Bleachbit stifles investigation

Discussion in 'all things UNIX' started by Palancar, Aug 25, 2016.

  1. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599
    Many times we have circulated various threads regarding a wiping program to be used on Linux. Today I was watching TV and congressman Trey Gowdy was discussing their investigation of the server that Hillary's team wiped. He went on to say that it was wiped so clean that "God cannot even see anything" and it was done using a program called Bleachbit. His investigators have been completely stifled by it.

    In general I would have to say that is quite an endorsement for Bleachbit!! I have been using it for some time now. This makes me feel good about using it.
     
    Last edited: Aug 25, 2016
  2. Nanobot

    Nanobot Registered Member

    Joined:
    Jun 23, 2010
    Posts:
    238
    Location:
    Neo Tokyo
  3. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    This is good news! It means BleachBit is doing its job.
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,702
    Wipe it, wipe it good (Devo). Well, if you do a lot of random passes, you will render the disk unreadable.
    Mrk
     
  5. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599
    I am planning on doing a BleachBit test this week. Take a small 126 meg flash and wipe free space with BB and then run a WinHex on it for a baseline. Wipe free space again and do another WinHex and then compare them for contrast. The software is coded to do a one pass run, but the interesting thing will be to note the randomness (if much) factor. In an ideal world the two runs would be completely "off" maximizing the overwrite completeness. Wish I had more time to tear this apart.
     
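The test described above (dump the flash after one free-space wipe, wipe again, dump again, and contrast the two) comes down to a few measurements on the two images. The script below is an added example and not code from BleachBit or from the poster: `compare_images` reports how many bytes and whole sectors differ between two dumps and the entropy of each (a deterministic fill gives identical dumps and 0 bits of entropy; a random fill gives dumps that differ almost everywhere at close to 8 bits), and `unfilled_sectors` lists any sector that is not a solid run of the fill byte, which is the residue an examiner would look at. The images are constructed in the script; a real run would read the two WinHex dumps from disk instead.

```python
"""Contrast two captures of the same device taken after successive free-space
wipes. Added example; the images below are constructed, not real captures."""
import math
import random
from collections import Counter

SECTOR = 512


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant fill, close to 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def compare_images(img_a: bytes, img_b: bytes) -> dict:
    """Per-byte and per-sector contrast between two dumps of the same device."""
    if len(img_a) != len(img_b):
        raise ValueError("images must be the same size")
    n = len(img_a)
    sectors = n // SECTOR
    differing = sum(1 for x, y in zip(img_a, img_b) if x != y)
    identical = sum(
        1 for i in range(sectors)
        if img_a[i * SECTOR:(i + 1) * SECTOR] == img_b[i * SECTOR:(i + 1) * SECTOR]
    )
    return {
        "bytes_differing": differing / n,
        "sectors_identical": identical / sectors,
        "entropy_a": shannon_entropy(img_a),
        "entropy_b": shannon_entropy(img_b),
    }


def unfilled_sectors(img: bytes, fill: int = 0) -> list:
    """Indices of sectors that are not a solid run of `fill`. After a one-pass
    fill every sector should match, so anything listed here is residue."""
    blank = bytes([fill]) * SECTOR
    return [i for i in range(len(img) // SECTOR)
            if img[i * SECTOR:(i + 1) * SECTOR] != blank]


# Constructed stand-ins for the two dumps.
def zero_fill_image(size: int) -> bytes:
    return bytes(size)


def random_fill_image(size: int, seed: int) -> bytes:
    rng = random.Random(seed)  # seeded so the example is reproducible
    return rng.getrandbits(size * 8).to_bytes(size, "big")


def with_residue(img: bytes, sector: int, payload: bytes) -> bytes:
    """Plant leftover data in one sector to show what the check flags."""
    buf = bytearray(img)
    buf[sector * SECTOR:sector * SECTOR + len(payload)] = payload
    return bytes(buf)


if __name__ == "__main__":
    size = 64 * 1024
    z1, z2 = zero_fill_image(size), zero_fill_image(size)
    r1, r2 = random_fill_image(size, 1), random_fill_image(size, 2)
    print("zero vs zero    :", compare_images(z1, z2))
    print("random vs random:", compare_images(r1, r2))
    leftover = with_residue(z1, 3, b"From: someone@example.invalid\r\n")
    print("residue sectors :", unfilled_sectors(leftover))
```

Two identical dumps with zero entropy mean the tool writes a fixed pattern, so a second pass adds nothing; two dumps that differ in almost every byte mean the passes are independent, which is the "completely off" outcome the test is looking for.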
  6. Holysmoke

    Holysmoke Registered Member

    Joined:
    Jun 29, 2014
    Posts:
    112
    How does BB do such a great job? By default it is set to merely delete files and not shred them at all. The average joe will think he is getting Hillary Clinton level wiping when he is not.
     
  7. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599
    Before a week ago the "average joe" had never even heard of BB. I have been using it for years. Someone with the foresight to employ BB should understand how simple it is to use. It's fantastic for wiping free space and most effective for wiping an entire drive space without files in the way. That is true of all wiping software though because it won't have to contend with cluster tips on fragmented files/sectors.
     
  8. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    Note that the article talks about congressmen's investigation, and not a police investigation. I wouldn't expect congressmen to be able to use forensic tools.
     
  9. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599

    I was operating on the assumption that the Congressman was giving his "report" based on feedback from his team of forensic examiners.

    Like all examiners, I would love to have access to that disk platter to throw everything I own at it. Not going to happen.
     
  10. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    689
    @Palancar Looking forward to your test results.
     
  11. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States
    The FBI has recovered 15,000 Clinton work emails that were not released by Clinton.

    When Comey spoke in front of Gowdy's committee in July he stated they had recovered 'several thousand' emails and partial emails from the drives. Now several thousand has turned into 15,000. The fact that he used the term partial, at that time, means the drives weren't completely wiped. There were several servers and several hard drives involved.

    Gowdy never had access to the hard drives involved, he just came out with a statement saying she used BB, to try and show her intent to hide information.
     
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,953
    Location:
    USA
    I think one could use one of the 3 pass methods available, and the FBI would not be able to retrieve anything. It does not take much to make data unreadable. I think Eraser would perform better due to its more redundant eraser options, but Eraser does not have the options they needed for the email server, etc.
     
  13. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    One pass is more than enough for "modern" (post 1995-ish) hard drives.

    Gutmann, the guy who wrote the "35-pass" (or "Gutmann method") paper that became an Urban Legend, says people misunderstand his research and says that performing 35 wipes is pointless for any drive:
    He also stated:
    So unless you have a 1 GB HD from 1995, you shouldn't do a random wipe.

    http://www.howtogeek.com/115573/htg-explains-why-you-only-have-to-wipe-a-disk-once-to-erase-it/

    I personally find random wiping pointless too, because the "attack" (with a Force Field Microscope) was only theoretical and nothing practical was ever shown. I only do one wipe with zeroes. Once there was this "Great Zero Challenge", it's a good read: http://www.hostjury.com/blog/view/195/the-great-zero-challenge-remains-unaccepted
     
  14. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States
    They didn't do a very good job of wiping the emails and the total number has been updated to 15,000 whole or partial emails recovered from her servers.

    http://www.bigstory.ap.org/article/...will-review-and-release-unseen-clinton-emails

    State Dept. will review and release unseen Clinton emails

    By STEPHEN BRAUN

    Jul. 13, 2016 4:28 PM EDT

     
  15. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States
  16. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599
    I think the issue at play here is not "wiping technique" but rather how to clean a system and still leave a system on the drive. A child can delete the entire system and then do multi or single pass overwrites of every sector. We have all done that and it's rock solid. You know, delete everything, reformat to Fat32 and then pick a known software to blow away via overwrites of each and every drive sector.

    A critical overlooked flaw in the process is when an older drive has bad sectors, which are no longer used. Slightly more advanced recovery software can actually get to those sectors. You can read about it at Gibson's place if you wanted to. Run of the mill wiping software will not cause the drive to overwrite those bad sectors so they don't get wiped. Therein lies risk.

    I solve that risk by ONLY using brand new drives and doing full disk encryption from the beginning of its life. When sectors go bad and the hardware driver on the disk no longer uses those sectors it won't matter because the bytes there are encrypted and not plain text. I occasionally re-do the drives using completely different header keys so those bad sector components are lost forever since they will NEVER be discernible or readable in any way.

    CCleaner and BB are great products but in "amateur" hands you cannot expect them to prevent some recovery. If these servers were set up in fundamentally weak ways from the start the only safe data demolition would have been a complete wipe including the system itself. I am betting they attempted to make it look "polished" and they left the system in place, which in the end bit them in the ***.

    If you make a clean backup image of your system (at the very start) you can always do the complete destruction of the platter space and then re-image your system back to the drive. Now you have clean and forensically pure sectors with an established system in play. That would be how I would do it!
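The cycle described in this last post (clean image taken at the very start, full overwrite of every sector, verification, then re-image) can be carried out and checked with a short script. The following is an added example and is not BleachBit's, Eraser's or the poster's own code: it runs against an ordinary file standing in for the drive (the `drive.img` and `clean-system.img` paths and the `Subject:` residue line are constructed), overwrites every addressable sector with a fill byte, confirms no sector and no fragment of the residue survived, and restores the clean image. As the post itself notes, sectors the drive has already remapped are outside what any of this can reach.

```python
"""Backup image -> overwrite every sector -> verify -> re-image, on a file
standing in for the drive. Added example; paths and residue are constructed."""
import os
import shutil
import tempfile

SECTOR = 512


def overwrite_every_sector(dev_path: str, fill: int = 0, passes: int = 1) -> int:
    """Write `fill` over every addressable sector of the image, then fsync so
    nothing is left sitting in a write cache. Returns sectors written per pass."""
    size = os.path.getsize(dev_path)
    block = bytes([fill]) * SECTOR
    full, rem = divmod(size, SECTOR)
    with open(dev_path, "r+b") as dev:
        for _ in range(passes):
            dev.seek(0)
            for _ in range(full):
                dev.write(block)
            if rem:
                dev.write(block[:rem])
            dev.flush()
            os.fsync(dev.fileno())
    return full + (1 if rem else 0)


def verify_blank(dev_path: str, fill: int = 0) -> list:
    """Indices of sectors still holding anything other than `fill`; an empty
    list means the overwrite reached every sector the OS can address."""
    blank = bytes([fill]) * SECTOR
    leftovers, i = [], 0
    with open(dev_path, "rb") as dev:
        while chunk := dev.read(SECTOR):
            if chunk != blank[:len(chunk)]:
                leftovers.append(i)
            i += 1
    return leftovers


def contains(dev_path: str, needle: bytes) -> bool:
    """Crude carving check: is `needle` anywhere in the raw image?"""
    with open(dev_path, "rb") as dev:
        return needle in dev.read()


def sanitize_and_reimage(dev_path: str, backup_path: str,
                         fill: int = 0, passes: int = 1) -> list:
    """Blow away every sector, verify, then put the clean image back.
    Returns the sectors the overwrite failed to blank (expected: none)."""
    overwrite_every_sector(dev_path, fill, passes)
    leftovers = verify_blank(dev_path, fill)
    shutil.copyfile(backup_path, dev_path)  # re-image the established system
    return leftovers


def demo() -> dict:
    """Walk the cycle on a constructed drive image and report what happened."""
    tmp = tempfile.mkdtemp()
    dev = os.path.join(tmp, "drive.img")            # constructed stand-in
    backup = os.path.join(tmp, "clean-system.img")  # constructed stand-in
    system = b"SYSTEM" * 100
    residue = b"Subject: constructed leftover message\r\n"
    # Day 0: fresh system, clean image taken straight away.
    with open(dev, "wb") as f:
        f.write(system)
        f.write(bytes(3000))  # free space
    shutil.copyfile(dev, backup)
    # Later: a "deleted" message leaves its text behind in free space.
    with open(dev, "r+b") as f:
        f.seek(len(system) + 1000)
        f.write(residue)
    result = {"residue_before": contains(dev, residue)}
    result["sectors_not_wiped"] = sanitize_and_reimage(dev, backup)
    result["residue_after"] = contains(dev, residue)
    result["system_restored"] = contains(dev, system)
    shutil.rmtree(tmp)
    return result


if __name__ == "__main__":
    print(demo())
```

The point the script makes explicit is the "at the very start" part of the post: the residue is gone after the cycle only because the backup was taken before it existed. An image taken after the fact would carry the leftover data straight back onto the freshly overwritten sectors.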