![[1+1=2]](http://www.oneandoneis2.org/Pix/1+1=2.png)
OneAndOneIs2
| « Coding a random filesystem diagram | Yay! Kill the spam-bots! » |
Thu, Jan 04, 2007
![[Icon]](rsc/img/chain_link.gif)
![[Icon]](http://www.oneandoneis2.org/favicon.ico)
Why deleting just isn't enough
Every few months, a slow news day leads to somebody, somewhere, buying an old PC, hard drive, or flash memory card off ebay, and then writing a story about how they were able to restore all the files that the previous owner had tried to erase prior to selling.
If you want to sell hardware and you're not sure how some people can recover data from supposedly-erased hard drives, this article is for you.
I'm going to use this diagram to explain the whole thing: It represents data stored on a PC filesystem, such as a hard drive or Flash memory such as you get in digital cameras. It's hugely reduced in size (even a floppy disk would be more than 2000 times bigger than this!) to simplify the explanations, but it's good enough to illustrate the principles:
a b c d e f g h i j k l m n o p q r s t u v w x y z a 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 b 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 c 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 d 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 e 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 f 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 g 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 h 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 i 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 j 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 k 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 l 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 m 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 n 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 o 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 p 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 q 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 r 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 s 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 t 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 u 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 v 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 w 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 y 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 z 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
It's currently a totally blank disk. Each zero represents one byte of data.
Now, no working disk drive looks like this, even when it's empty. The first thing that a disk has is a partition table. Most Windows PCs only have one partition, very slightly smaller than the capacity of the hard drive. But you can have up to four partitions on a normal disk drive (or even more, depending on your operating system.)
So we partition our disk drive, and now the computer knows where it can store data:
a b c d e f g h i j k l m n o p q r s t u v w x y z a p a r t i t i o n 1 = b a - z z 0 0 0 0 0 0 0 0 0 0 b 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 c 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 d 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 e 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 f 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 g 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 h 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 i 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 j 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 k 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 l 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 m 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 n 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 o 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 p 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 q 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 r 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 s 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 t 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 u 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 v 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 w 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 y 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 z 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
We've defined a single partition that occupies the disk from the start of the second row (ba) to the end of the last row (zz). We can't start storing data before 'ba', because hard drives devote a certain amount of space to partition tables, and in our case, it's the whole of the first row.
Next, we need to format our partition - in Windows, that means either NTFS or FAT. Other OSes use other filesystems. We're going to use an imaginary one to keep things simple. (To save space, I'm not going to show all the empty lines in the following diagrams)
a b c d e f g h i j k l m n o p q r s t u v w x y z a p a r t i t i o n 1 = b a - z z 0 0 0 0 0 0 0 0 0 0 b f o r m a t = c a - z z 0 0 0 0 0 0 0 0 0 0 0 0 0 0 c 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 d 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 e 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 f 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
Again, we've devoted a complete row, this time to information about our formatted partition. However, the remaining 24 lines of space are now ready for writing. With this particular filesystem, the first row of the partition tells the computer where the files' contents are stored. We're going to add a file "credit.txt", a text file that holds our credit-card number.
a b c d e f g h i j k l m n o p q r s t u v w x y z a p a r t i t i o n 1 = b a - z z 0 0 0 0 0 0 0 0 0 0 b f o r m a t = c a - z z 0 0 0 0 0 0 0 0 0 0 0 0 0 0 c c r e d i t . t x t = d a - d s 0 0 0 0 0 0 0 0 0 0 d 1 2 3 4 - 3 2 1 2 - 3 4 5 6 - 5 4 3 2 0 0 0 0 0 0 0 e 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 f 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
The file and its location are now added (in green), and the contents (in orange) clearly visible from a simple scan of the disk.
Now this is where the problems start. We want to sell this drive, so we need to delete our credit card details from it. We delete the file, and this, we think, will delete the credit card details.
