Zeroing out NTFS free space

Question

the zerofree command finds the unallocated, non-zeroed blocks in an ext2 or ext3 file-system and fills them with zeroes

A NTFS Windows machine, with a mechanical drive, was upgraded from 7 to 10. The drive is old and I suspect that much of the free space actually has data and not filled with zeros.

Is it possible (how?) to zero out the free space, so that when an image is created, the size is minimal?

Assume either a bootable USB configured with Ubuntu or SysRescueCD is available to process the HDD by mounting the NTFS partion with NTFS-3G if necessary

@NonnyMoose Very useful to 1) really disappear deleted file content 2) archive the ntfs partition in compressed form 3) also many VMs are using compressed virtual hard disk images — peterh, Jun 07 '20 at 22:42
Btw, I believe the best option is a dd if=/dev/zero of=/mount/path/bigtmp. This is also an fs-independent option. Although it might be not perfect, for example deleted directory entries might remain allocated, depending on how ntfs handles them. Doing a defrag and then this zero-file is probably close to be perfect. — peterh, Jun 07 '20 at 23:06
Even if the drive was new, the free space wouldn't be full of zeroes. — Weirdo, Jun 08 '20 at 00:04
@peterh-ReinstateMonica Oh wow, I didn't notice that OP said they wanted to create an image. Sorry, OP. — Nonny Moose, Jun 08 '20 at 15:38
Does this answer your question? How to fill a device with zeros, without overwriting the bytes that are already zeros? — Bernard Rosset, Jun 08 '20 at 16:45

Eduardo Trápani · Answer 1 · 2020-06-07T21:10:43.483

15

Depends on the tool you are using to create the image. Usually you don't need to zero it out.

For example ntfsclone (part of ntfs-3g) states this in the man page:

ntfsclone will efficiently clone (copy, save, backup, restore) or rescue an NTFS filesystem to a sparse file, image, device (partition) or standard output. It works at disk sector level and copies only the used data. Unused disk space becomes zero (cloning to sparse file), encoded with control codes (saving in special image format), left unchanged (cloning to a disk/partition) or filled with zeros (cloning to standard output).

So, the free space will be ignored and, if you are cloning to a file, converted to "holes" in the sparse result.

Other cloning software, such as Clonezilla will use ntfsclone by default to create the partition image.

edited Jun 07 '20 at 21:10

answered Jun 07 '20 at 04:16

Eduardo Trápani

12,834

That's not 100% accurate. Clonezilla will use ntfsclone or dd, depending on what you choose. – Ismael Miguel Jun 07 '20 at 18:12
I meant by default. Corrected. – Eduardo Trápani Jun 07 '20 at 21:12
Strictly speaking Clonezilla will use partclone.ntfs by default, but it will also make an efficient copy like ntfsclone would. – gronostaj Jun 08 '20 at 14:05

score 6 · Answer 2 · answered Jun 07 '20 at 16:03

6

You could use dd for Windows.

dd if=/dev/zero of=EMPTY bs=128k
del EMPTY

Should do the trick.

answered Jun 07 '20 at 16:03

Artem S. Tashkinov

29,025

score 2 · Answer 3 · answered May 23 '21 at 09:16

I BELIEVE this command does what you described zerofree does (namely zeroes out unused blocks/clusters that are NOT already 0) but I have not checked the code / contacted the dev to be sure.

Here is a forum post about suggested changes which I presume were implemented if you want to follow up with the dev : https://forum.tuxera.com/viewtopic.php?f=2&t=30812&view=next

The tool is called ntfswipe and is a part of ntfs-3g, however it needs to be properly configured to get your (and mine) desired result.

I think the following command is correct; i.e. will skip unallocated clusters that are already 0 and otherwise only overwrite unallocated clusters with 0 (by default ntfswipe uses random/list bytes, for "wiping" purposes).

sudo ntfswipe -U -b 0 -v /dev/sdx#

Where sdx# is replaced with the ntfs partition you want to process.

score 1 · Answer 4 · answered Jun 08 '20 at 11:52

You wrote "Assume USB/CD is available" but can you log into the upgraded Windows system, too?

For my Windows VM, from time to time I use Mark Russinovic's sdelete from the sysinternals suite.

In an admin-CMD enter the following

sdelete -z C:

According to documentation, this will

-z Zero free space (good for virtual disk optimization).

Alternatively, use

-c Clean free space.

instead.

Running this after a cleanmgr run in the WindowsVM, the VM-image can be compacted by several GBs.

Bernard Rosset · Answer 5 · 2020-06-08T16:30:30.180

[EDIT] Since secure erasing is not part of the problem here, this question might actually be a duplicate, the answer of which suggests ddrescue, another great tool, handling potentially failing disks.

Paul gave a good solution on Windows (SDelete from sysinternals/Microsoft).

However, since this question has been posted in "Unix & Linux", I suppose a tool working in those environments is being seeked for.

I would then suggest sfill from the secure-delete Debian package, using:

-l to reduce passes to 2 (one 0xff + the last one)
-z to replace the last random pass with a zeroing one

score 0 · Answer 6 · answered Jun 08 '20 at 06:31

0

Assuming you have enough space to temporarily create a full-size image, you could then mount the resulting image using losetup and/or mount -o loop, then run the fstrim tool against the mountpoint.

On modern kernels, when the filesystem is backed by a loop-device, fstrim will make the image file sparse – the empty areas will immediately stop occupying space and will return zeros when read.

This works for NTFS given a recent ntfs-3g version. It also works for any other filesystem that the kernel has discard support for.

answered Jun 08 '20 at 06:31

u1686_grawity

5,858

1

fstrim does not wipe out the data. It simply marks it as not there. It's already marked as 'not there' but OP wants it overwritten with zeros. – abligh Jun 08 '20 at 07:13
1

It's currently marked as 'not there' at filesystem level – fstrim reads that information and marks it as 'not there' at the underlying block device level. For SSDs, that translates into a "TRIM" command – but for image files, that translates into a hole within the image. (Linux supports punching holes in an existing file, turning a non-sparse file into sparse.) The result is that the image file will very quickly have those unused areas replaced with zeros. – u1686_grawity Jun 08 '20 at 08:06

score 0 · Answer 7 · answered Sep 19 '22 at 22:17

0

I am using that script:

#!/usr/bin/env bash
f="./zeros.tmp"
sync
df -HB MiB .
pv /dev/zero >> "$f"
sync
pv /dev/zero >> "$f"
sync
df -HB 1 .
echo -n cleaning...
rm "$f"
echo ok
sync
df -HB MiB .

answered Sep 19 '22 at 22:17

pbies

464

Zeroing out NTFS free space

7 Answers7