Disk formatting explained

Disk formatting is the process of preparing a data storage device such as a hard disk drive, solid-state drive, floppy disk, memory card or USB flash drive for initial use. In some cases, the formatting operation may also create one or more new file systems. The first part of the formatting process that performs basic medium preparation is often referred to as "low-level formatting".[1] Partitioning is the common term for the second part of the process, dividing the device into several sub-devices and, in some cases, writing information to the device allowing an operating system to be booted from it.[2] The third part of the process, usually termed "high-level formatting" most often refers to the process of generating a new file system.[1] In some operating systems all or parts of these three processes can be combined or repeated at different levels and the term "format" is understood to mean an operation in which a new disk medium is fully prepared to store files. Some formatting utilities allow distinguishing between a quick format, which does not erase all existing data and a long option that does erase all existing data.

As a general rule, formatting a disk by default leaves most if not all existing data on the disk medium; some or most of which might be recoverable with privileged[3] or special tools.[4] Special tools can remove user data by a single overwrite of all files and free space.[5]

History

A block, a contiguous number of bytes, is the minimum unit of storage that is read from and written to a disk by a disk driver. The earliest disk drives had fixed block sizes (e.g. the IBM 350 disk storage unit (of the late 1950s) block size was 100 six-bit characters) but starting with the 1301[6] IBM marketed subsystems that featured variable block sizes: a particular track could have blocks of different sizes. The disk subsystems and other direct access storage devices on the IBM System/360 expanded this concept in the form of Count Key Data (CKD) and later Extended Count Key Data (ECKD); however the use of variable block size in HDDs fell out of use in the 1990s; one of the last HDDs to support variable block size was the IBM 3390 Model 9, announced May 1993.[7]

Modern hard disk drives, such as Serial attached SCSI (SAS)[8] and Serial ATA (SATA)[9] drives, appear at their interfaces as a contiguous set of fixed-size blocks; for many years 512 bytes long but beginning in 2009 and accelerating through 2011, all major hard disk drive manufacturers began releasing hard disk drive platforms using the Advanced Format of 4096 byte logical blocks.[10] [11]

Floppy disks generally only used fixed block sizes but these sizes were a function of the host's OS and its interaction with its controller so that a particular type of media (e.g., 5¼-inch DSDD) would have different block sizes depending upon the host OS and controller.

Optical discs generally only use fixed block sizes.

Disk formatting process

Formatting a disk for use by an operating system and its applications typically involves three different processes.[12]

  1. Low-level formatting (i.e., closest to the hardware) marks the surfaces of the disks with markers indicating the start of a recording block (typically today called sector markers) and other information like block CRC to be used later, in normal operations, by the disk controller to read or write data. This is intended to be the permanent foundation of the disk, and is often completed at the factory.
  2. Partitioning divides a disk into one or more regions, writing data structures to the disk to indicate the beginning and end of the regions. This level of formatting often includes checking for defective tracks or defective sectors.
  3. High-level formatting creates the file system format within a disk partition or a logical volume. This formatting includes the data structures used by the OS to identify the logical drive or partition's contents. This may occur during operating system installation, or when adding a new disk. Disk and distributed file system may specify an optional boot block, and/or various volume and directory information for the operating system.

Low-level formatting of floppy disks

The low-level format of floppy disks (and early hard disks) is performed by the disk drive's controller.

For a standard 1.44 MB floppy disk, low-level formatting normally writes 18 sectors of 512 bytes to each of 160 tracks (80 on each side) of the floppy disk, providing 1,474,560 bytes of storage on the disk.

Physical sectors are actually larger than 512 bytes, as in addition to the 512 byte data field they include a sector identifier field, CRC bytes (in some cases error correction bytes) and gaps between the fields. These additional bytes are not normally included in the quoted figure for overall storage capacity of the disk.

Different low-level formats can be used on the same media; for example, large records can be used to cut down on inter-record gap size.

Several freeware, shareware and free software programs (e.g. GParted, FDFORMAT, NFORMAT, VGA-Copy and 2M) allowed considerably more control over formatting, allowing the formatting of high-density 3.5" disks with a capacity up to 2 MB.

Techniques used include:

Linux supports a variety of sector sizes,[13] and DOS and Windows support a large-record-size DMF-formatted floppy format.[14]

After establishing the structure of tracks, a formatter also needs to fill the entire floppy and look for bad sectors. Traditionally, the physical sectors were initialized with a fill value of 0xF6 as per the INT 1Eh's Disk Parameter Table (DPT) during format on IBM compatible machines. This value is also used on the Atari Portfolio. CP/M 8-inch floppies typically came pre-formatted with a value of 0xE5,[15] and by way of Digital Research this value was also used on Atari ST and some Amstrad formatted floppies. Amstrad otherwise used 0xF4 as a fill value.

Low-level formatting (LLF) of hard disks

Hard disk drives prior to the 1990s typically had a separate disk controller that defined how data was encoded on the media. With the media, the drive and/or the controller possibly procured from separate vendors, users were often able to perform low-level formatting. Separate procurement also had the potential of incompatibility between the separate components such that the subsystem would not reliably store data.[16]

User-instigated low-level formatting (LLF) of hard disk drives was common for minicomputer and personal computer systems until the 1990s. IBM and other mainframe system vendors typically supplied their hard disk drives (or media in the case of removable media HDDs) with a low-level format. Typically this involved subdividing each track on the disk into one or more blocks which would contain the user data and associated control information. Different computers used different block sizes and IBM notably used variable block sizes but the popularity of the IBM PC caused the industry to adopt a standard of 512 user data bytes per block by the middle 1980s.

Depending upon the system, low-level formatting was generally done by an operating system utility. IBM compatible PCs used the BIOS, which is invoked using the MS-DOS debug program, to transfer control to a routine hidden at different addresses in different BIOSes.[17]

Transition away from LLF

Starting in the late 1980s, driven by the volume of IBM compatible PCs, HDDs became routinely available pre-formatted with a compatible low-level format. At the same time, the industry moved from historical (dumb) bit serial interfaces to modern (intelligent) bit serial interfaces and word serial interfaces wherein the low-level format was performed at the factory.[18] [19] Accordingly, it is not possible for an end user to low-level format a modern hard disk drive.

Modern disks: reinitialization

Modern hard drives can no longer perform post-production LLF, i.e. to re-establish the basic layout of "tracks" and "blocks" on the recording surface. Reinitialization refers to processes that return a disk to a factory-like configuration: no data, no partitioning, all blocks available to use.

Command-set support

SCSI provides a command. This command performs the needed certification step to weed out bad sectors and has the ability to change sector size. The command-line sg_format program may be used to issue the command. A variety of sector sizes may be chosen, but are not available on all devices: 512, 520, 524, 528, 4096, 4112, 4160, and 4224-byte sectors.[20] Although the SCSI command provides many options, even resizing, it does not touch on the track layer where low-level format happens.[21]

ATA does not expose a low-level format functionality, but they allow the sector size to be changed via (in [[hdparm]]). (Consumer drives usually only support 512 and 4096-byte sectors.) Although sector-size change may scramble data, it is not a safe way of erasing data, nor is any certification done. ATA offers a separate (in [[hdparm]]) command for erasure.

NVMe drives have a standard method of formatting, available in, for example, the Linux command-line program . Sector size change and secure erase options are available. Note that NVMe drives are generally solid-state, making this "track" distinction useless.

Seagate Technology drives offer a TTL serial debugging console.[22] Among other things, the console can format the "system" and "user" partitions while performing defect checks (re-initialization over pre-established logical blocks) and modify track parameters (managing the real low-level format).[23]

Disk-filling

When the hard drive's built-in reinitialization function (see above) is unavailable due to driver or system limitations, it is possible to fill the entire disk instead. On older hard drives without bad sector management,[24] a program will also need to check for any damaged sectors and try to spare them out. On newer drives with defect management, reallocated sectors may be left unerased, whereas the built-in re-initialization function will erase them.

