
How Windows Format Command Line Behavior Changed

November 12, 2015

Format GUI in Windows

I recently was asked to contribute to a discussion on the IT social community Spiceworks. It started out as a question about disk formatting utilities, but by the end of the discussion, users were trying to determine what the Windows command line “format” command actually does when run with no parameters, specifically whether or not it overwrites sectors.

I can see the reason for the discussion, as this is a little tricky. I find that Microsoft hasn’t been totally clear in a few places.

In Windows, a “Quick Format” (which can be thought of as a “regular” format, since it’s fairly common) does not wipe/zero/overwrite the data. But what about the specific command line “format”?

From the MS documentation here, the /q parameter appears at first glance to only prevent a CHKDSK run that would check for bad sectors.

But what does a “format” in the command line by itself with no parameters do? Well, this has changed in the past.

Format command in command prompt ready to be executed

From the MS documentation on the format command:

If you do not specify any of the following command-line options, format uses the volume type to determine the default format for the disk.

Well, what does that mean? Microsoft doesn’t link to any related documentation, unfortunately.

The GUI format dialog has a Quick Format checkbox, which seems to correspond to the /q parameter and is normally checked by default. However, MS changed the behavior of the format command for Windows Vista and later.

The behavior of the format command changed in Windows Vista and later Windows versions. By default in Windows Vista and later versions, the format command writes zeros to the whole disk when a full format is performed. In Windows XP and earlier versions of Windows, the format command does not write zeros to the whole disk when a full format is performed.

https://support.microsoft.com/en-us/kb/941961

That is fairly imprecise, since we don’t know what “when a full format is performed” means for actual command line commands.

Essentially, it means a “non /q” format on the command line. For XP and earlier, the format command without /q did not overwrite with zeroes. For Vista and later, format without /q does overwrite with zeroes (one pass, unless /p is specified).

How Can I Verify A Wiped Hard Drive in Windows?

The previous file system is destroyed or invalidated with a format command (speaking generally and not knowing which specific command was used). However, that doesn’t mean file data is completely gone.

If a format was completed that did not zero out all of the sectors, previous file data remains in the areas on the drive that the new file system considers to be free space until overwritten. Software that scans through raw data should be able to find files there.

Also, some software can use the remnants of the previous file system, if enough of it is still around, to locate and extract files with their file system metadata intact as well. That works more often than you’d think with the right software in the hands of the right tech.

To verify the drive is wiped, you can use a couple of different methods. Think like a data recovery engineer; try to find evidence or data from before the wipe.

Running software that scans raw data for files would be a good test of a true wipe. Something easy to try is PhotoRec, which is free and effective. It does a good job of scanning for files in raw data, particularly JPEGs, because they have a very well-defined header and footer in raw data. Each file type is a bit different to recover from raw data. Plain text files, for instance, have no identifiers at all and so are basically impossible to recover in an automated fashion, though they can certainly be seen in the raw data.

You could also simply open the drive in a hex editor, scroll around, and see what is actually on there. Is it zeroes? That’s what it should be, according to the MS documentation. Do some searches. Is there any recognizable ASCII or Unicode data in places? Binary data?
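As an added example (not from the original article), the Python script below automates the hex-editor check just described on a raw disk image: it counts zero-filled sectors, looks for the JPEG start-of-image signature that carvers such as PhotoRec key on, and lists readable ASCII runs. The eight-sector sample image it scans is constructed inline; the sector size, the 12-byte string threshold and the helper names are assumptions.

```python
import re

SECTOR = 512                                   # assumed sector size
JPEG_SOI = b"\xff\xd8\xff"                     # JPEG start-of-image marker
ASCII_RUN = re.compile(rb"[\x20-\x7e]{12,}")   # 12+ printable ASCII bytes in a row


def scan_image(data: bytes) -> dict:
    """Summarise what survives in a raw image: how many sectors are all
    zero, where JPEG headers sit, and which readable strings remain."""
    sectors = (len(data) + SECTOR - 1) // SECTOR
    zero_sectors = 0
    for off in range(0, len(data), SECTOR):
        sector = data[off:off + SECTOR]
        if sector.count(0) == len(sector):     # every byte is 0x00
            zero_sectors += 1
    # Signatures and strings are searched over the whole buffer rather than
    # per sector, so a header straddling a sector boundary is not missed.
    jpeg_offsets = [m.start() for m in re.finditer(re.escape(JPEG_SOI), data)]
    strings = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    return {
        "sectors": sectors,
        "zero_sectors": zero_sectors,
        "jpeg_offsets": jpeg_offsets,
        "ascii_strings": strings,
        "wiped": zero_sectors == sectors,      # true only if every sector is zero
    }


def scan_file(path: str) -> dict:
    """Scan an image file that fits in memory (e.g. a dd copy of the drive)."""
    with open(path, "rb") as f:
        return scan_image(f.read())


def build_sample(leftovers: bool) -> bytes:
    """Constructed 8-sector 'drive'. With leftovers=True, sectors 3 and 5 still
    hold pieces of old files, as after a Quick Format; otherwise all zero."""
    img = bytearray(8 * SECTOR)
    if leftovers:
        jpeg = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x01" * 40
        html = b"<html><body>old customer record</body></html>"
        img[3 * SECTOR + 100:3 * SECTOR + 100 + len(jpeg)] = jpeg
        img[5 * SECTOR:5 * SECTOR + len(html)] = html
    return bytes(img)


if __name__ == "__main__":
    for label, img in (("quick", build_sample(True)), ("full", build_sample(False))):
        r = scan_image(img)
        print(f"{label} format: wiped={r['wiped']} zero sectors {r['zero_sectors']}/{r['sectors']} "
              f"JPEG at {r['jpeg_offsets']} strings {r['ascii_strings']}")
```

A drive that reports wiped=True and no signatures or strings matches what the KB article says a Vista-or-later full format should leave; anything else means the old data is still there for a carver to find.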

Hex editor screenshots: XML/HTML data, binary data, and zeroes

We recover data on a daily basis from drives that have had fresh Windows installs done on them that include a Quick Format. Quick Format is generally the default option in most situations (though now we know that’s no longer the case for the command line). It really depends on the overwrite damage in these cases, but we usually have good success.