BCWipe is your best option

By wipetutorial

Apple’s Disk Utility can wipe whole disks and free space. One thing it apparently does not do, however, is wipe file slack.

File systems allocate space in fixed-size blocks. File slack is the space between the end of a file’s data and the end of its last file system block. On an average hard drive, file slack frequently constitutes more than a gigabyte of information – information that is not wiped when wiping free space.

Unlike the Windows utility Eraser, for example, Disk Utility does not include file slack when wiping, so in fact it is not a complete wipe of free space. Forensic investigators frequently find interesting information in slack space, so a wipe of free space that does not include slack is in fact incomplete.
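To see how much slack a directory tree holds before wiping, the sketch below (an added example, not part of the original tutorial or of BCWipe) sums the unused tail of each file's last block. The function name tree_slack and the 4096-byte default block size are assumptions; pass your volume's real allocation block size as the second argument.

```shell
#!/bin/sh
# Added example: estimate file slack below a directory.
# Assumption: every non-empty regular file occupies whole allocation blocks
# (sparse, compressed or inline-stored files are not accounted for).

# tree_slack DIR [BLOCK] -> prints total slack bytes of regular files below DIR
tree_slack() {
    dir=$1
    block=${2:-4096}   # assumed allocation block size in bytes

    # -xdev keeps find on one volume, so external drives and other
    # mounted partitions are not counted.
    # wc -c < file prints only the byte count, which is safe for any file name.
    find "$dir" -xdev -type f \
        -exec sh -c 'for f; do wc -c < "$f"; done' sh {} + 2>/dev/null |
    awk -v b="$block" '
        {
            r = $1 % b              # bytes used in the last block
            if (r) s += b - r       # remainder of that block is slack
        }
        END { printf "%.0f\n", s }  # %.0f avoids 32-bit clamping in old awks
    '
}

# Run as a script: ./slack.sh /some/dir [block-size]
if [ "$#" -gt 0 ]; then
    tree_slack "$@"
fi
```

Files the current user cannot read are skipped silently, so run it with sudo for a figure covering the whole volume.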

There is, however, a way to wipe free space on Mac OS X 10.4, 10.5 and 10.6, including slack space: Jetico’s BCWipe. The program has to be run from the command line, and the process is somewhat complicated if you haven’t done that sort of thing before.

That’s why this tutorial was made. 

Be warned that running these commands without understanding what you’re doing, or without typing them precisely, could accidentally wipe important data. Consider backing up your data first.

First, you have to download, compile and install BCWipe.

1. Download the software from http://www.jetico.com/
You want the BCWipe-1.9-3.tar.gz file, under the heading “BCWipe for UNIX versions”

2. Unpack it by double-clicking on it in the download directory

3. It has to be compiled and installed. You need to download and install the Developer Tools from Apple to be able to compile software. To do that, go to http://developer.apple.com/mac/, register an account, log in, download the Xcode Tools disk image, and install it. Then compile and install BCWipe by opening Terminal in Applications/Utilities and running the following commands.

$ cd ~/Downloads/bcwipe-1.9-3/
$ sudo ./configure
$ sudo make install

4. Congratulations, you just installed BCWipe. It can now be run from the command line by typing bcwipe. To read the instructions for using it, type “man bcwipe” (very useful).

Our recommended command to wipe file slack is
$ sudo bcwipe -ISrvm1 /

Two useful scripts for Mac OS X
To save you some time, we have made two useful scripts: one to clear logs and cache, and one to wipe free space, including file slack.

To make the scripts

$ sudo nano clear_logs_cache.sh

(or the name of your choice followed by .sh to designate it as a shell script)
(paste or type the contents of your choice below into the editor, remember, the commands are case sensitive)

CTRL-X, Y <enter> (to save the file)

Then, add execute permissions to the script to be able to run it

$ sudo chmod a+x clear_logs_cache.sh

Script contents

To delete logs and cache on Mac OS X 10.4, 10.5 and 10.6
bcwipe -Irvwm1 /private/var/log/*
bcwipe -Irvwm1 /Library/Logs/*
bcwipe -Irvwm1 /Library/Caches/*
bcwipe -Irvwm1 /System/Library/Caches/*
bcwipe -Irvwm1 ~/Library/Logs/*
bcwipe -Irvwm1 ~/Library/Caches/*

If you also want to delete the Spotlight database
bcwipe -Irvwm1 /.Spotlight-V100

(It could be useful to add the whole hard drive to the Privacy panel under Spotlight in System Preferences afterwards)

To delete file slack and free space
bcwipe -ISrvwm1 /
bcwipe -IFrvwm1 /
rm -rf /bcwipe-wiping_free_space-??????
rm -rf /bcwipe-wiping_free_space-??????

To run a script
$ sudo ./clear_logs_cache.sh <enter>
(type your password) <enter>

The process usually takes thirty minutes to three hours depending on the size of your disk and what you wipe, whereas wiping cache and logs is done in a minute.

These scripts have been tested on Mac OS X 10.5 Leopard and 10.6 Snow Leopard as well as 10.4 Tiger on several machines, both PowerPC and Intel, and journaled and non-journaled Mac OS Extended drives, and they caused no problems. All the commands here can safely be run on a live system without problems. If you are using Boot Camp, using bcwipe on / might cause it to treat the Windows partition as well. One way to handle this is simply unmounting the Windows partition in Disk Utility before using bcwipe, and using Eraser, which is Windows native and free, on the Windows partition. It’s also a good idea to unmount any external drives and network volumes before starting.

However, this is not a guarantee that they will not cause problems for you. If you play with fire, you might get burnt. Remember that one typing mistake might wipe something essential to the operation of your system, or your important files. So unless you know what you’re doing, consider not doing it, or having a computer-literate friend help you. It might be wise to make a backup and play with these commands before using them in everyday computing.

DISCLAIMER: the author of this tutorial takes no responsibility for damaged data.

It should be sufficient to wipe data once, as no company has yet been able to recover overwritten data. Especially on modern hard drives, one scrub is enough, as there are fewer traces of previous data on these drives. However, some argue it could be possible to recover overwritten data (in theory) using magnetic force microscopy and image analysis, and that no one knows what technology the military might secretly possess. If you want to be sure it will be very hard to recover data, a 7-pass scrub is recommended. The instructions here are for a one-time scrub of random data without verification, which is a fast and effective method. To change the settings, refer to the BCWipe manual.

BCWipe works for free for 30 days, and then you can purchase a license from Jetico.

Update: Kremlin seems to be selling a product that also wipes free space including file slack on Mac OS X, from looking at their web pages. The author of this tutorial has not tested this tool. BCWipe is a tried and trusted tool with a long history, however, and the author would probably prefer it anyway.