In modern times, it is most common to fill hard drives with value of 0x00. One popular method for performing this zero-fill operation on a hard disk is by writing zero-value bytes to the drive using the Unix dd utility with the /dev/zero stream as the input file and the drive itself (or a specific partition) as the output file.[25] This command may take many hours to complete, and will erase all files and file systems.

A value of 0xFF is used on flash disks to reduce wear . The latter value is typically also the default value used on ROM disks (which cannot be reformatted). Some advanced tools allow configuring the fill value.

Zero-filling a drive is not a secure method of preparing a drive for use with an encrypted filesystem. Doing so voids the plausible deniability of the process, as the encrypted areas (indistinguishable from random without a key, unless the cipher is compromised) will stand out among zero blocks. The correct technique is to zero-fill inside a temporary encrypted layer then discard the key and layer setup. (/dev/urandom provides similar safety, but tends to be slow.)[26]

Confusion

The present ambiguity in the term low-level format seems to be due to both inconsistent documentation on web sites and the belief by many users that any process below a high-level (file system) format must be called a low-level format. Since much of the low-level formatting process can today only be performed at the factory, various drive manufacturers describe reinitialization software as LLF utilities on their web sites. Since users generally have no way to determine the difference between a complete LLF and reinitialization (they simply observe running the software results in a hard disk that must be high-level formatted), both the misinformed user and mixed signals from various drive manufacturers have perpetuated this error.

Note: whatever possible misuse of such terms may exist, many sites do make such reinitialization utilities available (possibly as bootable floppy diskette or CD image files), to both overwrite every byte and check for damaged sectors on the hard disk.

Partitioning

See main article: Disk partitioning.

Partitioning is the process of writing information into blocks of a storage device or medium to divide the device into several sub-devices, each of which is treated by the operating system as a separate device and, in some cases, to allow an operating system to be booted from the device.

On MS-DOS, Microsoft Windows, and UNIX-based operating systems (such as BSD, Linux and macOS) this is normally done with a partition editor, such as fdisk, GNU Parted, or Disk Utility. These operating systems support multiple partitions.

Floppy disks are not partitioned; however depending upon the OS they may require volume information in order to be accessed by the OS.

Partition editors and ICKDSF today do not handle low-level functions for HDDs and optical disc drives such as writing timing marks, and they cannot reinitialize a modern disk that has been degaussed or otherwise lost the factory formatting.

IBM operating systems derived from CP-67, e.g., z/VM, maintain partitioning information for minidisks externally to the drive.

High-level formatting

High-level formatting is the process of setting up an empty file system on a disk partition or a logical volume and for PCs, installing a boot sector. This is often a fast operation, and is sometimes referred to as quick formatting.

Formatting an entire logical drive or partition may optionally scanned for defects, which may take considerable time.

In the case of floppy disks, both high- and low-level formatting are customarily performed in one pass by the disk formatting software. Eight-inch floppies typically came low-level formatted and were filled with a format filler value of 0xE5.[15] Since the 1990s, most 5.25-inch and 3.5-inch floppies have been shipped pre-formatted from the factory as DOS FAT12 floppies.

In current IBM mainframe operating systems derived from OS/360 and DOS/360, such as z/OS and z/VSE, formatting of drives is done by the INIT command of the ICKDSF utility.[27] These OSs support only a single partition per device, called a volume. The ICKDSF functions include writing a Record 0 on every track, writing IPL text, creating a volume label, creating a Volume Table of Contents (VTOC) and, optionally, creating a VTOC index (VTOCIX); high level formatting may also be done as part of allocating a file, by a utility specific to a file system or, in some older access methods, on the fly as new data are written. In z/OS Unix System Services, there are three distinct levels of high-level formatting:

In IBM operating systems derived from CP-67, formatting a volume initializes track 0 and a dummy VTOC. Guest operating systems are responsible for formatting minidisks; the CMS FORMAT command formats a CMS file system on a CMS minidisk.