Right. . ?
Wrong. This is our filesystem after we delete the file:
a b c d e f g h i j k l m n o p q r s t u v w x y z a p a r t i t i o n 1 = b a - z z 0 0 0 0 0 0 0 0 0 0 b f o r m a t = c a - z z 0 0 0 0 0 0 0 0 0 0 0 0 0 0 c 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 d 1 2 3 4 - 3 2 1 2 - 3 4 5 6 - 5 4 3 2 0 0 0 0 0 0 0 e 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 f 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
The file's entry has been removed from row 'c' - The computer is presented with what it thinks is a blank disk. But the contents of the file are left untouched: Only row 'c' has been altered. The file has been logically deleted, because to the computer, the disk appears empty. But it has not been physically deleted: It's still there.
Perhaps, instead, we should have simply deleted the whole partition? Let's see what this would have achieved:
a b c d e f g h i j k l m n o p q r s t u v w x y z a 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 b f o r m a t = c a - z z 0 0 0 0 0 0 0 0 0 0 0 0 0 0 c c r e d i t . t x t = d a - d s 0 0 0 0 0 0 0 0 0 0 d 1 2 3 4 - 3 2 1 2 - 3 4 5 6 - 5 4 3 2 0 0 0 0 0 0 0 e 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 f 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
Oh dear, this is even worse! The partition is gone, but all the information about the formatted filesystem and its contents are still there. It's very easy, with the data we've got, to simply re-create the partition table and restore all files within it. This makes it even easier for our malicious buyer to grab our credit card details!
The problem, in a nutshell, is that deleting never actually deletes the information. At best, it removes references to the information while leaving the information itself untouched.
In order to delete a file safely, what we really need to do is get at the actual contents. At this point, my bias starts to show through, because I think Linux users are considerably better off than Windows users here: Linux usually comes with a tool that does this very thing. It's called shred. If you're a Windows user, either get hold of a Linux LiveCD such as Knoppix, or look up a Windows-specific secure deletion program on Google. I'm going to continue by talking about shred, but the principles are the same whatever you use.
Shred and its brethen simply over-write file contents with random data. As an example, let's see what would happen if we shred credit.txt
a b c d e f g h i j k l m n o p q r s t u v w x y z a p a r t i t i o n 1 = b a - z z 0 0 0 0 0 0 0 0 0 0 b f o r m a t = c a - z z 0 0 0 0 0 0 0 0 0 0 0 0 0 0 c c r e d i t . t x t = d a - d s 0 0 0 0 0 0 0 0 0 0 d k 2 v @ ( j 5 Z £ ^ ! k a 8 * N 8 A , 0 0 0 0 0 0 0 e 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 f 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
That's better! The file is still there, but the contents are of no use to anybody. Shred learned from the green row, 'c', that credit.txt's data was located from 'da' to 'ds' and then wrote random data to that area of the disk. If we now delete the file as usual, we can be sure that this disk drive has no clue as to our credit card number.
But what if we had a file with our credit card details in it that we deleted several months ago? What if its contents are still there, somewhere?
The only way to make absolutely sure that no recoverable data is left on the disk at all is to shred the whole thing. This does what we really wanted to do right at the start: Removes absolutely everything from the disk. Because Windows locks the files that it is currently using, and all OSes tend to write to the disk from time to time, you can't do this from within a normal OS. You need to use something that can function independantly: Knoppix is really handy at this point! Do, of course, bear in mind that what you're doing here is permanently and irreversibly wiping a disk drive completely, so make sure you remove or at least unplug any drives that you don't want wiped! Accidents do happen. . .
From within Knoppix, you would open up a terminal and use fdisk -l to tell you what disk drives it can detect. It should show you at least two: The CD you booted from, and the drive you want to wipe.
