Lightweight USB storage wipe utility for Linux, provides NIST & DoD level wipe functionality
WipeZero quickly wipes any remenants of data from a USB storage device. You can select the level of data wipe to be performed using a pre-built profile, or you can set custom data wipe parameters.
The utility will create you a NIST data wipe report, and a cryptographically signed with hardware hash signature report if you so desire.
WipeZero was designed and developed on Ubuntu 25.10 Linux because that was my need at the time. I did add code for Mac & Windows platforms but I will admit it has not been thouroughly tested (other then on Ubuntu).
To install on Ubuntu Linux:
[bash shell]:
$ # clone the git repository
$ git clone https://github.com/OGMemDC/wipezero.git
$ cd wipezero
$ # run setup to install dependencies
$ bash ./setup.sh
$ # resolve any dependancy issues...
$ bash ./install.sh
To install on other operating systems: write your own installer, I have not got to it yet ;-)
WipeZero uses a CLI interface and long style command line parameters. The most important of which is --force. Due to the nature of the utility and the risk of data loss, the default operating mode is always a dry run unless the --force flag is used.
usage: wipezero [-h] [--force] [--profile {nist-clear,nist-purge,dod-short,dod custom}] [--passes PASSES] [--progress] [--gui] [--list] [--crypto-erase] [--secure-erase]
[--auto] [--verify] [--report] [--report-dir REPORT_DIR] [--pdf-report] [--hash-verify] [--gui-report] [--detect-fake-usb] [--forensic-verify] [path]Advanced, cross-platform, multi-profile disk wipe utility for removable USB storage devices. Includes multiple reporting options and additional features such as listing removable USB storage devices and detecting fake removable USB storage devices.
Author: BlackHatOG Email: bitbltog@proton.me Date: December 2025
positional arguments: path - Path to the USB storage device/directory/block/etc to be wiped
options: -h, --help - show this help message and exit --force - without this flag specified nothing gets deleted or wiped, just a dry-run --profile - {nist-clear,nist-purge,dod-short,dod,custom} specify the wipe profile or a custom profile (default: nist-clear) --passes PASSES - if you do not select a wipe profile then you can specify the number of wipe passes manually (default: 1) --progress - display a progress bar with progress updates --gui - display a message box that confirms delete --list - display a list of automatically detected USB storage devices --crypto-erase - Attempt hardware cryptographic erase (if supported) --secure-erase - Attempt controller secure erase (if supported) --auto - Automatically select safest erase method per device --verify - Perform post-erase verification pass --report - Generate NIST compliance report --report-dir REPORT_DIR - Directory for reports (default: cwd) --pdf-report - Generate a X.509 signed PDF report with hardware identification hashes --hash-verify - Generate a unique hashcode and embed it in the report as part of the signature payload --gui-report - display a gui report reader at the end --detect-fake-usb - examine and display warning messages about suspect USB storage devices --forensic-verify - forensic evidence level verification and reporting
WipeZero "wipes" fragments of old data by filling the storage device with new data until the storage device is full, effectively overwriting whatever remenants are left on the device. Then deletes the data that was written to the device so that it is empty again.
Each time that the storage device is filled to capacity and deleted is called a "pass".
The data that is written to the device is called "fill character", it is common to use the character 1 (one) or 0 (zero), or to just use random data.
The following table outlines how each profile wipes the storage device by defining the number of passes and what fill character is used in each pass. Each profile has a different number of passes that are performed, and will contains different combinations of fill characters that are used on each pass.
| PROFILE | Pass:1 | Pass:2 | Pass:3 | Pass:4 | Pass:5 | Pass:6 | Pass:7 |
|---|---|---|---|---|---|---|---|
| nist-clear | zero | ||||||
| nist-purge | zero | random | |||||
| dod-short | zero | one | random | ||||
| dod | zero | one | random | zero | one | random | zero |
| custom |
examples:
The following will wipe the device at /dev/dm-0 using the nist-clear
profile and produce a NIST approved report:
sudo wipezero --profile nist-clear --force --report --report-dir ~/wipezero/out/report.pdf /dev/dm-0
To wipe a USB storage device to DoD standards:
sudo wipezero --profile dod --force --report --report-dir ~/wipezero/out/report.pdf /dev/dm-0
The custom wipe setting is for when you want to perform a wipe that is not satisfied by one of the pre-built profiles.
A custom wipe uses the command line arguments --profile custom and --passes, when you perform a custom wipe WipeZero will use zero (0) as the fill character.
examples:
The following will wipe the device at /dev/dm-0 6 times and produce a NIST approved report:
sudo wipezero --profile custom --passes 6 --report --report-dir ~/wipezero/out/report.pdf /dev/dm-0
TODO: Write this section
TODO: Write this section
TODO: Write this section
TODO: Write this section
TODO: Write this section
TODO: Write this section
TODO: Write this section
TODO: Write this section
TODO: Write this section
TODO: Write this section
TODO: Write this section