Host protected area

See main article: Host protected area.

The host protected area, sometimes referred to as hidden protected area, is an area of a hard drive that is high-level formatted such that the area is not normally visible to its operating system (OS).

Reformatting

Reformatting is a high-level formatting performed on a functioning disk drive to free the medium of its contents. Reformatting is unique to each operating system because what actually is done to existing data varies by OS. The most important aspect of the process is that it frees disk space for use by other data. To actually "erase" everything requires overwriting each block of data on the medium; something that is not done by many high-level formatting utilities.

Reformatting often carries the implication that the operating system and all other software will be reinstalled after the format is complete. Rather than fixing an installation suffering from malfunction or security compromise, it may be necessary to simply reformat everything and start from scratch. Various colloquialisms exist for this process, such as "wipe and reload", "nuke and pave", "reimage", etc. However, reformatting a drive containing only user data does not require reinstallation of the OS.

Formatting

DOS, OS/2 and Windows

format command: Under MS-DOS, PC DOS, OS/2 and Microsoft Windows, disk formatting can be performed by the [[format (command)|format]] command. The format program usually asks for confirmation beforehand to prevent accidental removal of data, but some versions of DOS have an undocumented /AUTOTEST option; if used, the usual confirmation is skipped and the format begins right away. The WM/FormatC macro virus uses this command to format drive C: as soon as a document is opened.

Unconditional format: There is also the /U parameter that performs an unconditional format which under most circumstances overwrites the entire partition,[28] preventing the recovery of data through software. Note however that the /U switch only works reliably with floppy diskettes (see image to the right). Technically because unless /Q is used, floppies are always low level formatted in addition to high-level formatted. Under certain circumstances with hard drive partitions, however, the /U switch merely prevents the creation of [[unformat (command)|unformat]] information in the partition to be formatted while otherwise leaving the partition's contents entirely intact (still on disk but marked deleted). In such cases, the user's data remain ripe for recovery with specialist tools such as EnCase or disk editors. Reliance upon /U for secure overwriting of hard drive partitions is therefore inadvisable, and purpose-built tools such as DBAN should be considered instead.

Overwriting: In Windows Vista and upwards the non-quick format will overwrite as it goes. Not the case in Windows XP and below.[29]

OS/2: Under OS/2, format will overwrite the entire partition or logical drive if the /L parameter is used, which specifies a long format. Doing so enhances the ability of CHKDSK to recover files.

Unix-like operating systems

High-level formatting of disks on these systems is traditionally done using the [[mkfs]] command. On Linux (and potentially other systems as well) mkfs is typically a wrapper around filesystem-specific commands which have the name mkfs''.fsname'', where fsname is the name of the filesystem with which to format the disk.[30] Some filesystems which are not supported by certain implementations of mkfs have their own manipulation tools; for example Ntfsprogs provides a format utility for the NTFS filesystem.

Some Unix and Unix-like operating systems have higher-level formatting tools, usually for the purpose of making disk formatting easier and/or allowing the user to partition the disk with the same tool. Examples include GNU Parted (and its various GUI frontends such as GParted and the KDE Partition Manager) and the Disk Utility application on Mac OS X.

Recovery of data from a formatted disk

As in file deletion by the operating system, data on a disk are not fully erased during every high-level format. Instead, the area on the disk containing the data is merely marked as available, and retains the old data until it is overwritten. If the disk is formatted with a different file system than the one which previously existed on the partition, some data may be overwritten that wouldn't be if the same file system had been used. However, under some file systems (e.g., NTFS, but not FAT), the file indices (such as $MFTs under NTFS, inodes under ext2/3, etc.) may not be written to the same exact locations. And if the partition size is increased, even FAT file systems will overwrite more data at the beginning of that new partition.

