LinuxQuestions.org


jhsu 03-17-2007 09:06 PM

Deleting and recovering files
 
Before you get rid of a computer, you're supposed to do more than just delete your files, because that means only deleting the references to them. From what I've read, you can only truly get rid of deleted files by overwriting them many, many times. (I've read a few articles that claimed that deletions in the ext3 format are secure but deletions in other formats, especially Windows formats, are not secure.)

So what software do you use to get rid of old files?

Is there any software that will wipe out deleted files but leave all other files alone?

And how do you verify that your wiped out files are truly unrecoverable? What software tools are used to find deleted files?

Mizzou_Engineer 03-17-2007 10:16 PM

Files can be recoverable after they're supposedly deleted because files are not truly deleted until they are overwritten with new data. On a big hard drive, that may take a while. Note that reformatting a drive does not necessarily delete the magnetic 1s and 0s pattern for the data, just all references to it in the file system. Here's how to securely delete ALL files on an old hard drive so that they are not recoverable.

1. Get a Linux live CD, boot computer from it.
2. Find the device node where the hard drive is that you want to delete. For an IDE hard drive, this is probably /dev/hda and a serial ATA drive would be /dev/sda. If you have questions as to which one yours is, feel free to ask later.
3. Open a terminal on the live CD desktop and type in the following with no quotes:

shred -n 2 -z -v /dev/hda

Replace /dev/hda with the actual hard drive device node. This writes random junk over the entire hard drive twice (-n 2) and then writes zeros over the entire hard drive (-z) and tells you the progress (-v). This will render the hard drive completely blank and any data is unrecoverable.

If you just want to overwrite certain files on your hard drive, that is MUCH harder. Your best bet is to delete the files, make an image of the hard drive using dd or Ghost, then shred the hard drive like I said above, then replace the dd or Ghost image on the hard drive. Modern file systems make actually overwriting only a certain area extremely difficult, so the pitch, image, shred, reimage is about as good as you can do (and it does work, but is a lot of work.)

You can verify if your data was successfully deleted by either getting your hands on some professional HDD forensics tools or by taking your drive to a drive data recovery specialist and seeing if they can recover it. If you did what I suggested correctly, they won't be able to see anything.

Electro 03-17-2007 11:27 PM

Quote:

So what software do you use to get rid of old files?
I just delete the files using rm.

Quote:

Is there any software that will wipe out deleted files but leave all other files alone?
To remove them with some security, write a script that notes the size of the file and use dd that includes /dev/urandom to write garbage to the file several times. Then delete the file.

The dd syntax that I would use:

dd if=/dev/urandom of=desire_file bs=size_of_desire_file count=1 conv=notrunc iflag=fullblock

This method does not take into account how Linux filesystems save data. Another way is to encrypt the files with either pgp or gpg and then delete them.

Quote:

how do you verify that your wiped out files are truly unrecoverable? What software tools are used to find deleted files?
Use foremost, testdisk, grep, hex viewers, and many others.

To secure yourself that the data is completely gone for good, look up Darik's Boot and Nuke.

I recommend that you do not use dd to put an image onto a hard drive. Each hard drive has different geometries even if they are the same capacity. Use Ghost for Linux.

You can use hardware encryption that attaches between the controller and the hard drive. Any dummy you give your hard drive to will not be able to read your data. Though a smart and patient user can probably decrypt the data.
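
Added example, not part of any post in this thread: one way to write the per-file script described above (note the size, overwrite with /dev/urandom several times, finish with zeros), together with the grep check mentioned for verification. The function names and the marker string are constructed for illustration; it assumes GNU coreutils and a filesystem that rewrites blocks in place.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the marker are constructed.

# overwrite_in_place FILE [PASSES]: PASSES rounds of /dev/urandom, then zeros,
# written over FILE without truncating it, so the file keeps its size and inode.
# Journaled-data, copy-on-write and flash-backed storage may still keep old blocks.
overwrite_in_place() {
    file=$1
    passes=${2:-2}
    [ -f "$file" ] || return 1
    size=$(( $(wc -c < "$file") ))
    pass=0
    while [ "$pass" -le "$passes" ]; do
        src=/dev/urandom
        [ "$pass" -eq "$passes" ] && src=/dev/zero   # final pass, like shred -z
        # conv=notrunc keeps the existing allocation; fsync flushes before returning.
        head -c "$size" "$src" |
            dd of="$file" bs=65536 conv=notrunc,fsync 2>/dev/null || return 1
        pass=$((pass + 1))
    done
}

# marker_hits FILE STRING: lines of FILE that still contain STRING (the grep check).
marker_hits() { grep -a -c -F -- "$2" "$1" || true; }

# nonzero_bytes FILE: count of bytes that are not 0x00 after the zero pass.
nonzero_bytes() { echo $(( $(tr -d '\000' < "$1" | wc -c) )); }

# inode_of FILE: inode number, to confirm the file was rewritten, not recreated.
inode_of() { ls -i "$1" | awk '{print $1}'; }

# Demo on a constructed scratch file; run it only on files you intend to destroy.
wipe_demo() {
    f=$(mktemp) || return 1
    i=0
    while [ "$i" -lt 2000 ]; do echo "CONSTRUCTED-SECRET-$i"; i=$((i + 1)); done > "$f"
    before=$(inode_of "$f")
    echo "hits before: $(marker_hits "$f" CONSTRUCTED-SECRET)"
    overwrite_in_place "$f" 2
    echo "hits after: $(marker_hits "$f" CONSTRUCTED-SECRET)"
    echo "nonzero bytes: $(nonzero_bytes "$f")"
    [ "$before" = "$(inode_of "$f")" ] && echo "same inode: overwritten in place"
    rm -f "$f"
}
wipe_demo
```

A clean result here only shows that the file's current contents were replaced; it does not show what older copies the filesystem or drive firmware may hold, which is why the replies above fall back to wiping the whole device.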

syg00 03-18-2007 03:13 AM

Quote:

Originally Posted by jhsu
Is there any software that will wipe out deleted files but leave all other files alone?

Not that I'm aware of.
As per others' suggestions, when I need to be sure, I trash everything. I've never needed to sell a working O/S, but if I did it'd be Linux, and it'd be reloaded after I had wiped the entire system.


All times are GMT -5.