Thursday, June 4, 2009

Validating secure erase

For a while, BleachBit has supported a secure erase feature by invoking shred, the external program ubiquitous on Linux systems. (The secure erase feature overwrites the contents of files to prevent data recovery.) Of course, Windows doesn't come with shred, so BleachBit 0.5.1 now includes internal code to do the same. It's important to validate the new code, so we know it works as advertised.

First, the new code includes a unit test (as does much of BleachBit code). The unit test creates a file with a short, repeating pattern, "abcdefghij", securely erases the file, and checks for remnants of the pattern. The unit test passes on Fedora 10 and on Windows 7.

The unit test has limitations, so I also performed a more sophisticated test. On Linux, I executed these commands to create and mount a fresh ext3 loopback filesystem:

dd if=/dev/zero of=/tmp/testfs bs=1M count=5 # 5 megabytes
/sbin/mkfs.ext3 /tmp/testfs
sudo mkdir /mnt/testfs
sudo mount -o loop /tmp/testfs /mnt/testfs/

Then, I executed this Python code to create a 3,000,000-byte file with the same repeating pattern and securely delete it with BleachBit.

import FileUtilities
import tempfile
import os

fn = "/mnt/testfs/wipeme"
f = open(fn, 'wb+')
f.write("abcdefghij" * (3 * 1000 * 100))  # 300,000 copies = 3,000,000 bytes
f.close()  # flush the pattern to disk before wiping it
# Assumed: the wiping call was cut off in the post; wipe_contents is the
# FileUtilities routine that does BleachBit's single-pass zero overwrite.
FileUtilities.wipe_contents(fn)
os.remove(fn)


Don't forget to unmount the file system:

sudo umount /mnt/testfs/

If the secure file eraser worked, there should now be zero copies of the repeating pattern. Indeed, there are none!

[a@z bleachbit]$ grep abc /tmp/testfs
[a@z bleachbit]$ grep efg /tmp/testfs
[a@z bleachbit]$ strings /tmp/testfs
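As an added example (not BleachBit's own code), the same experiment in Python: a single-pass zero overwrite with flush and fsync, plus a chunked scanner that can be pointed at the unmounted loopback image (/tmp/testfs above) in place of grep and strings. The scanner carries a tail between reads so a pattern copy straddling two chunks is not missed; PATTERN, BLOCK and the function names are this example's own choices.

```python
import os
import tempfile

PATTERN = b"abcdefghij"   # the post's repeating test pattern
BLOCK = 4096              # write granularity of the overwrite pass


def wipe_contents(path, truncate=True):
    """One pass of zeros over every byte of `path`; returns bytes overwritten.

    Opened r+b (no O_TRUNC) so the zeros land on the file's existing blocks
    rather than on freshly allocated ones. flush() only empties Python's
    buffer; fsync() makes the kernel push the zeros out to the device.
    """
    size = os.path.getsize(path)
    zeros = b"\0" * BLOCK
    with open(path, "r+b") as f:
        left = size
        while left > 0:
            n = min(BLOCK, left)
            f.write(zeros[:n])
            left -= n
        f.flush()
        os.fsync(f.fileno())
        if truncate:
            f.truncate(0)
            f.flush()
            os.fsync(f.fileno())
    return size


def scan_for_pattern(path, pattern=PATTERN, chunk=1 << 20):
    """Count non-overlapping copies of `pattern` in a raw file or disk image.

    Keeps the last len(pattern)-1 bytes of each chunk as a tail for the next
    read, so a copy split across two chunks is still counted (exact for
    patterns that do not overlap themselves, like the post's).
    """
    count, tail = 0, b""
    with open(path, "rb") as f:
        while True:
            data = f.read(chunk)
            if not data:
                return count
            buf = tail + data
            count += buf.count(pattern)
            tail = buf[-(len(pattern) - 1):]


def run_check(nbytes=3 * 1000 * 1000, chunk=1 << 20):
    """Write the pattern file, wipe it, and report what the scanner sees."""
    fd, path = tempfile.mkstemp(prefix="wipeme")  # constructed test file
    os.close(fd)
    with open(path, "wb") as f:
        f.write(PATTERN * (nbytes // len(PATTERN)))
    before = scan_for_pattern(path, chunk=chunk)
    wiped = wipe_contents(path)
    after = scan_for_pattern(path, chunk=chunk)  # file-level view only
    size_after = os.path.getsize(path)
    os.remove(path)
    return {"before": before, "wiped": wiped, "after": after, "size_after": size_after}
```

The file-level `after` count is the limitation the post mentions for the unit test: it is zero simply because the file is empty, so the check that matters is `scan_for_pattern("/tmp/testfs")` after the filesystem is unmounted.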

Compared to Gutmann-35

BleachBit's secure erase method is a single pass with zeros, so why doesn't BleachBit use the Gutmann-35 method? The Gutmann secure deletion method gives some people a false sense of security. A long time ago (in the technology timeline) the 35-pass Gutmann method was designed for MFM/RLL hard disk drives. My last computer to include an MFM hard drive was purchased in 1989. Time has passed and technology has changed. Today's PATA/IDE and SATA hard drives are much more dense, and NIST, the NSA, and other experts now agree that a single pass to overwrite data is sufficient.

However, there are two exceptions. First, erasure of individual files (by any erasure method) is not effective in some situations, such as using ext3 with the non-default option data=journal. Also, modern hard drives sometimes move data transparently to the operating system. In such cases, it is necessary to either securely wipe the entire disk (in the case of the former) or physically destroy it (in the case of the latter).

That said, BleachBit's method is much quicker than Gutmann-35 and generally equally effective for everyday use. Generally, files deleted securely by BleachBit cannot be recovered by any undelete or other file recovery methods. If you are worried about highly-motivated and well-resourced people watching you, don't forget to take your prescription. Besides, "they" have more convenient ways of watching you.
