In a recent blog entry, we mentioned that with the release of OS X 10.11 El Capitan, Apple has removed the ability to create RAIDs using the Disk Utility application. We then discussed how RAIDs can still be created using Terminal.
In this, our second post on restoring some of the power that was stripped away from the Disk Utility application in El Capitan, we'll take a look at using the diskutil Terminal command.
One function that has been removed from Disk Utility is the ability to zero out free space on an HFS+ partition. In OS X 10.10 and older, an examiner could open the Disk Utility application (Applications ➔ Utilities ➔ Disk Utility), select the desired volume, choose the Erase tab, then select Erase Free Space.
When erasing a volume with this process, a series of zeros (0) is written over the free space, or unallocated space, of the volume. While this is an anti-forensic tool built into the operating system, examiners have several practical uses for this feature. One such feature is to ready a computer for the next examination. Examiners can delete temporary files, caches, and files in the Trash, then erase the free space of the volume.
When the erase function was still present in Disk Utility, users could choose the level of erasure they wished to employ, ranging from fastest to slowest but most secure. Although the nuances of these erase options changed over the years, OS X 10.10 offered users the following choices: one pass of zeros, three passes of zeros, and seven passes of zeros.
Despite the fact that the erase feature has been removed from El Capitan's Disk Utility application, the feature can still be accessed through Terminal.
Open the Terminal application (Applications ➔ Utilities ➔ Terminal). The first step is to run a list using the command diskutil list. This is an extremely important step, as we need to ensure that we are deleting the free space from the desired volume!
In this example we are going to erase the free space of /dev/disk0s4.
Checking the man pages of the diskutil command secureErase, we see even more erase options that what the Disk Utility application offered in OS X 10.10.
After choosing the desired level of security for deleting the free space, we can enter the command. For this example we are choosing level 0 (zero). The command is as follows:
diskutil secureErase freespace 0 /dev/disk0s4
Caution: Remember Terminal is very unforgiving! Do not forget to type the command exactly as exemplified above, after ensuring you've identified the correct volume. If you forget the word freespace, the command will happily zero out the entire volume, and that is a very bad day.