The naming system is a bit arcane if you're used to Windows and "C:" and "D:" for the hard drive and CD-ROM, but it's simple enough to follow. All hard drive names start with "/dev" which simply means "device" - all the PC's hardware has a name beginning with "/dev". Typically, a hard drive will be "hd" if it's IDE, or "sd" if it's SATA. It will also have a letter following it: The first hard drive will be "a", the second "b", and so on.
So if you have a simple IDE hard drive, it will be called "/dev/hda". If you have a SATA drive with two partitions, the disk will be "/dev/sda" and the partitions will be "/dev/sda1" and "/dev/sda2"
Simple enough, once you get the hang of it.
So, if your hard drive is a standard IDE, it will be /dev/hda you want to erase, and you would issue the command shred /dev/hda and then go and find something else to do for a while, because this takes quite some time: There's a lot of data to write. By default, shred will overwrite the whole drive 25 times! If you have a 100GB disk, that means writing 2500GB of data. To just do it once, you would type shred -n 1 /dev/hda, but bear in mind that this is less secure.
Eventually, shred will leave you with a filesystem that looks like this:
a b c d e f g h i j k l m n o p q r s t u v w x y z a n # Y v C n $ } I / . ` b 0 J r n v 9 8 N % I : 3 ? b = Y ` K c E b x x f W S p y \ g L l $ C ? ) , 8 k o c O ! w | \ 7 2 v A i O I p w 5 v O k 1 \ I ` s T u a d N g h j t y - 2 n c k m r 1 ( W 1 r . i < M _ L ' + e @ } G L ^ ^ f ( t S = ] i ( D q ! r E 5 = K _ y 0 7 f % _ Z a o g I 2 . K v u O h D q q , A ` 2 0 E " g ? g K | k g 6 A " j % S ? Z v a p t Z l x z < r P 3 D v h > # n ( A e D * < _ [ N e x 7 i r T c a z f R t _ 3 i 9 M i # / K m E Z & k M ; m | C b * - > , _ * f i d j | ( \ i m c o 3 k H & 5 G ; Q + ] m M w M 0 ) J E ? k u ! T M r c ; 7 ` w < F , M \ 9 } a q # C j 0 Z u < l O I p A : , D H } \ q 5 O 9 x z : C t { b > O ` G ; m m V [ M p ` U p @ i C v n ' , s P | t I U Y T , / n n h # h n i a J I R y b S y 0 A I W r U C 4 o F # b X o - E ^ \ Q [ l U I + # u v { Y ( U _ @ = o ) h J _ m p ^ L n t J # A ; V . ] m ! ] c a _ { , " l m X \ o e q % 6 n c g H x G 2 ^ , T ` " " / 0 > U X 8 % . 3 / 5 r ] f H f r h M ! c j W = 3 | I k | 6 J | X K f 3 T , s Y A > U / 0 Z $ y . C n T + & L } K o M m h { | s x t _ o p L ] y g > _ N B & H 4 ; Y 3 B - j T m F . F o u Q ? / F C ! Z j 3 : t E 9 s a o } _ H " \ : q ] W # v z ; w j W 2 : B * o P Q ! % 6 " 9 L m z I t r 8 _ + w = l V { h n 9 I t Y A r f r L d V H C $ s g ! { s J x L ] I r E + q b Q \ y B & Q 3 I # $ W b , y x V Y t y f $ ^ ' c O } @ 5 B _ 5 \ w 0 N Q j ( b - I w & ( ? z ^ . y \ " 2 F x ` V s # H 5 ; t ! } ! y 5 y ? e w #
If you'd rather it was returned to the pristine block of zeros we started with, add -z to the command: shred -z /dev/hda and the final pass of shred will write zeros instead of random data. We thus end up with this:
a b c d e f g h i j k l m n o p q r s t u v w x y z a 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 b 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 c 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 d 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 e 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 f 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 g 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 h 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 i 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 j 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 k 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 l 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 m 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 n 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 o 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 p 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 q 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 r 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 s 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 t 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 u 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 v 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 w 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 y 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 z 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
And your disk is now about as safe as it can be, short of placing it in solvent and leaving it there until it dissolves. In theory, the data can still be recovered after multiple random over-writes, but you'd need very expensive forensic equipment to manage it: Not something the average ebayer is likely to have.
