When you delete a file in Windows, Ubuntu, or any other operating system, what it actually does is delete the pointer(s) within the disk index indicating where on the hard disk the file is stored. The file, and therefore the data contained therein is still sitting there.
Which is how certain file recovery tools are able to un-delete things. At least, until they are overwritten with something else.
If you overwrite the data, then it is generally unrecoverable. Modern hard drives have higher densities and less redundancy, which makes recovery more difficult. Which is probably enough for most people discarding old hard drives.
However, the data paranoid, who don’t want their bank details and passwords to end up in one of those ‘technical colleges’ in Lagos, may need a little more assurance that their data is wiped securely.
In the past there was redundancy on old, low capacity disks that allowed recovery if you had the right equipment and software.
A whole industry has sprung up around exaggerated claims for data recovery, providing software to securely over-write disks. Don’t believe Spooks, 24, Mission Impossible or anything similar from Hollywood. There is no evidence that, on a modern disc, there is ANY way of getting anything back that’s been overwritten once.
So how to manage that one simple pass?
There are utilities around. In typical overkill fashion, Apple’s Disk Utility is capable of 1, 7 or 35 overwrites. 7-times overwrite is supposedly what the US Dept of Defence use and 35 appears to be for the tin-foil hat brigade.
On Linux (under the GNU license) the Shred utility is a standard data wipe tool. You can use it natively on a Linux machine, but booting from a Linux Live CD means you can wipe data from Windows machines as well.
The most important thing is to figure out the correct hard drive to wipe. If you wipe the wrong hard drive, that data will not be recoverable.
In the terminal window, type:
sudo fdisk -l
This will list the hard drives available. Identify the right hard drive to wipe – narrow it down by file system and size – file system is found in the System column of the list, where Windows hard drives are usually formatted as NTFS (which shows up as HPFS/NTFS).
Make a note of the label found under the Device column heading. If you have multiple partitions on this hard drive, then there will be more than one device in this list.
sudo shred /dev/sda
(where sda is the disk identifier. Make sure you choose the right disk – sda, sdb, sdc, or the alternate identifiers hda, hdb, hdc – and don’t wipe the wrong one!)
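Since picking the wrong device is the one mistake you cannot undo, a pre-flight check is worth wrapping around the shred command. The script below is an added example, not part of the original article: it refuses anything that is not a block device or that has a mounted partition, and asks for an explicit "yes" before shredding. It assumes Linux with /proc/mounts; the device names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): guard before "sudo shred /dev/sdX".
# Assumes Linux with /proc/mounts; /dev/sdX names are constructed placeholders.

# Return 0 only if $1 is a block device and neither it nor any partition of it
# is mounted. Prefix matching is deliberately conservative: for /dev/sda it
# also refuses if /dev/sda1, /dev/sda2 (or even /dev/sdab) is mounted.
wipe_target_ok() {
    dev=$1
    if [ ! -b "$dev" ]; then
        echo "refusing: $dev is not a block device" >&2
        return 1
    fi
    if [ -r /proc/mounts ] &&
       awk -v d="$dev" 'index($1, d) == 1 { found = 1 } END { exit !found }' /proc/mounts; then
        echo "refusing: $dev or a partition of it is currently mounted" >&2
        return 1
    fi
    return 0
}

# Run shred only after the check passes and the operator types "yes".
# One random pass followed by a pass of zeros, as the article recommends.
wipe_disk() {
    wipe_target_ok "$1" || return 1
    printf 'Type yes to wipe %s: ' "$1"
    read -r answer
    [ "$answer" = "yes" ] || { echo "aborted" >&2; return 1; }
    shred -vfz -n 1 "$1"
}
```

Run it as root, e.g. `sudo sh wipe.sh` after adding a final line `wipe_disk /dev/sdX`; the check is what stops a typo from wiping the disk you booted from.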
If you want to be more specific, with some additional command switches:
shred -vfz -n 10 /dev/hda
-f forces the write by changing the permissions wherever necessary
-z overwrites the entire hard disk with zeros, but only after:
-n 10 is the number of passes overwriting with data from /dev/urandom (probably overkill, as I’m not aware of a single confirmed example of someone recovering data from an erased disk even after 1 pass)
and /dev/hda is the whole hard disk to wipe.
Shred will even protect from forensic magnetic analysis of the disk.
Shred Individual Files
You can also use it to wipe individual files or groups of files, by mounting the disk, navigating to the chosen files and folders and issuing the command:
sudo shred <filename>
specifying the file(s) to wipe. For example:
sudo shred /home/robin/creditcard.txt
Note that the creditcard.txt file still exists, but it has been shredded: a quick look at the contents of creditcard.txt will show that the file has been securely overwritten.
To securely delete the file, we can use some more command-line switches to delete the file from the hard drive entirely.
In the terminal, type:
shred --remove creditcard.txt
By default, shred overwrites the file 25 times; we can alter this with the iterations switch:
shred --remove --iterations=50 creditcard.txt
creditcard.txt is securely wiped on the physical disk, and no longer shows up in the directory listing.
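To see the difference between a plain shred and shred --remove without risking a real file, the following added example (not from the original article) creates a throwaway stand-in for creditcard.txt in a temporary directory, overwrites it in place, confirms the original text is gone, and then shreds and unlinks it. It assumes GNU coreutils shred is installed.

```shell
#!/bin/sh
# Added example (not from the original article): exercise shred on a constructed
# sample file so the overwrite and --remove behaviour can be observed safely.
set -eu

# Create a constructed sample file standing in for creditcard.txt; print its path.
make_sample() {
    dir=$(mktemp -d)
    printf 'card 4111 1111 1111 1111 exp 12/29\n' > "$dir/creditcard.txt"
    echo "$dir/creditcard.txt"
}

# Overwrite in place (no --remove): the file stays, but its contents are replaced.
# Returns 0 only if the file still exists and the original text is gone.
shred_keep() {
    f=$1
    shred -n 3 -z "$f"        # 3 random passes, then a final pass of zeros
    [ -f "$f" ] || return 1
    if grep -q '4111 1111' "$f"; then return 1; fi
    return 0
}

# Overwrite and then unlink. GNU shred --remove also renames the file before
# deleting it, so the old file name is hidden as well as the contents.
shred_remove() {
    f=$1
    shred -n 3 -z --remove "$f"
    [ ! -e "$f" ]
}

f=$(make_sample)
shred_keep "$f" && echo "overwritten in place; $f still listed"
shred_remove "$f" && echo "overwritten and removed; $f gone"
```

On a journalling filesystem the same caveat applies as in the text: the file's blocks are overwritten, but copies that the journal or a snapshot holds are not.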
However, shred will not wipe everything if you are using a journalling filesystem which has change logs and data redundancy. There is a disclaimer in the manpage for shred that highlights issues wiping data from certain types of file systems:
- log-structured or journalled file systems, such as those supplied with AIX and Solaris (and JFS, ReiserFS, XFS, Ext3, etc.)
- file systems that write redundant data and carry on even if some writes fail, such as RAID-based file systems
- file systems that make snapshots, such as Network Appliance’s NFS server
- file systems that cache in temporary locations, such as NFS version 3 clients
- compressed file systems
“shred relies on a very important assumption: that the file system overwrites data in place. This is the traditional way to do things, but many modern file system designs do not satisfy this assumption.”
If it’s possible to reconstruct the contents of a file from the journal, or from the redundant copies in a RAID array, then clearly you want to wipe the entire disk to be safe, and probably the entire array.
As an alternative, there is another Linux utility actually called wipe. This is not included in Ubuntu by default, so we have to install it, but this can be done even using a Live CD.
The wipe developers recommend wiping each partition separately.
It’s another command-line utility requiring the following terminal command:
sudo wipe <device label>
sudo wipe /dev/sda1
This is the point of no return and the hard drive will be completely wiped. Don’t think you can interrupt the process as this will just leave an unholy mess of the disk.
There is another Linux utility that many hardcore users swear by which is the multi-purpose DD (Disk Dump) command. The terminal command:
dd if=/dev/zero of=/dev/sda
Will overwrite the entire disk with zeroes quickly, quietly and efficiently. Again, exercise caution and don’t think you can cancel or interrupt it once it starts. RC