Secure wiping insecure?

Discussion in 'privacy technology' started by SafetyFirst, Apr 11, 2008.

Thread Status:
Not open for further replies.
  1. SafetyFirst

    SafetyFirst Registered Member

    Joined:
    Jan 26, 2007
    Posts:
    462
    I've been using Eraser for years. It's become a habit to me not to delete but always to erase files with 35 overwrites, no matter how unimportant that file is. Eraser is scheduled to wipe unused disk space every day.

    Sometimes I also use some other programs to wipe free space (like Clean Disk Security or Window Washer), but it's mostly Eraser.

    Recently I purchased Winhex specialist edition. I used it's initializing feature (free space wiping) in the strongest mode (maximum security) for several times (supposedly beats forensic software).

    Then I used Winhex search feature to see what's left on the disk unused space. To my surprise, I saw names of files erased months ago! Everything is there! Then I used another program called Disk Investigator and it found those same files. I found uninstalled programs, visited websites URLs (that should have been deleted by CCleaner, CleanCache and Window Washer), files overwritten by Eraser with 35 passes and even names of encrypted files in TrueCrypt container that weren't supposed to come to the hard disk in the first place!

    This experience was quite shocking and eye opening to me. Now I am wondering if such thing as secure deletion exists at all...
     
  2. rookieman

    rookieman Registered Member

    Joined:
    Mar 26, 2006
    Posts:
    409
    Are you just getting the names of the files or can you actually open them?
     
  3. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    994
    Location:
    Hawaii
    Assuming you have an NTFS filesystem, the filenames are probably obsolete MFT entries. It's very difficult for a wiping utility to clear old MFT entries without damaging the filesystem. Even Eraser doesn't do this - it allows the obsolete filenames to remain as 'ghosts', although there is no attached data. I suggest you give Jetico's BCWipe a try, as I've heard it can manage this trick.

    Another approach would be to backup your data (using a file-based, not an image-based backup), wipe and reformat the partition, and then restore the data. A brand-new MFT will be created with none of the obsolete entries. Of course, this isn't particularly convenient if your data is stored on Drive C, so it's always best to store sensitive data on a separate drive or partition that can be wiped more easily.

    I'm not sure how your TrueCrypt-encrypted filenames leaked onto an unencrypted portion of your drive, but there are several possibilities. Temp files, for example. Or, perhaps you temporarily moved or copied your files into an unencrypted area. The TrueCrypt MFT remains encrypted along with the rest of the filesystem, so the only way you could view 'ghost' entries from that particular MFT would be if the volume happened to be mounted when you ran the recovery software.

    (edit): PS: It might be wise to image your drive before attempting to clean the MFT, just in case something unexpected happens.
     
  4. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    I keep all of my data on a separate FAT32 formatted hard drive.
     
  5. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    Many programmes will wipe a file, however, some leave the filename behind, even though the file has gone.

    You dont need to wipe a file 35 times. Writing over it just once is enough and will prevent any software based recovery.

    Files can be recovered due to seepage of the magnetic polarisation. - a section of the disk (say for example a square micron) may be magnatised as part of storring a file. If this is left in place for a while, the magnatism seeps out to cover the surrounding area. If the file is erased by having another file written on top, there is a possibility the old file can be recovered by reading the area around the file where the old file seeped to. This cant be done by software - only hardware tools.

    Leaving filenames behind of wiped files can be dodgy if the filename gives away the meaning of the file - eg "where I hid the body and murder weapon.doc"!!

    I believe in FAT files, the filename can be hidden in the directory structure and in NTFS is hidden in some similarly hard to erase place.

    Another interesting point is that if you dont believe wiping a file once is good enough - you may want to be aware that there will be files on your hard drive that were occupying sectors that are now occupied by other files - eg, only written over once. Files are being moved and erased all the time. What are you going to do about the fact that an unknown number of files are now covered by other files (effectively wiped once)?

    The other thing to consider is - does it matter. Unless you are up to something dodgy, who is going to go to the trouble of spending thousands on having your hard disk taken to bits and examined with some flashy bit of kit?

    Just wipe your files once!

    Im off to make a tin foil hat to stop the goverment reading my thoughts.
     
  6. SafetyFirst

    SafetyFirst Registered Member

    Joined:
    Jan 26, 2007
    Posts:
    462
    Thanks to all of you for your answers.

    No, I haven't tried to restore the files I found (I don't know how to do it), but even if it is just the filenames and not the actual files themselves, still it is a major security risk.

    Since I am no expert I have to ask some other questions.

