Safe File Eraser on Linux

As a security consultant, I keep a lot of confidential data on my laptop: corporate data (emails, procedures, contact lists, etc.) and, even more critical, temporary customer data (reports, documentation, network topologies, packet captures, etc.). That’s why data protection is a key point for me.

First, data is encrypted using Truecrypt. This keeps the data secret and unreadable to a potential thief or hacker if my laptop is stolen. At the moment, my system partition is not (yet) encrypted. This means that temporary files (mainly created by applications) are often stored in system directories which are not encrypted. That’s why I use another tool, Eraser, to erase files in a safe way. It’s a nice tool which completely removes sensitive data from the hard drive by overwriting it several times with carefully selected patterns. Why do you need such a tool? To prevent files from being recovered by unauthorized people (intrusion), to prevent forensic investigation – even if I don’t have things to hide ;-) or to mitigate the risk if the disk is lost or sold without being fully cleaned. An example will show you what can be easily recovered:

# cd /tmp
# echo "John Doe|1234-1234-1234-1234|2008-10" >cc_numbers.txt
# cat cc_numbers.txt
John Doe|1234-1234-1234-1234|2008-10
# rm cc_numbers.txt
# cat cc_numbers.txt
cat: cc_numbers.txt: No such file or directory
# df /tmp
Filesystem        1K-blocks      Used Available Use% Mounted on
/dev/sda5           3842376     77248   3569940   3% /tmp
# strings /dev/sda5 | grep -i -A 5 cc_number
.cc_numbers.txt.swp
Certification_Report-06-104302.pdf60
cc_numbers.txtt.swx00
cups-bsd.template.248362
cups-bsd.config.248363
samba-common.template.248364
samba-common.config.248365
%PDF-1.6
--
/tmp/cc_numbers.txt
U3210#"! 
John Doe|1234-1234-
)Nh&
<|g5
rmx.b\
^C
#

When you erase a file using the standard system call (unlink() on UNIX), the file entry is removed from the file system but the data is kept. Only the index listing where the file is stored is destroyed, and the storage is made available for reuse. I won't give more information here; just refer to an excellent page about the ext3 file system.

And what about Linux? I also use alternate notebooks running Ubuntu or specific distributions to perform audits and penetration tests (BackTrack or Samurai). On those systems, I also need a tool to safely erase data. What are the tools available on Unix?

srm

srm ("secure rm") is a command-line tool compatible with the standard rm which destroys file contents before unlinking. The goal is to provide drop-in security for users who wish to prevent command-line recovery of deleted information, even if the machine is compromised. srm is available on SourceForge.

wipe

wipe is a similar command-line tool. The homepage has interesting information about the best way to wipe files: "For wipe to be effective, each pass must be completely written. To ensure this, the drive must support some form of a write barrier, write cache flush, or write cache disabling."
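The overwrite-then-unlink sequence these tools perform, with a flush after every pass as the wipe quote requires, shown as an added example (not code from the original post or from srm, wipe or shred). The function names, pass count and patterns are assumptions chosen for illustration.

```python
import os
import stat
import tempfile

def overwrite_and_unlink(path, passes=3, chunk=1 << 16):
    """Overwrite a regular file in place, flushing every pass, then unlink it."""
    # O_NOFOLLOW: do not follow a symlink someone planted in a shared directory.
    fd = os.open(path, os.O_WRONLY | os.O_NOFOLLOW)
    try:
        info = os.fstat(fd)
        if not stat.S_ISREG(info.st_mode):
            raise ValueError("not a regular file: %s" % path)
        for n in range(passes):
            os.lseek(fd, 0, os.SEEK_SET)
            left = info.st_size
            while left > 0:
                size = min(chunk, left)
                # Random bytes on every pass except the last, which writes zeros.
                block = os.urandom(size) if n < passes - 1 else bytes(size)
                left -= os.write(fd, block)
            # Ask the kernel to flush this pass before the next one starts,
            # otherwise the page cache may merge all passes into one write.
            os.fsync(fd)
    finally:
        os.close(fd)
    os.unlink(path)

def demo():
    """Constructed demo: a second hard link keeps the inode visible after unlink."""
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "cc_numbers.txt")
    witness = os.path.join(workdir, "witness")
    secret = b"John Doe|1234-1234-1234-1234|2008-10\n"
    with open(target, "wb") as f:
        f.write(secret)
    os.link(target, witness)  # same inode, second name
    overwrite_and_unlink(target)
    with open(witness, "rb") as f:
        remaining = f.read()
    # Checks the file's logical content only; it cannot see what the
    # file system or the drive did with the old physical blocks.
    return os.path.exists(target), secret in remaining, remaining == bytes(len(secret))

if __name__ == "__main__":
    print(demo())
```

The hard link in the demo also shows why a file with more than one name needs care: unlinking one name leaves the overwritten content reachable through the other.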

shred

shred is part of the GNU Core Utils package. shred invocation is explained here.

BCWipe

BCWipe for UNIX is intended to give you confidence that your deleted files cannot be recovered by an intruder. BCWipe repeatedly overwrites the files to be destroyed with special patterns. Note that it supports the US DoD 5220.22-M standard (7 passes with verification). Available here.

Kriptor

Kriptor is a bit different. Its primary purpose is to encrypt files. Secure file deletion is only an option. More info here.

scrub

And how do you clean up the free space available on a disk? Sometimes, files are created and removed the classic way (via the system call). scrub will help you to achieve this! How?

# scrub -X /filesystem/foo
# rm /filesystem/foo

It will create the file on the target file system and extend its size to completely fill the disk. Warning: such an operation can take a long time depending on the file system size. Also, the disk will be full for some time: take care if you're monitoring the free space! You could receive false alerts.

Automatic cleanup

It can be useful to automate the cleanup of directories like /tmp, /var/tmp via a cron job:

0 0 * * * find /tmp -type f -atime +3 -exec shred --remove {} \;

The command above will be executed every day at midnight and delete all files in /tmp which have not been accessed (-atime) for three days.

Finally, keep in mind that all tools reviewed here rely on the way the file system overwrites the data! Recent systems have extra features which can break the data overwriting process. Examples:

  • Journaled file systems (Ext3, ReiserFS, XFS, ZFS, AdvFS, ...)
  • Snapshot feature on storage systems
  • RAID systems
  • Mirrored filesystems (rsync'd)
  • Compression or remote file systems (NFS)
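A pre-flight check for the caveats listed above, as an added example (not from the original post): it finds which file system holds a path and reports whether overwriting in place can be trusted there. The function names and the sample mount table are constructed; RAID, snapshots and mirrors are invisible at this level and are not detected.

```python
# Constructed sample in /proc/mounts format: device, mount point, type, options.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,data=ordered 0 0
/dev/sda5 /tmp ext3 rw,data=journal 0 0
/dev/sdb1 /srv/data xfs rw 0 0
filer:/export /mnt/nfs nfs rw,vers=3 0 0
/dev/sdc1 /mnt/usb vfat rw 0 0
"""

# Types from the list above, under the names Linux uses for them (assumption).
JOURNALED = {"reiserfs", "xfs", "zfs"}
REMOTE = {"nfs", "nfs4"}

def mount_for(path, mounts_text):
    """Return (mount_point, fstype, options) for the longest mount point holding path."""
    best = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mnt, fstype, opts = fields[1], fields[2], fields[3].split(",")
        # Match whole path components only, so /tmpfoo is not taken for /tmp.
        if path == mnt or path.startswith(mnt.rstrip("/") + "/"):
            if best is None or len(mnt) > len(best[0]):
                best = (mnt, fstype, opts)
    return best

def overwrite_risk(path, mounts_text=SAMPLE_MOUNTS):
    """Return 'journaled', 'remote' or None for the file system holding path."""
    found = mount_for(path, mounts_text)
    if found is None:
        return None
    _, fstype, opts = found
    if fstype in REMOTE:
        return "remote"
    if fstype == "ext3":
        # Per the shred manual, ext3 is affected only when file data itself
        # goes through the journal (data=journal), not in the default mode.
        return "journaled" if "data=journal" in opts else None
    return "journaled" if fstype in JOURNALED else None

if __name__ == "__main__":
    for p in ("/tmp/cc_numbers.txt", "/home/me/report.pdf", "/mnt/nfs/capture.pcap"):
        print(p, overwrite_risk(p))
```

On a live system, pass the contents of /proc/mounts as mounts_text instead of the sample.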

Happy (and safe!) cleanup...
