3

How to securely erase/delete files or folders in different file systems (NTFS, ext3, ext4) ? Need to delete files so it will be impossible to recover that files and no traces of metadata and traces in journaling systems remains. How should I do that ? How many passes for overwriting I should use for SSD and how many for HDD ? OS: Linux distributive

user15943
  • 31
  • 2

1 Answers1

4

This question leads me to believe that you're slightly confused about how data is stored on the drives itself, so I'll start by touching upon that first.

Filesystem type: ext3, NTFS etc. are nothing but types of file systems. The type of filesystem used (in most cases) has zero impact on your ability to securely wipe the drive since in any secure wipe, it'll be nuked.

As you probably know, just hitting the delete key doesn't really wipe the space on the disk clean. It simply marks the area of the disk as 'empty' and allows new data to be written to the area. Think of it as cubicles:

|  Joe  |  James  |       | Amy |

You can see the empty cubicle between James and Amy. That is untouched space. Now let's say that James is fired. So he clears out his cubicle and leaves - but the space he used is just empty - and not untouched. This is an important distinction:

|  Joe  |  *empty*  |       | Amy |

Why? That's because when a new employee joins (drawing parallels between new data being written to the disk here), the new employee can be given either a fresh cabin (to the left of Amy) or a used, but empty cabin (James' old room).

This leads to a important observation - although there's no one in James' old cubicle at the present, there's a chance that the new employee might find something that James' left behind - similar to what a data forensics program looks for.

Now we come to the next part of the question:

How to securely erase/delete files or folders in different file systems (NTFS, ext3, ext4)?

Since we've figured out that the filesystem type is irrelevant, the only real consideration here is how. Data destruction programs that seek to wipe the entire hard drive work on the principle that - if all the hard drive space looks the same, it would be very, very hard to identify what was present on it earlier. Data on HDDs is stored as 1s and 0s. So some types of wiping programs, go over the entire disk with 0s, writing 0s to every sector. This is commonly called zero'ing out a drive. Here's how it might look before zero'ing: 

|10101100|00110000|11001010|10101010|

And after:

|00000000|00000000|00000000|00000000|

At this stage, unless you've really got yourself into a real mess, most people might just give up. If you're being chased by a three-letter agency on the other hand might bring out their electron microscopes to figure out how the bits were aligned before you overwrote them with zeros.

So a new wiping methodology was introduced.

It involved zero;ing, writing random data and then zero'ing again, repeated several times. Each iteration was called a pass. There were several techniques that used different passes to render data unrecoverable, but I'd say that for any sort of sale to a citizen, more than 7 passes would be overkill (and probably would ruin the disk's life anyway)

As John says in his answer here:

The only NIST approved method to securely erase a hard drive is by utilizing the secure erase internal command - documented at the Center for Magnetic Recording Research (CMRR) - and that is what everyone should be doing. It is an ATA command, and covers (S)ATA interfaces.

After that, you can optionally degauss the drive to erase the firmware itself.

SSDs:

SSD erasure is trickier because of how the data is stored on flash chips instead of magnetic disks. This answer answers the best ways to erase an SSD securely:

ATA Security Erase

The only way to securely erase an SSD is to use the ATA Security Erase feature, present on all ATA6-compliant drives (i.e. virtually all modern ones). Attempting to overwrite data on an SSD will not actually remove everything due to overprovisioning space mentioned above. Unfortunately, because of this overprovisioning space, you cannot actually read everything which is present on the drive, as this space is always hidden, so you cannot verify if you have overwritten everything.

ATA Security Erase is designed to solve this problem by doing a low-level overwrite of every single sector. On some newer SSDs, an additional feature calld ATA Enhanced Security Erase can be used to destroy a master key which the drive uses to transparently encrypt and decrypt your data. Destroying the key is instantaneous, but renders all the encrypted content inaccessible.

And the commands on *nix:

# it must say "not locked", "not frozen", and "supported: enhanced erase"
hdparm -I /dev/sda | grep -A8 "^Security:"

# overwrite the drive with a repeating pattern to check for after
yes "You should not see me" > /dev/sda

# begin the erasure, without using a password
hdparm --security-set-pass NULL /dev/sda
hdparm --security-erase-enhanced NULL /dev/sda

# check if the repeating pattern is anywhere to be found
strings /dev/sda | grep "You should not see me"

I hope this helps!

thel3l
  • 3,384
  • 11
  • 24