Desh Banks

Reputation: 403

Securely remove file from ext3 linux

This question has been asked with varying degrees of success in the past...

Are there tools, or C/C++ unix functions to call that would enable me to retrieve the location on disk of a file? Not some virtual address of the file, but the disk/sector/block the file resides in?

The goal here is to enable overwriting of the actual bits that exist on disk. I would probably need a way to bypass the kernel's superimposition of addresses. I am willing to consider an x86 asm based solution...

However, I feel there are tools that do this quite well already.

Thanks for any input on this.

Upvotes: 5

Views: 1074

Answers (1)

thkala

Reputation: 86433

Removing files securely is only possible under very specific circumstances:

  • There are no uncontrolled layers of indirection between the OS and the actual storage medium.

    On modern systems that can no longer be assumed. SSD drives with firmware wear-leveling code do not work like this; they may move or copy data at will with no logging or possibility of outside control. Even magnetic disk drives will routinely leave existing data in sectors that have been remapped after a failure. Hybrid drives do both...

    The ATA specification does support a SECURE ERASE command which erases a whole drive, but I do not know how thorough the existing implementations are.

  • The filesystem driver has a stable and unique mapping of files to physical blocks at all times.

    I believe that ext2fs does have this feature. I also think that ext3fs and ext4fs work like this in the default journaling mode, but not when mounted with the data=journal option, which allows file data to be stored in the journal, rather than just metadata.

    On the other hand, reiserfs definitely works differently, since it stores small amounts of data along with the metadata, unless mounted with the notail option.

If these two conditions are met, then a program such as shred may be able to securely remove the content of a file by overwriting its content multiple times.

This method still does not take into account:

  • Backups

  • Virtualized storage

  • Left over data in the swap space

  • ...

Bottom line:

  • You can no longer assume that secure deletion is possible. Better assume that it is impossible and use encryption; you should probably be using it anyway if you are handling sensitive data.

  • There is a reason that protocols regarding sensitive data mandate the physical destruction of the storage medium. There are companies that actually demagnetize their hard disk drives and then shred them before incinerating the remains...

Upvotes: 3
