi) to the \BOOT folder on PXE/TFTP server
Step 2: Configure boot configuration
• On a Windows 10 computer or in a Windows PE environment, create a BCD store using the
BCDEdit tool
• In the BCD store, configure the RAMDISK, BOOTMGR and OSLoader settings for the Windows PE
image
• Copy the BCD file to the \BOOT folder on PXE/TFTP server
• Configure your PXE/TFTP server and DHCP server to point PXE clients to download PXEBoot.com or
PXEBoot.n12
These are a few of the files that were copied over to the server in Step 1
For more details, see “Creating a BCD file for PXE boot” below.
Step 3: Deployment process
Boot the client machine, connected to the network, through PXE. After initializing the PXE boot, the
system should handle the rest. Here’s what will happen:
• The client is directed (by using DHCP Options or the PXE Server response) to download
PXEBoot.com
• PXEBoot.com downloads Bootmgr.exe and the BCD store. The BCD store must reside in a \BOOT
directory in the TFTP root folder. Additionally, the BCD store must be called BCD
• Bootmgr.exe reads the BCD operating system entries and downloads boot.sdi and the Windows PE
image
• Bootmgr.exe begins booting Windows PE by running Winload.exe within the Windows PE image
For more detailed instructions, read the Microsoft TechNet official documentation.

Configuring a PXE Server


Configuring a TFTP server is made simple with a tool called Serva. You can download it here.
This tool is an “Automated PXE Server Solution Accelerator” that supports a variety of server protocols. The
ones we will be configuring are TFTP and DHCP.
• Click the logo in the top left to access the Settings


• Configure your DHCP settings. You may copy the ones below, just make sure the address it binds to
is a static IP address from your router. Under IP Pool 1st addr, input the first available IP address in
your router's IP pool settings.

Figure 73: DHCP configuration


• Configure your TFTP settings. You may also copy the setting below. Again, make sure the IP address
is your router’s static IP and the TFTP server root directory is the one you configured in Step 1.

Figure 74: TFTP configuration


Once the settings are configured, reset the application and your PXE server should be fully operational!
Creating a BCD file for PXE boot:
This entire process is done in Windows Command Prompt. Be sure to run it as Administrator.
1. Create a BCD store using bcdedit.exe:
bcdedit /createstore c:\BCD

2. Configure RAMDISK settings:


bcdedit /store c:\BCD /create {ramdiskoptions} /d "Ramdisk options"
bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdidevice boot
bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdipath \boot\boot.sdi
bcdedit /store c:\BCD /create /d "winpe boot image" /application osloader

The last command will return a GUID, for example:
The entry {bb254249-93e9-11e7-84cb-6c71d9da760e} was successfully created.
Copy this GUID for use in the next set of commands. In each command shown, replace the example GUID
{bb254249-93e9-11e7-84cb-6c71d9da760e} with your GUID.
3. Create a new boot application entry for the Windows PE image:
bcdedit /store c:\BCD /set {bb254249-93e9-11e7-84cb-6c71d9da760e} device ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions}
bcdedit /store c:\BCD /set {bb254249-93e9-11e7-84cb-6c71d9da760e} path \windows\system32\winload.exe
bcdedit /store c:\BCD /set {bb254249-93e9-11e7-84cb-6c71d9da760e} osdevice ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions}
bcdedit /store c:\BCD /set {bb254249-93e9-11e7-84cb-6c71d9da760e} systemroot \windows
bcdedit /store c:\BCD /set {bb254249-93e9-11e7-84cb-6c71d9da760e} detecthal Yes
bcdedit /store c:\BCD /set {bb254249-93e9-11e7-84cb-6c71d9da760e} winpe Yes

4. Configure BOOTMGR settings (remember to replace the example GUID in the third command with your GUID):
bcdedit /store c:\BCD /create {bootmgr} /d "boot manager"
bcdedit /store c:\BCD /set {bootmgr} timeout 30
bcdedit /store c:\BCD -displayorder {bb254249-93e9-11e7-84cb-6c71d9da760e} -addlast


5. Copy the BCD file to your TFTP server:


copy c:\BCD \\PXE-1\TFTP\Boot\BCD

Your PXE/TFTP server is now configured. You can view the BCD settings that have been configured using
the command:
bcdedit /store <BCD file location> /enum all

See the following example below.


Note:
Your GUID will be different than the one shown below.

C:\>bcdedit /store C:\BCD /enum all


Windows Boot Manager
--------------------
identifier {bootmgr}
description boot manager
displayorder {bb254249-93e9-11e7-84cb-6c71d9da760e}
timeout 30

Windows Boot Loader
-------------------
identifier {bb254249-93e9-11e7-84cb-6c71d9da760e}
device ramdisk=[boot]\boot\boot.wim,{ramdiskoptions}
description winpe boot image
osdevice ramdisk=[boot]\boot\boot.wim,{ramdiskoptions}
systemroot \Windows
detecthal Yes
winpe Yes

Setup Ramdisk Options
---------------------
identifier {ramdiskoptions}
description ramdisk options
ramdisksdidevice boot
ramdisksdipath \boot\boot.sdi
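
A listing like the one above can be checked before the BCD file is copied to the TFTP server. This Python example is added here and is not part of the KillDisk documentation; it parses the /enum all text (sample abridged from this page, description lines omitted, column spacing restored) and reports a displayorder GUID that matches no loader entry or a ramdisk entry without boot.sdi settings. The function names are assumptions.

```python
import re

# The `bcdedit /store C:\BCD /enum all` listing shown on this page, with the
# column spacing restored (constructed sample input).
SAMPLE = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}
displayorder            {bb254249-93e9-11e7-84cb-6c71d9da760e}
timeout                 30

Windows Boot Loader
-------------------
identifier              {bb254249-93e9-11e7-84cb-6c71d9da760e}
device                  ramdisk=[boot]\boot\boot.wim,{ramdiskoptions}
osdevice                ramdisk=[boot]\boot\boot.wim,{ramdiskoptions}
systemroot              \Windows
detecthal               Yes
winpe                   Yes

Setup Ramdisk Options
---------------------
identifier              {ramdiskoptions}
ramdisksdidevice        boot
ramdisksdipath          \boot\boot.sdi
"""

RAMDISK = re.compile(r"ramdisk=\[boot\]\\.+\.wim,(\{[^}]+\})$", re.I)


def parse_bcd(text):
    """Return {identifier: {element: value}} for every entry in the listing."""
    entries, current, key = {}, None, None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if not line.strip() or set(line.strip()) == {"-"}:
            continue
        if i + 1 < len(lines) and lines[i + 1].startswith("---"):
            current, key = {}, None                  # section title: new entry
        elif current is not None and line[0].isspace() and key:
            current[key] += " " + line.strip()       # wrapped multi-value element
        elif current is not None:
            key, _, value = line.partition(" ")
            current[key] = value.strip()
            if key == "identifier":
                entries[current[key]] = current
    return entries


def check_pxe_bcd(entries):
    """List what would stop Bootmgr from loading the WinPE ramdisk over TFTP."""
    order = entries.get("{bootmgr}", {}).get("displayorder", "").split()
    problems = [] if order else ["{bootmgr} is missing or has no displayorder"]
    for guid in order:
        loader = entries.get(guid)
        if loader is None:
            problems.append(f"displayorder points at missing entry {guid}")
            continue
        if loader.get("device") != loader.get("osdevice"):
            problems.append(f"{guid}: device and osdevice differ")
        if loader.get("winpe", "").lower() != "yes":
            problems.append(f"{guid}: winpe is not Yes")
        match = RAMDISK.match(loader.get("device", ""))
        options = entries.get(match.group(1), {}) if match else {}
        if not match:
            problems.append(f"{guid}: device is not a [boot] ramdisk WIM")
        elif options.get("ramdisksdidevice") != "boot" or not options.get("ramdisksdipath"):
            problems.append(f"{guid}: {match.group(1)} lacks boot.sdi settings")
    return problems
```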

Customizing Boot Disk


Note:
To customize Boot Disk image file you need basic skills in Command Line Scripts writing.

To customize Active@ KillDisk Boot Disk (WinPE image), for example to change a default Erase Method
and to add a Company Logo:
1. Create custom KILLDISK.INI file using documented parameters (Application Settings)
Here is an example of an INI file which uses the US DoD 5220.22-M (ECE) erase method with 10%
verification, stores logs, reports and certificates to the X:\\ location (the X: virtual drive is the only known drive
with a guaranteed letter when the boot disk starts), and specifies the Company Name and Logo Image file:

[General]
killMethod=3
killVerification=true
killVerificationPercent=10
logName=X:\\killdisk.log
showCert=true
saveCert=true
certPath=X:\\
showLogo=true
logoFile=X:\\MyCompanyLogo.png
companyName=LSoft.NET

2. Create KillDisk start up script which uses Command Line parameters


Here is an example of a CMD file which enumerates all drive letters, searches for the KILLDISK.INI file in the
User_Files folder, defines the Drive Letter where the Settings and Logo are stored, copies the Company Logo image file
to a known location and starts KillDisk with the custom KILLDISK.INI file:

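@ECHO OFF
REM Find the drive letter that holds \user_files\KILLDISK.INI
FOR %%i IN (c d e f g h i j k l m n o p q r s t u v w x y z) DO (IF EXIST %%i:\user_files\KILLDISK.INI ( SET CDROM=%%i:&& GOTO END ))
:END
REM Copy the logo to X:\, the location that logoFile in KILLDISK.INI points to
copy %CDROM%\user_files\MyCompanyLogo.png X:\
REM Start KillDisk with the custom KILLDISK.INI from the user_files folder
KillDisk.exe -ip="%CDROM%\user_files"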


3. Start Active@ Boot Disk Creator and configure Boot Disk startup settings
Start Active@ Boot Disk Creator
Click the Windows Start menu and launch Active@ Boot Disk Creator from the KillDisk folder

Select a Target
Select a media for Boot Disk to be created on (CD/DVD/BD ROM, ISO image or USB drive) and click
Next

Select Windows-based Boot Disk


Make sure Windows-based Boot Disk check box is selected on a Target tab

Disable default application auto-start


Switch to System Boot Settings tab and select OFF in Default Application Start option

Add custom KILLDISK.INI file and Company Logo to User_Files folder


Switch to the User's Files tab and click the Add File(s) button to add your custom settings file KILLDISK.INI
and Company Logo Image file (JPG, PNG, BMP formats). After the files are added, the application should
look like:

Add custom KillDisk start script to Startup Scripts


Switch to the Startup Scripts tab and click the Add File(s) button to add your custom script (CMD file) where
you launch KillDisk with custom Command Line parameters. After the file is added, the application
should look like:

Click Next button to complete Boot Disk creation

Finalize Boot Disk creation


Click Create button to burn CD/DVD/BD, or store Boot Disk to ISO file, or write Boot Disk to USB
disk, depending on Target option selected on the first step

Related tasks
Active@ Boot Disk Creator on page 15
Related information
Application Settings on page 54
Command Line Mode on page 44

Name Tags

General
{Computer ID}
Workstation (computer) ID
{OS}
Operating System name
{AppName}
Application name
{AppVersion}
Application full version
{KernelVersion}
Kernel version
{UniqueID}
Generated unique 8 symbols ID

Date & Time


Tags to represent current date in different formats:
{Date(YYYYMMDD)}
Complete date in full form without delimiters
{Date(YYYY-MM-DD)}
Complete date in full form with delimiters
{Date(YYMMDD)}
Complete date in short form without delimiters
{Date(YYYY)}
Year in full form
{Date(YY)}
Year in short form
{Date(Month)}
Full month name as literal
{Date(MM)}
Month as a number with leading zero
{Date(DD)}
Day of month with leading zero
{Time(HHmmss)}
Time with hours, minutes and seconds without delimiters
{Time(HH-mm-ss)}
Time with hours, minutes and seconds with delimiters
{Time(HH)}
Hours with leading zero
{Time(mm)}
Minutes with leading zero


{Time(ss)}
Seconds with leading zero

Disk
Values for these name tags are retrieved from the context device:
{Serial ID}
Disk serial number, retrieved from OS or from S.M.A.R.T. attributes
{Platform ID}
Disk platform identification (may vary due to OS format)
{Product ID}
Disk manufacturer Id
{Model}
Disk model name (if available)
{Size}
Disk size in gigabytes
{Sectors}
Disk size in sectors

Processing attributes
Disk processing attributes based on execution conditions:
{Method}
Erase method
{Passes}
Erase passes description
{Verified}
Verification attribute
{DateStarted}
Process start date
{TimeStarted}
Process start time
{TimeElapsed}
Process elapsed time
{Status}
Overall completion status for group processing or separate disk processing status.
{StatusCode}
Overall process result numeric code

Item processing attributes


Item processing attributes based on execution conditions:
{ProcessType}
Process type name
{ProcessedAs}
Process short name
{Range}
Processed disk range

Disk Hidden Zones (HPA/DCO)


Active@ KillDisk is able to detect and reset disk's hidden zones: HPA and DCO.


HPA - Host protected area


The Host Protected Area (HPA) is an area of a hard drive or solid-state drive that is not normally visible to
an operating system. It was first introduced in the ATA-4 standard CXV (T13) in 2001.
How it works:
The IDE controller has registers that contain data that can be queried using ATA commands. The data
returned gives information about the drive attached to the controller. There are three ATA commands
involved in creating and using a host protected area. The commands are:
• IDENTIFY DEVICE
• SET MAX ADDRESS
• READ NATIVE MAX ADDRESS
Operating systems use the IDENTIFY DEVICE command to find out the addressable space of a hard drive.
The IDENTIFY DEVICE command queries a particular register on the IDE controller to establish the size of a
drive.
This register however can be changed using the SET MAX ADDRESS ATA command. If the value in the
register is set to less than the actual hard drive size then effectively a host protected area is created. It is
protected because the OS will work with only the value in the register that is returned by the IDENTIFY
DEVICE command and thus will normally be unable to address the parts of the drive that lie within the HPA.
The HPA is useful only if other software or firmware (e.g. BIOS) is able to use it. Software and firmware
that are able to use the HPA are referred to as 'HPA aware'. The ATA command that these entities use is
called READ NATIVE MAX ADDRESS. This command accesses a register that contains the true size of the
hard drive. To use the area, the controlling HPA-aware program changes the value of the register read by
IDENTIFY DEVICE to that found in the register read by READ NATIVE MAX ADDRESS. When its operations
are complete, the register read by IDENTIFY DEVICE is returned to its original fake value.


Figure 75: Creation of an HPA

The diagram shows how a host protected area (HPA) is created:


1. IDENTIFY DEVICE returns the true size of the hard drive. READ NATIVE MAX ADDRESS returns the true
size of the hard drive
2. SET MAX ADDRESS reduces the reported size of the hard drive. READ NATIVE MAX ADDRESS returns the
true size of the hard drive. An HPA has been created
3. IDENTIFY DEVICE returns the now fake size of the hard drive. READ NATIVE MAX ADDRESS returns the
true size of the hard drive, the HPA is in existence
Usage:
• At the time HPA was first implemented on hard-disk firmware, some BIOS had difficulty booting
with large hard disks. An initial HPA could then be set (by some jumpers on the hard disk) to limit
the number of cylinders to 4095 or 4096 so that older BIOS would start. It was then the job of the
boot loader to reset the HPA so that the operating system would see the full hard-disk storage
space
• HPA can be used by various booting and diagnostic utilities, normally in conjunction with the BIOS.
An example of this implementation is the Phoenix First BIOS, which uses Boot Engineering Extension
Record (BEER) and Protected Area Run Time Interface Extension Services (PARTIES). Another example
is the Gujin installer which can install the bootloader in BEER, naming that pseudo-partition /dev/hda0
or /dev/sdb0; then only cold boots (from power-down) will succeed because warm boots
(from Ctrl-Alt-Delete) will not be able to read the HPA
• Computer manufacturers may use the area to contain a preloaded OS for install and recovery
purposes (instead of providing DVD or CD media)
• Dell notebooks hide Dell MediaDirect utility in HPA. IBM ThinkPad and LG notebooks hide system
restore software in HPA


• HPA is also used by various theft recovery and monitoring service vendors. For example, the laptop
security firm Computrace uses the HPA to load software that reports to their servers whenever the
machine is booted on a network. HPA is useful to them because even when a stolen laptop has its
hard drive formatted the HPA remains untouched
• HPA can also be used to store data that is deemed illegal and is thus of interest to government and
police
• Some vendor-specific external drive enclosures (Maxtor) are known to use HPA to limit the capacity
of unknown replacement hard drives installed into the enclosure. When this occurs, the drive may
appear to be limited in size (e.g. 128 GB), which can look like a BIOS or dynamic drive overlay
(DDO) problem. In this case, one must use software utilities (see below) that use READ NATIVE MAX
ADDRESS and SET MAX ADDRESS to change the drive's reported size back to its native size, and
avoid using the external enclosure again with the affected drive
• Some rootkits hide in the HPA to avoid being detected by anti-rootkit and antivirus software
• Some NSA exploits use the HPA for application persistence

DCO - Device Configuration Overlay


Device Configuration Overlay (DCO) is a hidden area on many of today’s hard disk drives (HDDs). Usually
when information is stored in either the DCO or host protected area (HPA), it is not accessible by the
BIOS, OS, or the user. However, certain tools can be used to modify the HPA or DCO. The system uses the
IDENTIFY_DEVICE command to determine the supported features of a given hard drive, but the DCO can
report to this command that supported features are nonexistent or that the drive is smaller than it actually
is. To determine the actual size and features of a disk, the DEVICE_CONFIGURATION_IDENTIFY command
is used, and the output of this command can be compared to the output of IDENTIFY_DEVICE to see if a
DCO is present on a given hard drive. Most major tools will remove the DCO in order to fully image a hard
drive, using the DEVICE_CONFIGURATION_RESET command. This permanently alters the disk, unlike with
the HPA, which can be temporarily removed for a power cycle.
Usage:
The Device Configuration Overlay (DCO), which was first introduced in the ATA-6 standard, "allows system
vendors to purchase HDDs from different manufacturers with potentially different sizes, and then configure
all HDDs to have the same number of sectors. An example of this would be using DCO to make an 80-gigabyte
HDD appear as a 60-gigabyte HDD to both the (OS) and the BIOS.... Given the potential to place
data in these hidden areas, this is an area of concern for computer forensics investigators. An additional
issue for forensic investigators is imaging the HDD that has the HPA and/or DCO on it. While certain
vendors claim that their tools are able to both properly detect and image the HPA, they are either silent on
the handling of the DCO or indicate that this is beyond the capabilities of their tool.
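
The relationship between the three size queries described in the HPA and DCO sections determines how much of a drive an erase that trusts IDENTIFY DEVICE actually reaches. The Python model below is an added example, not KillDisk's code: the class, the function names and the sector counts are constructed, sizes are simplified to sector counts, and the rule that the DCO reset is aborted while an HPA is set comes from the ATA specification rather than from this page.

```python
from dataclasses import dataclass


@dataclass
class AtaDrive:
    """Toy model of the three size values discussed above, as sector counts.

    Assumption: real drives report a maximum LBA and feature words; one
    sector count per command keeps the comparison readable.
    """
    factory: int        # DEVICE_CONFIGURATION_IDENTIFY: true capacity
    native_max: int     # READ NATIVE MAX ADDRESS: capacity after any DCO
    identify: int       # IDENTIFY DEVICE: capacity after any HPA

    def set_max_address(self, sectors):
        if not 0 < sectors <= self.native_max:
            raise ValueError("SET MAX ADDRESS beyond native max")
        self.identify = sectors

    def device_configuration_reset(self):
        # Per the ATA specification (not stated on this page): the command is
        # aborted while an HPA is in place.
        if self.identify < self.native_max:
            raise RuntimeError("command aborted: HPA is set")
        self.native_max = self.identify = self.factory


def hidden_zones(drive):
    """Return [(name, first_lba, last_lba)] for areas the OS cannot address."""
    zones = []
    if drive.identify < drive.native_max:
        zones.append(("HPA", drive.identify, drive.native_max - 1))
    if drive.native_max < drive.factory:
        zones.append(("DCO", drive.native_max, drive.factory - 1))
    return zones


def wipe_coverage(drive):
    """Fraction of the medium reached by an erase limited to IDENTIFY DEVICE."""
    return drive.identify / drive.factory


def expose_all(drive):
    """Reset both hidden zones in the order the drive accepts; return the log."""
    log = []
    if drive.identify < drive.native_max:
        drive.set_max_address(drive.native_max)
        log.append("SET MAX ADDRESS -> native max")
    if drive.native_max < drive.factory:
        drive.device_configuration_reset()
        log.append("DEVICE_CONFIGURATION_RESET")
    return log


def sample_drive():
    # Constructed values: the page's 80 GB drive shown as 60 GB by a DCO,
    # plus a 1 GiB HPA (2,097,152 sectors of 512 bytes) on top.
    return AtaDrive(factory=156_250_000, native_max=117_187_500,
                    identify=115_090_348)
```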
