Most computer users don’t realize that deleting a file does not get rid of the file contents. Conventional file deletion merely drops entries for the file in the File Allocation Table (in a FAT filesystem), Master File Table (in NTFS), or similar index to allocated clusters. Clusters are marked as unallocated so they may be reused for the storage of data associated with new files in the future. To protect against unwanted disclosure of sensitive data, files must be wiped or erased rather than simply being deleted.
When a file is wiped, its contents are overwritten so that normal disk I/O and software calls are not sufficient to recover the file's data. Overwritten data is considered erased even when forensic data recovery techniques are able to detect residual recoverable data physically present on the storage device. When data recovery is a simple matter of executing software instructions to parse data structures starting with known file headers, the difference between a deleted file and an active one is little more than a limitation of perception caused by inadequate built-in data recovery features.
As programmers, it is our job to ensure that delete really means that data is gone, at least with respect to software that can control the data storage device through the normal I/O interface. Very sensitive information is supposed to be overwritten numerous times with random bit sequences, and a variety of techniques and algorithms have been defined and standardized for accomplishing thorough destruction of data. Two programs that are useful for permanently wiping data storage devices or highly sensitive files are Darik's Boot and Nuke (DBAN) and Eraser. These programs are open source and can be downloaded from SourceForge at the following URLs:
DBAN
http://sourceforge.net/projects/dban/
Eraser
http://sourceforge.net/projects/eraser/
In most cases, simply overwriting file contents with nonrandom data, such as
streams of ones or zeros, is more than enough additional protection against
software-based data recovery or forensic tools. The following .NET class illustrates
a simple, quick, and effective way to ensure that delete really means that a
file cannot be recovered using software alone. The class wipes a file by writing
zeros in place of each byte of allocated space prior to calling the regular
file-deletion API:
using System;
using System.IO;
namespace filewipeclass {
class main {
[STAThread]
static void Main(string[] args) {
FileWipe fw = new FileWipe();
fw.Wipe(args[0]); }}
class FileWipe {
// File.Delete method only drops FAT/MFT entry
// FileWipe destroys file data first.
public void Wipe(string sPath) {
FileInfo fi = new FileInfo(sPath);
try {
if(fi.Exists) {
FileStream fs = fi.OpenWrite();
for(int a = 0;a < fi.Length;a++) {
fs.WriteByte(0);
}
fs.Close();
}
fi.Delete();
}
catch(Exception e) {System.Console.WriteLine(e);}
}}}
There is no good reason to leave deleted data sitting on a data storage device just waiting to be recovered. Adding a predelete step to the file-erasing process is easy in any language, and only by wiping files that users believe they are deleting can we fulfill our obligation to users to provide them with software that does not provide a false sense of security.
Even data that may not seem sensitive to us often turns out to be very sensitive to our users. For instance, temporary files that are never seen by a normal user are often examined by forensic investigators who consider the mere existence of a file, deleted or not, to be conclusive proof that a particular person caused our software to perform some task at a particular time. Such circumstantial evidence of possible activity on a computer in the past can have significant security or legal implications for the computing public.
As a rule, if you care about producing secure software products that are safe to use, everything must be wiped rather than just being deleted.
Jason Coombs <[email protected]> works as a freelance computer forensic analyst and security incident response investigator. He also serves as a technical expert witness in civil and criminal court cases. Jason thinks he knows a thing or two about information security and forensics, but he may be mistaken; he may in fact be your typical corporate programmer geek with a slightly unusual résumé, which is mostly the result of a refusal to work in a cubicle and a desire to earn far more than he is probably worth.