From the perspective of preventing the recovery of sensitive data through recovery tools, the data must be completely overwritten (every sector), either by a separate tool, or during formatting. Data are destroyed in DOS, OS/2, and Windows when the /L (long) option is used on format and always for a Partitioned Data Set (PDS) in MVS and for newer file systems on IBM mainframes.

See main article: data erasure. It is disputed whether one pass of zero-fill is enough to destroy sensitive data on older (until 1990s) magnetic storage: Gutmann (known for his 35-pass Gutmann method) claims that magnetic force microscopy may be able to "see" old bits on a floppy,[31] but the sources he cited does not prove such. Random fill is believed to be stronger than a fixed pattern fill.[32] One pass of zero fill is sufficient to prevent data remanence, according to NIST (2014) and Wright et al (2008).[33] [34] The Secure Erase option built into hard drives is considered trustworthy,[35] [36] with the caveat that early solid state drives are known to mis-implement the function.[37]

Degaussing is effective without controversy; however, this may render the drive unusable.

See also

External links

Notes and References

  1. Book: Modern Operating Systems . 2nd . Tanenbaum . Andrew . Andrew S. Tanenbaum . 2001 . Prentice Hall . section 3.4.2, Disk Formatting . 0130313580 . registration .
  2. Web site: Disk Devices and Partitions. 7 January 2021. Microsoft Docs.
  3. E.g., AMASPZAP in MVS
  4. Web site: How to recover lost files after you accidentally wipe your hard drive . Hermans . Sherman . 28 August 2006 . Linux.com . 28 November 2019.
  5. Web site: The Urban Legend of Multipass Hard Disk Overwrite and DoD 5220-22-M . Smithson . Brian . 29 August 2011 . Infosec Island . 22 November 2012 . 5 October 2018 . https://web.archive.org/web/20181005045747/http://www.infosecisland.com/blogview/16130-The-Urban-Legend-of-Multipass-Hard-Disk-Overwrite.html . dead.
  6. Web site: IBM 1301 disk storage unit . 23 January 2003 . . 2010-06-24.
  7. Web site: IBM 3390 direct access storage device . 23 January 2003 . IBM.
  8. "The LBAs on a logical unit shall begin with zero and shall be contiguous up to the last logical block on the logical unit"., Information technology — Serial Attached SCSI - 2 (SAS-2), INCITS 457 Draft 2, May 8, 2009, chapter 4.1 Direct-access block device type model overview.
  9. ISO/IEC 791D:1994, AT Attachment Interface for Disk Drives (ATA-1), section 7.1.2
  10. Web site: Western Digital's Advanced Format: The 4K Sector Transition Begins . Ryan . Smith . 2009-12-18 . Anandtech.
  11. Web site: Transition to Advanced Format 4K Sector Hard Drives . Seagate Technology.
  12. Each process may involve multiple steps, and steps of different processes may be interleaved.
  13. Web site: Fdutils.
  14. Web site: Definition of Distribution Media Format (DMF). Microsoft Knowledge Base. 2007-01-19. 2011-10-16. https://web.archive.org/web/20110914232540/http://support.microsoft.com/kb/120348. 2011-09-14. dead.
  15. Book: Andrew . Schulman . Ralf D. . Brown . Ralf D. Brown . David . Maxey . Raymond J. . Michels . Jim . Kyle . Undocumented DOS: A programmer's guide to reserved MS-DOS functions and data structures - expanded to include MS-DOS 6, Novell DOS and Windows 3.1 . . 2 . 1994 . November 1993 . 0-201-63287-X . (xviii+856+vi pages, 3.5"-floppy) Errata: https://web.archive.org/web/20190417215556/http://www.cs.cmu.edu/afs/cs/user/ralf/pub/books/UndocumentedDOS/errata.ud2https://web.archive.org/web/20190417212906/https://www.pcjs.org/pubs/pc/programming/Undocumented_DOS/#errata-2nd-edition