    I was planning to buy an external HD, to make a copy of my present system to it using Acronis True Image and then to encrypt that new HD using this new version of TrueCrypt that supports full disk encryption. After having it tested several times to make sure everything works fine (since FDE can often be problematic), then I would encrypt the whole system on my primary HD.

    Then I would try to erase slack space and MFT entries on my old HD using BCWipe. If I do so, will I be able to boot from the new HD if my old HD crashes?

    Also, if I change the file system on this new HD from NTFS to FAT32 will I have to resize partitions?
    From wikipedia:
    The FAT32 formatting support in Windows 2000 and XP is limited to volumes of 32 GB, which effectively forces users of modern hard drives either to use NTFS, to partition the drive into smaller volumes (below 32 GB), or to format the drive using third party tools. What does it mean?

    Please, help me to solve this and feel free to give some other advice.

    So far, I see the system encryption with pre-boot authentication as the only way to ensure privacy of the data on my PC.
     
  7. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    @Safety first: those are good answers:
    Why dont you tell us what you want to wipe
    ..heh heh..
    Then we may be able to assist better :shifty:

    ?? yes: something wrong with your methodology/protocols ??
    sounds like you might have to?

    If you have used winhex: http://www.x-ways.net/winhex/forensics.html
    then you know this can do a sector by sector wipe and replace : this is about as good as software erasing gets.
    There are issues with many 'wipers' and file remnants, file names and the MFT

    This might help you feel better: http://www.snapfiles.com/get/restoration.html

    If you plan on doing a disk-wipe http://dban.sourceforge.net/ is as good as most.

    google Peter Gutmann for a better understanding of 'wiping'
    http://www.cs.auckland.ac.nz/~pgut001/

    You probably cant completely defeat the latest and greatest lab based hw recovery techniques. MAybe only a superdegauss might work: got one of those ? Even physical destruction of HD is/can be difficult.

    If you really have commercially sensitive data or such then get your employer to at least provide some validated system for you.
    Dont connect to the web with that box :D
    Dont pick up any USB drives from 'friends' ;)

    Keep your sensitive data off your hd, encrypted, on a medium that can be physically destroyed.
    Search here for any other threads: https://www.wilderssecurity.com/search.php?searchid=2192829

    Damn these tin hats get hot.
    :)
     
    Last edited: Apr 13, 2008
  8. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    SafetyFirst, based upon conversations that I have had with CyberScrub technical support, here is my understanding of the situation.

    Some erase utilities (e.g., Privacy Suite by CyberScrub) will erase both the file name and the file contents of existing files, if stored on a NTFS volume. The file name is erased by renaming the file, so as to overwrite the original $MFT entry. However, on a FAT volume, a file rename operation will not overwrite the same entry – rather, a new entry is created and the old entry is marked as “deleted.”

    However, Privacy Suite can erase these FAT entries when an “erase free space” operation is performed (using the “scramble file and folder properties” option), because all of the free space on the volume is temporarily occupied and therefore the file table can’t expand – allowing the utility to directly overwrite unused entries. This same process also works on NTFS volumes, to erase the names of previously deleted files.
     
  9. SafetyFirst

    SafetyFirst Registered Member

    Joined:
    Jan 26, 2007
    Posts:
    462
    Where does Windows store renamed filenames? Only in $MFT or in $LogFile too? If i rename existing sensitive files, where will be the old filenames stored?

    Are you saying that Privacy Suite by CyberScrub would easily solve my problem?
     
  10. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,305
    Location:
    Location Unknown
    Wouldn't Eraser be able to do the same thing, but for free?
     

    Attached Files:

  11. SafetyFirst

    SafetyFirst Registered Member

    Joined:
    Jan 26, 2007
    Posts:
    462
    I used to think it would but now I don't know what to think.
     
  12. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
  13. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    OOI: be very very cautious with ERASER and free space/cluster tip wipes.
    AFAICR the forum is full of users who crashed a disc and lost (in a disorganised way) all their data and MBR with various versions after 5.7

    That may have changed: i'm still on 5.7 ;)
     
  14. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,305
    Location:
    Location Unknown
    I am very interested in learning more about the specific reason why Eraser 5.8* is not as good as 5.7. In the interest on not hijacking this thread, could you please PM so we can discuss this further?
     
  15. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    SafetyFirst, if you rename a file on a NTFS volume, the same $MFT record will be reused – and, in that way, the original file name is overwritten. On a FAT volume, you need to first erase the contents of the file, and then run a utility like CyberScrub Privacy Erase to erase the file table (using the “scramble file and folder properties” option) in order to destroy the file name entry.

