Examine contents of unused space on the HDD

Question

When using managed dedicated services, either virtual or physical, where you're presented with complete control to an operating system installed on some piece of hardware you don't have physical access to, is there any good way to test whether the storage have been appropriately wiped of any data from the previous customer?

I figure that if I'm getting data from the previous customer on my machine, it's likely that the next customer might be getting my data, thus I'd like to have a way of testing whether the disc has been scrubbed appropriately of any previous data, to know what I'm up for.

A naive approach would use dd together with hexdump -C, fgrep -v and uniq, but it's very non-trivial to distinguish which data is yours and which isn't, because we're running this on an already-formatted HDD.

Are there any tools for Linux, FreeBSD or OpenBSD to examine unused disc space not currently allocated by the filesystem? The ideal tool would be capable of determining the filesystem currently used, and presenting all data, in a linear or better format, of all unused disc space; including stuff that's not necessarily adhering to the format of the filesystem currently in use (e.g., files that used to be part of other arbitrary filesystem formats).

Answer 1

Ideally, you would need to analyze the drive as soon as you get it (i.e. not install some OS on the drive itself and then analyze it).

Usually, wiping a drive means overwriting all bytes on the drive with other data. Again, usually writing 0, 1 or random data. Of course, this will not be common to all providers and does entirely depend on provider and its policy, software, hardware, ...

Many recovery software tools have been developed that may allow you to recover data from a non-running drive. However, when going through this route you will be descending into a world of doubt and uncertainty, if you do not know exactly what the provider did to the drive. Maybe the provider only wiped part of the drive, maybe the provider altered the data by applying a Caesar-like cipher.

I figure that if I'm getting data from the previous customer on my machine, it's likely that the next customer might be getting my data, thus I'd like to have a way of testing whether the disc has been scrubbed appropriately of any previous data, to know what I'm up for.

I don't know of a methodical way of proving this. What I would immediately do in order: 1. try to boot from the system (these things have a tendency of breaking) 2. analyze the beginning and end of the drive if I have been told that it has been wiped with 1s/0s. 3. Run testdisk (or another partition recovery tool or another tool that is compatible with multiple file systems) to maybe confirm if the initial partitions are still present on the drive. This may not be possible with all provider environments.

Note: these drive recovery tools usually read GTP, MBR, RAID or other partition layout information at the beginning of a drive. They do not usually analyze every single byte on the drive since this will be slow. Some tools are even aware of some drive encryption specifications (e.g. LUKS), but again there are many such technologies and they almost always have some identifiable bytes in the beginning of a drive or partition.

I cannot help you directly with the question of analyzing from an already installed operating system as you are embracing all the variables above and more. Thus I suppose you need to further define what would constitute a minimum information leakage (e.g. if a single bit on the drive has the same value, because the provider did not change it after allocating it to the new costumer).

You should also specify a situation for a given provider. Some providers will allow mounting the drive on an existing OS, while others force you to install their own custom image of an OS to be able to use that drive.

Note: I was trying to use the comment feature but I can could only comment with an answer.