  16. This problem became common in PCs where users used RLL controllers with MFM drives; "MFM drives should not be used on RLL controllers.".
  17. http://support.microsoft.com/kb/60089 Using DEBUG to Start a Low-Level Format
  18. Web site: The NOSPIN Group, Inc.. Low level formatting an IDE hard drive. FreePCTech.com. https://web.archive.org/web/20120716043736/http://freepctech.com/pc/001/007.shtml. July 16, 2012. December 24, 2003.
  19. Web site: The PC Guide. Site Version: 2.2.0 - Version Date: April 17, 2001. Low-Level Format, Zero-Fill and Diagnostic Utilities. May 24, 2007. https://web.archive.org/web/20190103014814/http://www.pcguide.com/ref/hdd/geom/formatUtilities-c.html. January 3, 2019.
  20. http://www.seagate.com/docs/pdf/whitepaper/tp595_building_faster_more_flexible_infrastructure.pdf Seagate SAS drives
  21. Web site: INCITS 506-202x - Information technology - SCSI Block Commands - 4 (SBC-4) draft revision 22 . 22 May 2023 . 15 September 2020.
  22. Web site: Seagate Serial Talk OS/2 Museum .
  23. Web site: F3 Serial Port Diagnostics . older version available from
  24. Web site: BadBlockHowto – smartmontools . www.smartmontools.org.
  25. Web site: How to Securely Erase (Wipe) a Hard Drive for Free with DD. myfixlog.com. https://web.archive.org/web/20160418143615/http://www.myfixlog.com/fix.php?fid=58. April 18, 2016.
  26. http://www.globallinuxsecurity.pro/quickly-fill-a-disk-with-random-bits-without-dev-urandom/ Quickly fill a disk with random bits
  27. Web site: Device Support Facilities User's Guide and Reference . 2010-12-27 . 2021-12-09 . https://web.archive.org/web/20211209100904/http://publibz.boulder.ibm.com/epubs/pdf/ick4020f.pdf . dead .
  28. Web site: AXCEL216 / MDGx MS-DOS Undocumented + Hidden Secrets . 2008-06-07.
  29. Web site: MSKB941961: Change in the behavior of the format command in Windows Vista . . The format command behavior has changed in Windows Vista. By default in Windows Vista, the format command writes zeros to the whole disk when a full format is performed. In Windows XP and in earlier versions of the Windows operating system, the format command does not write zeros to the whole disk when a full format is performed. . 2009-02-23 . 2012-10-24 .
  30. Web site: mkfs(8) - Linux man page . 2010-04-25.
  31. Gutmann, Peter. (July 22–25, 1996) Secure Deletion of Data from Magnetic and Solid-State Memory. University of Auckland Department of Computer Science. Epilogue section.
  32. Web site: 2003. Can Intelligence Agencies Recover Overwritten Data?. Daniel Feenberg. 2007-12-10.
  33. Craig . Wright . Kleiman, Dave . Dave Kleiman . Shyaam, Sundhar R.S. . Information Systems Security ICISS 2008 . Overwriting Hard Drive Data: The Great Wiping Controversy . Lecture Notes in Computer Science . Springer Berlin / Heidelberg . 978-3-540-89861-0 . 10.1007/978-3-540-89862-7_21 . 243–257 . December 2008. 5352 .
  34. Special Publication 800-88 Rev. 1: Guidelines for Media Sanitization . . December 2014 . 10.6028/NIST.SP.800-88r1 . 2018-06-26. Kissel . Richard . Regenscheid . Andrew . Scholl . Matthew . Stine . Kevin . free .
  35. Web site: Secure Data Deletion. June 7, 2012. 9 December 2013.
  36. Web site: ATA Secure Erase (SE) and hdparm. Created: 2011.02.21, updated: 2013.04.02.
  37. FAST'11: Proceedings of the 9th USENIX conference on File and storage technologies. 2018-01-08. .