Remove Data Permanently (HDD/SSD/Memory)


Introduction

Deleting data is a very important activity in day to day life, especially if we have some sensitive information there. We frequently take deletion for granted, not paying enough attention, or are simply lazy. F***, at times I don’t even know what’s where. An enormous amount of projects and endeavours, TBs of stored data on multiple drives, servers or flash sticks. I’m trying to counteract that by not holding any sensitive data (especially personal), or encrypting it immediately. That’s just in case those get into the wrong hands. Encryption should make access somewhat difficult, if not impossible. Deletion is not enough. Formatting is not enough. The only proper way to Remove Data Permanently is to physically destroy that drive (drill, fire and other creative ways).


Here we’ll not go that far. We’ll keep the drive, but we’ll make life a bit harder for the data forensics guys.

Point is, be careful if you’re selling or giving away your drives. There are numerous ways to recover data from “clean” drives, from simple recovery tools to highly scientific measurements and techniques (differences in magnetic fields, combined with knowledge of the firmware algorithm). For instance, Magnetic Force Microscopy (MFM) allows any moderately funded person to recover the last two or three layers of data written to disk. Data recovery might be easier than many people would like to believe.

A Few Windows Options

To simply overwrite free space, open an Administrative Command Prompt, and type:

C:\> cipher /w:<DRIVE_LETTER>

This will overwrite free space with three passes:

  • First with all zeros (0x00)
  • Second with all 0xFF bytes (255)
  • Finally with random numbers

Another option is to use SDelete:

C:\> SDelete -c <DRIVE_LETTER>:

Tool Options (Linux)

There are numerous tools at our disposal to Remove Data Permanently. We’ll cover some of them. As a “guinea pig” I’ll use an antique 13GB Fujitsu HDD from 1999 (dug out of the basement, corroded but still kicking):

# lsblk -l
NAME MAJ:MIN RM SIZE  RO TYPE MOUNTPOINT
sdc  8:32    0 12,7G  0 disk
sdc1 8:33    0 12,6G  0 part /media/unknown/5CA0AEAFA0AE8F58


Shred (Favorite)

Overwrites a file to hide its contents, and optionally delete it

Options:

  • -f / --force
    • change permissions to allow writing if necessary
  • -n / --iterations=N
    • overwrite N times instead of the default (3)
  • --random-source=FILE
    • get random bytes from FILE
  • -s / --size=N
    • shred this many bytes (suffixes like K, M, G accepted)
  • -u / --remove=HOW
    • truncate and remove file after overwriting
  • -v / --verbose
    • show progress
  • -x / --exact
    • do not round file sizes up to the next full block;
      this is the default for non-regular files
  • -z / --zero
    • add a final overwrite with zeros to hide shredding
  • --help
  • --version

Remove a single file with 5 iterations (plus the final zero pass added by -z, so six passes in total):

# time shred -zvu -n 5 OllyDbg/OLLYDBG.EXE
shred: OllyDbg/OLLYDBG.EXE: pass 1/6 (random)...
shred: OllyDbg/OLLYDBG.EXE: pass 2/6 (000000)...
shred: OllyDbg/OLLYDBG.EXE: pass 3/6 (random)...
shred: OllyDbg/OLLYDBG.EXE: pass 4/6 (ffffff)...
shred: OllyDbg/OLLYDBG.EXE: pass 5/6 (random)...
shred: OllyDbg/OLLYDBG.EXE: pass 6/6 (000000)...
shred: OllyDbg/OLLYDBG.EXE: removing
shred: OllyDbg/OLLYDBG.EXE: renamed to OllyDbg/00000000000
shred: OllyDbg/OLLYDBG.EXE: removed

real 0m0,682s

To shred an entire partition/volume, just specify the device (three random passes plus the final zero pass from -z, four in total):

# time shred -vzn 3 /dev/sdc1
shred: /dev/sdc1: pass 1/4 (random)…
shred: /dev/sdc1: pass 1/4 (random)…84MiB/13GiB 0%
shred: /dev/sdc1: pass 1/4 (random)…183MiB/13GiB 1%
shred: /dev/sdc1: pass 1/4 (random)…282MiB/13GiB 2%

shred: /dev/sdc1: pass 2/4 (random)…11GiB/13GiB 87%
shred: /dev/sdc1: pass 2/4 (random)…12GiB/13GiB 94%
shred: /dev/sdc1: pass 2/4 (random)…13GiB/13GiB 100%
shred: /dev/sdc1: pass 3/4 (random)…
shred: /dev/sdc1: pass 3/4 (random)…70MiB/13GiB 0%
shred: /dev/sdc1: pass 3/4 (random)…169MiB/13GiB 1%

shred: /dev/sdc1: pass 4/4 (000000)…11GiB/13GiB 87%
shred: /dev/sdc1: pass 4/4 (000000)…12GiB/13GiB 94%
shred: /dev/sdc1: pass 4/4 (000000)…13GiB/13GiB 100%

real 49m45,951s


Wipe

A tool for securely erasing files from magnetic media. It repeatedly writes special patterns to the files to be destroyed, using the fsync() call and/or the O_SYNC bit to force disk access.  In normal mode, 34 patterns are used (of which 8 are random). A quick mode allows you to use only 4 passes with random patterns, which is of course much less secure.

Debian

# sudo apt-get install wipe

RedHat

# sudo yum install wipe

Flags:

  • -r – (recurse into subdirectories)
    • Will allow the removal of the entire directory tree. Symbolic links are not followed.
  • -f – (force; disable confirmation query)
    • By default wipe will ask for confirmation. You can disable the confirmation query with the -f (force) option
  • -i – (informational, verbose mode)
    • This enables reporting to stdout. By default all data is written to stderr.
  • -q – (quick wipe)
    • If this option is used, wipe will only make (by default) 4 passes on each file, writing random data. See option -Q
  • -Q N
    • Sets the number of passes (N) for quick wiping. Default is 4. This option requires -q.

Check man page for more details.

To remove everything under the directory (in this case OllyDbg, remove all proofs):

# wipe -rfi OllyDbg/*


Relative to the directory size (3.7 MB), it’s quite slow. Probably due to the number of iterations and/or HDD speed (an old girl).

Note: Wipe only works reliably on magnetic disks, therefore use the other methods for solid state disks (flash memory).

Secure-delete: Toolkit for Linux

A collection of secure file deletion tools. Some of them are:

  • srm – used to delete files and directories from your disk
  • sfill – wipes all data from free space on your disk. This makes sure there are no more recoverable files on the disk.
  • sswap – wipes all data from a swap partition

Before we continue, install:

Debian:

# sudo apt-get install secure-delete

RedHat:

# sudo yum install secure-delete

SRM (Secure Remove)

Similar to rm, srm removes files and directories, but it first overwrites the file(s) multiple times with random data, renames the file(s) multiple times and then finally deletes them. As specified in the man page, srm’s steps are:

  • 1 pass with 0xff
  • 5 random passes. /dev/urandom is used for a secure RNG if available
  • 27 passes with special values defined by Peter Gutmann
  • 5 random passes. /dev/urandom is used for a secure RNG if available
  • Rename the file to a random value
  • Truncate the file

Example: simple file deletion (1.1 MB deleted in 1 min 7 sec):

# srm OLLYDBG.EXE

Directory deletion (3.7 MB):

# time srm OllyDbg/*
real 3m50,960s

Options:

  • -d : ignore the two dot special files “.” and “..”
  • -f : fast (and insecure mode): no /dev/urandom, no synchronize mode
  • -l : lessens the security (use twice for total insecure mode)
  • -r : recursive mode, deletes all subdirectories
  • -v : is verbose mode
  • -z : last wipe writes zeros instead of random data
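To show what shred and srm actually do to a file, here is an added Python implementation (not code from this page or from the secure-delete project) of the pass sequence described above: one 0xff pass, N random passes, an optional final zero pass (shred -z), each forced to disk with fsync(), followed by srm’s rename to a random name, truncate and unlink. The sample file is constructed in a temp directory.

```python
import os
import secrets
import tempfile
CHUNK = 1 << 16  # bytes per write() call

def _overwrite_pass(fd, size, pattern):
    """Rewrite every byte from offset 0 (pattern=None: fresh random bytes), then fsync()."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        chunk = secrets.token_bytes(n) if pattern is None else pattern * n
        remaining -= os.write(fd, chunk)  # write() may be short, so loop until done
    os.fsync(fd)  # force the data to the disk, as shred/wipe do

def overwrite_file(path, random_passes=3, zero_last=True):
    """srm/shred-style passes: 0xff, N random, optional final zeros (shred -z). Returns pass labels."""
    size = os.path.getsize(path)
    passes = [b"\xff"] + [None] * random_passes + ([b"\x00"] if zero_last else [])
    labels = []
    fd = os.open(path, os.O_WRONLY)
    try:
        for pat in passes:
            _overwrite_pass(fd, size, pat)
            labels.append("random" if pat is None else pat.hex())
    finally:
        os.close(fd)
    return labels

def secure_remove(path, **overwrite_opts):
    """Overwrite, rename to a random name (hides the original name), truncate, unlink: srm's steps."""
    labels = overwrite_file(path, **overwrite_opts)
    new_path = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.rename(path, new_path)
    with open(new_path, "r+b") as f:
        f.truncate(0)
    os.remove(new_path)
    return labels

def demo():
    d = tempfile.mkdtemp()
    path = os.path.join(d, "secret.bin")
    with open(path, "wb") as f:
        f.write(b"top secret data\n" * 1000)  # constructed sample "secret", 16000 bytes
    labels = overwrite_file(path, random_passes=2)  # overwrite only; file stays
    with open(path, "rb") as f:
        all_zero = f.read() == b"\x00" * 16000  # last pass was zeros
    labels2 = secure_remove(path, random_passes=1, zero_last=False)
    return labels, all_zero, labels2, os.listdir(d)  # directory should be empty now
```

Like the real tools, this only overwrites the blocks the filesystem currently maps to the file; on SSDs, and on journaling or copy-on-write filesystems, older copies of the data can survive elsewhere, which is why the SSD section below points at the drive’s own secure erase instead.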

sfill – Secure Free Disk/Inode Space Wiper

This tool checks the selected partition for space marked as free/available, and then fills it up with random data. Like srm, it performs 38 writes by default:

  • 1 pass with 0xff
  • 5 random passes. /dev/urandom is used for a secure RNG if available.
  • 27 passes with special values defined by Peter Gutmann.
  • 5 random passes. /dev/urandom is used for a secure RNG if available.

Afterwards, as many temporary files as possible are generated to wipe the free inode space. After no more temporary files can be created, they are removed and sfill is finished.

Example: specifying any directory that resides on a partition will clean the free space of that partition:

# sfill /home
or
# sfill /home/unknown

Useful when you’re giving away your computer, but don’t want to re-install the OS.

sswap – Secure Swap Wiper

It wipes your swap partitions. The swap stores data of currently executing processes when RAM gets full, so it can potentially hold very sensitive data and info. Before running sswap, the swap partition must be disabled. Process and parameters are similar to sfill. Check the man page.

# cat /proc/swaps
Filename Type Size Used Priority
/dev/sdc2 partition 2097148 2092540 -1
/dev/sda2 partition 2097148 2089012 -2

# swapoff /dev/sdc2
# sswap /dev/sdc2

sdmem – Secure Memory Wiper

It securely removes data present in your memory (RAM), so it cannot be recovered by thieves, law enforcement or other threats. With the new SDRAMs, data does not wither away but is kept static, and it’s easy to extract the necessary information. The wipe algorithm is based on the paper “Secure Deletion of Data from Magnetic and Solid-State Memory” presented at the 6th Usenix Security Symposium by Peter Gutmann. Simply run it:

# sdmem

Options:

  • -f fast (and insecure mode): no /dev/urandom
  • -l lessens the security. Only two passes are written: the first with 0x00 and a final random one
  • -l -l for a second time lessens the security even more: only one pass with 0x00 is written
  • -v verbose mode

Note: Wiping the memory is very slow. You might use sdmem with the -ll option.

Additional Info (alternatives and SSD)

I’ve seen a couple of places where people mentioned dd as a good way to wipe the HDD. Write it with zero values (replace X with your volume letter):

# dd if=/dev/zero of=/dev/sdX bs=512

or write random patterns:

# dd if=/dev/random of=/dev/sdX bs=512

Using a smaller block size (down to bs=4) will write slightly more randomness, but will take longer.

Tools above might not be good/ideal for SSDs for multiple reasons:

  • Writing to flash-based memory (especially multiple times) is not healthy for the memory itself. You don’t want to dd your SSD on a daily basis, but a few times per year is not a big deal.
  • Commercial SSDs usually come with additional replacement cells. Initially they’re not used by the drive, but when cells start to wear out, the damaged ones are replaced with those in the reserve. That can lead to the SSD controller unmapping such damaged cells (possibly containing sensitive information) and making them inaccessible to low-level tools.

The available options: destroy it, or rely on the manufacturer’s ATA SECURE ERASE command implementation. Use the hdparm command with the --security-erase option (see the man page; the drive must first have a user password set with --security-set-pass, here the password is p):

# hdparm --user-master u --security-erase p /dev/sdX

Another “newbie” method I’ve seen for wiping free space is to fill it with “random” values.

# yes "pattern" > /path/on/the/volume/huge_file

Things to work on: