A secure way of file deletion?

Discussion in 'privacy technology' started by wyginwys, Nov 30, 2011.

Thread Status:
Not open for further replies.
  1. wyginwys

    wyginwys Registered Member

    Joined:
    Nov 30, 2011
    Posts:
    2
    Hi
    I want to take your opinions about the following way of file deletion.
    Create a TrueCrypt container and a file in it (say a word document). Keep it as long as you need. Then shift delete the container. If you wish you can use a tool like Eraser for deleting the container.
    Is this a secure way?
    Are there any file parts,remnants,slacks left after deletion? Or are those remnants etc recoverable?

    Ps: I realised that I posted this under privacy software topic. Sorry for this.
     
    Last edited: Nov 30, 2011
  2. Pryvate

    Pryvate Registered Member

    Joined:
    Jun 24, 2011
    Posts:
    56
    OK, first, I'm not a security expert, but I think I know a fair bit about this, so I'll try to answer.

    I would be sure that the Word document in the container would be safe as long as a very long password is used. Use a "passphrase" or "pass-sentence" (and nothing like "to be or not to be, that is the question"). (Passphrases are a nightmare; if they are long enough to be uncrackable, chances are you will forget them and lose your data entirely).

    If you shift-delete the container, the container itself will still be recoverable, unless it is overwritten, but I have read somewhere that file-erasing software leaves "signatures" that it has been used. Still, this leaves the actual data in the Truecrypt container safe - whether the container is deleted or not, or overwritten.

    Do you know about the Windows Swap File / Windows Paging file issue?

    While the Word document in the Truecrypt container is safe, the Windows Swap File or Windows Paging File will record chunks of your Word document, and leave parts of it there to be easily recovered on your hard drive.

    The windows Swap file / Paging File is always, quite normally, in operation and writes bits and pieces of whatever you are doing to your hard drive, and this can be recovered, and can help towards decrypting a Truecrypt container that has not been erased with Eraser or such like. I think the Swap File is your main danger here.

    There are solutions to this problem, Jetico BestCrypt Container Encryption can encrypt the Swap File so that no bits and pieces can be recovered, but it is not freeware, maybe 80 dollars / 60 Euro to buy. Maybe Truecrypt has a similar solution, or maybe try "Free OFTE" or "Diskcryptor" .

    You could also use Truecrypt to encrypt the entire C: drive, including the Swap File, but if anyone forces you to give the password, everything will be decrypted. (No password is needed to encrypt the Swap File with BestCrypt, so there would be no point in anyone pressurising you for it - you're safer that way). I think the Swap File is your man risk here, please ask more about it if you dont understand.

    Maybe ask here also about turning off System Restore and Hibernation in Windows; I think these can save copies of what you work with to hard drive, I am not fully sure.
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    A few points to add to Pryvate's :thumb: comments from me.

    If you can do without System Restore and/or Hibernation, so much the better :)

    I've always got rid of my Swap/Page file by renaming it, as far back as 98SE days ;) If you have enough RAM you don't need it, & i've Never had Any problems :)

    Sure you can use a tool like Eraser for deleting the container, but how about using such to delete the file/folder etc inside it first :thumb:
     
  4. CasperFace

    CasperFace Registered Member

    Joined:
    Jul 31, 2010
    Posts:
    200
    Your way will work fine, but in my opinion, the most secure way to deal with sensitive files is to ensure they never get written to the hard disk in the first place. For that purpose, a RAM disk is the ideal tool. That way there's no need to worry about insecure file deletion, since all data on the virtual disk completely self-destructs upon every shutdown/reboot.

    Since you mentioned a Word document, in that case you would also need to make sure your software is NOT auto-saving a copy (automatic backup) of the file outside of its secure location. And yes; those security loopholes such as Paging file, Hibernation, System Restore, Volume Shadow Copy, etc. should all be disabled/turned OFF.
     
  5. wyginwys

    wyginwys Registered Member

    Joined:
    Nov 30, 2011
    Posts:
    2
    I dont understand the issue with BestCrypt. It encrypts without a password silently.Doesnt it? So interfers with windows in some way when writing to swap?

    Yes system restore,hibernation,swap/paging file,shadow copy are the main obstacles here. And I see that encrypting swap file is not a complete solution. Are there any ways deleting the remnants on swap file? or other solutions for this? Are those known Erasers delete all the traces of a file in this sense?

    Using ramdisks seems a good solution. But what is the way of using them? Using them as usb sticks or an external hard drive, poses the aforementioned risks (swap file etc). How can they be used without interfering with hard drives?
     
  6. Pryvate

    Pryvate Registered Member

    Joined:
    Jun 24, 2011
    Posts:
    56
    Yes, if switched on, it will encrypt the swap file at every reboot with a new encryption key, no password is used- the encryption key is generated automatically at reboot. The BestCrypt Help file goes into some detail about this, I will try to post more on this later.

    You can also initialise the swap file with randon data when Windows starts.

    See screenshot attached, I have both tickboxes checked.
     

    Attached Files:

  7. Pryvate

    Pryvate Registered Member

    Joined:
    Jun 24, 2011
    Posts:
    56
    Ramdisks do indeed seem a good solution but I am afraid I don't know how they can be used without relying on the hard drives, as you say. However, I don't know much about them. Maybe someone else could shed more lght on the issues you raise?
     
  8. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    Here is an nice Free RAM DISK solution:


    Dataram RAMDisk v3.5.130R20
    http://memory.dataram.com/products-and-services/software/ramdisk


    The software is Digitally Signed (Monday, September 19, 2011 8:13:50 PM), complete with User Guide,
    and McAfee Online SightAdvisor Safe.


