Files and partitions are often left in a state where sensitive data can still be recovered.
We look at three utilities that reduce the chance of a malicious user recovering sensitive data.
This article was tested on SUSE Linux Enterprise Server and SUSE Linux Enterprise Desktop.
Introduction to disk cleaning
In this article we are going to look at three methods of securely wiping partitions and deleting sensitive files so that it becomes difficult for malicious users to recover them. The three tools we will be looking at are “scrub”, “shred” and “dd”; all three provide a means of overwriting data multiple times.
We will have a blank Linux partition “/dev/sda3” which we will format with a Reiser file system, and there will also be multiple files containing simulated sensitive data which we will try to recover. We will be using the “strings” command to perform simple data recovery of the simulated sensitive data from the partition.
The first step is to format our partition with the Reiser file system. The command we will use to format the partition is “mkfs.reiserfs” followed by the partition we are using, “/dev/sda3”, as shown in Figure 1.
linux-a2f6:/media # mkfs.reiserfs /dev/sda3
mkfs.reiserfs 3.6.19 (2003 www.namesys.com)
...
...
Format 3.6 with standard journal
Count of blocks on the device: 1311296
Number of blocks consumed by mkreiserfs formatting process: 8252
Blocksize: 4096
Hash function used to sort names: "r5"
Journal Size 8193 blocks (first block 18)
Journal Max transaction length 1024
inode generation number: 0
UUID: 052cb24f-6db8-4733-b722-4add425fa69d
ATTENTION: YOU SHOULD REBOOT AFTER FDISK!
ALL DATA WILL BE LOST ON '/dev/sda3'!
Continue (y/n):y
Initializing journal - 0%....20%....40%....60%....80%....100%
Syncing..ok
ReiserFS is successfully created on /dev/sda3.
Figure 1: Formatting the “/dev/sda3” partition with the Reiser file system.
Once you have formatted the partition you will need to mount the partition to write some test files, Figure 1.1 shows the command used to mount the “/dev/sda3” partition.
linux-a2f6:/media # mkdir /media/sda3
linux-a2f6:/media # mount /dev/sda3 /media/sda3
Figure 1.1: Mounting the “/dev/sda3” partition.
Once you have mounted the partition you can write some simple test files. In this article we will create one file called: “credit_card.db” which will contain some simulated credit card information as listed in Figure 1.2.
Damian Myerscough 1234-1234-1234-1234
Jason Myerscough 0000-0000-0000-0000
Andrey 5555-5555-5555-5555
Figure 1.2: “credit_card.db” sample file.
Once the file has been created you can create even more files. When you have finished creating the test files, unmount the partition using the “umount” command as shown in Figure 1.3.
linux-a2f6:/media # umount /media/sda3
Figure 1.3: Unmounting the “/dev/sda3” partition.
Once you have unmounted the “/dev/sda3” partition, you can reformat it with the Reiser file system as we did in Figure 1. If you remount the partition you will notice that the file no longer appears on the disk; however, it is still there, just marked as deleted.
Once you are satisfied that the file appears to have been deleted, you can issue the “strings” command against the partition and use the “grep” utility to filter for filenames, as shown in Figure 2.
linux-a2f6:/media # strings /dev/sda3 | grep -i credit_
/media/sda3/credit_card.db
Figure 2: Retrieving the “credit_card.db” file.
As you can see in Figure 2, we were able to retrieve the “credit_card.db” filename. You may be thinking “well, that's only the filename; no contents were revealed”. By applying two more qualifiers we are able to retrieve the contents of the file as well, as shown in Figure 2.1.
linux-a2f6:/media # strings /dev/sda3 | grep -i credit_ -A 5
/media/sda3/credit_card.db
U3210#"!
Damian Myerscough 1234-1234-1234-1234
Jason Myerscough 0000-0000-0000-0000
Andrey 5555-5555-555-5555
I *q~
linux-a2f6:/media #
Figure 2.1: Recovering the file contents.
As you can see in Figure 2.1, we were able to retrieve the file content, exposing the sensitive data even though the partition had been reformatted.
Secure erase with shred
Now that you have retrieved your sensitive data from the formatted partition, you know that the “mkfs.reiserfs” command does not wipe your files from the partition. The first utility we are going to look at is “shred”, which can be used to securely erase the partition.
The shred utility will overwrite the partition with random pieces of data multiple times making it hard for malicious users to recover your sensitive data. Figure 3 shows the command used to overwrite the partition with random pieces of data.
linux-a2f6:/media # shred -v -n 1 /dev/sda3
shred: /dev/sda3: pass 1/1 (random)...
shred: /dev/sda3: pass 1/1 (random)...189MiB/5.1GiB 3%
shred: /dev/sda3: pass 1/1 (random)...421MiB/5.1GiB 8%
shred: /dev/sda3: pass 1/1 (random)...641MiB/5.1GiB 12%
shred: /dev/sda3: pass 1/1 (random)...875MiB/5.1GiB 17%
shred: /dev/sda3: pass 1/1 (random)...1.0GiB/5.1GiB 21%
shred: /dev/sda3: pass 1/1 (random)...1.2GiB/5.1GiB 25%
shred: /dev/sda3: pass 1/1 (random)...1.5GiB/5.1GiB 30%
Figure 3: Overwriting the “/dev/sda3” partition with random data.
The command shown in Figure 3 will overwrite the data on “/dev/sda3” once with random junk. Table 1 explains what each qualifier does.
| Qualifier | Description |
|---|---|
| -v | Turns verbose mode on, showing the shredding progress. |
| -n | Specifies the number of times (passes) to shred the partition. |
Table 1: Shred qualifiers explained.
Once you have shredded the “/dev/sda3” partition you can issue the command shown in Figure 2.1 to see whether it is still possible to recover your data. The command shown in Figure 2.1 will return no results, as the partition now contains only random junk.
Secure erase with scrub
The second method uses a third-party utility that needs to be downloaded from the Internet. The file we will use in this article is the “scrub-1.9-1.src.rpm” source RPM, which will require rebuilding. Once you have downloaded the “scrub-1.9-1.src.rpm” file you will need to install the package using the “rpm” command as shown in Figure 4.
linux-a2f6:/media # rpm -Uhv scrub-1.9-1.src.rpm
Figure 4: Installing the scrub source RPM.
Once you have installed the source RPM you will need to change into the “SPECS” directory and build the RPM from the spec file as shown in Figure 4.1.
linux-a2f6:/media # cd /usr/src/packages/SPECS/
linux-a2f6:/usr/src/packages/SPECS # rpmbuild -ba scrub.spec
Figure 4.1: Building the source RPM.
Once you have built the source RPM you will need to change into the “RPMS/i586” directory and install the scrub binary RPM as shown in Figure 4.2.
linux-a2f6:/media # cd /usr/src/packages/RPMS/i586
linux-a2f6:/usr/src/packages/RPMS/i586 # rpm -Uhv scrub-1.9-1.i586.rpm
Figure 4.2: Installing scrub binary RPM.
Once you have installed the scrub utility you can reproduce the steps in section “Partition preparation” to setup the testing environment.
Once the testing environment has been set up you can securely erase the partition again, this time using the scrub utility. Figure 4.3 shows the command used to securely erase the “/dev/sda3” partition.
linux-a2f6:/media # scrub -p dod -f /dev/sda3
scrub: using DoD 5220.22-M patterns
scrub: please verify that device size below is correct!
scrub: scrubbing /dev/sda3 5371107840 bytes (~5GB)
scrub: 0x0    |................................................|
scrub: 0xff   |................................................|
scrub: random |................................................|
scrub: 0x0    |................................................|
scrub: verify |................................................|
Figure 4.3: Securely erasing the “/dev/sda3” partition.
Once you have erased the “/dev/sda3” partition you can issue the command shown in Figure 2.1 to see whether it is still possible to recover your data. The command shown in Figure 2.1 will return no results, as the disk has been erased to DoD (Department of Defense) standards. Table 2 explains what each qualifier does.
| Qualifier | Description |
|---|---|
| -p | Selects the pattern-writing method. |
| -f | Scrubs the disk even if it has already been scrubbed. |
Table 2: Figure 4.3 qualifiers explained.
Secure erase with dd
The “dd” command is not designed for shredding partitions but it can overwrite data multiple times making it hard for malicious users to recover sensitive data. The first task you need to do is reproduce the steps in section “Partition preparation” before issuing the “dd” command.
Once you have set up your test environment you can issue the “dd” command as shown in Figure 5, which will fill the “/dev/sda3” partition with random junk.
linux-a2f6:/media # dd if=/dev/urandom of=/dev/sda3
dd: writing to `/dev/sda3': No space left on device
10490446+0 records in
10490445+0 records out
5371107840 bytes (5.4 GB) copied, 1231.36 seconds, 4.4 MB/s
Figure 5: Erasing the “/dev/sda3” partition.
Once you have issued the “dd” command you can run the “strings” command as shown in Figure 2.1 to see if the data can be recovered. The command in Figure 2.1 will fail, as the “/dev/sda3” partition will have only junk written to it.
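The whole experiment (plant a record, confirm it is recoverable from the raw blocks, overwrite, confirm it is gone) as an added shell example that is not part of the original article. It works on a constructed file-backed image rather than “/dev/sda3”, so it needs no root access, uses a tr-based stand-in for “strings”, and reproduces with “dd” the same 0x00, 0xff, random, 0x00 and verify sequence that scrub printed in Figure 4.3; it assumes GNU coreutils and grep.

```shell
#!/bin/sh
# Added example, not code from the original article: the recover-then-wipe
# experiment on a file-backed image instead of /dev/sda3, so it runs unprivileged.
# Assumes GNU coreutils (dd, tr, head, wc, mktemp) and grep; the image contents
# and the marker string are constructed for the demonstration.
set -eu

# Stand-in for `strings`: split the raw image into runs of printable characters.
printable_runs() {
    tr -c '[:print:]' '\n' < "$1"
}

# How many times MARKER still appears in the raw blocks of IMAGE (Figure 2 style).
count_marker() {
    printable_runs "$1" | grep -c -- "$2" || true   # grep -c exits 1 on 0 matches
}

# Constructed 4 MiB image with a record written at block 100 and then "forgotten":
# nothing references it any more, but the bytes are still on the media.
make_image() {
    image=$(mktemp)
    dd if=/dev/zero of="$image" bs=1024 count=4096 2>/dev/null
    printf 'Damian Myerscough 1234-1234-1234-1234\n' |
        dd of="$image" bs=1024 seek=100 conv=notrunc 2>/dev/null
    printf '%s\n' "$image"
}

# One overwrite pass over IMAGE. PATTERN is "random" (/dev/urandom, as in
# Figure 5) or a byte in octal such as 000 or 377, expanded from /dev/zero.
wipe_pass() {
    size=$(wc -c < "$1" | tr -d ' ')
    case $2 in
        random) head -c "$size" /dev/urandom ;;
        *)      tr '\000' "\\$2" < /dev/zero | head -c "$size" ;;
    esac | dd of="$1" conv=notrunc 2>/dev/null
}

# Verify pass: succeeds only when no byte other than 0x00 remains on IMAGE.
verify_zero() {
    [ "$(tr -d '\000' < "$1" | wc -c | tr -d ' ')" -eq 0 ]
}

# Same pass sequence scrub printed for its "dod" pattern in Figure 4.3:
# 0x00, 0xff, random, 0x00, then a read-back verification of the final pass.
dod_wipe() {
    for pattern in 000 377 random 000; do
        wipe_pass "$1" "$pattern"
    done
    verify_zero "$1"
}
```

Run `count_marker IMAGE 1234-1234-1234-1234` before and after `dod_wipe IMAGE` to see the record disappear from the raw blocks; pointing the same functions at a real device would need the same root privileges as the figures above.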
Now that you know how to securely erase your partitions, you need not fear throwing your hard disk drive(s) in the trash. I would also recommend that you overwrite your hard disk more than once, as some highly sophisticated forensic tools could recover your data.
If you are extremely paranoid you could run all three utilities one after the other to guarantee that no forensic tools can recover your data. Also be very careful that you do not overwrite important data, as it is extremely hard or impossible to recover.