
I have tried wipe, shred, srm, peazip's secure erase, etc. No matter with what options I securely erase the file with all those utilities and then do a search with a hex editor on the disk, the contents of the file are still there, remaining somewhere on the disk. I always thought if I shred the file, it is completely removed from the disk, i.e. no traces of it left at all. What am I doing wrong?

  • Maybe there has been a copy of that file or another file with similar content on your disk once which did not get shredded? – Byte Commander Jun 26 '16 at 18:32
  • No. What I do is this: I create an empty text file with some text, securely erase it with one of the tools mentioned above, do a search for that text with a hex editor on the disk, and it finds multiple instances of that text in various sectors: in one place it is that text with some garbage, in another place it is a complete file with a header. – Anonymous Jun 26 '16 at 18:41
  • This is why I don't trust any of those wiping tools. I always do several passes with dd from if=/dev/zero. – Alcuin Arundel Jun 26 '16 at 19:01
  • Is the disk an SSD? If so ... an SSD -NEVER- removes a file unless you use a tool specific for that disk (and those are probably not Linux tools). – Rinzwind Jun 26 '16 at 19:52
  • @rinzwind The disk is HDD. – Anonymous Jun 26 '16 at 19:55
  • @AlcuinArundel With dd the results are the same, the contents of the file are erased, but they are also relocated somewhere at the starting sectors. – Anonymous Jun 28 '16 at 12:24
  • @Anonymous Yeah, after you posted this I did some Google research and apparently it's impossible to securely erase an SSD. Quite a disturbing fact. I guess the only thing to do is use full disk encryption so that even if there is data left over after erasing, it won't be human readable. – Alcuin Arundel Jun 28 '16 at 15:43

1 Answer

You're probably doing nothing "wrong", but wiping data is much harder than in the floppy disk days.

Unless your filesystem is non-journalling AND you never defragment the filesystem, the only way software can guarantee that data is completely gone is to destroy the entire filesystem, or on an SSD, to security-wipe the whole disk.

See this answer (the "accepted" answer in the question is, as you discovered, not completely reliable): https://askubuntu.com/a/58420/544090

Modern file systems transparently move or copy data around for various reasons in their operation. If you overwrite and then delete the most recent location of a file on the disk, there may be an older version of the data from the file in some file fragment somewhere else on the disk. You'll be lucky to recover the whole file again, but as you saw, bits and pieces of the data may still be there. On SSDs this gets even worse because there is wear levelling, where the hardware controller very frequently remaps logical locations on the disk to physical locations on the flash.

A very rudimentary example is something like this:

  1. You create a file, and its data gets stored in location A on the disk.
  2. For whatever reason, the data is copied to location B on the disk. Now the filesystem will say your file is located at "B", but there's still an older copy of your file in location "A".
  3. Your "shred" or similar command completely obliterates location "B"'s data.
  4. You can still find a version of the data at location A. (or worse, the "shred" causes data to shift again and makes the shred happen to location "C", and you still have old bits of the file in locations A and B)

So for data stored on a mechanical hard drive, you'll need to AT LEAST overwrite the whole partition (shred can do this if you run it as root and point it to /dev/). For an SSD you'd have to use the drive's internal secure erase. See: https://serverfault.com/a/694494/354612

These methods will make sure that any access to the disk through its interface (SATA, SAS, USB, etc) can no longer see the data. However, there is no definitive answer about how well these types of methods will protect against an attacker who physically opens up your drive to scan the platters / NAND chips themselves. That's why certain organizations still physically destroy old disks.
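The A/B relocation scenario from the answer can be reproduced in a few lines with a toy in-memory "disk". This is an added illustration, not code from the question, the answer, or any of the tools mentioned; the `ToyDisk` class, its bump allocator and the `SECRET-MARKER-TEXT-1234` marker are all constructed for the example. The `relocate` step stands in for whatever moves data around on a real filesystem (journalling, copy-on-write, defragmentation, SSD wear levelling), `shred_file` overwrites only the blocks the filesystem currently maps to the name, and `scan_for_remnants` is the hex-editor search from the question run over the raw device bytes.

```python
"""Toy block device showing why a file-level shred leaves remnants behind.

Added example, not from the original question or answer. The 'device' is an
in-memory bytearray and the 'filesystem' is a dict of name -> block numbers.
"""
import os

BLOCK_SIZE = 512
BLOCK_COUNT = 64


class ToyDisk:
    def __init__(self):
        self.data = bytearray(BLOCK_SIZE * BLOCK_COUNT)
        self.files = {}        # name -> list of block numbers
        self.next_free = 0     # simple bump allocator; never reuses blocks

    def _alloc(self):
        if self.next_free >= BLOCK_COUNT:
            raise RuntimeError("toy disk full")
        block = self.next_free
        self.next_free += 1
        return block

    def _write_block(self, block, payload):
        start = block * BLOCK_SIZE
        self.data[start:start + BLOCK_SIZE] = payload.ljust(BLOCK_SIZE, b"\0")

    def write_file(self, name, payload):
        """Store a file that fits in one block; return its block number (location A)."""
        if len(payload) > BLOCK_SIZE:
            raise ValueError("toy files fit in a single block")
        block = self._alloc()
        self._write_block(block, payload)
        self.files[name] = [block]
        return block

    def relocate(self, name):
        """Copy the file to a fresh block (location B) and point the name at it.
        The old block keeps its contents, exactly like the stale copy that
        journalling, copy-on-write or defragmentation leaves behind."""
        old = self.files[name][0]
        new = self._alloc()
        start = old * BLOCK_SIZE
        self._write_block(new, bytes(self.data[start:start + BLOCK_SIZE]))
        self.files[name] = [new]
        return old, new

    def shred_file(self, name, passes=3):
        """Overwrite only the blocks currently mapped to the name, then forget
        the file. This is all a file-level tool (shred, wipe, srm) can do."""
        for block in self.files[name]:
            for _ in range(passes):
                self._write_block(block, os.urandom(BLOCK_SIZE))
        del self.files[name]

    def wipe_device(self):
        """Overwrite every block: the whole-partition / whole-device approach."""
        self.data[:] = bytes(len(self.data))
        self.files.clear()
        self.next_free = 0

    def scan_for_remnants(self, marker):
        """The hex-editor search from the question: every raw byte offset at
        which the marker still appears anywhere on the device."""
        hits, pos = [], self.data.find(marker)
        while pos != -1:
            hits.append(pos)
            pos = self.data.find(marker, pos + 1)
        return hits


def demo(marker=b"SECRET-MARKER-TEXT-1234"):
    """Run create -> relocate -> shred -> scan -> full wipe -> scan.
    Returns (offsets found after the file shred, offsets found after the wipe)."""
    disk = ToyDisk()
    disk.write_file("note.txt", b"hello " + marker + b" world")   # lands in block 0
    disk.relocate("note.txt")         # file now lives in block 1, block 0 untouched
    disk.shred_file("note.txt")       # only block 1 is overwritten
    after_shred = disk.scan_for_remnants(marker)
    disk.wipe_device()                # overwrite the whole device
    after_wipe = disk.scan_for_remnants(marker)
    return after_shred, after_wipe


if __name__ == "__main__":
    shred_hits, wipe_hits = demo()
    print("marker still present after file shred at offsets:", shred_hits)
    print("marker present after whole-device wipe at offsets:", wipe_hits)
```

Running it shows the marker surviving the shred at offset 6 (inside the original block A) while the only block the shred touched is random bytes, and nothing surviving once the whole device is overwritten. On a real disk the equivalent check is a `grep -a` or hex-editor search over the raw block device, which is exactly how the question's author noticed the remnants.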