File wipe software
Real-world equivalent: a paper shredder
The process of overwriting a file, sometimes multiple times, to ensure its total deletion.
Why use file wipe software?
When files are deleted, they are not actually removed from the computer. Instead, a small part at the beginning of the file is modified so the computer treats it as free space. The file may be recoverable until the area is later overwritten by new data, and the information can sometimes still be found or rebuilt months after its removal. Because sensitive information that exists in an unsecured form is vulnerable to an Undelete Attack, a file wiping program will increase security.
On the negative side, wiping a file takes much longer than simply deleting it and can, over time, decrease the life of your magnetic media. For very large files (100+ megs), the time required can be prohibitively long.
Although file wiping is a good practice, it isn't foolproof: hard disks can silently reallocate sectors to spare ones, and the sectors taken out of service can still be read with special equipment. The best security is never to write sensitive data in the clear at all; see encrypting your files.
How it works
File wipe programs work by not only unlinking a file but also overwriting its contents with garbage data. For very high security installations, overwriting the file several times is advised. Many government institutions have specific protocols for file deletion. For instance, the U.S. DoD (Department of Defense) 5200.28 standard defines a file as unrecoverable only after it has been overwritten 7 times. Some researchers believe that the U.S. DoD standard is weak. Peter Gutmann outlines his reasons for believing a file needs to be overwritten at least 22 times with different patterns in his paper Secure Deletion of Data from Magnetic and Solid-State Memory.
This high security is required as, even after being overwritten, the old file can still be retrieved later by very specialized equipment.
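The overwrite-then-unlink sequence described above, as an added example in Python; it is not code from any of the tools named on this page. The pass patterns, file name and sample data are constructed for illustration and do not reproduce any named standard.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # write in blocks so large files never have to fit in RAM


def overwrite_pass(fd, size, pattern):
    """Overwrite `size` bytes from offset 0 with `pattern` repeated, or random data if None."""
    os.lseek(fd, 0, os.SEEK_SET)
    done = 0
    while done < size:
        n = min(CHUNK, size - done)
        block = secrets.token_bytes(n) if pattern is None else (pattern * (n // len(pattern) + 1))[:n]
        done += os.write(fd, block)
    os.fsync(fd)  # push this pass to the device before the next one starts


def wipe_file(path, passes=(b"\x00", b"\xff", None)):
    """Overwrite a file in place once per entry in `passes`, then rename and unlink it."""
    size = os.path.getsize(path)
    fd = os.open(path, os.O_WRONLY)  # no O_TRUNC: truncation frees the blocks unwiped
    try:
        for pattern in passes:
            overwrite_pass(fd, size, pattern)
    finally:
        os.close(fd)
    # Rename first so the original file name does not linger in the directory entry.
    anon = os.path.join(os.path.dirname(os.path.abspath(path)), secrets.token_hex(8))
    os.rename(path, anon)
    os.unlink(anon)
    return size


def demo():
    """Constructed demo: a handle opened before the wipe shows what the blocks hold afterwards."""
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "secret.txt")
    secret = b"account=12345 pin=0000\n" * 1000  # constructed sample data
    with open(target, "wb") as f:
        f.write(secret)
    with open(target, "rb") as witness:  # stays valid after unlink on POSIX systems
        wipe_file(target, passes=(b"\x00", b"\xff", b"\x55\xaa"))
        leftover = witness.read()
    gone = not os.path.exists(target)
    os.rmdir(workdir)
    return secret, leftover, gone
```

The writes only reach the blocks the file currently occupies; reallocated sectors and journaling filesystems, both discussed on this page, are outside what an in-place overwrite can cover.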
- Eraser - free, popular software for Windows and DOS - GPL, hosted by SourceForge.
- PGP and GPG tools often allow users to wipe files after encoding and some allow any deleted files to be wiped.
- DBAN - Derik's Boot And Nuke - wipe your hard drive quickly and painlessly with only a 3 1/2 inch floppy.
- BCWipe - Windows and *NIX - Commercial - a much more powerful file wipe utility that meets government regulations.
- FlexiCrypt - A Java program with a wide variety of algorithms provided by a reliable Java Security Provider (FlexiProvider); the source code is available. Allows one to use symmetric, asymmetric and hybrid encryption on files. Also provides secure file deletion.
- DeepDelete - open-source, easy to use and very secure. From the makers of anti-RIAA PeerGuardian (Methlabs).
- Eraser - open-source, easy to use, recipient of numerous awards.
- Parisien File Encryption (PFE) freeware - Windows - offers both an encryption tool and simple file-wipe capability.
- StompSoft's Digital File Shredder Pro - "Easily and permanently destroys files on your computer. Allows changeable government and military data sanitation standards and is compatible with all Windows drive formats - FAT16, FAT32, NTFS." Alternately, their product DriveWasher - makes any hard drive data non-restorable.
- srm (*NIX)
- grind (Linux/FreeBSD)
- safeshred (OSX)
- shred(1) from GNU coreutils (*NIX)
- wipe (*NIX)
- Some desktop environments, such as KDE, have a GUI shredder.
File wiping on different filesystems
Most modern UNIX computers do not necessarily require file wipe for security against Undelete Attacks. Non-*Nix systems such as DOS, Windows, and Macintosh OS 9 experience strong security benefits from a File Wipe program.
Due to the way UNIX and UNIX-like systems handle deleted files, they are not as vulnerable to an Undelete Attack. Deleted files are only vulnerable temporarily, until the OS progressively overwrites the area. UNIX does not immediately wipe the file unless configured to do so, but the area where the file resided on the HDD is soon overwritten, much more actively than on other systems (where it can remain for months or even years).
Though UNIX systems may be relatively secure against Undelete Attacks, physical inspections of hard drives are more likely to recapture data than undelete software (listed above). Using a secure wiping program ensures that attempts are made to overwrite data with patterns of bits that are most likely to render physical inspection useless.
Many modern operating systems such as Windows XP (NTFS), Mac OS X (HFS+), and GNU/Linux with a kernel version greater than 2.4 (Ext3, JFS, ReiserFS, and XFS) have the ability to use a journaling filesystem, which makes complete erasure of data unlikely. Journaling filesystems are used to increase the integrity of data in case of failures. To accomplish this, the filesystems keep metadata and logs in various places known to the filesystem; most filesystems can also journal all data, but turn this functionality off by default. The metadata and logs will not be securely wiped with a file wiping tool. To increase performance, these filesystems will often arrange I/O commands in an efficient manner and may continuously move data around the disk to prevent the need for operations similar to Windows scandisk. The performance-enhancing capabilities of the filesystems make wiping files hard because the data may only be wiped in its present location, leaving unwiped blocks of the data in other locations on the hard disk. Also, the filesystem may not execute all requests of a redundant I/O command.
There are several ways to securely wipe files when using journaling filesystems:
- Store data that needs to be wiped on a partition (slice, volume, or drive) that uses a non-journaling filesystem. For example, users of Windows can use a Z: drive formatted with FAT32, and users of GNU/Linux can use a partition formatted with Ext2.
- Store data that needs to be wiped on a partition that is encrypted using Hard Disk Encryption. This eliminates the need to use a secure wiping mechanism for individual files.
- Store data on a temporary partition using any journaling or non-journaling filesystem. When it is time to wipe all files, use a tool such as Eraser or Wipe to securely wipe the entire partition.
- Physically destroy the hard drive after use by melting the hard drive. (Passing a magnet over the hard drive will not work.)
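Before relying on a per-file wipe, it helps to know which filesystem a file actually lives on. The following added example (not from the original page or any listed tool) parses `/proc/mounts`-style text on Linux and classifies a path using the filesystem names this page lists; the mapping of HFS+ to `hfsplus` and FAT32 to `vfat` follows the Linux driver names, and the sample mount table and advice labels are constructed.

```python
import os
import re

# Types named on this page, spelled as Linux reports them; anything else is "unknown".
JOURNALING = {"ntfs", "hfsplus", "ext3", "jfs", "reiserfs", "xfs"}
NON_JOURNALING = {"vfat", "ext2"}

# Constructed sample in /proc/mounts format: device, mount point, type, options, dump, pass.
SAMPLE_MOUNTS = """\
/dev/sda2 / ext3 rw,relatime 0 0
/dev/sda3 /home xfs rw 0 0
/dev/sdb1 /mnt/scratch ext2 rw 0 0
/dev/sdc1 /media/usb\\040stick vfat rw 0 0
"""


def unescape(field):
    """Decode the octal escapes (for example \\040 for a space) used in mount tables."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Return a list of (mount_point, fstype) in table order, skipping malformed lines."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            mounts.append((unescape(parts[1]), parts[2]))
    return mounts


def fs_for_path(path, mounts):
    """Pick the longest mount point containing `path`; later entries win ties (over-mounts)."""
    path = os.path.normpath(path)
    best = None
    for mnt, fstype in mounts:
        inside = path == mnt or path.startswith(mnt.rstrip("/") + "/")
        if inside and (best is None or len(mnt) >= len(best[0])):
            best = (mnt, fstype)
    return best


def wipe_advice(path, mounts):
    """Classify `path` as 'overwrite-in-place', 'wipe-partition-or-encrypt' or 'unknown'."""
    found = fs_for_path(path, mounts)
    if found is None:
        return "unknown"
    if found[1] in NON_JOURNALING:
        return "overwrite-in-place"
    return "wipe-partition-or-encrypt" if found[1] in JOURNALING else "unknown"
```

On a live system, pass the contents of `/proc/mounts` instead of `SAMPLE_MOUNTS`; types not named on this page come back as "unknown" and should be treated as unsuitable for per-file wiping until checked.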
Isn't having a file wipe tool paranoia?
- No! Most people own a document shredder to prevent their personal information from being stolen or retrieved. Similarly, a file wipe tool should be available. Some viruses have been known to send sensitive documents, and it is conceivable that a backdoor could be designed to search your hard drive for deleted information. More likely still is someone with physical access to your computer. If you have or think you may have had illegal files on your computer, file wiping is a great way to remove any possible forensic evidence.
- In some airports, laptop theft is one of the most expensive and common crimes. (See: physical security)
I don't use my computer for anything but videogames. Is a file wiper useful for me?
- No. Most applications that do not involve personally identifiable information don't require a file wipe utility.
I may have deleted some files without using a wipe utility. How can I make sure they're gone?
- The fastest way to wipe your hard drive's free space is to write data to it until the drive is completely full, then delete and rewrite at least four more times. This can be done quickly by copying whatever CDs are available to your hard drive until the drive is full. Another method is to set a video or audio tool to record, even without an actual video or microphone connection, until the drive is full. Once the program complains about lack of memory, the temporary file can be discarded; repeat this four times and the wipe process is complete. Commercial tools automate this process and sometimes even rewipe up to 25x.
- No. In Windows, one has to wipe the swap file while it is not in use. This entails using a FAT32 filesystem, and wiping the swap file from a Live-CD package such as Knoppix, or alternating between two swap files or drives; one swap file/drive is wiped while the other is in use. An option for users of OpenBSD and GNU/Linux is to encrypt the swap partition using Hard Disk Encryption. An option for all operating systems is to disable swap and depend upon a large amount of RAM.
- Components and devices using a type of RAM are not completely safe. Such components and devices become more susceptible to physical inspection when data is left alone for lengthy periods. PGP avoided this problem by rotating the bits of keys at timed intervals when the keys were in RAM. For these components and devices, overwriting the memory once works to prevent finding old files. For the most paranoid, ensure that the overwriting occurs as soon as the data is no longer needed (or, do as the PGP program did and periodically move the data).
What about the information I don't delete - what about the sensitive information that's on my computer now?