Find the answer to your Linux question:
Page 1 of 2 1 2 LastLast
Results 1 to 10 of 14
How does the linux file systems allocate the hard disc space when I delete and rewrirte the files. Does it always write on “fresh” location that has not been written ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    Jan 2005
    Posts
    4

    Security of the hard disc file system / deleted files


    How does the linux file systems allocate the hard disc space when I delete and rewrirte the files.

    Does it always write on “fresh” location that has not been written before or does it write on just deleted area or maybe allocate the writing location with some other criteria.

    The file system is ReiserFS....is the situation similar with NTFS system ?

    If the deleted files do not get overwritten, the disc collects huge amount of deleted but readable data. Then if someone steals the computer he could scan the whole 20 GB of “deleted” hard disc space and find all company projects and secrets.

    How do you attack this problem ? Which software can be used in “sweeping” the deleted hard disc space in linux. My distro is Mandrake 10.1.

  2. #2
    Linux Engineer
    Join Date
    Nov 2004
    Location
    Montreal, Canada
    Posts
    1,267
    Very intersting question! I know ext3 and reifers dont get fragmented, probly cause they dont "re-allocate" the free space like NTFS/fat/etc does...
    depending on your "need" this problem is very easy to solve, I had done this in many occasion to "test" the security of many system... and they proved very usefull.

    write a bash file, that simply create very small file with or without data, since they are really smal, they will fit anywhere on the disk, without causing fragmentation AND write over existing deleted file. this way, I use to create those small bash, back in the days, some friends of mine had nice program on there pc... anyway... doing this, ensure that whatever was deleted, got overwritten and isnt going to be accessible no more...
    \"Meditative mind\'s is like a vast ocean... whatever strikes the surface, the bottom stays calm\" - Dalai Lama
    \"Competition ultimatly comes down to one thing... a loser and a winner.\" - Ugo Deschamps

  3. #3
    Just Joined!
    Join Date
    Jan 2005
    Posts
    4
    cat /dev/urandom > /tempfile; rm /tempfile
    If you do this three times, you are pretty safe (though it is'nt totally safe on journaling filesystems like reiserfs, ext3, xfs, etc). This makes you write random data to a file on root until there is no more room on the partition. This takes some time though.

    you can also get a copy of secure-delete: http://www.thc.org/

  4. $spacer_open
    $spacer_close
  5. #4
    Linux Guru sarumont's Avatar
    Join Date
    Apr 2003
    Location
    /dev/urandom
    Posts
    3,682
    In essence, though, the only real way to make sure your data cannot be read is to destroy the platters (physically).

    As far as making sure the 'layman' cannot recover your deleted data, the above methods are quite sufficient (unless said layman has large monetary reserves ).
    "Time is an illusion. Lunchtime, doubly so."
    ~Douglas Adams, The Hitchhiker's Guide to the Galaxy

  6. #5
    Just Joined!
    Join Date
    Jan 2005
    Posts
    4

    Not that big problem, just to know the right tools

    Thanks for all of you who commented this interesting issue.

    Absolute is of course absolute and the only really complete thing is to destroy the media. However, I believe that the whole issue somewhat mystified by the security sales pitch and a quite simple approach would be enough even for 007 – of course under certain conditions.

    Some Norvegian shaman (Norman) claims to recover 6 times overwritten data. With the sales pitch factor taken into account 3 times could be tough for their most sophisticated in the world lab. For my company purposes even single pass overwrite, if done properly would be enough.

    So the question is how safe is for example the:
    cat /dev/urandom > /tempfile; rm /tempfile

    Does it leave some parts (how big and where ?) of the data not overwritten ? Or does is default in some other way ?

    I have looked at software to do the same, but not as simple to find as for windows. Maybe the above string is enough.

    Any comments ? I am really not at all an expert on OS and programming.