50 comments
It's because they are trying to be efficient. Instead of spending ages of time and processor power restoring the hard drive to zeros, it simply says: "we don't need this anymore, so that space is free for me to use however I want." (ie, putting new data in that spot.)
Nice article though!
I really like your articles and I think you do a great job of explaining technical things in a common sense way so I'm hoping maybe you can shed some light on this hard drive forensics stuff for me. ?
Thanks! -Devin
http://www.cgsecurity.org/index.html?testdisk.html
is i.e. a grate (partition- and data-) recovery tool...
-> Even if you write zeros, there *are* still magnetic traces left on the disk, which are not readable by the read-write head of the harddrive but can be read through special tools that work directly on the plates of the disks.
For simple understanding, even if you erase something on a paper that was written by a pencil and is now compeletely invisible to naked eye, there still are tools *other than* the eye itself that can read what was written there. ;)
In a related situation, I have an old "dead" hard drive on which I have a lot of data I would like to retrieve. It just got old fast and stopped booting. I had it replaced (still under warranty), but I was allowed to keep it in order to attempt to retrieve the data. However, the expense of having it done for me is out of the range of the value of the data.
I now wonder if it's either the drive partition data or the FAT/NTFS data that is just jumbled? The symptoms began with it refusing to boot only sporadically.
I will be back to your site when I have more time to search for more tips.
Thanks again!
Get your self a few copy's of really good PC Mags, I use them all the time to pick up new tests and useful programes. I get APC here in Australia and the free DVD it comes with has given me several retreval and boot tools. (Note nothing will ever get back info from a "DSCRUBed" drive)as this programe was developed in co-operation with the USA and British goverments to provide "Safe" PC Distruction....Tao
When you write to the hard drive, tiny innacruacies of the write head cause it to not overwrite data, but rather leave concentric rings of data. Using the extremely precise read head, they are able to read all the different operations that the head has made.
If you want to protect your data from a well funded forensic labarotary, your only really option is to melt the disk.
If people are buying the PC used, then a 40GB HDD should do, and that would only cost them $30 or so nowadays.
Perhaps that is why I have the "outside" perspective to say "Brilliant!" You've made the maddeningly obscure comprehensible to me, and that's important. After all, the problem of "scattered data" is no mere academic inquiry, these days. Thank you, thank you, for taking the time.
God bless.
If you place a strong magnet on a drive, will that destroy a drive enough that it cant be recovered?
Thanks
So don't think shred will save you when the FBI come knocking. =P
It is uncrackable and transparent when using.
Also, it has a desktop shredder for securely deleting files, drag and drop.
And finally, it can scramble the unused spaces on a current drive (shreds everything previously deleted) while XP is running. The program can create a drive that is totally scrambled at all times with whole disk encryption.
No one, even if I allow a Fed techie to have my computer to study, can retrieve the data I don't want them to. The physical recovery of data does not matter because the data is useless without the password key.
Without the secret drive mounted, there are no pictures, porn, bank info, etc available to find even while the tech guys are working on your computer.
A search for pictures, video files comes up empty, but in 15 sec, I can mount the drive and access them like they were there all the time.
TaDa...
Sure, you can encrypt your entire partition or folder or whatever, but how would you access it? You'd need the same program to unencrypt the data. How would that program know who you are, that you are someone authorized to see the unencrypted data? Usually with a password. So, what do you do if you, as a hacker, stumble upon an encrypted folder/partition and you want to break in? Just bruteforce the password using the original encryption program. Granted, some encrypters take steps to eliminate this, but not all do. Am I wrong in my understanding here
Say you enter a password, and it gets the MD5 hash of it to do its encryptions. The word "password" has a hash of 5f4dcc3b5aa765d61d8327deb882cf99. Ok, so, if you didn't know at all what the program did, this would be a good enough key for your encryption. However, as you said, the people trying to get it likely would have the program.
