How to wipe file slack on OS X

A tutorial explaining how to wipe free space, including file slack on Mac OS X

BCWipe lets you wipe slack


Photo by walknboston on FlickR (CC-By 2.0)

Update: a new and easier to use version of BCWipe for Mac OS X with a graphical user interface is now available. Read more about it here.

Apple’s Disk Utility can wipe whole disks and free space. One thing it apparently does not do, however, is wipe file slack.

File systems allocate space in fixed-size blocks. File slack is the space between the end of a file's data and the end of the last file system block allocated to it. On an average hard drive, file slack frequently constitutes more than a gigabyte of information – information that is not wiped when wiping free space.

Unlike the Windows utility Eraser, for example, Disk Utility does not include file slack when wiping free space. Forensic investigators frequently find interesting information in slack space, so a wipe of free space that does not include slack is incomplete.
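To see how much slack a directory tree actually holds, the following added example (not part of the original tutorial) sums the unused tail of each file's last block. The 4096-byte default block size and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: estimate how much file
# slack a directory tree holds. It measures size only, not content.

# slack_of SIZE BLOCK: bytes between the end of the data and the end of the
# last allocation block of a file (0 for empty files and exact multiples).
slack_of() {
  echo $(( ($2 - $1 % $2) % $2 ))
}

# slack_total DIR [BLOCK]: sum the slack of every regular file below DIR.
# BLOCK defaults to 4096 bytes, which is an assumption; pass the real
# allocation block size of the volume. Hard links are counted once per path.
slack_total() {
  find "$1" -type f -exec sh -c '
    bs=$1; shift; total=0
    for f in "$@"; do
      size=$(wc -c < "$f") || continue             # skip unreadable files
      total=$(( total + (bs - size % bs) % bs ))   # same formula as slack_of
    done
    echo "$total"' sh "${2:-4096}" {} + |
    awk '{ s += $1 } END { printf "%d\n", s }'
}

# Stand-alone use: sh slack.sh DIR [BLOCK]
if [ $# -ge 1 ]; then
  slack_total "$@"
fi
```
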

There is, however, a way to wipe free space on Mac OS X 10.4, 10.5 and 10.6, including slack space: Jetico’s BCWipe, one of the most versatile and advanced cross-platform wipe utilities out there. The program has to be run from the command line, and the process is somewhat complicated if you haven’t done that sort of thing before.

That’s why this tutorial was made.

Be warned that playing with these commands without understanding what you’re doing, or without typing them precisely, could accidentally wipe important data. Consider backing up your data first.

First, you have to download, compile and install BCWipe.

1. Download the software from http://www.jetico.com/download/
You want the BCWipe-1.9-13.tar.gz file, under the heading “BCWipe for UNIX” (“Download tar.gz”)

2. Unpack it by double clicking on it in the download directory.

3. It has to be compiled and installed. You need to download and install the Developer Tools from Apple to be able to compile software. To do that, go here and register an account, log in, download the Xcode Tools disk image, and install it. Or you could get it from the Mac App Store. It should be sufficient to just install the command line tools. Then compile and install BCWipe by opening Terminal in Applications/Utilities and running the following commands.

$ cd ~/Downloads/bcwipe-1.9-13/
$ sudo ./configure
$ sudo make install

4. Congratulations, you just installed BCWipe. It can now be run from the command line by typing bcwipe. To read the instructions for using it, type “man bcwipe” (very useful).

Our recommended command to wipe file slack is
$ sudo bcwipe -ISrvwm1 /

Two useful scripts for Mac OS X
To save you some time, we have made two useful scripts: one to clear logs and cache, and one to wipe free space, including file slack.

To make the scripts

$ sudo nano clear_logs_cache.sh

(or the name of your choice followed by .sh to designate it as a shell script)
(paste or type the contents of your choice below into the editor, remember, the commands are case sensitive)

CTRL-X, Y <enter> (to save the file)

Then, add execute permissions to the script to be able to run it

$ sudo chmod a+x clear_logs_cache.sh

Script contents

To delete logs and cache on Mac OS X 10.4, 10.5 and 10.6
bcwipe -Irvwm1 /private/var/log/*
bcwipe -Irvwm1 /Library/Logs/*
bcwipe -Irvwm1 /Library/Caches/*
bcwipe -Irvwm1 /System/Library/Caches/*
bcwipe -Irvwm1 ~/Library/Logs/*
bcwipe -Irvwm1 ~/Library/Caches/*

If you also want to delete the Spotlight database
bcwipe -Irvwm1 /.Spotlight-V100

To delete file slack and free space
bcwipe -ISrvwmz /
bcwipe -IFrvwm1 /

To run a script
$ sudo ./clear_logs_cache.sh <enter>
(type your password) <enter>

Wiping free space and file slack can take anything from a few minutes to three hours depending on the size and type of your disk and what you wipe, whereas wiping cache and logs is done in a minute.

These scripts have been tested on Mac OS X 10.10 and many of the previous versions, journaled and non-journaled file systems, SSDs and hard drives, and they caused no problems. All the commands here can safely be run on a live system without problems. If you are using Boot Camp, using bcwipe on / might cause it to treat the Windows partition as well. One way to handle this is simply unmounting the Windows partition in Disk Utility before using bcwipe, and using Eraser, which is Windows native and free, on the Windows partition. It’s also a good idea to unmount any external drives and network volumes before starting.

However, this is not a guarantee that they will not cause problems for you. If you play with fire, you might get burnt. Remember that one typing mistake might wipe something essential to the operation of your system, or your important files. So unless you know what you’re doing, consider not doing it, or having a computer-literate friend help you. It might be wise to make a backup and play with these commands before using them in everyday computing.
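The advice above about unmounting Boot Camp, external and network volumes before wiping / can be checked mechanically. This added example (not part of the original tutorial) parses `mount` output and refuses to proceed while anything is mounted below /Volumes; the sample mount lines are constructed, and the BCWIPE variable and script name are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: pre-flight check to run
# before "sudo bcwipe -ISrvwm1 /".

# Constructed sample of OS X `mount` output, used only for demonstration.
SAMPLE_MOUNT='/dev/disk1s1 on / (hfs, local, journaled)
devfs on /dev (devfs, local, nobrowse)
/dev/disk1s3 on /Volumes/BOOTCAMP (ntfs, local, read-only, noowners)
//user@nas/share on /Volumes/My Share (smbfs, nodev, nosuid, mounted by user)'

# extra_volumes: read `mount` output on stdin and print every mount point
# below /Volumes. Assumes lines of the form "<device> on <path> (<options>)".
extra_volumes() {
  sed -n 's|^.* on \(/Volumes/.*\) ([^()]*)$|\1|p'
}

# preflight MOUNT_OUTPUT: 0 = safe to wipe /, 1 = volumes still mounted,
# 2 = bcwipe missing. BCWIPE is a hypothetical override for the binary name.
preflight() {
  if ! command -v "${BCWIPE:-bcwipe}" >/dev/null 2>&1; then
    echo "bcwipe not found in PATH" >&2
    return 2
  fi
  vols=$(printf '%s\n' "$1" | extra_volumes)
  if [ -n "$vols" ]; then
    echo "Unmount these before wiping /:" >&2
    printf '%s\n' "$vols" | sed 's/^/  /' >&2
    return 1
  fi
  return 0
}

# Stand-alone use: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then
  preflight "$(mount)" && echo "OK: sudo bcwipe -ISrvwm1 /"
fi
```
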

DISCLAIMER: the author of this tutorial takes no responsibility for damaged data.

It should be sufficient to wipe data once, as no company has yet been able to recover overwritten data. Especially on modern hard drives, one scrub is enough, as there are fewer traces of previous data on these drives. However, some argue it could be possible to recover overwritten data (in theory) using magnetic force microscopy and image analysis, and that no one knows what technology the military might secretly possess. If you want to be sure it will be very hard to recover data, a 7-pass scrub is recommended. The instructions here are for a one-time scrub of random data without verification, which is a fast and effective method. To change the settings, refer to the BCWipe manual.

Be aware that SSDs and flash memory drives (such as USB drives) do not behave like hard drives, and that using full disk encryption with a wipeable key file+password combo seems to be the best strategy for wiping such drives as of yet. Wiping on SSDs still works, but some data might be left in inaccessible areas on the drive.

BCWipe is free to use for 30 days, then you can purchase a license from Jetico.

This tutorial was last updated August 28, 2015.


Written by wipetutorial

June 3, 2009 at 12:29 pm

10 Responses


  1. I’m unsure why a person would need to use this to wipe file slack. When OS X creates a file it automatically zero-fills the file slack space, so there should be no remnant data in the file slack space (see MAC OSX Internals – A Systems Approach, p. 1392).

    steve

    December 29, 2009 at 12:58 pm

    • Does that happen if you copy a file onto somewhere where for example, unencrypted swap has been stored or only when creating new files? What about files downloaded from the internet and unpacked, or your old files? Does OS X wipe slack on these files automatically? I’ll try and find the book you mention and check.

      wipetutorial

      January 5, 2010 at 12:54 am

  2. Ya, that’s true BC Wipe really worked for me to wipe the files.
    Thanks a lot for your help.

    Wipe Mac

    February 2, 2010 at 10:02 am

  3. Guys,

    2 things:

    1) When I copy and paste $ sudo bcwipe -ISrvm1 / in ‘Shell / New command ” I get an error message. but “sudo bcwipe -ISrvm1 /” without the dollar works.

    2) I would like to wipe the slack space on external drives? what script can I use..?

    ps wipetutorial – really appreciate your inputs above.

    Danny

    September 14, 2010 at 3:11 am

    • Thank you. Of course you should not include the dollar sign. Why don’t you just learn a bit more about how to use the shell/Terminal? Try «man bcwipe», which will give you a Unix users manual page for bcwipe. The external drives are located at /Volumes in Mac OS X, so if you use the same commands, but on one of the volumes there, that should work.

      An example: “sudo bcwipe -ISrvwm1 /Volumes/UNTITLED/”

      By the way, it is a good idea to unmount any volumes you do not want to include before wiping slack on /, or they will be included.

      wipetutorial

      October 21, 2010 at 1:00 pm

  4. Newbie with Mac here, I’m interested to learn it but I don’t really get the Terminal, if I were to erase the file slack what would be the exact things I have to do from the terminal?

    I appreciate your time.

    JC

    November 30, 2010 at 6:32 am

    • That’s exactly what this article deals with. Read it again. If you don’t know exactly what you are doing, I recommend getting some help and backing up your data before trying.

      wipetutorial

      March 23, 2011 at 1:55 pm

    • That’s what I describe in this blog post. Be careful!

      wipetutorial

      August 28, 2015 at 11:46 am

  5. Hey there! Someone in my Facebook group shared this website with us so I came to take a look. I’m definitely enjoying the information. I’m book-marking and will be tweeting this to my followers! Terrific blog and wonderful design.

    http://www.wipenew.com

    April 20, 2013 at 12:08 am

  6. Excellent, what a web site it is! This weblog presents useful facts to us, keep it up.

