How to wipe file slack on OS X

Photo by walknboston on FlickR (CC-By 2.0)

Apple’s Disk Utility can wipe whole disks and free space. One thing it apparently does not do, however, is wipe file slack.

File systems are divided into finite block sizes. File slack is the space after the data in a file ends and until the file systems block finishes. On an average hard drive, file slack frequently constitutes more than a gigabyte of information – information that is not wiped when wiping free space.

Unlike the Windows utility Eraser, for example, Disk Utility does not include file slack when wiping, so in fact it is not a complete wipe of free space. Forensic investigators frequently find interesting information in slack space, so a wipe of free space that does not include slack is in fact incomplete.

There is, however, a way to wipe free space on Mac OS X 10.4, 10.5 and 10.6, including slack space. Jetico’s BCWipe – one of the most versatile and advanced cross-platform wipe utilities out there. The program has to be run from the command line, and the process is somewhat complicated if you haven’t done that sort of thing before.

That’s why this tutorial was made.

Be warned that playing with these commands unless you understand what you’re doing and typing precisely, could accidentally wipe important data. Consider backing up your data first.

First, you have to download, compile and install BCWipe.

Update, April 2010: Jetico is now offering a DMG and installer for Intel Macs, so you don’t have to compile it yourself. If you use this disk image, you can skip directly to point numer 5. You still have to run the software from the command line, though.

1. Download the software from http://www.jetico.com/download/
You want the BCWipe-1.9-8.tar.gz file, under the heading “BCWipe for UNIX” (“Download tar.gz”)

2. Unpack it by double clicking on it in the download directory.

3. It has to be compiled and installed. You need to download and install the Developer Tools from Apple to be able to compile software. To do that, go here http://developer.apple.com/mac/ and register an account, log in, download the Xcode Tools disk image, and install it. Then compile and install BCWipe by opening Terminal in Applications/Utilities, and run the following commands.

$ cd ~/Downloads/bcwipe-1.9-8/
$ sudo ./configure
$ sudo make install

5. Congratulations, you just installed BCWipe. It can now be run from the command-line by typing bcwipe. To read the instructions for using it, type “man bcwipe” (very useful)

Our recommended command to wipe file slack is
$ sudo bcwipe -ISrvwmz /

Update April 2011: Wiping slack with random (-ISrvwm1) sometimes triggers a bug where the system is brought to a halt because the pagefile fills up. Jetico is aware of the issue, and working on fixing it. Until then, use -ISrvwmz (as described here) which works fine (and it’s faster, too!).

Two useful scripts for Mac OS X
To save you some time, we have made two useful scripts, one to clear logs and cache, and one to wipe free space, including file slack

To make the scripts

$ sudo nano clear_logs_cache.sh

(or the name of your choice followed by .sh to designate it as a shell script)
(paste or type the contents of your choice below into the editor, remember, the commands are case sensitive)

CTRL-X, Y <enter> (to save the file)

Then, add execute permissions to the script to be able to run it

$ sudo chmod a+x clear_logs_cache.sh

Script contents

To delete logs and cache on Mac OS X 10.4, 10.5 and 10.6
bcwipe -Irvwm1 /private/var/log/*
bcwipe -Irvwm1 /Library/Logs/*
bcwipe -Irvwm1 /Library/Caches/*
bcwipe -Irvwm1 /System/Library/Caches/*
bcwipe -Irvwm1 ~/Library/Logs/*
bcwipe -Irvwm1 ~/Library/Caches/*

If you also want to delete the Spotlight database
bcwipe -Irvwm1 /.Spotlight-V100

(It could be useful to add the whole hard drive to the Privacy panel under Spotlight in System Preferences afterwards)

To delete file slack and free space
bcwipe -ISrvwmz /
bcwipe -IFrvwm1 /

Update, March 2011: BCWipe used to have problems deleting the files generated when wiping free space, but this seems to have been fixed now. If you still find that this issue is present, you can add the following two lines to your script:

rm -rf /bcwipe-wiping_free_space-??????
rm -rf /bcwipe-wiping_free_space-??????

To run a script
$ sudo ./clear_logs_cache.sh <enter>
(type your password) <enter>

The process usually takes thirty minutes to three hours depending on the size of your disk and what you wipe, whereas wiping cache and logs is done in a minute.

These scripts have been tested on Mac OS X 10.5 Leopard and 10.6 Snow Leopard as well as 10.4 Tiger on several machines, both PowerPC and Intel, and journaled and non-journaled Mac OS Extended drives, and they caused no problems. All the commands here can safely be run on a live system without problems. If you are using Boot Camp, using bcwipe on / might cause it to treat the Windows partition as well. One way to handle this is simply unmounting the Windows partition in Disk Utility before using bcwipe, and using Eraser, which is Windows native and free, on the Windows partition. It’s also a good idea to unmount any external drives and network volumes before starting.

However, this is not a guarantee that they will not cause problems for you. If you play with fire, you might get burnt. Remember that one typing mistake might wipe something essential to the operation of your system, or your important files. So unless, you know what you’re doing, consider not doing it, or having a computer literate friend help you. It might be wise to make a backup and play with these commands before using them in everyday computing.

DISCLAIMER: the author of this tutorial takes no responsibility for damaged data.

It should be sufficient to wipe data once, as no company has yet been able to recover overwritten data. Especially on modern hard drives, once scrub is enough, as there are less traces of previous data on these drives. However, some argue it could be possible to recover overwritten data (in theory) using magnetic force microscopy and image analysis, and that noone knows what technology the military might secretly possess. If you want to be sure it will be very hard to recover data, a 7-pass scrub is recommended. The instructions here are for a one-time scrub of random data without verification, which is a fast and effective method. To change the settings, refer to the BCWipe manual.

Be aware that SSD drives and memory flash drives (such as USB drives) do not behave like hard drives, and that using full disk encryption with a wipeable key file+password combo seems to be the best strategy for wiping such drives as of yet. Wiping on SSDs still works, but some data might be left in inaccesible areas on the drive.

BCWipe is free to use for 30 days, then you can purchase a license from Jetico.

This tutorial was last updated April 20, 2011.