Samuel Tardieu @

Wiping unused space in a file system


A perverse hacker friend of mine has written a clever yet scaring Windows utility. Each time a USB key is inserted into his computer, the whole content of the key is silently dumped and stored on the machine. It doesn’t copy the existing files; it makes an image of the key.

After that, when the unsuspecting person has gone away, he can run various utilities such as undeletion tools or recoverjpeg and retrieve files that were previously deleted from the key. Doing so, he was able to get confidential documents, job offers, cracked software, music and pictures that their owner thought they had been deleted.

My friend is probably not the first one to have had this idea, however he is the first one who told me about it. Since then, I have discovered at least one other implementation of it, called USBdumper.

Being able to recover deleted files is nothing new. But silently dumping the content of a USB key is clever. I won’t discuss the legal, moral and ethical implications here, I want to focus on ways to protect one’s deleted data from being recovered by a casual attacker, that is one who only temporarily gains access to the device. Also, if you delete a file without using this utility, you have no way to wipe it afterwards, especially if some blocks have been reused in the meantime.

Wiping utilities have existed for a long time. They write random data over an existing file before deleting it. This way, the previous content of the file cannot be recovered. However, when using journaling file systems, there is no guarantee that the data will really be erased; it could still be at another place on the disk.

What we need is a tool that wipes all the unused blocks in a file system. This tool would probably have to run in kernel space to avoid race conditions if the computer is accessing the file system at the same time. To avoid writing needlessly and repeatedly on a device which might tear off, such a tool should first read those unallocated block and write them back only if they do not contain a recognizable pattern (such as all zeroes). Remember that we are not interested here in fighting post-mortem analysis using dedicated forensics tools to analyze the disk surface or some flash memory characteristics, we want to protect data from being recovered using a regular computer.

It would also be useful to have an option at mount time to erase the data being unallocated in a file system. Every time the operating system woud mark a previously used block as free on the disk, it would also erase its content with the same pattern. This would make deleting files slow and accidental mistakes would not be forgiving anymore, but in some environments it would make the system much more secure. To give only one example, on a server, this would prevent an attacker gaining remote root access from accessing the content of previously deleted emails. I would certainly use it.

blog comments powered by Disqus