Slashdot Mirror


Why 'rm -R star' Isn't Enough

zdburke writes: "Short but interesting article in the New York Times (free reg req'd) about how difficult it is to cover your digital tracks because electronic documents are so well distributed -- on your laptop, on your workstation, on the server... Yes there are tools to thoroughly delete files on your computer, rather than just unlinking them when they're put in the trash, but it's the distributed nature of content these days that poses a special problem to the Ollie Norths of the world."

22 of 396 comments

  1. Wrong approach by Rostoff · · Score: 3, Interesting

    Don't try to cover your tracks, delete every little bit of info about you, that's waaay too much time and effort. What you want to do is put sooo much crap out there, no one can tell the real info from the synthetic.
    Also, it's the internet. Make up shit. The only thing you really can't lie about is online purchases with a credit card (well...), anything else is open territory for your imagination!

  2. Does anyone really have a problem with this? by Uttles · · Score: 3, Interesting

    I personally don't keep anything around on my computer that has any incriminating information. If I did, I'd be damn sure that it's not in a shared space that gets copied onto any server or anything like that. I think any computer savvy person already knows that you just don't keep digital records of things you don't want people to find out, and you definitely don't keep them anywhere there's a remote possibility the data could be duplicated. This will probably only jump up and bite the illiterate "business major" types, and I really don't have a problem with that.

    --

    ~ now you know
    1. Re:Does anyone really have a problem with this? by stripes · · Score: 3, Interesting
      I think any computer savvy person already knows that you just don't keep digital records of things you don't want people to find out, and you definitely don't keep them anywhere there's a remote possibility the data could be duplicated.

      Criminal masterminds are pretty few and far between. Mostly criminals are kinda dim. Plus if people have been caught cheating on their wives/husbands (not illegal as far as I know, but not a stunningly good idea) by looking at their supermarket club records (catching them buying wine or condoms at the wrong shopping market, that were not used with their spouse)...well, I can imagine you could look at their palm desktop app and find a record for their hot date!

  3. That's why I own by hrieke · · Score: 3, Interesting

    A big 'old electromagnet.
    Degauss the disk and it's gone for good.
    Actually, does anyone else remember the movie Blue Thunder?
    The video tape jackets had electromagnets built into them, and thus could delete any tape that the bad guys wanted.[1]

    I wonder when IBM or someone will build a HD with a self delete 'fail safe' system. When the drive powers down without a password, wipe.

    [1] There is some irony here somewhere folks. Just can't think of a witty remark.

    --
    III.IIVIVIXIIVIVIIIVVIIIIXVIIIXIIIIIIIIVIIIIVVIIIV IIVIIIIIIVIII...
  4. Plausible Deniability by Anonymous Coward · · Score: 1, Interesting

    Which doesn't really help for trade secrets, and such. If it is the information that you are trying to hide, it is a problem.

    If it is the accountability to the document (ala Ollie North's shredding), that is a different thing entirely.

    Unless it is digitally signed, though, any copy lying around has built-in, plausible deniability. It wouldn't have tripped up Ollie or Reagan at all.

  5. Electron Microscope by GigsVT · · Score: 3, Interesting

    It is possible to take a disk apart and use an electron microscope to read information from the individual magnetic spots on the surface of a disk that may have been intentionally erased, Mr. Patzakis said.

    I monitor the forensics list on securityfocus, and there was discussion that this might be mostly a myth.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
    1. Re:Electron Microscope by WNight · · Score: 4, Interesting

      Well, it appears to be somewhat true.

      First, it's difficult. It involves removing the platters from the drive and mounting them in a machine designed to read from that platter density.

      Then, the machine can read from 0 to N generations of older data. This is dependent on the quality of the medium (I guess, better drives are less secure in this fashion) and the repeatability of the data used for overwrites.

      If you overwrite something with all zeros (or ones), it's almost guaranteed to still be there later because all you did was weaken (strengthen) the signal, the variation between two signals with the same current value represents the original value.

      This is why the idea is many secure overwrites. Perhaps all zeros once or twice, but interspersed with "secure" random noise. As soon as they lose track of layer N, they can't get N+1.

      However, the task usually doesn't depend on getting the contents of the whole disk back, usually they can still read the meta data and know what to concentrate on (and if they can't, they know where the meta data sits, so they concentrate on that) and then they go after certain files likely to be the most useful.

      Most common "secure delete" utils use low-grade PRNGs and non-random seeds. If you can figure out the output of these and then deduce the seed, you can figure out the data used for any portion of the overwrite and from that, have a pretty good chance of recovering the data.

      Now, this is what I've heard, from people in the field, so don't take it as gospel. The one thing they all agreed upon though is that this level of analysis is hideously expensive. Not $500 / hour like "normal" data recovery, more like $500k up front and then $5k / hour... It involves cryptanalysis to crack the "random" overwrites and a host of other professionals. It also wouldn't be used to bust a kiddy pornographer (is that a kid who makes porn, or ...) or the logs of a mob boss. It'd be used in espionage type issues, where there's more than money on the line.

      It's almost always destructive analysis too; they destroy the media getting the data and they don't get 100% so they can't put it on a new drive and put it back in the computer. If this happens you're gonna know it, at best they'd substitute a different drive to make it look like yours crashed. (Maybe that's why so many potential spies were sold the IBM 75GXP series drives - plausible crashes... :)

  6. Synchronize with a file encrypted version by taliver · · Score: 2, Interesting

    Synchronize all of your files with a version encrypted with a randomly generated key. Not instant, but they all become effectively "erased". (Unless you're using some type of versioning system)

    --

    I demand a million helicopters and a DOLLAR!

  7. PGP wipe does a very poor job. (See this link) by SomethingOrOther · · Score: 5, Interesting

    PGP is a brilliant tool for encryption (esp. e-mail) and PGP disk or Scramdisk are great for secure archiving on windoze machines. However the PGP wipe isn't very good. This link explains why and gives good alternatives for windoze users.

    Linux users already have encrypted filesystems and secure file wiping as standard in all(?) common distros. (I know that SuSE even lets you overwrite the wiped files with zeros to hide its very existence)

    --
    Anyone quoted by a reporter knows how little they understand
    Don't believe what you read is the truth.
  8. Some old BugTRAQ posts on this subject by Effugas · · Score: 4, Interesting

    Bit busy -- finishing up The Book(TM) -- but I wrote a bit about this subject some time ago. Head over to: http://www.doxpara.com/read.php/security/secure_deletion.html

    There's a Part 2, and some other stuff over there too. Yeah, the site needs to be updated desperately. Wait till Feb.

    There's one piece of information that's very new and very, very cool: Apparently, some company has been going around the WTC crash site, picking out hard drives from crushed servers, and (though I can't imagine this) actually recovering data from the drives through all the crush damage and dust. I mean, yes, the concept that a non-portable, super expensive, very labor intensive read head would be able to recover significantly more data redundancy than some mass produced mag-head is unsurprising, but...damn.

    --Dan

  9. Re:Not a problem... by Anonymous Coward · · Score: 3, Interesting

    Agreed. Did you know, if you start with a blank disk, there is nothing there. If you write it to 10101010101... and then to 11111111..., you can tell which one used to have a one under it and which one had a zero. In fact, it's been postulated that if you had a very high-resolution scan of the media (not even anywhere near atomic level is necessary), you could piece together every read and write that had ever occurred on it, together with the order, and possibly also (roughly) the timing. (Since the extent to which an area is magnetic fades over time.)

    The answer, of course, remains not "several passes from /dev/random" but rather, several swipes past a BFM.

  10. Undelete on various operating systems by yerricde · · Score: 3, Interesting

    I ask this since there are unerase utils in windows, could they be using a vfs? If they are, wouldn't they have to stay resident forever monitoring all content?

    DOS 6.x had an undelete.exe TSR that patched the DOS call to remove a file. It had two modes: Delete Tracker (remember deleted directory entries) and the stronger Delete Sentry (similar to the Mac's trash can and to the forthcoming Windows 9x's recycle bin). When using the Delete Tracker or non-TSR mode, it would look at the directory entry of the deleted file (from the directory in non-TSR or from a database in Delete Tracker) and then follow the FAT chain to retrieve as much of the file as it could. Delete Sentry simply moved files into a folder C:\SENTRY, no matter what program deleted them, ignoring *.tmp and a few other file types.

    Mac OS 7 or later and Windows 4 or later, on the other hand, have two separate delete calls (for discussion, call them unlink() and ShellDelete()). The unlink() call actually deletes a file and should be used on tmp files, in uninstallers, etc. ShellDelete(), on the other hand, moves a file to a folder called vol:Trash (on Mac) or vol:\Recycled (on Windows); the shell (Finder or Explorer) provides a command Empty Trash... to do what is essentially an rm -rf on the Trash folder.

    In UNIX systems and their clones, merely make a shell command alias that maps a command to move the file to the ~/.trash folder.

    --
    Will I retire or break 10K?
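
The directory-entry recovery described in the comment above, as an added example (not part of the original post and not any undelete tool's code): on a constructed FAT-style volume, a plain delete only overwrites the first name byte with 0xE5, so the start cluster, size and data all remain. It assumes contiguous clusters and a simplified layout with no FAT table; the function names and file contents are made up for the demonstration.

```python
import struct

CLUSTER = 512     # bytes per cluster in this constructed volume (assumption)
DELETED = 0xE5    # FAT writes this over the first name byte when a file is deleted
ENTRY = "<8s3sB14xHI"  # 32-byte entry: name, ext, attr, (skipped), start cluster, size

def make_volume(files):
    """Build a constructed directory table and data area (first data cluster is 2)."""
    directory, data, nxt = bytearray(), bytearray(), 2
    for name, ext, content in files:
        directory += struct.pack(ENTRY, name.ljust(8).encode(),
                                 ext.ljust(3).encode(), 0x20, nxt, len(content))
        clusters = -(-len(content) // CLUSTER)          # ceiling division
        data += content.ljust(clusters * CLUSTER, b"\0")
        nxt += clusters
    return directory, data

def delete(directory, data, index, wipe=False):
    """Plain delete marks the entry only; wipe=True zeroes the data first."""
    off = index * 32
    if wipe:
        start, size = struct.unpack_from("<HI", directory, off + 26)
        begin = (start - 2) * CLUSTER
        data[begin:begin + size] = bytes(size)
    directory[off] = DELETED

def undelete(directory, data):
    """Return (name, content) for every deleted entry, assuming contiguous clusters."""
    found = []
    for off in range(0, len(directory), 32):
        if directory[off] != DELETED:
            continue
        name, ext, _attr, start, size = struct.unpack_from(ENTRY, directory, off)
        label = "?" + name[1:].decode().rstrip() + "." + ext.decode().rstrip()
        begin = (start - 2) * CLUSTER
        found.append((label, bytes(data[begin:begin + size])))
    return found

def demo():
    # Constructed sample files, not real data.
    directory, data = make_volume([
        ("LEDGER", "TXT", b"account 0000 balance 100 (constructed sample)"),
        ("NOTES", "TXT", b"meeting at noon (constructed sample)"),
        ("KEEP", "TXT", b"still live (constructed sample)"),
    ])
    delete(directory, data, 0)               # like rm/del: only the entry is marked
    delete(directory, data, 1, wipe=True)    # overwrite the contents, then delete
    return undelete(directory, data)

if __name__ == "__main__":
    for label, content in demo():
        print(label, content)
```

Even for the wiped file, the name fragment and size survive in the directory entry; only the contents are gone.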
  11. shred by nzhavok · · Score: 2, Interesting

    So what about shred then? From the man page:

    Delete a file securely, first overwriting it to hide its contents.

    By default it overwrites it 25 times, IIRC DoD standard is 7 times so it should be enough.

    --

    He who defends everything, defends nothing. -- Fredrick The Great
  12. Re:Mirrors by SuiteSisterMary · · Score: 4, Interesting

    That's why you make it stated policy to delete ANYTHING AND EVERYTHING with 'youcannotseemeehahahahaha'. Then, it's not incriminating, it's standard practice. This is why companies have 'document retention' policies; if you don't, but you've destroyed documents that a court wants, you're in trouble. If you DO, and you've destroyed documents the court wants, too bad, you're following the published policies of your company. The corollary to that is, I believe, that you need to follow your policy religiously, or it's not a viable defense.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  13. Re:I was hired to recover files once by Anonymous Coward · · Score: 1, Interesting

    Did something similar for my aunt, who was going through a divorce... her husband was one of the founders of a large consulting company in the area, but was in court claiming that he had sunk all his money into the business and that he was, essentially, broke.

    My aunt had the computer he had used at home, and though he had "wiped" it, he hadn't bothered with a low-level disk format or anything more confounding than just deleting his files. A trip to CompUSA and a copy of Norton's later, we had several interesting documents for my aunt's lawyers - including a couple of Quicken files for a bank account she never knew existed, a spreadsheet detailing his stock portfolio, and various documents showing the stock and cash bonuses he had received from his company over the past two years.

    Instead of getting next to nothing, she ended up with the house, the cars, college trust funds for their kids, and a 50/50 split on the bank accounts; all of which ended up reflecting less than a quarter of his net worth. Yah, she went easy on him... just wanted to make sure she & the kids were provided for, and get him the hell out of her life.

  14. Re:PGP attacks by CharlieG · · Score: 3, Interesting
    You said
    Although encryption is, in theory, breakable, the resources to do so don't exist

    While the resources probably don't exist to directly attack PGP, this makes certain assumptions
    • That PGP has no leaks
    • That there have been no mathematical breakthroughs in factoring

    Even if those are true, there are other attacks possible - Most people don't use a sufficient passphrase, so that becomes the easiest attack.
    After that, you have to worry about things like "Magic Lantern" and black bag jobs
    How paranoid do you want to get?
    --
    -- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
  15. Other Technological Solutions by signifying nothing · · Score: 2, Interesting

    These guys have a cunning method to make sure their data can't be read:

    "sensitive data is stored on hard disks which are hard-wired to physically self-destruct when tampered with"

    If you're lucky it might take out the investigating officer too...

  16. It's a real commercial problem by Tim Ward · · Score: 2, Interesting

    Many contracts say that at some point after the contract ends you have to delete whatever copies you've got of the confidential documents, source code, whatever.

    It's not that hard to delete copies from your hard disk, shred the hard copies, and remember to "really delete" it all from your source code control system.

    But who, in the real world, goes through their backup tapes, CDs, whatever, trying to erase individual files? or even parts of files? whilst not destroying other data - it just can't be done.

  17. Re:Not a problem... by markh1967 · · Score: 3, Interesting

    If you're gonna destroy old media with sensitive data on it, make sure you thoroughly pulverize it

    I second this advice. I used to work for a defence contractor back in the 80's and had the job of ensuring disk security on damaged drives. This consisted of taking a chisel to the disk platters and removing all trace of oxide from them and then sending the oxide off to be incinerated on-site and the blank aluminium platters off-site for recycling. This was taken very seriously and techniques for extracting data from disks can only have improved enormously in the intervening 20 years.

    --
    Input error. Replace user and press any key to continue.
  18. dd if=/dev/zero of=/dev/hda by Zemran · · Score: 2, Interesting

    Having recently left a job teaching police and customs officers how to get into other people's (read criminals') computers, I zeroed my PC before I left. My ex-employers are still trying to work out whether or not I was being malicious. The next user will probably want to stuff some version of M$ on it anyway so I claim I was being considerate.

    --
    I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
  19. Re:I was hired to recover files once by McChump · · Score: 2, Interesting

    This stuff is usable in court generally not as direct evidence, but as impeachment evidence. Impeachment evidence isn't subject to the same strictures of authentication and proof since it's only used to confront a witness who may not be telling the whole truth, and cannot be used to directly establish that what the evidence shows *is* true.

    Did that make sense, or was I babbling too much?

    --
    I'd be a Libertarian, if they weren't all a bunch of tax-dodging professional whiners. - Berke Breathed
  20. My Exercises in Paranoia by Deagol · · Score: 3, Interesting
    (For context, I run Linux 100% of the time on my machines.)

    Continually write cruft to hard drive: Run a batch script that continually loops through: 1) dd from /dev/zero to a dummy file on partition; 2) delete when drive fills; 3) dd from /dev/urandom to same file; delete file. As the drive will have many writes to it, it would make things very tough to recover. This never had much performance impact on the machine.

    I wish I could find a utility that cleans out inode information, much like the dos/win utils that scrub deleted filenames from the FAT.

    Edit documents and browse web from a virtual machine on an encrypted device:

    I use the loopback patches (/pub/linux/kernel/people/hvr at your local kernel mirror) to run an encrypted device. I then use VMWare (though bochs, plex86, or User Mode Linux should work) to run Linux and Windows for browsing and email writing. Note that VMWare has a nice "undoable" disk feature, in which you can "commit" or "discard" changes to the virtual disk. So I have a pristine Win95 VM, which I log into to do my stuff, and then I discard the changes, thereby removing cached material, cookies, etc.

    Note that this doesn't thwart traffic analysis or "rubber hose" tactics. In fact, once the loopback devices are mounted, you can perform standard file/data recovery techniques on them.

    Use file encryption for email and sensitive files. I use GnuPG for this.