Saturday, October 31, 2009

Hack 98. Permanently Delete Files


Deleting a file typically just makes it harder to find, not impossible. Using a simple utility to write over files that you delete can help ensure that your data is gone for good.


We all store personal, secret, or potentially embarrassing data on our machines at one time or another. Whether it's last year's tax returns, instructions to your bank in the Cayman Islands, or a risqué picture of your husband or wife, everybody has some data that they don't want anyone else to see, and no one keeps their computers forever. What do you do with your old machines? In business environments, they often simply get passed down the user food chain until they die. Are they wiped clean before each transfer? Rarely.


As we all know from the various Windows utilities that have been around for years to enable you to recover files (and from "Recover Deleted Files" [Hack #97] and "Recover Lost Files and Perform Forensic Analysis" [Hack #100]), just because you've deleted a file doesn't mean that it's actually gone from your disk. There's a good chance that the data blocks associated with any deleted file are still present on your disk for quite a while, and could be recovered by someone who was desperate or persistent enough.


You probably won't be surprised to hear that Linux, the OS of a thousand utilities, provides an out-of-the-box solution for truly deleting files. To recover a deleted file, you must reassemble it, either by walking the free list or by searching the disk for the data the file contained. The Linux shred utility makes files unrecoverable by overwriting all of their data blocks with random data patterns, so even if someone can piece a deleted file back together, its contents will be random garbage. The shred utility is part of the Linux coreutils package (the same package that brings you popular utilities such as ls, pwd, cp, and mv), which means that it is found at /usr/bin/shred on almost every desktop Linux distribution.



10.11.1. Using the shred Utility



Using the shred utility to overwrite the contents of an existing file with random junk is easy. As an example, my online banking service enables me to download information about banking transactions in Quicken Interchange Format (QIF), which gnucash can import into my personal copy of my banking records. A snippet of one of these files looks like the following:



!Type:Bank
D10/08/2004
PWIRE TRANSFER FEE
N
T-11.00
^
D10/07/2004
PPAYPAL INST XFER
N
T-217.20
^
D10/07/2004
PNAT CITY ATM CASH WITHDRAWAL
N
T-240.00
^
D10/06/2004
PGIANT EAGLE IN, VERONA,PA
N
T-11.76



Assuming that I have a copy of one of these files (named, say, EXPORT-11-oct-2004.QIF) on my laptop from work, I'd really like to make sure that this data is wiped when I trade up to a newer machine and my old laptop goes to someone else. Rather than actually wiping the entire hard drive [Hack #99], I could simply use shred to overwrite and randomize this file, using the following command:



$ shred -n 3 -vz EXPORT-11-oct-2004.QIF

The output from this command looks like the following:

shred: EXPORT-11-oct-2004.QIF: pass 1/4 (random)…
shred: EXPORT-11-oct-2004.QIF: pass 2/4 (random)…
shred: EXPORT-11-oct-2004.QIF: pass 3/4 (random)…
shred: EXPORT-11-oct-2004.QIF: pass 4/4 (000000)…



The options I've passed to the shred command cause it to overwrite the file with three passes of random data (-n 3), report each pass as it goes (-v), and write a final pass of zeros over the file after the random passes are done (-z). That final zero pass is why the output shows four passes rather than three; it also leaves the file looking like unused space rather than something that has obviously been shredded. If you don't specify the number of overwrite passes, shred uses its built-in default: 25 passes in the coreutils release this hack was written against, and 3 passes in current releases. Either is random enough for just about anyone; check `shred --help` or the man page to see which default your system uses.


Once this command has completed, let's look at the file again:



$ cat -v EXPORT-11-oct-2004.QIF | more
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
[much more similar data deleted]



As you can see, the contents of this file are gone.


In most cases, when shredding a file you would also use the -u option to tell shred to truncate and delete the file after overwriting it; I didn't use that option here so that I could demonstrate that the contents of the file are actually gone. The reason shred works at all is that it overwrites the file in place, writing the new data to the same disk blocks the original occupied. That assumption holds on traditional filesystems such as ext2 and on ext3/ext4 in their default ordered journaling mode, but, as the shred man page warns, it does not hold everywhere: filesystems that journal file data (ext3 with data=journal), copy-on-write filesystems such as btrfs and ZFS, compressed filesystems, RAID, filesystems that take snapshots, and network filesystems may write the new data somewhere else and leave the old blocks intact, and SSDs remap writes through wear levelling, so the flash pages holding the old contents are often untouched. Where any of those apply, a shredded file may still be recoverable, and wiping the whole drive [Hack #99], keeping the data encrypted in the first place, or using the drive's own secure-erase command is the better answer. Gee, I hope I imported that file into gnucash, now that I think about it….
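As an added example, not code from the original hack, here is a small POSIX shell wrapper that packages the procedure above: it refuses anything that is not a regular file, looks up the filesystem type and warns when in-place overwriting is known not to reach the original blocks, runs the same passes as the shred command in the text so the result can be inspected, and then repeats them with -u to unlink the file. It assumes GNU coreutils (shred, df, tr) on Linux; the function names, the list of filesystem types and the sample QIF lines are my own constructions, not from the book.

```shell
#!/bin/sh
# Added example, not part of the original hack. Assumes GNU coreutils
# (shred, df, tr) on Linux; function and variable names are my own.

# Print the filesystem type backing PATH (ext4, btrfs, nfs4, ...).
fs_type() {
    df --output=fstype -- "$1" 2>/dev/null | tail -n 1
}

# Succeed (return 0) when TYPE is a filesystem on which an in-place
# overwrite is not guaranteed to hit the blocks that held the old data:
# copy-on-write filesystems allocate fresh blocks instead of rewriting
# old ones, and network filesystems write wherever the server decides.
# The list is illustrative, not exhaustive.
fs_is_cow_or_remote() {
    case "$1" in
        btrfs|zfs|nfs|nfs4|cifs|smb3) return 0 ;;
        *) return 1 ;;
    esac
}

# Overwrite FILE in place (three random passes plus a final zero pass)
# but keep it, so the result can be inspected; same flags as the command
# in the text minus -v. Without -x, shred rounds a regular file up to the
# filesystem block size, so the slack space in the last block is
# overwritten as well.
overwrite_in_place() {
    shred -n 3 -z -- "$1"
}

# Print the number of bytes in FILE that are not NUL; after the -z pass
# on a regular file this is 0, the mechanical form of the cat -v check.
nonzero_bytes() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# Overwrite FILE as above, then truncate and unlink it (-u). Refuses
# symlinks and anything that is not a regular file: shred follows a
# symlink and would hit the target, and a device node deserves a
# deliberate decision rather than an accident. Warns when the filesystem
# type means the overwrite may not reach the old blocks.
secure_delete() {
    file=$1
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "secure_delete: $file: not a regular file, refusing" >&2
        return 2
    fi
    fstype=$(fs_type "$file")
    if fs_is_cow_or_remote "$fstype"; then
        echo "secure_delete: warning: $file is on $fstype;" \
             "shred may not overwrite the original data blocks" >&2
    fi
    shred -n 3 -z -u -- "$file"
}

# Demonstration on a constructed QIF-style file (sample data, not a
# real bank export).
demo() {
    tmp=$(mktemp) || return 1
    printf '!Type:Bank\nD10/07/2004\nPPAYPAL INST XFER\nN\nT-217.20\n^\n' > "$tmp"
    echo "before: $(nonzero_bytes "$tmp") non-NUL bytes, fstype $(fs_type "$tmp")"
    overwrite_in_place "$tmp"
    echo "after overwrite: $(nonzero_bytes "$tmp") non-NUL bytes," \
         "$(wc -c < "$tmp" | tr -d ' ') bytes on disk"
    secure_delete "$tmp"
    if [ -e "$tmp" ]; then echo "still present"; else echo "unlinked"; fi
}

demo
```

Run it with sh to see the demonstration, or source it and call secure_delete on the file you want gone. The nonzero_bytes count dropping to 0 after overwrite_in_place is the same evidence as the cat -v listing above, just checked mechanically; the warning from fs_is_cow_or_remote is the part that listing cannot tell you, because on a copy-on-write or network filesystem the file you are reading back is not necessarily stored in the blocks the original occupied.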




10.11.2. See Also


  • man shred

  • [Hack #99]