    McAfee Online SiteAdvisor for dataram.com
    http://www.siteadvisor.com/sites/dataram.com



    HKEY1952
     
  9. Warlockz

    Warlockz Registered Member

    Joined:
    Oct 30, 2008
    Posts:
    642
    Encrypt Your Windows Pagefile To Improve Security

    I'm using Windows 7 Home Premium x64 and this works for me! But I have it set in East-Tec Eraser to erase the Page-File and NTFS Log files when I run Scheduler or Privacy Guard in East-Tec! I thought about just disabling the PageFile altogether since I have 8GB Ram but i always hear so many different stories about doing it? I haven't got around to testing it out for myself!

    Anybody here have Windows 7 x64 and 8GB ram and have disabled their PageFile? how is your experience?
     
    Last edited: Dec 1, 2011
  10. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    Clear the Paging File At Every System Shutdown or Reboot

    Navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\

    Highlight 'Memory Management' and in the Right Hand Pane look for 'ClearPageFileAtShutdown'

    Right Click 'ClearPageFileAtShutdown' and Choose 'Modify'

    Change the 'Value data' to: one (1) then Click 'OK'

    Scroll back up to the top of the Registry Hive and Highlight 'My Computer'

    From the Registry Tool Bar Click 'View/Refresh' then Close the Registry
    (this action will collapse the Registry Tree when closed)

    From now on every time the Computer is Rebooted the Paging File will be Deleted and Re-created Clean and Fresh.
    If you are really concerned, Zero Write the Free Space afterwords.

    To reverse the change, change the one (1) back to zero (0)


    By the way, Welcome to Wilders Security Forums wyginwys


    HKEY1952
     
  11. Warlockz

    Warlockz Registered Member

    Joined:
    Oct 30, 2008
    Posts:
    642
    For the less Advanced user or users who dont want to bother with tweaking their registry through the registry editor, you can use a free tweaker to enable Windows Clear PageFile on shutdown like

    XTweaker XP/Vista/Windows 7
    or
    Windows 7 Little Tweaker
     
    Last edited: Dec 2, 2011
  12. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    In XP there's a very simple way to clear the pagefile on shutdown/reboot via a setting in Local Security Policy: "Shutdown: Clear virtual memory pagefile" - set to Enabled. Not sure if there's a similar thing in Vista/7.

    Do that, disable System Restore, Hibernation, Volume Shadow Copy. I also wipe free space once in awhile with 7 overkill passes, just to be on the safe side.
     
  13. chiraldude

    chiraldude Registered Member

    Joined:
    Jul 3, 2010
    Posts:
    157
    When Windows clears the page file, does it Zero it out or is it just released to free space?
     
  14. Warlockz

    Warlockz Registered Member

    Joined:
    Oct 30, 2008
    Posts:
    642
    Yes windows overwrites the page file with 0s when you enable windows to clear page file at shutdown! IMO you should also Encrypt your pagefile for an added level of security so it will be overwriting encrypted data with 0s on shutdown!
     
    Last edited: Dec 2, 2011
  15. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    You mean the swap file can contain the password that you type in to open a TrueCrypt folder?
     
  16. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    So what does a "ram disk" do? What if you were running a portable browser from a USB stick, sandboxed? Would that prevent the swap file from storing information?

    Is "Volume Shadow Copy" a normal function of windows, like hibernation and system restore?
     
  17. Pryvate

    Pryvate Registered Member

    Joined:
    Jun 24, 2011
    Posts:
    56
    No, I was thinking that the swapfile might contain both plaintext and ciphertext, of the encrypted file.

    Actually, I think what I said might apply more to file encryption programs, such as Cryptext, rather than TrueCrypt, which encrypts on-the-fly.
     
  18. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    Or maybe Axcrypt? I found a copy of something that I had encrypted with Axcrypt after running recuva. I was really surprised.
     
  19. 16s

    16s Registered Member

    Joined:
    Jan 7, 2011
    Posts:
    32
    After you securely delete the files, to be certain that no unallocated space contains data (very possible especially on SSDs) you must completely fill the file system by creating large files and writing them to disk. This is very important.

    So, here are the steps:

    1. Securely delete the files.

    2. Completely fill the filesystem with a large file or several large files. I wrote a tool that can be used for this on Windows (http://16s.us/big/). On Linux/Mac, just use dd to fill the filesystem, then sync and remove the large files you created to overwrite unallocated/slack space.

    3. Reboot.

    No forensic analyst or software (encase, helix, etc.) or special hardware (tableu data acquisition units, etc.) will be able to recover the file after this.
     
  20. marktor

    marktor Registered Member

    Joined:
    Dec 4, 2011
    Posts:
    143
    Interesting. Wouldnt a free space wiper do the same thing or is this better? I have always had great sucess with Active Boot Disk: http://www.ntfs.com/boot-disk-win.htm I can never recover anything with recuva, diskdigger etc.
    Correct link: http://16s.us/big/
     
  21. 16s

    16s Registered Member

    Joined:
    Jan 7, 2011
    Posts:
    32
    The only way to know for certain that data in unallocated space has indeed been overwritten is to completely fill the drive yourself.

    If the "free space wipers" you speak of do this then you are fine. If they do not, then data are still recoverable. If they fill the disk, you should get disk space warning errors while running them. Do you? If not, I would be suspect about their claims.

    Many of these softwares just make you feel good while doing nothing to actually overwrite the unallocated space.
     
  22. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    I agree with this. Your method is sound. Some of the software solutions do work fine with SSDs, but it can be a hit and miss thing.
     
Loading...
Thread Status:
Not open for further replies.