
I was reading about the Mask malware on Kaspersky. And they mentioned this:

“Several reasons make us believe this could be a nation-state sponsored campaign. First of all, we observed a very high degree of professionalism in the operational procedures of the group behind this attack. From infrastructure management, shutdown of the operation, avoiding curious eyes through access rules and using wiping instead of deletion of log files. These combine to put this APT ahead of Duqu in terms of sophistication, making it one of the most advanced threats at the moment,”

So what is the difference?

What does a computer/OS do when a user clicks delete and how is it different from a wipe?

And how does a user do a wipe?

EDIT

Follow up questions:

Can data be recovered that is deleted? (I believe this would work as long as the data hasn't been overwritten?)

Can data that is wiped be recovered?

stackErr

2 Answers


When you delete a file, the information is not immediately removed from the disk. Instead, the OS/file system simply updates a database keeping track of files on the disk to acknowledge that the file is no longer needed and hides the file from being visible. The information is only removed when, at some point in the future, the OS decides to use the space to store another file. That could be a few minutes later, or many weeks later, depending on how the computer is used. Before then, the data is still recoverable using data recovery programs.

When you do a wipe (also sometimes called a secure delete), you are telling the operating system to not only update its file records, but also immediately overwrite the disk space with either zeros or random data, making it much harder to recover anything.

To do a wipe many operating systems support the key combination Shift+Del which will immediately overwrite the space the file occupied. For maximum security though, there are many programs out there that actually fill the entire hard drive with random data and then delete the random data, sometimes more than a dozen times. This makes it nearly impossible to recover any previously deleted files. CCleaner, for example, is one freeware program that has that ability.

So to answer your follow-up questions:
1. Yes, it is usually quite easy to recover deleted (not wiped) data as long as it hasn't been too long since the data was deleted. This is how most data recovery programs work.
2. That depends. If you do a single wipe (i.e., you overwrite the space once with random data), you're probably not going to be able to recover anything with standard data recovery programs anymore. However, skilled investigators may still be able to recover the data by putting your hard disk platters under an electron microscope to determine what was originally there, as overwrites are not always completely clean. It's like erasing a letter with a pencil and writing another letter over it; sometimes you can still faintly see the original letter.

If you do multiple passes with a very secure wiping algorithm though (like DoD, which overwrites the data 35(!) times), even this becomes unfeasible.

tlng05
  • Does the OS make the decisions about "when to overwrite" or the file system software? (granted, they're often tightly linked...) – Nick T Oct 03 '14 at 00:10
  • It may be useful to add a bit about how Flash SSD is different with TRIM/UNMAP, garbage collection of partially trimmed flash blocks and eventual flash block erase. As far as I know, once a flash block is erased, there's nothing left for forensics to uncover, even with a microscope. – Zan Lynx Oct 03 '14 at 00:21
  • 2
    Overwriting your data more than once may have been useful in the 1990s, but as far as I know electron microscopes have not been a threat for a good 15 years. Modern hard drives are just too dense and precise. – Matt Nordhoff Oct 03 '14 at 00:27
  • 4
    The bit about Shift+Del wiping a file is news to me. I'm hardly an expert, but I don't know of any major operating system that does that; more commonly, in my experience, Shift+Del only deletes the file, whereas just Del _moves_ it to the Recycle Bin or Trash folder, from where it can be easily restored without file recovery software. – David Z Oct 03 '14 at 02:59
  • @DavidZ ah, I guess I may have heard wrong then. I have removed Shift+Del from my post. – tlng05 Oct 03 '14 at 03:24
  • @user54791 FYI: https://kromey.us/2013/04/the-myth-of-data-remanence-484.htmt...so with today's HDDs and SSDs there is little to no need for 35 wipes. – stackErr Dec 04 '14 at 19:14
  • By the way, 35 overwrites is the Gutmann method. DoD 5220.22-M specifies 3 passes, I believe of 1s, 0s and then random data. Another common method is the Schneier 7 Pass. – timuzhti Sep 16 '15 at 08:02
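The mechanism the answer above describes (delete forgets the file-table entry and leaves the blocks alone until they are reused; wipe overwrites them first) made concrete on a toy block device. This is an added example, not code from the original answers or from any real filesystem: `ToyDisk`, `BLOCK_SIZE`, `NUM_BLOCKS`, the `MAGIC` signature and the sample content are all constructed for illustration. `carve()` does what a recovery tool does: it ignores the file table and scans the raw media for a known signature.

```python
# Added example (not from the original answers): a toy block device that makes the
# delete-vs-wipe distinction concrete. ToyDisk, BLOCK_SIZE, NUM_BLOCKS, MAGIC and
# the sample content are constructed for illustration; no real filesystem works
# exactly like this, but the three operations map onto what a real one does.
import os

BLOCK_SIZE = 512
NUM_BLOCKS = 64
MAGIC = b"SECRET-REPORT\n"  # constructed file signature that a carving tool looks for


class ToyDisk:
    def __init__(self):
        self.media = bytearray(BLOCK_SIZE * NUM_BLOCKS)  # the raw platter/flash contents
        self.directory = {}                               # name -> (block list, size): the "file table"
        self.free = list(range(NUM_BLOCKS))               # blocks the allocator may hand out

    def create(self, name, data):
        nblocks = -(-len(data) // BLOCK_SIZE)             # ceiling division
        if nblocks > len(self.free):
            raise OSError("disk full")
        blocks = [self.free.pop(0) for _ in range(nblocks)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.media[b * BLOCK_SIZE:b * BLOCK_SIZE + len(chunk)] = chunk
        self.directory[name] = (blocks, len(data))

    def read(self, name):
        blocks, size = self.directory[name]
        raw = b"".join(self.media[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] for b in blocks)
        return raw[:size]

    def delete(self, name):
        """Ordinary delete: forget the file-table entry and mark its blocks reusable.
        Nothing on the media changes, which is why recovery tools still find it."""
        blocks, _ = self.directory.pop(name)
        self.free.extend(blocks)  # freed blocks go to the back of the queue: they are
                                  # reused only once every other free block is taken

    def wipe(self, name, passes=1):
        """Secure delete: overwrite every block the file owns, then do an ordinary delete."""
        blocks, _ = self.directory[name]
        for _ in range(passes):
            for b in blocks:
                self.media[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = os.urandom(BLOCK_SIZE)
        self.delete(name)

    def carve(self, magic=MAGIC):
        """What a recovery tool does: ignore the file table and scan the raw media
        block by block for a known signature. Returns (block index, content) hits."""
        hits = []
        for b in range(NUM_BLOCKS):
            block = bytes(self.media[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE])
            if block.startswith(magic):
                hits.append((b, block.rstrip(b"\x00")))
        return hits


SAMPLE = MAGIC + b"Q3 numbers (constructed sample data)\n"


def demo():
    """Run the three scenarios the answer describes and return what a carver recovers."""
    deleted = ToyDisk()
    deleted.create("report.txt", SAMPLE)
    deleted.delete("report.txt")
    after_delete = [data for _, data in deleted.carve()]   # still there

    # The remnant only disappears once the allocator reuses that block for new data.
    while deleted.free:
        deleted.create("other%d.bin" % len(deleted.directory), b"x" * BLOCK_SIZE)
    after_reuse = [data for _, data in deleted.carve()]    # gone

    wiped = ToyDisk()
    wiped.create("report.txt", SAMPLE)
    wiped.wipe("report.txt")
    after_wipe = [data for _, data in wiped.carve()]       # gone immediately

    return {"after_delete": after_delete, "after_reuse": after_reuse, "after_wipe": after_wipe}


if __name__ == "__main__":
    for scenario, hits in demo().items():
        print(scenario, "->", hits if hits else "nothing recoverable")
```

Running `demo()` shows the deleted file being carved straight off the media, surviving until the allocator finally hands its block to new data, and the wiped copy being unrecoverable as soon as `wipe()` returns. The allocator here deliberately reuses freed blocks last, which is the "a few minutes or many weeks later" point from the answer; a real filesystem's allocator makes that interval unpredictable.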

A lot of times these terms are used interchangeably.

Delete
This is when you perform your standard delete from a disk. The thing to remember is that the data is still sitting in memory. The delete operation has just told the operating system that that space is now available again to be written over. And the operating system removes its reference to that chunk of memory. But the original data is still sitting there.

Wipe
Before performing the delete operation the block of memory is overwritten in some way. When you generally think of wiping, you think of overwriting the space with zeros. Some might say to overwrite with another constant value, or even with random data. Then once the delete happens the operating system loses its reference to that data. And the left over data is not the original data that piece of memory contained. It is suggested to overwrite the data multiple times to ensure any errors in writing are compensated for.

There are programs out there that will wipe partitions or portions of memory. Some modern operating systems do perform some type of wipe for data in RAM, but not necessarily on a hard disk. The user would have to manually overwrite the data themselves.

Data Erasing Tools

Follow-up Questions

Can data be recovered that is deleted?

Yes. Since only the reference the OS uses for memory management is removed, the data still sits there. Most forensic data and recovery tools are able to scan freed memory, and attempt to find known file patterns to restore data.

Can data that is wiped be recovered?

The point of overwriting data is so it cannot be recovered after wiping. The reason to overwrite data multiple times is more of a physics issue when dealing with magnetic hard drives. Flipping bits once isn't as effective on a magnetic strip. With certain forensic instrumentation parts of the original data can be recovered. However, flipping bits a lot over and over again kind of mashes the bits, and it is almost impossible to determine what original bit was stored.

Why overwrite data multiple times?

RoraΖ
  • Thanks for all the information! I have edited the original question with some more questions. Can you try and answer them? Also when you say memory, do you mean cache, RAM, HD or all of them? – stackErr Oct 02 '14 at 20:04
  • By memory I mean RAM or hard disks. I updated my answer, not that it matters so much any more. – RoraΖ Oct 03 '14 at 11:59
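The answer above says the user has to overwrite the data manually before deleting; this is what that looks like as a small tool, and it is the answer to the question's "how does a user do a wipe?". It is an added example, not code from the original answers, and it mirrors what `shred -u` does: overwrite the file in place with each pattern, force the writes out of the page cache with `fsync`, shrink and rename the file so the size and name do not linger in the directory, then unlink. The pass list (zeros, ones, random) and the sample content are assumptions chosen for illustration. The caveat a practitioner needs: in-place overwriting only reaches the original blocks on filesystems that rewrite in place (ext4 in its default mode, NTFS, FAT); copy-on-write filesystems (btrfs, ZFS, APFS), snapshots, journaling of file data and SSD wear-levelling can all keep an old copy this code never touches, which is why SSDs are better handled with full-disk encryption and key destruction or the drive's own secure-erase command.

```python
# Added example (not from the original answers): in-place file wipe, the manual
# "overwrite then delete" the answer describes. The pass list and the demo content
# are assumptions for illustration. Only effective on filesystems that rewrite blocks
# in place; CoW filesystems, snapshots and SSD wear-levelling can retain old copies.
import os
import secrets
import tempfile

CHUNK = 1 << 20  # write in 1 MiB pieces so large files do not need a file-sized buffer


def _overwrite(fd, size, pattern):
    """Write `size` bytes from offset 0 and push them to the device.
    `pattern` is a single byte (repeated) or None for random data."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        buf = os.urandom(n) if pattern is None else pattern * n
        written = 0
        while written < n:                     # os.write may write less than asked
            written += os.write(fd, buf[written:])
        remaining -= n
    os.fsync(fd)  # without this the overwrite may still sit in the page cache, not on disk


def wipe_file(path, passes=(b"\x00", b"\xff", None)):
    """Overwrite `path` once per entry in `passes`, truncate it, rename it, unlink it.
    Returns the total number of bytes overwritten (file size * number of passes)."""
    fd = os.open(path, os.O_RDWR)
    try:
        size = os.fstat(fd).st_size
        for pattern in passes:
            _overwrite(fd, size, pattern)
        os.ftruncate(fd, 0)  # hide the original length from the directory entry
        os.fsync(fd)
    finally:
        os.close(fd)
    # Rename before unlinking so the original filename is not left in the directory.
    directory = os.path.dirname(path) or "."
    anon = os.path.join(directory, secrets.token_hex(8))
    os.rename(path, anon)
    os.unlink(anon)
    return size * len(passes)


def demo():
    """Create a throw-away file with constructed content, wipe it, report what happened."""
    fd, path = tempfile.mkstemp(prefix="wipe-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(b"constructed sample secret\n" * 200)  # 26 bytes * 200 = 5200 bytes
    size_before = os.path.getsize(path)
    overwritten = wipe_file(path)
    return {
        "size_before": size_before,
        "bytes_overwritten": overwritten,
        "exists_after": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

Three passes are kept only because the answers above discuss multi-pass wiping; for a modern magnetic drive a single overwrite is what matters, and the important parts for correctness are the `fsync` after each pass (otherwise the overwrite may never reach the media before the block is freed) and the rename before unlink. Nothing in this code verifies the result against the raw device, because reading the file back only shows the page cache; checking the media means imaging the device and carving it as a recovery tool would.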