This is where the idea of password strength comes in. One of the only problems is that 2 strings could possibly have the same hash, as there is a limited number. But as we can see, there are 32 characters, from a-z, and 0-9, so 32 sets of 36 characters. 36^32 = 6.334028666e+49 possibilities, making it highly unlikely that anybody would come up with a random set of characters with the exact same hash as you did.
Now, as for brute-forcing it, running 2000 checks a second (which is reasonable with the average computer nowadays), it would take ~1.003566283e+39 years to go through every possibility. Not to say that we cannot hack it, as it could be one of the first few we try, but it is unlikely just guessing will work. This is where the strength of your password comes in.
If you're using any dictionary word, then people could get it with a simple "dictionary attack", which is to run through every word in a dictionary and see if any of them match. This can take some time, but works for a lot of things, because people can, and do, use simple passwords like this to keep themselves safe. When you get a strong password, however, it becomes less likely to crack. Such as h7d$jgk!3%f. it means nothing, but one could memorize it, and use it. The chances of a brute-force attack coming across this is downright nill, but still there.
So, I guess when it comes down to it, the only real security for encryption is how the key is generated, and how secure the password is. Also, keep in mind, that once somebody has the physical hardware themselves, there is nothing stopping them but their own knowledge and access to resources.
cipher /w:c
This command would wipe the free space on drive C.
# cat /dev/urandom > /dev/hda1
Break w/ Ctrl+c
# dd if=/dev/urandom if=/dev/hda1
if u want zeros, use /dev/zero instead.
Thanks many times! :):):)
Thermite.
I have a hard drive sized amount of thermite above my hard drives. One turn of a key, and it will ignite taking the hard drives and bottom of the case with it.
you perhaps should also have covered the concept of inodes, and other special file system markers. deleting doesn't delete the data. it just marks that space for overwriting.
tune2fs -O ^has_journal /dev/hdXX
But can you shred the journal?
Good article, I learned a couple things. :)
# dd if=/dev/urandom if=/dev/hda1
to
# dd if=/dev/urandom of=/dev/hda1
I was wondering, though, does it really make much of a difference to wipe with, say, /dev/urandom before /dev/zero ? Either way, the disk ends up with 0's ...
URL: http://www.dban.org/
G-
To Gonds' post, that would depend on the state of the unencrypted files, ie; were they unencrypted in ram/software, or did they ever reside on the actual drive in an unencrypted state.
The super powerful magnet idea is actually much trickier than most would think. First of all it is not a matter of simply placing it on the drive, you must pass alternating north and south fields over it. Also most hard drive cases would protect the actual platters inside from all but an obscenely powerfull electromagnet, and I am talking about something powerfull enough to pick up a locomotive here, but even with the platters exposed you would be surprised how strong a field it would take to do even a modest job.
For encryption, the real pros (FBI) after running a few dictionary attacks (languages) and a few other tricks, (assuming they know what encryption software was used, without which a key is useless) will then revert to attacking the actual encryption. For a very basic example lets say I've encrypted the word "shoulder". In the english language there are very common letter groupings such as "sh" or "ou' and "er" They can run pattern finding algorithms to start piecing it all back together.
I didn't go that far because the objective i was aiming for was to recover the drive and make it usable again. Opening the case was kinda ok but it rapidly and unexpectedly went downhill fast from there :( Luckily i didn't actually need the data, i just wanted the extra drive space :)
http://xkcd.com/538/
http://www.heise.de/newsticker/Sicheres-Loeschen-Einmal-ueberschreiben-genuegt--/meldung/121855
overwriting the whole drive once is enough.
Sorry for this being a German articel; I didn't found an English pendant
These commands would delete the whole file system, not just make deleted files un-recoverable!
# dd if=/dev/urandom of=/dev/hda1
# dd if=/dev/zero of=/dev/hda1
These commands make deleted files un-recoverable without affecting the other files.
# dd if=/dev/urandom of=[path of a dummy file on the file system]
# dd if=/dev/zero of=[path of a dummy file on the file system]
When the fie system fills up, delete [path of a dummy file on the file system]. Best to stop processes that get upset when the file system fills up before running the dd command(s).
This decade-old claim has apparently been refuted:
http://www.h-online.com/security/news/item/Secure-deletion-a-single-overwrite-will-do-it-739699.html
Quoting from the Heise article:
»a single bit whose precise location is known can in fact be correctly reconstructed with 56 per cent probability (in one of the quoted examples). To recover a byte, however, correct head positioning would have to be precisely repeated eight times, and the probability of that is only 0.97 per cent. Recovering anything beyond a single byte is even less likely.«
Sounds reasonable to me.
Its to the advantage of FBI and assorted friends to convince everyone they have godlike powers of forensic analysis.
I was actually told upon siezure that the lab would recover every single key that had ever been pressed on the machine.
Yeah right what a pile of BS. I made 4 passes on sensitive items with the pgp wipe tool and 3 passes for free space.
So did they recover anything? In short, no. I actually recieved access to the forensic report on my hard drive. It contained such heartwarming phrases (heartwarming to me) like "data is no longer present on the machine" and "it is impossible to ascertain the nature of the data".
In other words they can't get it for all their posturing, the only reason they knew those files existed was from email records that I had kept on purpose.
One caveat though, fragments of data were recovered from unallocated space, which is not the same as free space on a partition.
So to ensure security use boot time partition tools to take care of unallocated space that might be storing who knows what.
Leave a comment
![[icon]](http://geekblog.oneandoneis2.org/rsc/icons/feed-icon-16x16.gif)
Blogroll
![[icon]](http://www.creativehedgehog.com/icon.png){kind=icon}
Creative Hedgehog
La parte A se refiere solamente a las dos novelas estudiadas. La parte A debe ser preparada después de leer la primera mitad de la novela y contestar las siguientes preguntas: ¿te está gustando la novela/película o no, y por qué? No me gusta la novela. Las personajes que puedes gustar son superficiales, o hacen [...]![[Link to post]](http://geekblog.oneandoneis2.org/skins/112/rsc/img/chain_link.gif "[Link to post]")
06/08/10 - SPN3730 diario: Pascual Duarte parte A
![[icon]](http://geekblog.oneandoneis2.org/media/blogs/112/hari.png)
Hari's corner
Why being bi-lingual has its advantages10/08/10 - Being bi-lingual has its advantages
Place of Stuff
Isn't this exciting? We're out of the tedium of Genesis (world created, man falls, many people live and die. Oh, and attempted forced buggery and a spot of incest). We're into Exodus now; the Bible has got going, that tricky first chapter is out of the way and the real action can start! When the [...]
03/08/10 - The Bible ? On The Waterfront
![[icon]](http://geekblog.oneandoneis2.org/media/blogs/112/blogger.ico)
I was giddy and hopeful when I first met Cary and spent a brief amount of time with him.
The week after that I was happily high on the idea of what could be, the possibility of getting to know someone interesting and intriguing, the wide open potential of what could be.
And I wanted to tell my friends all about him and what had, and hadn't happened, but I also wanted to keep it to myself, sealed safely in the happy bubble that was floating inside me. So I talked to some close friends about him, told them he lived in Vancouver and they, meaning well, told me quite firmly that they would not allow me to go through another long distance relationship. That I shouldn't even consider it.
My bubble had been burst.
I was completely deflated. Hurt. Let down.
I talked to C-Dawg, a sad tinge to the story now that I'd been told it could. . . should never work out.
