Welcome back, everyone. Today we're going to be talking about how to zero out a storage disk in Windows using SDelete. In prior videos, I've shown you how to zero out a hard drive using dd. dd is built into Linux almost always by default. However, Windows does not have dd by default, so we have to download other utilities. The utility that I'm going to use today is a command-line utility called SDelete from Sysinternals. Sysinternals is part of Microsoft. We first have to download SDelete from the Sysinternals website, and the version I'm using is 2.01. Once you download SDelete, you'll get this zip folder. If you open up the zip folder, it has three files in it: the EULA, then sdelete, basically the 32-bit version, and then sdelete64. To install them, all you have to do is open up the C:\Windows\System32 folder and just drag and drop SDelete into the System32 folder. That will let you run SDelete from the command line without having to enter the entire path for SDelete every single time. Once we have SDelete installed in C:\Windows\System32, or any other path that you have (for example, I sometimes create a Utilities folder, add that Utilities folder to my path, and then just drop all of my tools into the Utilities folder), it's basically the same result. You just want to be able to type only the name instead of typing the full path.

We've downloaded SDelete. We've installed it in our path, and now we need to find the disk that we're interested in zeroing out. Just to show you the current state of our disk, I'm going to open up WinHex, which is a hex editor, and open our disk; the disk I'm interested in is the SanDisk Extreme USB stick. Click OK. From this, you can see that there is a partition. It's mounted as the E: drive, or detected as the E: drive in this computer, and then we can see that there is some structure here. "Missing operating system", "load error": these should be relatively familiar for the beginning of a disk.
Then there's some data on this disk. I know that there is some data on the disk, so now we need to wipe everything off. What you do next is open up a command line, so just type cmd, then right-click on Command Prompt and run as administrator. I'm going to run as administrator because I need to access the hard disk, and you need administrator privileges to do that. Whenever you open up Command Prompt, if you've installed SDelete in your path, you should just be able to type sdelete, and then you'll get this help menu if it's correctly installed. If you don't get this help menu, if it says that the command is not found, then SDelete is not in your path, and you need to make sure that you've installed it where your computer can find it.

Okay, so SDelete has a couple of different options. For example, it can securely delete files and directories. It can go over a drive letter or a partition and try to securely delete everything from the partition. What we want is a physical disk, so sdelete, then -p is the number of passes (the default is one), and then -z or -c, so zero free space out or clean free space; we want -z, and the reason we want zero is because we want to be able to prove that there is no data left on this disk. If you clean it, that is, if you add random data, then it's harder to prove that that random data didn't have some original data in it, but if it's all zeros, you know that there's no data there. And then the physical disk number. So basically we do sdelete, passes, zero out, physical disk number. So I'm going to run sdelete, but before I do that, I need to find the physical disk number. There are a couple of different methods to do that, but what I use is wmic diskdrive list brief. And then that will give us a brief listing of the drives detected in this system. You can see that we have two.
This VBox hard disk is the internal hard drive, and then the SanDisk Extreme USB device is the external drive, and that's the disk that we want to zero out right now. And it is on physical drive 1, okay? So what we need to remember here is 1, okay? Partitions, yep, everything else looks good. So just remember the physical drive, in my case physical drive 1; you might have different drives, okay? Now, if I run sdelete -z 1 and hit enter, it should give me a warning. Yeah, so in this case, this disk does have a volume installed, right? So there is a volume on this disk right now, and SDelete will say, hey, this disk has a volume, I'm not going to zero it out, which to me doesn't make any sense, but maybe it's a security feature, I'm not really sure why. dd would just happily overwrite everything, which is more dangerous, but also more handy in this case.

So the first thing that we have to do is actually delete the volume. Now, there are a couple of different ways to do it. If you like the GUI, you can type diskmgmt.msc, and that will open up Disk Management. And then you can see my volume is here; you can right-click on it and then just try to delete the volume. I've actually had some bad experience with using Disk Management this way, but you can definitely do it that way. But we're going to do it from the command line. So I'm going to use diskpart from the command line. So I just type diskpart. And then this gets us into an interactive program. So diskpart, and we see now the diskpart command prompt. So I want to list volume, and then that tells me basically all of the volumes available on the disk right now. And we can see our volume 3, E: drive, def 8, FAT32, removable, 29 GB, healthy. That's exactly what I'm interested in. So volume 3 is what I want to get rid of. So then we select volume 3, volume 3 is the selected volume, and then delete volume.
Now make sure you know exactly what you're selecting, because when you delete this, the volume is gone, and you'll have to try to recover it in a different way. So diskpart successfully deleted the volume. So then we can list volume again, and then we should see now that all of the labels and everything are gone. So that looks good. So then we exit, then we want to run sdelete -z for zero out, and then drive 1 again, and then hit enter. So now it's pass 0, progress 1%, 100 MB per second. So it's going through. And basically what this should be doing is, just like dd, it should just write zeros from the beginning to the end of the disk. And then whenever we get to the end, it should have zeros all the way through.

So just to see, I think 9% is probably enough. So I'm going to go ahead and close this, stop it now if I can. So I've just exited out, but it's already done 10%. So let's go back to the hex editor, and then go to Tools, Open Disk, and then the SanDisk Extreme again, click OK. And you see that at the beginning of the disk, everything is zeros. So it is actually zeroing everything out. Let's see if there's any data left. So I didn't get all the way through the disk. We only got like 10%-ish. And then there was still some data. So you would want to run this all the way through. And then depending on the type of disk, one pass is enough. For other disks, especially magnetic media, you might want to run two or three passes or more.

So in this case, what we've done here is zeroed out the disk. And the reason that we want to zero out the disk before we try to use it for, for example, another case: let's say that I have one hard drive dedicated to files related to suspect data. And the only thing that goes on that disk is suspect data from a different case, from each case. If we are very rich, we can probably afford a different hard drive for every single case. But sometimes it's cheaper and more efficient to reuse the disk.
But if we reuse the same disk for multiple cases, then somebody could make the claim that remnants of an old case are still available on the current disk. So before we reuse the disk for a new case, we need to make sure to zero out everything and then open up the disk in a hex viewer and prove that all of the data has actually been zeroed out. In this case, I can see that some data hasn't been. So I want to prove that all the data has been zeroed out. Document that, the date that I zeroed everything out. Maybe take screenshots about the fact that there is no more data on it. Then reformat the disk, and then, assuming that our court accepts that kind of work, which I think most jurisdictions do, the court should accept us storing a different case on that same disk because it has been wiped completely clean. So that's the justification for this. I'm not trying to do any data hiding or anything like that. We are trying to clean the disk of prior suspect data. That's what we're trying to do here. Basically a pretty quick way to zero out any disks that you have, as long as you delete the volume first. Maybe you just want to zero out the partition, but for forensic investigations, I feel more comfortable completely wiping out the entire disk. That's it for SDelete. Thank you very much.
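The whole procedure from the video (find the physical disk number, delete its volumes so SDelete will accept it, run `sdelete -z`, then read the start of the disk back and document that it is all zeros) can be wrapped in one script so the verification and the dated log happen every time. The PowerShell below is an added example written for this page; it is not from the video or from Sysinternals. It assumes an elevated PowerShell session on a Windows build that has the Storage module (`Get-Disk`, `Clear-Disk`), that `sdelete.exe` version 2.x (which accepts a physical disk number) is on the PATH, and that the disk number passed in is the one shown by `wmic diskdrive list brief` or `Get-Disk`. The raw read-back uses the `\\.\PhysicalDriveN` device path and replaces the manual look in WinHex; the sample size and log location are the script's own choices.

```powershell
# Added example (not from the video or Sysinternals): zero a physical disk with
# SDelete, then read the start of the disk back and log the result for the case file.
# Assumes: elevated session, Storage module present, sdelete.exe 2.x on PATH.
param(
    [Parameter(Mandatory)][int]$DiskNumber,     # physical disk number, e.g. 1 in the video
    [int]$Passes = 1,                           # sdelete -p; one pass per the video's default
    [string]$LogPath = '',                      # defaults to a log on the Desktop
    [int]$SampleSectors = 2048                  # 512-byte sectors to read back (1 MiB); an assumption
)

if (-not $LogPath) { $LogPath = Join-Path $env:USERPROFILE "Desktop\wipe-disk-$DiskNumber.log" }

function Write-Log([string]$Message) {
    # Every step is timestamped so the log can serve as the dated record the video asks for.
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    $line | Tee-Object -FilePath $LogPath -Append
}

# 1. Identify the disk and refuse to touch the disk Windows booted from.
$disk = Get-Disk -Number $DiskNumber -ErrorAction Stop
if ($disk.IsBoot -or $disk.IsSystem) {
    throw "Disk $DiskNumber is the boot/system disk; refusing to wipe it."
}
Write-Log ('Target: disk {0} "{1}" {2:N1} GB, bus {3}, serial {4}' -f `
    $disk.Number, $disk.FriendlyName, ($disk.Size / 1GB), $disk.BusType, $disk.SerialNumber)

# 2. Remove every partition/volume: SDelete refuses a physical disk that still has a volume,
#    which is the warning seen in the video before the diskpart "delete volume" step.
if ($disk.PartitionStyle -ne 'RAW') {
    Clear-Disk -Number $DiskNumber -RemoveData -RemoveOEM -Confirm:$false
    Write-Log 'Removed all partitions (Clear-Disk -RemoveData)'
}

# 3. Zero the whole physical disk: -z writes zeros (not random data, so the result is provable),
#    -p is the pass count, and the last argument is the physical disk number.
$sdelete = Get-Command sdelete.exe -ErrorAction Stop
& $sdelete.Source -p $Passes -z $DiskNumber
if ($LASTEXITCODE -ne 0) { throw "sdelete exited with code $LASTEXITCODE" }
Write-Log "sdelete -p $Passes -z $DiskNumber completed"

# 4. Read the first sectors straight from the device and count non-zero bytes.
function Test-ZeroedRegion {
    param([int]$Number, [int]$Sectors)
    $stream = New-Object System.IO.FileStream(
        "\\.\PhysicalDrive$Number",
        [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $buffer = New-Object byte[] (512 * $Sectors)   # sector-aligned read size
        $read = $stream.Read($buffer, 0, $buffer.Length)
        $nonZero = 0
        for ($i = 0; $i -lt $read; $i++) { if ($buffer[$i] -ne 0) { $nonZero++ } }
        return [pscustomobject]@{ BytesRead = $read; NonZeroBytes = $nonZero }
    } finally {
        $stream.Dispose()
    }
}

$result = Test-ZeroedRegion -Number $DiskNumber -Sectors $SampleSectors
Write-Log ('Verification: read {0} bytes from \\.\PhysicalDrive{1}, {2} non-zero' -f `
    $result.BytesRead, $DiskNumber, $result.NonZeroBytes)
if ($result.NonZeroBytes -gt 0) {
    throw "Sampled region still contains data; do not reuse disk $DiskNumber yet."
}
Write-Log "Disk $DiskNumber verified zero in sampled region; safe to reformat for a new case."
```

Run it as `.\Wipe-Disk.ps1 -DiskNumber 1` from an elevated prompt after confirming the number with `Get-Disk`. The boot/system check is the guard the video's warning about "make sure you know exactly what you're selecting" calls for; the read-back only samples the start of the disk, which is what the WinHex check in the video does, so a full-disk scan is still worth adding for a formal record.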