Security of the hard disc file system / deleted files
How do Linux file systems allocate hard disc space when I delete and rewrite files?
Does it always write to a “fresh” location that has not been written before, or does it write to the just-deleted area, or maybe allocate the writing location by some other criteria?
The file system is ReiserFS... is the situation similar with the NTFS system?
If the deleted files do not get overwritten, the disc collects a huge amount of deleted but readable data. Then if someone steals the computer, he could scan the whole 20 GB of “deleted” hard disc space and find all company projects and secrets.
How do you attack this problem? Which software can be used for “sweeping” the deleted hard disc space in Linux? My distro is Mandrake 10.1.
Not that big a problem, just want to know the right tools.
Thanks to all of you who commented on this interesting issue.
Absolute is of course absolute, and the only really complete thing is to destroy the media. However, I believe that the whole issue is somewhat mystified by the security sales pitch, and a quite simple approach would be enough even for 007 – of course under certain conditions.
Some Norwegian shaman (Norman) claims to recover 6 times overwritten data. With the sales pitch factor taken into account, 3 times could be tough for their most-sophisticated-in-the-world lab. For my company's purposes even a single pass overwrite, if done properly, would be enough.
So the question is how safe is, for example:
cat /dev/urandom > /tempfile; rm /tempfile
Does it leave some parts (how big and where?) of the data not overwritten? Or does it default in some other way?
I have looked for software to do the same, but it is not as simple to find as for Windows. Maybe the above string is enough.
Any comments? I am really not at all an expert on OS and programming.
This ReiserFS seems problematic...
First, thanks to everyone who participated.
Has anyone used bcwipe? Is that freeware or a commercial product? Is the performance better than with the discussed “overwrite all empty” script?
I also considered this idea of a USB stick as an alternative to avoid the magnetic media. However, with my expertise there is no proof that the files would not finally be written to the disc in some situation (swap, temp, log, crash...) anyway. Also, the convenience of using the normal hard disc is important.
Another similar type of solution is to keep the confidential data encrypted and shred the decrypted files. However, with my expertise... the same comments as above.
Why is overwriting then not efficient on ReiserFS? As far as I have understood, the file system uses allocation units or tables (are they called inodes?) that can actually hold more than one file linked to it.
An inode would not make the file space available as empty space for shred or cat /dev/urandom > /tempfile; rm /tempfile until all the files (links) to the inode have been deleted.
That would explain why filling the empty space by overwriting may leave some data intact. Am I right?
How much data could be left in this case? Are big files always deleted, or are there some other criteria for how inodes are deleted and filled again – if they are? Gets a bit theoretical, but someone who is deep enough in these things could probably tell.
Then a couple more words about the magnetic media. Is it absolutely clean if overwritten? At least the military tends to mechanically destroy all used magnetic media and not sell them, for example, after overwriting (not much value anyway).
I believe – but do not know – something can be recovered under a single pass overwrite, probably even under a double pass with suitable lab equipment. Only those guys that have actually been working on data recovery know what is possible and what is not. One thing is for sure: the sales talk of those companies is not to be trusted.
Single pass overwrite is enough for me if it is done on all the deleted files. Seems that the problem is far more complex than I thought when writing the first question.
Thanks for the comments.
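A more careful form of the `cat /dev/urandom > /tempfile; rm /tempfile` command asked about in this thread, as an added example that is not part of the original posts: it flushes the fill file to disk before deleting it and removes it if interrupted. The function name, the `MAX_MIB` cap and the `FILLED_BYTES` variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: overwrite the free space of one filesystem with random data.
# Usage: fill_free_space DIR [MAX_MIB]
#   DIR      any directory on the filesystem to sweep
#   MAX_MIB  hypothetical cap for trial runs; 0 or omitted = write until full
# Sets FILLED_BYTES to the number of bytes written before the file was removed.
fill_free_space() {
    dir=$1
    max_mib=${2:-0}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    fill=$(mktemp "$dir/fill.XXXXXX") || return 2    # mktemp creates it mode 0600
    # If interrupted, remove the fill file so the disk is not left full.
    trap 'rm -f "$fill"; exit 130' INT TERM
    if [ "$max_mib" -gt 0 ]; then
        dd if=/dev/urandom of="$fill" bs=1048576 count="$max_mib" 2>/dev/null || true
    else
        # No cap: dd ends with "No space left on device", which is the goal here.
        dd if=/dev/urandom of="$fill" bs=1048576 2>/dev/null || true
    fi
    # Flush before deleting: pages still sitting in the cache when the file
    # is unlinked can be dropped without ever being written to the disk.
    sync
    FILLED_BYTES=$(($(wc -c <"$fill")))
    rm -f "$fill"
    sync
    trap - INT TERM
    return 0
}

# Limits of this method: it only overwrites blocks the filesystem reports as
# free at that moment. Blocks that belong to live files (including the unused
# tail of a file's last block), the journal and swap space are not touched.

# Run as a script: sh fill.sh /home        (uncapped)
#                  sh fill.sh /home 16     (trial run, 16 MiB)
if [ $# -ge 1 ]; then
    fill_free_space "$@" && echo "overwrote $FILLED_BYTES bytes of free space"
fi
```

Run uncapped, it fills the filesystem for a short time, so other programs writing to the same filesystem may see "disk full" errors until the fill file is removed.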