type here...
Anti-ForensicsDigital Forensics

Simple File Wiping on Linux using shred and dd

By Max
0
1112
Use coupon code: "antiforensics" for 20% off!

Simple File Wiping

This is a demo of creating a file, writing a filesystem to that file, mounting this filesystem, performing operations, including deletion and wiping of data. Then viewing the results to understand what has happened to the data after wiping. Linux shred, rm, and dd are used for file deletion and data wiping.

The Software

dd – is a powerful command-line utility in Linux used for copying and converting data with precise control over input and output parameters. It operates at the block level, making it versatile for tasks such as disk cloning, disk imaging, and low-level data manipulation. With dd, you can specify input and output files or devices, block sizes, byte offsets, and data transfer rates, offering granular control over data operations.

shred – is a command-line utility designed for securely deleting files by overwriting their contents with random data, making it virtually impossible to recover the original data. It’s commonly used to ensure sensitive information cannot be retrieved from storage media once deleted. shred offers various options for customization, such as specifying the number of overwrite passes, the method of overwriting (random data or zeros), and whether to remove the file after shredding. This tool is particularly useful in situations where data confidentiality is paramount, such as when disposing of storage devices or securely erasing sensitive files.

rm – is a command-line utility used for removing files and directories from the filesystem. It is a fundamental tool for file management in Unix-like operating systems. By default, rm deletes files without any confirmation prompts, making it efficient for batch operations. However, it also offers several options for more controlled deletion, such as prompting for confirmation before removal (-i), recursively deleting directories and their contents (-r), and forcibly removing files without prompting (-f). While rm is a powerful tool, caution is advised when using it to prevent accidental deletion of important files.

The Setup

The goal is to create an empty file, create a filesystem, mount the filesystem, and run a variety of file creation, file deletion, and file wiping techniques. The results are then viewed at the end.

Use dd to create a zero-filled file named data01.

$ dd if=/dev/zero of=data01 count=1 bs=512M        
1+0 records in
1+0 records out
536870912 bytes (537 MB, 512 MiB) copied, 1.47341 s, 364 MB/s

The count switch is used to specify how many blocks of data should be written. The bs switch specifies how large each block is in “M” or MiB’s. Together, these options are used to create a single 512MiB file.

-rw-r--r--  1 user user 512M Mar  5 15:33 data01

Next, use mkfs.exfat data01 to write the exfat file system to the file.

┌──(user㉿nox)-[~/demo]
└─$ mkfs.exfat data01
exfatprogs version : 1.2.2
Creating exFAT filesystem(data01, cluster size=32768)

Writing volume boot record: done
Writing backup volume boot record: done
Fat table creation: done
Allocation bitmap creation: done
Upcase table creation: done
Writing root directory entry: done
Synchronizing...

exFAT format complete!

Verify that the file system has been written using hexdump with the -C option. This option sets output to be a: canonical hex+ASCII display as seen below.

┌──(user㉿nox)-[~/demo]
└─$ hexdump -C data01 
00000000  eb 76 90 45 58 46 41 54  20 20 20 00 00 00 00 00  |.v.EXFAT   .....|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

Now mount the file as a loop device using losetup. First, use the -f switch to look for the first available loop node.

┌──(user㉿nox)-[~/demo]
└─$ losetup -f
/dev/loop0

The next available loop node is /dev/loop0. Next, mount the file as a loop device (create loop device).

┌──(user㉿nox)-[~/demo]
└─$ sudo losetup /dev/loop0 data01

Verify the loop device(s) using losetup -a to list all used devices. The loop device that was created should be listed.

┌──(user㉿nox)-[~/demo]
└─$ losetup -a
/dev/loop0: []: (/home/user/demo/data01)

Next, mount the loop device (in this case “/mnt” is used as the destination).

┌──(user㉿nox)-[~/demo]
└─$ sudo mount /dev/loop0 /mnt

$ mount
/dev/loop0 on /mnt type exfat (rw,relatime,fmask=0022,dmask=0022,iocharset=utf8,errors=remount-ro)

$ df -h
/dev/loop0      510M   96K  510M   1% /mnt

Create two files on the mounted filesystem. The first, “test” with “TEST456” as the content. Another, “best” with “BEST123” as the content.

Verify the content using GNU strings.

$ strings data01
EXFAT   
EXFAT 
BEST123
b0VIM 9.1
root
/mnt/test
utf-8
U3210
#"! 
TEST456
EFI PART
ziD|

Next, delete the test file using rm.

┌──(user㉿nox)-[~/demo]
└─$ sudo rm /mnt/test

Running the strings command will show that the data still exists.

$ strings data01
EXFAT   
EXFAT 
BEST123
b0VIM 9.1
root
/mnt/test
utf-8
U3210
#"! 
TEST456
EFI PART
ziD|

---

┌──(user㉿nox)-[~/demo]
└─$ ls -l /mnt  
total 32
-rwxr-xr-x 1 root root 8 Mar  5 16:43 best

The Shredding

Now, using the shred command, delete the “best” file. We use the -u switch to remove the file after shred, and the -z switch to zero-fill the file.

Below, notice that the file contents are now gone. Also notice that the “TEST456” associated content that was deleted through rm still exists on the drive.

┌──(user㉿nox)-[~/demo]
└─$ sudo shred -u -z /mnt/best

┌──(user㉿nox)-[~/demo]
└─$ strings data01 
EXFAT   
EXFAT 
b0VIM 9.1
root
/mnt/test
utf-8
U3210
#"! 
TEST456
EFI PART
ziD|

The Wiping

After successfully wiping (shred) the “best” file, the free disk space will be zero-filled using dd in order to erase the deleted file data (“TEST456”) for the old “test” file.

Use dd to wipe free space on the file system.

┌──(user㉿nox)-[~/demo]
└─$ sudo dd if=/dev/zero of=/mnt/BIGFILETOWIPEFREESPACE
dd: writing to '/mnt/BIGFILETOWIPEFREESPACE': No space left on device
1044289+0 records in
1044288+0 records out
534675456 bytes (535 MB, 510 MiB) copied, 7.99443 s, 66.9 MB/s

┌──(user㉿nox)-[~/demo]
└─$ strings data01                                     
EXFAT   
EXFAT

Run the strings command again on the data01 file and notice that all of the plaintext file content has been overwritten in free space.

So it’s done! … Not quite.

Use the strings command again, but specify the encoding option strings data01 -e {b,l}. Remember when the “test” file was deleted? The rm command was used, not shred. The file name data still resides in the file table and is recoverable because of this.

┌──(user㉿nox)-[~/demo]
└─$ strings -e {b,l} data01


Atest

The -e switch is for the encoding selection. Used here is the 16-bit encoding selection{b,l}. This way the data residing in the file table can be displayed.

Previous article
Reading the Notepad Tab Cache
Next article
Python cryptography Package Updated 2/23/2024

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisement -spot_img

Latest article

Privacy Policy

asdfasdfasdfasdf