"Vancouver?" she said, her voice somewhere between amused and incredulous. "That's not long distance! Get serious. Go for it."
And I let my bubble maybe start to re-inflate. Cautiously. Maybe just a little.
Then I talked to my friend about Cary. She said good things.
Maybe there was reason to be hopefully optimistic. Maybe it was ok to be a little girly and dreamy over what-ifs.
I went for a walk with S. We had life to catch up on.
Life including Cary and the story that still makes me smile.
She encouraged me to get his email, which I did, and then she went home and tried to find out what she could about him.
See, I'm not on Facebook. (No, really.) But S is, and in the small world way that Facebook seems to work, she found that Cary and she had a mutual friend and so she looked him up for me. (The modern background check.)
You can sometimes tell a lot about a person by what they put on their Facebook, she cautioned me. Sometimes.
How old is he?
Me: I don't know.
Is he a smoker?
Me: Um, I don't know? (God, I hope not)
Could he maybe be a little bit immature?
Me: I don't know. I suppose.
Well, he seems like a good guy. Cute. Interesting. I'd say he was my type, you know. (We laugh, we already know we share similar excellent taste in men.)
"I say go for it." She says, "just be aware that he's human. Not perfect."
I don't want to hear it.
Don't want to know the reality of him.
Find myself running away from all the what might have been's towards it'll never work what what I thinking's.
It's all or nothing. Perfect or awful. It'll work or it'll be a disaster.
And I realize that my bubble, the one that's been growing and floating inside me will burst on its own, without anyone's help if I get too far into imagining just how great Cary is, how great we'd be together, how perfectly perfect it all will be.
I'm Icarus. My friends don't want me flying too close to the sun.
But I like the feeling.
I like the soaring giddiness of how utterly fantastic this thing I've found will be.
Every single time I meet someone I like that feeling.
And I ride it higher and higher until I'm flapping my bare arms, feathers fallen into the sea and the crash is coming, the relationship splintering and I'm left staring at the brokenness wondering how on earth I could have been so wrong again.
The extremes are familiar. Addictive perhaps.
But I'm trying to learn to ride in the middle.
Safer. A shorter distance to fall.
A smaller bubble to burst.
Expectations that can be met and exceeded.
A safe, yet joyful and giddy flight. Wings intact.03/09/10 - Icarus
![[icon]](http://nationeldiablo.wordpress.com/favicon.ico)
  This was possibly the most ridiculous show I have seen in a long time and I can get Sky 1 I know ridiculous. It could be summed up in three sentences Do you know what's in your cereal? Want to? Read the label. Instead it went on for a hour about how evil the [...]27/10/09 - Dispatches ? do you know what?s in your breakfast? (warning...
Blogroll generated by MagpieRSS
My links
Strange, how the only people who ever seem to complain that Linux sucks or doesn't work well are people who don't like using the CLI...
03/09/10
Dominic tried to explain how circular references can cause a memory leak to a colleague this morning, and got told off for not working. Apparently, the analogy of a madman shooting anybody who isn't being pointed at by somebody else was NOT the boss-safe way to go..
01/09/10
![[Icon]](http://static.last.fm/matt/nice_favicon.png)
I last listened to:
The Offspring - She's Got Issues
Most recent photo:
Submersible houseboat
![[Icon]](https://www.amazon.com/favicon.ico)
![[FSF Associate Member]](http://geekblog.oneandoneis2.com/media/getButton.png){kind=small}
![[Valid RSS feed]](http://geekblog.oneandoneis2.org/media/valid-rss.png "Validate my RSS feed feed")
Unless otherwise stated, all articles/files on this website are licensed under a Creative Commons License. This page's URL must be supplied in attribution.
b2evolution skin based on a design by Séverine Landrieu & François Planque
©2010 by Dominic Humphries • Credits: blog software | blog hosting | Francois