/ FEATURE

The ‘v’ option tells shred that you want verbose output. You should probably leave this on, as randomising a disk can take a very long time and, without seeing updates on the screen, you will have no idea how things are progressing or whether or not the machine has crashed. The ‘z’ option tells shred to zero the disk and the ‘n’ option tells it how many sweeps to run.

Like the other commands (although they are rarely used in this fashion), shred can erase individual files as well as disks. For example, using /dev/sda1 would erase only the first partition, leaving any others intact. Passing it a filename will cause shred to fill the file with random data, but it won’t actually delete the file. For that you need the ‘u’ option. This is off by default, as most people erase entire disks and you don’t want to remove the disk device once you’ve finished your erase! When shred removes a file, it renames it various times to ensure that it will be difficult to recover.

/ Warning!

Since hard drives are made of rigid, strong materials, physically destroying them is a hazardous activity. When bashing away at the casing with a hammer, be sure to wear safety goggles and take all other safety precautions. And if you use a blowtorch to remove the oxide, remember that the resulting fumes are seriously toxic. Do it in a very well ventilated area!

/ Technology Baffles Brains

There is a catch, however, and it is caused by how modern filesystems such as ext3 work. Ext2 used to be the standard filesystem used on most Linux platforms. It was relatively basic, but it was robust and did the job. Files were written directly to disk, which caused problems if the write process was interrupted by a power failure or any other sudden fault. This led to the infamous “fsck” or “file system check” that would kick off after an unexpected reboot. Because the system doesn’t know exactly what was going on immediately before the failure, it has to check the whole disk in order to ensure that everything is as it should be.

Ext3 was a big improvement on ext2, with the main difference being that it has a journal. Before writing data to the disk, the system updates the journal, which is essentially a work log. That way, should there be a power failure, when the server reboots all it has to do is consult the work log and tidy up the loose ends. Microsoft’s NTFS has similar features. For the most part this works to our advantage. However, when it comes to removing data securely it can cause problems, because we have no way to directly access the disk and thus no way to be sure that bits of the file haven’t remained in the journal or related areas.

Many tools on the market offer to erase ‘free space’. Mac OS X comes with built-in support for this. How it works is straightforward enough. The tool creates a large file and then keeps on increasing its size until all of the free space on the filesystem is used up. At this point, every spare piece of storage space is now in use. (This can have the unfortunate side effect of causing other programs to crash due to lack of storage space.) In theory this big new file should absorb all data that isn’t within an existing file. This done, the program writes random data to the file, thus overwriting all the old data it has swept up from the disk. The idea is that this will effectively clean the disk and permanently erase anything that was deleted previously, but perhaps not securely (although the Mac does support secure file deletion).

By and large this process is rather effective, but there is a problem. Slack space exists when data taking up a full slot is overwritten by new data that doesn’t need so much space. This means that the disk space is still marked as ‘in use’ and so the erasure tool cannot allocate it. So even after a complete sweep of the disk with the OS X erase free space tool, data that exists in the slack space will not be erased.

This is a problem, the more so because Apple does not mention anywhere that this is the case. In fairness, this is not Apple’s fault. To reclaim and properly erase slack space is not a simple procedure; although theoretically possible, it’s not very practical. With that in mind, erasing free space is a good way of removing data that you want to be “gone for good”: it will get the vast majority of it, but some may remain. If the data were sensitive enough for this to be a problem, full erasure would be the best solution.

This problem isn’t limited to particular filesystems, but can also be affected by certain devices. For example, a single hard disk is a known quantity. A storage area network (SAN) or network-attached storage (NAS) is somewhat different. The tools we’ve used work because they overwrite the data in place. With these new technologies, the disks are effectively virtual. In other words, there’s no guarantee that the place we appear to be writing is where we actually are writing.

This can be a good thing in certain types of disk, especially solid-state devices, which suffer from wear and tear far more readily than traditional hard disks. In other words, you don’t want to keep reading and writing (especially writing) the same place on the disk, as it will wear out quicker. To avoid this, most modern disks have technology to spread the data around evenly in a way that is hidden from the host computer. This means that when you overwrite a file ten times, although that will appear to be what’s happened from the operating system’s point of view, and even if you check with low-level tools, the data could be in ten separate physical locations on the disk.

Another problem that’s limited to these devices is that many of them come with a buffer zone. This is an extra amount of storage space used to spread data more evenly across the disk. You can’t see this extra space directly, as it’s used internally by the device. Based on how our erasure techniques work, we know that we have to overwrite everything on the disk. Say, for example, that we have a 500GB disk that has a 10% buffer allocation. This means the disk is 550GB in size but we can only address 500GB of it. If we do a full erase with shred or any other tool, there is no guarantee that the extra 50GB will ever be
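The two failure modes above, slack space that a free-space wipe never reaches and a device that silently remaps writes so an in-place overwrite leaves the old copy behind, are easier to see in a small model than in prose. The following is an added example, not code from the magazine or from shred; it simulates a tiny block device with a hidden spare area (the article's "buffer zone") and a minimal filesystem on top of it. The block size, the number of blocks, the remapping policy and the assumption that a short rewrite keeps the old tail of its last block are all constructed for illustration, and the secret is a constructed marker string.

```python
"""Toy model of why overwrite-based wiping can miss data (constructed example)."""

BLOCK = 16           # bytes per block: tiny so the example stays readable
LOGICAL_BLOCKS = 8   # blocks the host can address
SPARE_BLOCKS = 2     # hidden buffer zone the host cannot address
SECRET = b"SECRET"   # constructed marker standing in for sensitive data
PATTERN = b"\xff" * BLOCK   # overwrite pass, like one of shred's fixed passes


class Device:
    """Block device. With remap=True every write lands on a fresh physical
    block and the old one is merely queued for reuse, as wear levelling does."""

    def __init__(self, remap=False):
        self.remap = remap
        self.phys = [bytes(BLOCK) for _ in range(LOGICAL_BLOCKS + SPARE_BLOCKS)]
        self.map = list(range(LOGICAL_BLOCKS))            # logical -> physical
        self.free_phys = list(range(LOGICAL_BLOCKS, LOGICAL_BLOCKS + SPARE_BLOCKS))

    def write(self, logical, data):
        data = data.ljust(BLOCK, b"\0")[:BLOCK]
        if self.remap and self.free_phys:
            old, new = self.map[logical], self.free_phys.pop(0)
            self.map[logical] = new
            self.free_phys.append(old)   # stale copy kept until recycled
            self.phys[new] = data
        else:
            self.phys[self.map[logical]] = data

    def read(self, logical):
        return self.phys[self.map[logical]]

    def wipe_every_logical_block(self):
        """What 'shred /dev/sdX' does: overwrite all host-addressable blocks."""
        for lb in range(LOGICAL_BLOCKS):
            self.write(lb, PATTERN)

    def physical_copies(self, marker):
        """Blocks still holding marker anywhere on the media, spare area included."""
        return sum(1 for b in self.phys if marker in b)


class FileSystem:
    """Minimal allocator: a file is a list of whole blocks; the unused tail
    of its last block is slack space and stays allocated to the file."""

    def __init__(self, dev):
        self.dev = dev
        self.files = {}
        self.free = list(range(LOGICAL_BLOCKS))

    def write_file(self, name, data):
        needed = max(1, -(-len(data) // BLOCK))
        blocks = self.files.get(name, [])          # rewrite in place if it exists
        while len(blocks) < needed:
            blocks.append(self.free.pop(0))
        self.free.extend(blocks[needed:])          # released blocks are NOT wiped
        blocks = blocks[:needed]
        self.files[name] = blocks
        for i, lb in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            if len(chunk) < BLOCK:                 # short final write: old tail
                chunk += self.dev.read(lb)[len(chunk):]   # survives as slack
            self.dev.write(lb, chunk)

    def wipe_free_space(self):
        """What an 'erase free space' tool does: fill only unallocated blocks."""
        for lb in self.free:
            self.dev.write(lb, PATTERN)


def slack_survives_free_space_wipe():
    """Plain disk: file shrinks, then free space is wiped. Slack keeps the secret."""
    dev, fs = Device(), None
    fs = FileSystem(dev)
    fs.write_file("notes", (SECRET * 6)[:2 * BLOCK])   # two full blocks of secret
    fs.write_file("notes", b"ok")                      # now needs 2 bytes
    fs.wipe_free_space()
    return dev.physical_copies(SECRET)                 # 1: slack in the live block


def full_erase_clears_slack():
    """Plain disk: same setup, but the whole device is overwritten instead."""
    dev = Device()
    fs = FileSystem(dev)
    fs.write_file("notes", (SECRET * 6)[:2 * BLOCK])
    fs.write_file("notes", b"ok")
    dev.wipe_every_logical_block()
    return dev.physical_copies(SECRET)                 # 0


def overwrite_leaves_stale_copy():
    """Remapping device: a full in-place overwrite of the file still leaves
    the previous physical block, now in the hidden spare area, untouched."""
    dev = Device(remap=True)
    fs = FileSystem(dev)
    fs.write_file("notes", SECRET.ljust(BLOCK, b"A"))
    fs.write_file("notes", PATTERN)                    # shred-style overwrite
    return dev.physical_copies(SECRET)                 # 1: stale copy in spare area


if __name__ == "__main__":
    print("slack after free-space wipe:", slack_survives_free_space_wipe())
    print("slack after full erase:     ", full_erase_clears_slack())
    print("stale copies after remap:   ", overwrite_leaves_stale_copy())
```

The first and second functions show the article's point about free-space tools versus full erasure on a conventional disk: the free-space pass never touches the block the shrunken file still owns, while a whole-device pass does. The third shows why even the whole-device pass carries no guarantee on a remapping device: the host has no way to address the spare block that still holds the old data, so whether it is ever overwritten depends entirely on the device's internal recycling policy, which is exactly what the article means by "no guarantee that the extra 50GB will ever be" reached.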
18 Digital / ForensicS
DF1_15-19_2nd Feature.indd 18 29/10/09 5:07:35 pm