COMP 4027 Forensic and Analytical Computing

ANTIFORENSICS: Secure deletion and disc cleansing (sanitisation)

"Secure" deletion

As you will know, just dragging a file to the trash (recycle bin) does not actually remove all traces of the file. In fact, the file is still completely recoverable while it is in the trash. Even emptying the trash does not necessarily remove all traces of the file, because the file system does not actively remove or overwrite the storage used to hold the file unless the space is required for another file. With the large quantities of storage space now standard on many machines, it is feasible for a file never to be overwritten in the machine's lifetime.

For forensic purposes this is extremely useful, as we can recover deleted or superseded files. However, the community is becoming aware of the potential privacy issues represented by the total lack of "data cleansing" (also known as "data sanitisation"). There are now many tools to assist the casual user with removing all traces of files, often to a very high degree of non-recoverability.

The usual approach to data cleansing is to overwrite the data to be deleted with meaningless data, for example all 0 values in every bit, or random values in every bit.

The Macintosh OS X operating system supports disk cleansing with its "secure delete" facility.

However not all operating systems support similar tools so one has to find external applications to achieve the same purpose.

There are two classes of disc cleansing tool: those that cleanse individual files (sections of the disc), and those that cleanse an entire disc. The Mac OS X secure delete facility only works for individual files, and is effected by the operating system itself. Hence it is not suitable for a complete disc cleansing. Cleansing an entire disc must be done by software running on an external device. However, the Mac also has a Disk Utility tool that performs a number of disc-related operations, including taking an image of a disc, formatting the disc or overwriting the entire disc with zeroes.

Note that formatting a disc does not intrinsically overwrite all the contents. This is why disposal of a hard disc or other data storage device should not be done until the contents are cleaned off. A popular software tool for wiping entire hard discs is DBAN (Darik's Boot and Nuke), which uses one or more "passes" of overwriting of memory - usually 3 passes is deemed to be adequate for most domestic purposes.

A single pass of overwriting means overwriting every bit with some value, for example all zeroes or all ones, or with a random sequence of bits. Of course, an algorithmically-generated sequence of "random" numbers is not random at all; such sequences are known as "pseudorandom".
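The passes described above, applied to a single file, as an added example (not code from these notes or from DBAN). The function names, the 64 KiB chunk size and the default order of passes are assumptions made for illustration.

```python
import os
import secrets

CHUNK = 64 * 1024  # assumed chunk size: write in pieces so large files do not fill RAM

def _pattern(kind, n):
    """Return n bytes for one pass: all zeroes, all ones, or random."""
    if kind == "zeros":
        return b"\x00" * n
    if kind == "ones":
        return b"\xff" * n
    if kind == "random":
        return secrets.token_bytes(n)  # drawn from the OS generator, not a seeded PRNG
    raise ValueError(f"unknown pass type: {kind}")

def overwrite_file(path, passes=("zeros", "ones", "random")):
    """Overwrite a file's current contents in place, one pass per entry.

    Returns the file length so the caller can confirm nothing was truncated.
    Only the blocks the file system maps to this file right now are touched;
    earlier copies of the data elsewhere on the disc are not.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for kind in passes:
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(_pattern(kind, n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push this pass to the device before starting the next
    return size

def verify_constant(path, byte_value):
    """True if every byte of the file equals byte_value (checks a zero or one pass)."""
    expected = bytes([byte_value])
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk.count(expected) != len(chunk):
                return False
    return True
```

Ending the pass list with "zeros" or "ones" lets verify_constant confirm the final pass reached every byte of the file.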

Why do we need more than one pass of overwriting? It's said to be needed because there is often some residual magnetic signal that can still be detected even after the memory has been overwritten - see this discussion here about how this happens. Note that it is claimed that "a low frequency signal will, in theory still be detectable even after it has been overwritten hundreds of times by a high frequency signal". Of course this is a theoretical risk, and probabilistically there will be very few bits with readable residues after frequent overwriting and hence it is unlikely that enough parts of a file will be recoverable for forensic use.

On the other hand, other work suggests that a single pass of random overwriting is adequate (see the Wikipedia entry for data erasure).

DBAN operates with up to seven passes of overwriting. The recommendation is for three passes of overwriting, which should render the disc "safe" from all but physical inspections with expensive methods such as with a magnetic force microscope. Seven levels are recommended for more sensitive information. It is notable that the explanation of this seems to have disappeared from the DBAN website since it went commercial.

Some people recommend using brute force to render discs unreadable - see for example Disk Sanitizers. This can only be reliable if the disc is pulverised into sufficiently small pieces, and perhaps burnt in a furnace for good measure. Larger pieces of disc can still render data, if fragmentary.

Some other secure delete methods and standards include


Clearly, any kind of disc sanitisation is going to cause problems for forensic analysts. However some will be less problematic than others.

In many of the cases where someone is under investigation, the target is continuing to use the devices, and will not be using a complete disc erasure tool like DBAN. This means that they are selectively erasing any files they want to remove evidence of. If they forget to do this one day, or evidence is collected in the time before erasure, something can be recovered. They also have to remember all of the files they wish to securely delete, and as we heard from the HeuristicDelta lecture recently, someone was convicted partly with some evidence from a file the target had forgotten to clear. In fact, the guest speaker also pointed out that the very "cleanness" of the target's disc was itself a reason for suspicion, since most people do not think it necessary to clean their discs daily, so doing this suggested there was something the target wished to hide.
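One way an analyst can quantify the "cleanness" mentioned above is to classify each sector of a raw image by what an overwriting pass would leave behind. This is an added example, not part of the original notes; the 512-byte sector size, the entropy threshold of 7.0 and the sample image are assumptions constructed for illustration.

```python
import math
import random
from collections import Counter

SECTOR = 512  # bytes per sector, assumed for this example

def shannon_entropy(block):
    """Entropy in bits per byte: 0.0 for a constant block, at most 8.0."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify_sector(block, random_threshold=7.0):
    """Label a sector 'zeros', 'ones', 'random' or 'data'.

    'random' only means high entropy: encrypted or compressed content
    scores the same, so treat it as a lead to follow up, not as proof.
    """
    if block.count(0x00) == len(block):
        return "zeros"
    if block.count(0xFF) == len(block):
        return "ones"
    if shannon_entropy(block) >= random_threshold:
        return "random"
    return "data"

def summarise_image(image):
    """Tally sector labels over a raw image; a trailing partial sector is skipped."""
    tally = Counter()
    for off in range(0, len(image) - SECTOR + 1, SECTOR):
        tally[classify_sector(image[off:off + SECTOR])] += 1
    return tally

def build_sample_image():
    """Constructed test image: 2 text, 3 zeroed, 1 all-ones, 2 pseudorandom sectors."""
    rng = random.Random(4027)  # fixed seed so the sample is reproducible
    text = (b"Meeting notes: quarterly budget review. " * 26)[:2 * SECTOR]
    noise = bytes(rng.randrange(256) for _ in range(2 * SECTOR))
    return text + b"\x00" * (3 * SECTOR) + b"\xff" * SECTOR + noise

if __name__ == "__main__":
    for label, count in sorted(summarise_image(build_sample_image()).items()):
        print(f"{label:7s}{count:4d} sectors")
```

Long runs of "zeros", "ones" or "random" sectors in space the file system marks as unallocated are what a wiping tool leaves; ordinary deletion leaves old file content behind instead.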

As for physical destruction of the device, it may still be possible to recover data, although it may be fragmentary.

Generally, the rule is that data can often be recovered, but that the amount may not be useful, nor will the reason for recovering it justify the cost. Sometimes other forms of evidence-gathering are more useful.

Last update hla 2009-05-10