    Thanks
    Juuzzo

  7. #6
    Linux Engineer
    Join Date
    Nov 2004
    Location
    Montreal, Canada
    Posts
    1,267
    Some Norvegian shaman (Norman) claims to recover 6 times overwritten data. With the sales pitch factor taken into account 3 times could be tough for their most sophisticated in the world lab. For my company purposes even single pass overwrite, if done properly would be enough.
    once a progam si written over, (wich data) it is impossible to read over....


    if I take "1110 1110 0011 1001 0001 0001" lets say that the first 4 are the file lenght/path/name... if the rest is untouched, you would still have to "recover" the file header... THEN if you overwritten actual data over this... impossible to read that norvegian guys is either smoking some bad ass stuff or the data wasnt overwritten with actual data, and he was a real real lucky guys to know the exact file header for what he was looking for...

    single pass overwritting with a bash, is way enough, and was tested... by me :P but I'm pretty sure the data could not be reed.
    \"Meditative mind\'s is like a vast ocean... whatever strikes the surface, the bottom stays calm\" - Dalai Lama
    \"Competition ultimatly comes down to one thing... a loser and a winner.\" - Ugo Deschamps

  8. #7
    Just Joined!
    Join Date
    Jan 2005
    Posts
    4
    For erasing data (somewhat more) safely there is also bcwipe available for Linux from www.jetico.com. I think if you really want to delete safely, you shouldn't use magnetic storage devices. If your projects aren't too large probably a USB key will do, just mount it somewhere and save your files on this. However you must make sure that the files won't end up anyway on the hard disk. This means that temporary files cannot be written to disk (I suggest using Linux's tmpfs for a temp partition). Also the program editing the file must not end up in swap space. I think you can tell a program to not go into the swap, but I'm not exactly sure how to do this.

  9. #8
    Linux Guru loft306's Avatar
    Join Date
    Oct 2003
    Location
    The DairyLand
    Posts
    1,666
    well there is a nice little app called shred that can delete files and write over them an many times as you like!.....and it should be on your system. ...(they say that the D.O.D. overwrites there hdd's 7 times then 0's then on an 8th pass when deleting files) however the man for shred says it is not very efective on reiserfs...or other journaling fs's

    so that is no help...
    ~Mike ~~~ Forum Rules
    Testing? What's that? If it compiles, it is good, if it boots up, it is perfect. ~ Linus Torvalds
    http://loft306.org

  10. #9
    Just Joined!
    Join Date
    Jan 2005
    Location
    Toronto, ON, Canada
    Posts
    79
    Well seems like we are assuming the magnetic hard drives has multilayer capabilities as the latest optical devices (aka CD-R, DVD-R) which I doubt. In hard dirve if some position is over written once is gone and that set. The problem of most OS deleting files is they delete just pointers to those files to save time. In linux case it may be only cleaned and reallocated for the system the superblock and most probably the i-nodes. So if you write a program that overwrite all partitions the hard drive byte by byte, then you must be safe. Be sure to put your program in a floppy with some minimal OS image. And the swap partition you can convert it to ext2 and work with it also.


    afrolinux

  11. #10
    Just Joined!
    Join Date
    Jan 2005
    Posts
    4

    This ReiserFS seems problematic,,,,,,,,,,

    First thanks for everyone...participated

    Has anyone used bcwipe ? Is that freeware or commercial product ? Is the performance better than with discussed “overwrite all empty” script ?


    I considered also this idea of USB stick as an alternative to avoid the magnetic media. However, with my expertise there is no proof that the files would not finally be written to the disc in some situation (swap, temp, log, crash...) anyway. Also the convenience of using the normal hard disc is important.
    Another similar type solution is to keep the confidential data encrypted and shred the decrypted files. However, with my expertise.....the same comments as above.


    Why is then overwriting not efficient on ReiserFS ? As far as I have understood the the file system uses allocation units or tables (are they called inodes) that can actually hold more than one file linked to it.
    Inode would not make the file space available as an empty space for shred or cat /dev/urandom > /tempfile; rm /tempfile until all the files (links) to the inode has been deleted.

    That would explain why filling the empty space by overwriting may leave some data intact. Am I right ?

    How much data could be left in this case ? Are big files always deleted or is there some other criteria how inodes are deleted and filled again – if they are ? Gets bit theoretical, but someone who is deep enough in these things could probably tell.


    Then couple more words about the magnetic media. Is it absolutely clean if overwritten? At least military tends to destroy mechanically all used magnetic media and not sell them for example after overwriting (not much value anyway).
    I believe – but do not know – something can be recovered under single pass overwrite, probably even under double pass with suitable lab equipment. Only those guys that have actually been working on data recovery do know what is possible and what is not. One thing is for sure, the sales talk or those companies is not to be trusted.

    Single pass overwrite is enough for me if it is done on all the deleted files. Seems that the problem is far more complex than I thought when writing the first question.


    Thanks for the comments.
    Juuzzo

Page 1 of 2 1 2 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •