SUSE Conversations


Securely Erasing Partitions



By: DamianMyerscough

December 14, 2007 10:10 am

Problem:

Deleted files and reformatted partitions still contain sensitive data that can be recovered.

Solution:

This article looks at three utilities that reduce the chance of a malicious user recovering sensitive data from a partition.

Environment:

This article was tested on SUSE Linux Enterprise Server and SUSE Linux Enterprise Desktop.

Introduction to disk cleaning

In this article we look at three methods for securely wiping partitions and deleting sensitive files so that they are difficult for malicious users to recover. The three tools are “scrub”, “shred” and “dd”; each overwrites the data in place, and scrub and shred can do so several times in one run.

We start with a blank Linux partition, “/dev/sda3”, format it with the Reiser file system and write several files containing simulated sensitive data, which we then attempt to recover. We use the “strings” command to perform a simple recovery of the simulated sensitive data from the raw partition.

Partition preparation

The first step is to format the partition with the Reiser file system. The command is “mkfs.reiserfs” followed by the partition to format, “/dev/sda3”, as shown in Figure 1.

linux-a2f6:/media # mkfs.reiserfs /dev/sda3 
mkfs.reiserfs 3.6.19 (2003 www.namesys.com) 
...
...
Format 3.6 with standard journal 
Count of blocks on the device: 1311296 
Number of blocks consumed by mkreiserfs formatting process: 8252 
Blocksize: 4096 
Hash function used to sort names: "r5" 
Journal Size 8193 blocks (first block 18) 
Journal Max transaction length 1024 
inode generation number: 0 
UUID: 052cb24f-6db8-4733-b722-4add425fa69d 
ATTENTION: YOU SHOULD REBOOT AFTER FDISK! 
        ALL DATA WILL BE LOST ON '/dev/sda3'! 
Continue (y/n):y 
Initializing journal - 0%....20%....40%....60%....80%....100% 
Syncing..ok 
ReiserFS is successfully created on /dev/sda3.

Figure 1: Formatting the “/dev/sda3” partition with the Reiser file system.

Once the partition is formatted, mount it so that test files can be written to it. Figure 1.1 shows the commands used to mount “/dev/sda3”.

linux-a2f6:/media # mkdir /media/sda3
linux-a2f6:/media # mount /dev/sda3 /media/sda3

Figure 1.1: Mounting the “/dev/sda3” partition.

Once the partition is mounted you can write some simple test files. In this article we create one file, “credit_card.db”, containing the simulated credit card information listed in Figure 1.2.

Damian Myerscough 1234-1234-1234-1234
Jason Myerscough 0000-0000-0000-0000
Andrey 5555-5555-5555-5555

Figure 1.2: “credit_card.db” sample file.

You can create more files in the same way. When you have finished creating the test files, unmount the partition with the “umount” command as shown in Figure 1.3.

linux-a2f6:/media # umount /media/sda3

Figure 1.3: Unmounting the “/dev/sda3” partition.

Once “/dev/sda3” has been unmounted, reformat it with the Reiser file system as in Figure 1. If you remount the partition, the file is no longer listed, but its contents are still on the disk: the reformat rewrote the file system metadata and journal, not the data blocks the file occupied.

Recovery

Once you are satisfied that the file appears to have been deleted, run the “strings” command against the raw partition and filter the output with “grep” for the filename, as shown in Figure 2.

linux-a2f6:/media # strings /dev/sda3 | grep -i credit_
/media/sda3/credit_card.db

Figure 2: Retrieving the “credit_card.db” file.

As Figure 2 shows, the “credit_card.db” filename is still on the partition. You may be thinking “that is only the filename, no contents were revealed”. Adding the “-A 5” qualifier, which prints five lines of context after each match, retrieves the contents of the file as well, as shown in Figure 2.1.

linux-a2f6:/media # strings /dev/sda3 | grep -i credit_ -A 5 
/media/sda3/credit_card.db 
U3210#"! 
Damian Myerscough 1234-1234-1234-1234 
Jason Myerscough 0000-0000-0000-0000 
Andrey 5555-5555-555-5555 
I *q~ 
linux-a2f6:/media #

Figure 2.1: Recovering the file contents.

As Figure 2.1 shows, the file content was retrieved, so the sensitive data is still exposed even though the partition has been reformatted.
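The recovery check in Figures 2 and 2.1, and the single random-data pass that defeats it, as an added shell example that is not part of the original article. It stands in for “/dev/sda3” with a constructed 1 MiB image file so that it runs without root and without a spare partition, uses “grep -a” on the raw image in place of “strings | grep” (the result is the same for this data), and assumes GNU/BSD “head -c” and, for a real block device, “blockdev --getsize64” from util-linux.

```shell
#!/bin/sh
# Added example; not code from the original article.
set -eu

# Build a constructed stand-in for /dev/sda3: a 1 MiB zero-filled image
# with the old credit_card.db contents left behind at block 100, the way
# the freed ReiserFS blocks kept them after the reformat in Figure 2.1.
make_image() {
    img=$1
    dd if=/dev/zero of="$img" bs=4096 count=256 2>/dev/null
    printf '%s\n' \
        'Damian Myerscough 1234-1234-1234-1234' \
        'Jason Myerscough 0000-0000-0000-0000' \
        'Andrey 5555-5555-5555-5555' \
        | dd of="$img" bs=4096 seek=100 conv=notrunc 2>/dev/null
}

# Number of lines on DEV ($1) that still contain PATTERN ($2), ignoring
# case. grep -a reads the raw device as text, so this is the same check
# as "strings DEV | grep -i PATTERN" in Figure 2; LC_ALL=C stops grep
# from tripping over bytes that are not valid UTF-8. Prints 0 if clean.
remnants() {
    LC_ALL=C grep -a -i -c -- "$2" "$1" || true
}

# Size of DEV in bytes: blockdev (util-linux, assumed) for a real block
# device, wc for an image file.
device_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1"; fi
}

# One pass of random data over the whole of DEV ($1), the same thing
# "dd if=/dev/urandom of=/dev/sda3" does, followed by the remnant check
# for PATTERN ($2). Returns 0 only if the pattern can no longer be found.
# head -c (GNU/BSD coreutils, assumed) bounds the write to the exact size
# so the image file is not grown and the last partial block is covered.
wipe_and_verify() {
    dev=$1; pattern=$2
    size=$(device_size "$dev")
    head -c "$size" /dev/urandom | dd of="$dev" bs=4096 conv=notrunc 2>/dev/null
    sync
    [ "$(remnants "$dev" "$pattern")" -eq 0 ]
}
```

Run it against an image file first (for example one produced by make_image); pointing wipe_and_verify at a real device overwrites that device. The remnant check only proves that the strings you know about are gone, which is why the check is done with the same pattern that succeeded before the wipe.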

Secure erase with shred

Having retrieved the sensitive data from the reformatted partition, you now know that “mkfs.reiserfs” does not wipe files from the partition. The first utility we look at is “shred”, which can be used to securely erase the partition.

The shred utility overwrites the partition with random data, by default three times, making it hard for malicious users to recover sensitive data. Figure 3 shows the command used to overwrite the partition once with random data.

linux-a2f6:/media # shred -v -n 1 /dev/sda3 
shred: /dev/sda3: pass 1/1 (random)... 
shred: /dev/sda3: pass 1/1 (random)...189MiB/5.1GiB 3% 
shred: /dev/sda3: pass 1/1 (random)...421MiB/5.1GiB 8% 
shred: /dev/sda3: pass 1/1 (random)...641MiB/5.1GiB 12% 
shred: /dev/sda3: pass 1/1 (random)...875MiB/5.1GiB 17% 
shred: /dev/sda3: pass 1/1 (random)...1.0GiB/5.1GiB 21% 
shred: /dev/sda3: pass 1/1 (random)...1.2GiB/5.1GiB 25% 
shred: /dev/sda3: pass 1/1 (random)...1.5GiB/5.1GiB 30%

Figure 3: Overwriting the “/dev/sda3” partition with random data.

The command shown in Figure 3 overwrites the data on “/dev/sda3” once with random data. Table 1 explains what each qualifier does.

Qualifier   Description
-v          Turns on verbose output, showing the shredding progress.
-n N        Overwrites the partition N times (shred defaults to three passes when -n is omitted).

Table 1: Shred qualifiers explained.

Once you have shredded the “/dev/sda3” partition, re-run the command from Figure 2.1 to check whether the data can still be recovered. It returns no results, because the partition now contains only random data.

Secure erase with scrub

The second method uses a third-party utility that must be downloaded from the Internet [1]. This article uses the “scrub-1.9-1.src.rpm” source RPM, which has to be rebuilt. Once you have downloaded “scrub-1.9-1.src.rpm”, install it with the “rpm” command as shown in Figure 4.

linux-a2f6:/media # rpm -Uhv scrub-1.9-1.src.rpm

Figure 4: Installing the scrub source RPM.

Once the source RPM is installed, change into the “SPECS” directory and build the binary RPM from the spec file, as shown in Figure 4.1.

linux-a2f6:/media # cd /usr/src/packages/SPECS/
linux-a2f6:/usr/src/packages/SPECS # rpmbuild -ba scrub.spec

Figure 4.1: Building the source RPM.

Once the RPM has been built, change into the “RPMS/i586” directory and install the scrub binary RPM as shown in Figure 4.2.

linux-a2f6:/media # cd /usr/src/packages/RPMS/i586
linux-a2f6:/usr/src/packages/RPMS/i586 # rpm -Uhv scrub-1.9-1.i586.rpm

Figure 4.2: Installing scrub binary RPM.

Once you have installed the scrub utility you can reproduce the steps in section “Partition preparation” to setup the testing environment.

Once the test environment has been set up, securely erase the partition again, this time with scrub. Figure 4.3 shows the command used to erase “/dev/sda3”.

linux-a2f6:/media # scrub -p dod -f  /dev/sda3 
scrub: using DoD 5220.22-M patterns 
scrub: please verify that device size below is correct! 
scrub: scrubbing /dev/sda3 5371107840 bytes (~5GB) 
scrub: 0x0     |................................................| 
scrub: 0xff    |................................................| 
scrub: random  |................................................| 
scrub: 0x0     |................................................| 
scrub: verify  |................................................|

Figure 4.3: Securely erasing the “/dev/sda3” partition.

Once you have erased the “/dev/sda3” partition, re-run the command from Figure 2.1 to check whether the data can still be recovered. It returns no results, because the disk has been overwritten with the DoD 5220.22-M pattern sequence (0x00, 0xff, random, 0x00, followed by a verify pass that reads the disk back, as shown in Figure 4.3). Table 2 explains what each qualifier does.

Qualifier   Description
-p          Selects the overwrite pattern set; “dod” is the DoD 5220.22-M sequence.
-f          Scrubs the disk even if it carries scrub's signature saying it has already been scrubbed.

Table 2: Scrub qualifiers explained.

Secure erase with dd

The “dd” command is not designed for shredding partitions, but it can overwrite a partition with random data. Each run is a single pass, so run it more than once if you want multiple overwrites. Reproduce the steps in the section “Partition preparation” before issuing the “dd” command.

Once you have set up your test environment, issue the “dd” command as shown in Figure 5, which fills the “/dev/sda3” partition with random data.

linux-a2f6:/media # dd if=/dev/urandom of=/dev/sda3
dd: writing to `/dev/sda3': No space left on device 
10490446+0 records in 
10490445+0 records out 
5371107840 bytes (5.4 GB) copied, 1231.36 seconds, 4.4 MB/s

Figure 5: Erasing the “/dev/sda3” partition.

Once the “dd” command has finished (it stops with “No space left on device” when it reaches the end of the partition, which is expected), run the “strings” command from Figure 2.1 to check whether the data can be recovered. It returns nothing, because “/dev/sda3” now contains only random data.

Final Thoughts

Now that you know how to securely erase your partitions, you need not fear disposing of your hard disk drive(s). I would also recommend overwriting the disk more than once, since some highly specialised forensic tools might otherwise recover data. Two caveats apply whichever tool you use: an overwrite only reaches the sectors the drive still presents to the operating system, so sectors the drive has remapped as bad are not touched, and you should read the device back afterwards (scrub's verify pass does this) rather than assume the write succeeded.

If you are extremely paranoid you could run all three utilities one after the other; it costs nothing but time and further reduces what any forensic tool could recover. Also be very careful that you do not overwrite important data, as after an overwrite it is extremely hard or impossible to recover.
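A multi-pass wipe with a final zero pass, followed by a whole-device verification, as an added shell example that is not from the original article. It uses shred when it is installed (“shred -z” adds the final zero pass, which is what the author's reply below recommends doing after the random passes) and otherwise falls back to dd, one pass per run, then checks that every byte reads back as zero with “cmp -n” rather than searching for one known string as Figure 2.1 does. Assumes GNU/BSD “head -c”, GNU/BSD “cmp -n” and, for a real block device, “blockdev --getsize64” from util-linux; point it at an image file unless you really mean to wipe a device.

```shell
#!/bin/sh
# Added example; not code from the original article.
set -eu

# Size of DEV in bytes: blockdev (util-linux, assumed) for a real block
# device, wc for an image file.
device_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1"; fi
}

# Overwrite DEV ($1) with PASSES ($2, default 3) passes of random data and
# then one pass of zeros. shred does both in one invocation (-n for the
# random passes, -z for the trailing zero pass); the dd fallback does the
# same thing one pass at a time. head -c (GNU/BSD coreutils, assumed)
# bounds each write to the exact device size.
multi_pass_wipe() {
    dev=$1; passes=${2:-3}
    if command -v shred >/dev/null 2>&1; then
        shred -n "$passes" -z "$dev"
    else
        size=$(device_size "$dev")
        i=0
        while [ "$i" -lt "$passes" ]; do
            head -c "$size" /dev/urandom | dd of="$dev" bs=4096 conv=notrunc 2>/dev/null
            i=$((i + 1))
        done
        head -c "$size" /dev/zero | dd of="$dev" bs=4096 conv=notrunc 2>/dev/null
    fi
    sync
}

# Succeed only if every byte of DEV ($1) reads back as zero. Comparing the
# whole device against /dev/zero checks all of it, not just the places
# where a known string used to be.
verify_zeroed() {
    dev=$1
    size=$(device_size "$dev")
    cmp -n "$size" "$dev" /dev/zero >/dev/null 2>&1
}
```

verify_zeroed is only meaningful after a wipe that ends in a zero pass; after a purely random final pass, use the remnant search from the recovery section instead. The final zero pass is also what makes a wiped drive look blank to the next owner, which is the reason the author gives for it in the comments.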

Reference

  1. http://sourceforge.net/project/showfiles.php?group_id=153984&package_id=170911&release_id=504520
Categories: SUSE Linux Enterprise Desktop, SUSE Linux Enterprise Server, Technical Solutions

Disclaimer: As with everything else at SUSE Conversations, this content is definitely not supported by SUSE (so don't even think of calling Support if you try something and it blows up).  It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.

7 Comments

  1. By:Rachelsdad

    Great article. Well written and informative. However, there is always more than one way to do things…

    A commercial utility exists (probably more than one, in fact) which may be used either as a Linux, OS/2, DOS, or Win32 native executable or run from a bootable CD-ROM, USB stick, or floppy disk: DFSee. The price is quite reasonable, the utility is solid, and the support is top notch. (And BTW, DFSee does much more than just securely wipe partitions.)

    DFSee’s secure wipe option will accomplish all of this with no muss, no fuss, and with confidence (and no, I’m not the author; just a very, very satisfied user for a very long time).


    Lewis
    ————————————————————
    Lewis G Rosenthal, CNA, CLP, CLE
    Rosenthal & Rosenthal, LLC
    Accountants / Network Consultants
    New York / Northern Virginia http://www.2rosenthals.com
    eComStation Consultants http://www.ecomstation.com
    Novell Users Int’l http://www.novell.com/openenterpriseserver
    Need a managed Wi-Fi hotspot? http://www.hautspot.com
    ————————————————————

  2. By:anonymous

    `shred` is a silly command. It takes about 15 minutes to destroy a 1GB file using GNU `shred` with default options. Using `shred --iterations=1 somefile` gets you a little over 30 seconds which is far more reasonable.
    It takes only 30 seconds to destroy a 1GB file using `dd`. If I was wiping out a hard drive for security reasons I would use the `dd` command.

    This whole MYTH of the necessity for using multiple random overwrites for security came about because Dr. Peter Gutmann theorized that overwritten data could be recovered through the use of Scanning transmission electron microscopy. This is all theory — no one has ever demonstrated this. Certainly nobody is going to spend that much money just to recover YOUR data. No commercial data recovery or forensics firms offer any services that can recover overwritten data.

    If you are not part of the tinfoil-hat contingency then put this in your ~/.bashrc or aliases file and you will save yourself some trouble:

    alias shred='shred --iterations=1'

    Here is how I tested this. This is on a laptop with a 1.6Ghz dual core, 2GB RAM machine with a Seagate Momentus ST9160823AS laptop drive with ext3 filesystem — in other words, nothing fancy.


    time dd if=/dev/zero of=somefile bs=1024 count=1M # create some file
    time shred somefile # shred it with default settings
    time shred --iterations=1 somefile # shred it with sane settings

  3. By:gwayne

    Well, some thoughts about destroying data

    1) Covering data with only zeros would make it easy to recover. So use random numbers.
    2) Overwrite at least 3 – 8 times.

    For the really paranoid. That makes it expensive to retrieve the data, but still not impossible.

  4. By:DamianMyerscough

    Hello gwayne,

    The reason for overwriting the file with zeros is to make it look like there were no previous files there.

    I recommend overwriting your sensitive data with junk and then overwriting the junk with zeros.

  5. By:Anonymous

    hey Damian

    Actually there is a reason why I say 8 times. With the right technical equipment you can look through the magnetic layers. So I agree with the approach; it's just that only the shredder, i.e. physical destruction of the media, or at least an 8-time overwrite (and that's the minimum) can obscure the original data enough that the chance that it is recovered is minimal.

    It's money that decides what's possible :)

  6. By:Anonymous

    … appears little if any better than the completely free boot ‘n’ nuke

    http://www.dban.org/

  7. By:gwayne

    That was my reply, sorry forgot to log in :)
