Securely delete files...

David Shaw dshaw at jabberwocky.com
Fri Aug 22 05:12:05 CEST 2008 

On Aug 21, 2008, at 5:08 PM, Faramir wrote:
> Chris De Young escribió:
>> Robert J. Hansen wrote:
>>> Faramir wrote:
>>>> lets say I just want to avoid recovery software like "get data  
>>>> back"
>>>> being able to recover a file. Is there a reliable way to do it
>>>> without going to "extreme" solutions?
>>> No.
>>
>> It's not clear to me why this is the case; it seems to me that if  
>> you're only
>> worried about access that uses the drive's own process for getting  
>> bits off the
>> platters, then a simple overwrite (and only once) would be  
>> sufficient. If you're
>> going to try to read the drive using the drive's own read/write  
>> heads and
>> firmware (which all of these software applications do, right?), the  
>> most
>> recently written bits are the only ones that should be available.
>
>  That's is what I am no longer sure I can do, I mean, it seems I can
> tell the disk "overwrite that file", and the disk can write somewhere
> else, not over the sectors containing the file I want to "destroy" (at
> least, that is what I have understood from this thread). But maybe  
> there
> is some app capable of telling the disk "write this random patter  
> right
> over the place where the original file is, and not in other places".

That's exactly the problem - given modern disks, and modern  
filesystems, there is not a perfect guarantee that you'll hit the same  
disk blocks that the original file landed on.  The disk could  
invisibly remap a block out from under you at any time (it does this  
automatically when the disk firmware detects a bad block), the  
filesystem could be doing journaling games, etc, etc.  A program  
running on the computer the disk is attached to can't really do much  
about disk block remapping since it doesn't see this.  It always asks  
for (for example) block 100.  If the file was written when block 100  
pointed to block 100, but by the time the overwrite happens, block 100  
has become 12345, then the computer doesn't know it needs to overwrite  
both 100 and 12345 to get all traces of the file.

>   Well, the original question did not include any context (and I was
> not the one making the question), so it was very reasonable to talk
> about physical destruction of the drive, but since I am sure some  
> people
> is not concerned about NSA or KGB trying to recover the info, just  
> about
> low budget people, I added that context... something like "I want to  
> be
> sure my room mate won't be able to recover the picture portraying my
> girlfriend naked, which I just deleted" (it is just an imaginary
> context, I don't have that problem).

Let's simplify things this way: you have regular people and forensics  
lab people.  You have single file shredding, and whole-disk  
shredding.  Regular people only have access to the disk that a  
computer can have.  That is, they are reading the disk using the disk  
interface.  Forensics labs can do things like remove the platters and  
go for the electron microscopes.  Single file shredding is just that -  
you pick a particular file on the disk and shred it.  Other files are  
not affected.  Whole-disk shredding shreds the whole disk at a block  
level, and the entire contents of the disk are lost.  The disk would  
need a reformat / re-mkfs before using it again.  This is a  
simplification, of course, but it's a reasonable one.

We've discussed forensics lab stuff elsewhere in this thread, so I'll  
skip it here.  That leaves only two cases:

Regular people + single file shred: This may or may not be safe  
depending on whether the filesystem you are using overwrites in place  
or not.  Many modern filesystems (Reiser, XFS) do not necessarily  
overwrite in place.  More primitive filesystems (like the FAT FS that  
is used on many external disks) do overwrite in place.  Linux systems  
most commonly use ext3, and that may or may not overwrite in place,  
depending on how it is configured.  Then there is the fact that many  
programs create temp files here and there which wouldn't get  
shredded.  On top of that there is the fact that many programs save  
files in ways that can defeat shredding.  Bottom line: it can be safe,  
but you have to really know details of your OS and what programs  
generate the files you want to shred.  In practice, it's a little iffy.

Regular people + whole disk: This is pretty safe.  The disk might be  
doing magic underneath you, but given that the attacker is only able  
to read the disk via the disk interface itself, the magic is not  
visible (or rather, it is equally visible or invisible to both you and  
your attacker).  Any temp files are blown away just like everything  
else is.

Bottom line is, yes, you can protect yourself from your roommate with  
shredding (assuming your roommate doesn't work for a computer  
forensics lab).  Of course, you'd better make sure your shred program  
is a good one.  I've seen some pretty silly bugs that make some of  
them not actually protect you particularly well...

David

More information about the Gnupg-users mailing list