Introduction
Deleting data is a very important activity in day-to-day life, especially if we have some sensitive information there. We frequently take deletion for granted, not paying enough attention, or are simply lazy. F***, at times I don’t even know what’s where. An enormous amount of projects and endeavours, TBs of stored data on multiple drives, servers or flash sticks. I’m trying to counteract that by not holding any sensitive data (especially personal), or by encrypting it immediately, just in case it gets into the wrong hands. Encryption should make access somewhat difficult, if not impossible. Deletion is not enough. Formatting is not enough. The only proper way to Remove Data Permanently is to physically destroy the drive (drill, fire and other creative ways).
Here we won’t go that far. We’ll keep the drive, but we’ll make life a bit harder for the data forensics guys.
Point is, be careful if you’re selling or giving away your drives. There are numerous ways to recover data from “clean” drives, from simple recovery tools to highly scientific measurements and techniques (differences in magnetic fields, combined with knowledge of the firmware algorithm). For instance, Magnetic Force Microscopy (MFM) allows any moderately funded person to recover the last two or three layers of data written to disk. Data recovery might be easier than many people would like to believe.
A Few Windows Options
To simply overwrite the free space of a volume, open an administrative Command Prompt and type (the /w: argument is any directory on the volume you want to clean):
C:\> cipher /w:<DRIVE_LETTER>:\
This will overwrite free space in three passes:
- First with all zeros (0x00)
- Second with all 255s (0xFF)
- Finally with random numbers
Another option is to use SDelete:
C:\> SDelete -c <DRIVE_LETTER>:
Tool Options (Linux)
There are numerous tools at our disposal to Remove Data Permanently. We’ll cover some of them. As a “guinea pig” I’ll use an antique 13GB Fujitsu HDD from 1999 (dug out of the basement, corroded but still kicking):
root@HelionPrime:/media/unknown# lsblk -l
NAME MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sdc    8:32  0 12,7G  0 disk
sdc1   8:33  0 12,6G  0 part /media/unknown/5CA0AEAFA0AE8F58
Shred (Favorite)
Overwrites a file to hide its contents, and optionally deletes it.
Options:
- -f / --force
  - change permissions to allow writing if necessary
- -n / --iterations=N
  - overwrite N times instead of the default (3)
- --random-source=FILE
  - get random bytes from FILE
- -s / --size=N
  - shred this many bytes (suffixes like K, M, G accepted)
- -u / --remove=HOW
  - truncate and remove file after overwriting
- -v / --verbose
  - show progress
- -x / --exact
  - do not round file sizes up to the next full block; this is the default for non-regular files
- -z / --zero
  - add a final overwrite with zeros to hide shredding
- --help
- --version
Remove single file with 5 iterations:
# time shred -zvu -n 5 OllyDbg/OLLYDBG.EXE
shred: OllyDbg/OLLYDBG.EXE: pass 1/6 (random)...
shred: OllyDbg/OLLYDBG.EXE: pass 2/6 (000000)...
shred: OllyDbg/OLLYDBG.EXE: pass 3/6 (random)...
shred: OllyDbg/OLLYDBG.EXE: pass 4/6 (ffffff)...
shred: OllyDbg/OLLYDBG.EXE: pass 5/6 (random)...
shred: OllyDbg/OLLYDBG.EXE: pass 6/6 (000000)...
shred: OllyDbg/OLLYDBG.EXE: removing
shred: OllyDbg/OLLYDBG.EXE: renamed to OllyDbg/00000000000
shred: OllyDbg/OLLYDBG.EXE: removed
real 0m0,682s
To shred an entire partition/volume, just specify it:
# time shred -vzn 3 /dev/sdc1
shred: /dev/sdc1: pass 1/4 (random)...
shred: /dev/sdc1: pass 1/4 (random)...84MiB/13GiB 0%
shred: /dev/sdc1: pass 1/4 (random)...183MiB/13GiB 1%
shred: /dev/sdc1: pass 1/4 (random)...282MiB/13GiB 2%
...
shred: /dev/sdc1: pass 2/4 (random)...11GiB/13GiB 87%
shred: /dev/sdc1: pass 2/4 (random)...12GiB/13GiB 94%
shred: /dev/sdc1: pass 2/4 (random)...13GiB/13GiB 100%
shred: /dev/sdc1: pass 3/4 (random)...
shred: /dev/sdc1: pass 3/4 (random)...70MiB/13GiB 0%
shred: /dev/sdc1: pass 3/4 (random)...169MiB/13GiB 1%
...
shred: /dev/sdc1: pass 4/4 (000000)...11GiB/13GiB 87%
shred: /dev/sdc1: pass 4/4 (000000)...12GiB/13GiB 94%
shred: /dev/sdc1: pass 4/4 (000000)...13GiB/13GiB 100%
real 49m45,951s
A very basic example of cleaning a 16GB SD card using “shred”, with “photorec” used to test data recovery afterwards (note that the later -n 1 overrides -n 2, so shred does one random pass plus the final zero pass, as the output shows). Recovery before:
$ shred -vzn 2 -n 1 /dev/sdg
shred: /dev/sdg: pass 1/2 (random)...
shred: /dev/sdg: pass 1/2 (random)...41MiB/15GiB 0%
shred: /dev/sdg: pass 1/2 (random)...98MiB/15GiB 0%
shred: /dev/sdg: pass 1/2 (random)...162MiB/15GiB 1%
shred: /dev/sdg: pass 1/2 (random)...225MiB/15GiB 1%
shred: /dev/sdg: pass 1/2 (random)...288MiB/15GiB 1%
shred: /dev/sdg: pass 1/2 (random)...351MiB/15GiB 2%
...
shred: /dev/sdg: pass 2/2 (000000)...10GiB/15GiB 67%
shred: /dev/sdg: pass 2/2 (000000)...11GiB/15GiB 73%
shred: /dev/sdg: pass 2/2 (000000)...12GiB/15GiB 80%
shred: /dev/sdg: pass 2/2 (000000)...13GiB/15GiB 87%
shred: /dev/sdg: pass 2/2 (000000)...14GiB/15GiB 93%
shred: /dev/sdg: pass 2/2 (000000)...15GiB/15GiB 100%
real 41m3,660s
user 0m26,195s
sys 0m32,538s
Recovery after:
Wipe
A tool for securely erasing files from magnetic media. It repeatedly writes special patterns to the files to be destroyed, using the fsync() call and/or the O_SYNC bit to force disk access. In normal mode, 34 patterns are used (of which 8 are random). A quick mode allows you to use only 4 passes with random patterns, which is of course much less secure.
Debian
# sudo apt-get install wipe
RedHat
# sudo yum install wipe
Flags:
- -r (recurse into subdirectories)
  - Allows the removal of an entire directory tree. Symbolic links are not followed.
- -f (force; disable confirmation query)
  - By default wipe will ask for confirmation. You can disable the confirmation query with the -f (force) option.
- -i (informational, verbose mode)
  - Enables reporting to stdout. By default all data is written to stderr.
- -q (quick wipe)
  - If this option is used, wipe will only make (by default) 4 passes on each file, writing random data. See option -Q.
- -Q N
  - Sets the number of passes (N) for quick wiping. Default is 4. This option requires -q.
Check man page for more details.
To remove everything under the directory (in this case OllyDbg, remove all proofs):
# wipe -rfi OllyDbg/*
Relative to the directory size (3.7 MB), it’s rather slow. Probably due to the number of passes and/or the HDD speed (an old girl).
Secure-delete: Toolkit for Linux
A collection of secure file deletion tools. Some of them are:
- srm – Used to delete files and directories from your disk
- sfill – Wipes all data from free space on your disk. This makes sure there are no more recoverable files on the disk.
- sswap – Wipes all data from a swap partition
Before we continue, install:
Debian:
# sudo apt-get install secure-delete
RedHat:
# sudo yum install secure-delete
SRM (Secure Remove)
Similar to rm, srm removes files and directories, but it first overwrites the file(s) multiple times with random data, renames the file(s) multiple times and then finally deletes them. As specified in the man page, srm’s steps are:
- 1 pass with 0xff
- 5 random passes. /dev/urandom is used for a secure RNG if available
- 27 passes with special values defined by Peter Gutmann
- 5 random passes. /dev/urandom is used for a secure RNG if available
- Rename the file to a random value
- Truncate the file
Example, simple file deletion (1.1 MB deleted in 1 min 7 sec):
# srm OLLYDBG.EXE
Directory deletion (3.7 MB):
# time srm OllyDbg/*
real 3m50,960s
Options:
- -d : ignore the two dot special files “.” and “..”
- -f : fast (and insecure mode): no /dev/urandom, no synchronize mode
- -l : lessens the security (use twice for total insecure mode)
- -r : recursive mode, deletes all subdirectories
- -v : verbose mode
- -z : last wipe writes zeros instead of random data
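To make the pass schedules above concrete, here is an added example (not code from this post, nor from shred, srm or cipher): a small POSIX-shell overwriter built on dd that runs any sequence of 0x00, 0xFF or random passes over an ordinary file in place and then checks what is left on disk. It goes beyond the page’s individual examples by covering, in one function, the schedules of cipher /w (00, FF, random), shred -n N -z (N random passes plus a zero pass) and srm’s opening 0xff pass and closing zero pass (-z); the 27 Gutmann patterns are deliberately not included. The function names, the temporary file and the SECRET-TOKEN marker are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post or from shred/srm/cipher.
# Assumes POSIX sh plus dd, head, tr, grep, od, sort, sed, wc, mktemp and
# /dev/urandom, /dev/zero. Pattern names: "random", or a hex byte such as 00, ff.

# pattern_stream PATTERN SIZE : emit SIZE bytes of the pattern on stdout.
pattern_stream() {
    case "$1" in
        random) head -c "$2" /dev/urandom ;;
        00)     head -c "$2" /dev/zero ;;
        *)      head -c "$2" /dev/zero | tr '\000' "\\$(printf '%03o' "0x$1")" ;;
    esac
}

# overwrite_in_place FILE PATTERN : one pass. conv=notrunc keeps the length, so the
# blocks the file already occupies are rewritten instead of the file being
# truncated and re-grown somewhere else on the disk.
overwrite_in_place() {
    size=$(wc -c < "$1" | tr -d ' ')
    pattern_stream "$2" "$size" | dd of="$1" conv=notrunc 2>/dev/null
    sync
}

# wipe_file FILE PATTERN... : run the schedule in order, e.g.
#   wipe_file f 00 ff random                  # the cipher /w schedule
#   wipe_file f random random random 00       # shred -n 3 -z
#   wipe_file f ff random random random random random 00   # srm's first and last passes (-z)
wipe_file() {
    f="$1"; shift
    for p in "$@"; do overwrite_in_place "$f" "$p"; done
}

# count_marker FILE STRING : lines of FILE still containing STRING (0 after a wipe).
# This is the "can I still find it?" check, the same idea as running photorec.
count_marker() { grep -a -c -- "$2" "$1" || true; }

# distinct_bytes FILE : sorted list of the distinct byte values present, so "00"
# after a zero pass, "ff" after an 0xff pass, many values after a random pass.
distinct_bytes() {
    od -An -v -tx1 "$1" | tr -s ' ' '\n' | grep -v '^$' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Demo on a constructed file: plant a marker, run the srm-style opening pass, a
# random pass and a final zero pass, then show the marker is gone and only 0x00 remains.
demo() {
    t=$(mktemp)
    printf 'SECRET-TOKEN-constructed-sample\n' > "$t"
    echo "before: marker lines=$(count_marker "$t" SECRET-TOKEN) distinct byte values=$(distinct_bytes "$t" | wc -w | tr -d ' ')"
    wipe_file "$t" ff random 00
    echo "after : marker lines=$(count_marker "$t" SECRET-TOKEN) distinct byte values=$(distinct_bytes "$t")"
    rm -f "$t"
}
demo
```

distinct_bytes shows which pass pattern is actually on the blocks now, which is what the last pass of shred -z or srm -z is meant to hide. Like shred itself, this only helps when the filesystem really rewrites the file’s blocks in place; on journaling, copy-on-write or SSD-backed storage the old blocks may survive elsewhere, which is why the post moves on to whole-device and ATA-level methods.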
sfill – Secure Free Disk/Inode Space Wiper
This tool checks the selected partition for space marked as free/available, and then fills it up with random data. Like srm, it performs 38 writes by default:
- 1 pass with 0xff
- 5 random passes. /dev/urandom is used for a secure RNG if available.
- 27 passes with special values defined by Peter Gutmann.
- 5 random passes. /dev/urandom is used for a secure RNG if available.
Afterwards, as many temporary files as possible are generated to wipe the free inode space. After no more temporary files can be created, they are removed and sfill is finished.
Example: simply specifying a directory that resides on a partition will clean the free space on it:
# sfill /home
or
# sfill /home/unknown
Useful when you’re giving away your computer, but don’t want to re-install the OS.
sswap – Secure Swap Wiper
It wipes your swap partitions. The swap stores data of currently executing processes when RAM gets full, so it can potentially hold very sensitive data and info. Before running sswap, the swap partition must be disabled. Process and parameters are similar to sfill. Check the man page.
# cat /proc/swaps
Filename    Type       Size     Used     Priority
/dev/sdc2   partition  2097148  2092540  -1
/dev/sda2   partition  2097148  2089012  -2
# swapoff /dev/sdc2
# sswap /dev/sdc2
sdmem – Secure Memory Wiper
It securely removes data present in your memory (RAM), so that it cannot be recovered by thieves, law enforcement or other threats. With modern SDRAM, data does not wither away immediately but is kept static, so it’s easy to extract the necessary information. The wipe algorithm is based on the paper “Secure Deletion of Data from Magnetic and Solid-State Memory” presented at the 6th Usenix Security Symposium by Peter Gutmann. Simply run it:
# sdmem
Options:
- -f fast (and insecure mode): no /dev/urandom
- -l lessens the security. Only two passes are written: the first with 0x00 and a final random one
- -l -l a second time lessens the security even more: only one pass with 0x00 is written
- -v verbose mode
Additional Info (alternatives and SSD)
I’ve seen a couple of places where people mention dd as a good way to wipe the HDD. Write it with zero values (replace X with your volume letter):
# dd if=/dev/zero of=/dev/sdX bs=512
or write random patterns:
# dd if=/dev/random of=/dev/sdX bs=512
Using a smaller block size (down to bs=4) will write slightly more random data, but will take longer.
The tools above might not be good/ideal for SSDs, for multiple reasons:
- Writing to flash-based memory (especially multiple times) is not healthy for the memory itself. You don’t want to dd your SSD on a daily basis, but a few times per year is not a big deal.
- Commercial SSDs usually come with additional replacement cells. Initially they’re not used by the drive, but when cells start to wear out, damaged cells are replaced with those in the reserve. That can lead to the SSD controller unmapping such damaged cells (possibly containing sensitive information) and making them inaccessible to low-level tools.
The available options: destroy it, or rely on the manufacturer’s ATA_SECURE_ERASE command implementation, issued through the hdparm command’s --security-erase option (see man hdparm):
# hdparm --user-master u --security-erase p /dev/sdX
Another “newbie” method I’ve seen for wiping free space is to fill it with “random” values:
# yes "pattern" > /path/on/the/volume/huge_file
You can get drive info with:
# smartctl -a /dev/sdX
# hdparm -I /dev/sdX
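Before running the hdparm erase above, a practitioner wants to know whether the drive will even accept it. The following is an added example, not code from this post or from hdparm: it reads the Security section of hdparm -I output (the drive-info command shown just above), reports the drive’s security state, and only then issues the set-pass and erase sequence. The post shows only the --security-erase step; the --security-set-pass step that sets the temporary password “p” is a real hdparm option that the erase command assumes has already been run. sample_hdparm_output is a constructed stand-in for real hdparm -I output, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post or from hdparm.
# Assumes POSIX sh, awk, grep, printf, and hdparm for the real erase path.

# security_section : stdin is "hdparm -I" output; prints only the indented lines
# under the "Security:" heading (the section ends at the next unindented heading).
security_section() {
    awk '/^Security:/ {s=1; next} s && /^[^ \t]/ {exit} s {print}'
}

# sec_has SECTION WORD : true if SECTION has a line that is exactly WORD after
# leading whitespace. hdparm prints "\tnot\tfrozen" when a flag is off and
# "\t\tfrozen" when it is on, so the "not" variant does not match.
sec_has() { printf '%s\n' "$1" | grep -q "^[[:space:]]*$2\$"; }

# security_state : stdin is "hdparm -I" output; prints one word:
#   not-supported  the drive has no ATA security feature set at all
#   frozen         BIOS/firmware froze security; the erase is rejected until a power cycle
#   locked         a password is set and the drive is locked
#   enabled        a password is already set; the erase must use that one, not a new "p"
#   ready          supported and not enabled/locked/frozen: set-pass + erase will work
security_state() {
    sec=$(security_section)
    if   ! sec_has "$sec" supported; then echo not-supported
    elif   sec_has "$sec" frozen;    then echo frozen
    elif   sec_has "$sec" locked;    then echo locked
    elif   sec_has "$sec" enabled;   then echo enabled
    else                                  echo ready
    fi
}

# enhanced_erase_supported : stdin is "hdparm -I" output; prints yes or no.
# Enhanced erase also covers sectors the controller has reallocated, which the
# post notes low-level overwrite tools cannot reach on an SSD.
enhanced_erase_supported() {
    if security_section | grep -q 'supported: enhanced erase'; then echo yes; else echo no; fi
}

# ata_secure_erase DEV : the post's hdparm erase with the set-pass step in front
# and the state check as a guard. A completed erase disables security again, so
# the temporary password "p" does not outlive the command.
# This destroys everything on DEV; it is not invoked by the demo below.
ata_secure_erase() {
    dev="$1"
    state=$(hdparm -I "$dev" | security_state)
    if [ "$state" != ready ]; then
        echo "refusing: $dev security state is '$state'" >&2
        return 1
    fi
    hdparm --user-master u --security-set-pass p "$dev" &&
    hdparm --user-master u --security-erase p "$dev"
}

# Constructed sample of the Security block that hdparm -I prints; pass "frozen"
# to get the line layout a BIOS-frozen drive shows instead.
sample_hdparm_output() {
    if [ "${1:-}" = frozen ]; then fz='\t\tfrozen'; else fz='\tnot\tfrozen'; fi
    printf 'Security:\n\tMaster password revision code = 65534\n\t\tsupported\n'
    printf '\tnot\tenabled\n\tnot\tlocked\n'
    printf "${fz}\n"
    printf '\tnot\texpired: security count\n\t\tsupported: enhanced erase\n'
    printf '\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.\n'
    printf 'Checksum: correct\n'
}

echo "constructed sample: state=$(sample_hdparm_output | security_state) enhanced=$(sample_hdparm_output | enhanced_erase_supported)"
echo "constructed frozen sample: state=$(sample_hdparm_output frozen | security_state)"
```

On a real machine you would pipe `hdparm -I /dev/sdX | security_state` first; a result of frozen is the usual reason the erase command in the post fails silently, and enabled means a password already exists and the “p” in the post’s command must be replaced with it.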
Things to work on:
- Check Gutmann method
- Check Crypto-Shredding