    I have not used Eraser, but it may provide functionality that is equivalent to Privacy Suite. I can say, however, that I have used Privacy Suite to wipe the free space of drives on many, many occasions, and it has never caused a problem on Windows XP or Vista.
     
  16. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    R-Wipe overwrites the drive and then it goes back and says "Proceeding with MFT on NTFS". Then it goes over temporary files (or something like that).
     
  17. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    This reminds me of the guy that posted a while back saying that none of the wipe utilities worked (his name was Shadow or something like that). Someone recently posted about a product called Sweepi. It also cleans out thumbs.db. I had not heard of those. But I did delete them and set my options not to allow them (and also to show hidden files). I wonder if this (thumbs.db) is what is showing up and *not* deleted items from the hard drive?

    Anyway, after reading this post last night, I decided to do an experiment. I wiped my hard drive and ran Restoration to delete the remnants that were left behind. I downloaded a folder to my desktop of some fractals (some really nice ones) . I used the right click option to wipe the folder with R-Wipe. I ran Restoration and all of the files had been renamed. I repeated the same experiment with Eraser with the same results.

    I then repeated this test on my USB stick. To my surprise, R-Wipe did not rename the files but Eraser did. However, after I wiped two other folders with Eraser, the R-Wipe files were renamed and unrecognizeable. I don't understand why.

    But back to thumbs.db, I found a bunch of them after running R-Wipe and Ccleaner the other day. And beyond that, after I did a search and deleted them from the Start menu, Sweepi found some more. I recognized the names. I am thinking that maybe the people who are running these recovery utilities and finding old files, are pulling up the thumbs.db. So disabling these and then using Restoration to permanently delete the fragments left from wiping the hard drive should do a pretty thorough job, right?
     
  18. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Once you turn off thumbs.db you shouldn't have to mess with them again. You might find this program interesting:
    http://www.itsamples.com/software/tdv.html
    As you know, the thumbs.db files are very compressed database files that keep a thumbnail of every picture viewed on your system. With the above software, you can actually look at the pictures inside those little files.
     
  19. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    If the USB stick is formatted as a FAT volume, then the only way (based upon my understanding) that Eraser could wipe the traces of the deleted file names is by erasing all of the free space on the volume first and then proceeding to destroy the file names in the metadata table.

    On a more general note, be aware that a simple erase of a file on a USB stick does not actually erase the contents of the file, because of the wear-leveling mechanism of the hardware. Unlike a hard disk drive in which a sector number will always refer to the same physical location, on a USB stick a sector number is dynamically mapped to a different physical location during a write operation. Thus, the only way to erase a file a on a USB stick is to first delete the file and then wipe all of the free space on the unit.

    For more information on this subject, please read the paper “Algorithms and Data Structures for Flash Memories” at http://www.cs.tau.ac.il/~stoledo/Pubs/flash-survey.pdf.
     
  20. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    From Eraser forums: Erasing USB Key Drives

    Hadn't actually thought about this till now:
    Erasing solid state HDs and files from same may be a tad tricky me thinks :cautious:

    Any solid info on erasing files in such drives seeing as how they are gaining traction?

    The last post references the thumb.db issue I think
     
  21. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Hi Longboard,

    I have an Asus eee PC with a solid state drive and I perform a free space wipe using Eraser frequently. Examining the disk using Winhex shows it to be successful. But remember, the hard drive (the SSD) is only 4GB so it's pretty fast.
     
  22. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    If a solid state drive incorporates a wear-leveling mechanism, then the only way to erase the contents of a file is to first delete it, and then run a “wipe free space” operation.

    Again, the rationale is that—unlike a hard disk drive—there is not a one-to-one correspondence between a logical disk address and a physical disk sector. In this circumstance, an overwrite of a logical disk address for a file won’t overwrite the actual (original) disk sector that contains the file contents, because the logical disk address is dynamically mapped to a quasi-random physical disk sector by the wear-leveling algorithm.
     
  23. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    That's why I described running the free space wipe on my SSD eee PC.

    Though frankly, the security risks of wear-leveling is overstated. 99 times out of a hundred an erase of a file is successful. Or, I should say, it erases enough of the original file to render it useless. Again, via a WinHex examination.
     
  24. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    I suspect that the “erase success rate” would be dependent upon how much free space exists on the volume. If that free space number is “low,” then the success rate would be expected to be high, since a quasi-randomly selected sector by the wear-leveling mechanism from among those that are free would more likely map to one of the sectors that contain the to-be-erased file contents. If, however, that number is “high,” then the erase success rate would be expected to be lower.
     
  25. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    Thanks. I will download that right now. Much appreciated.
     
Loading...
Thread Status:
Not open for further replies.