Date: Thu, 24 Jun 1999 22:12:34 -0400 (EDT)
From: "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To: freebsd-security@freebsd.org
Subject: Secure Deletion
Message-ID: <199906250212.WAA07810@cc942873-a.ewndsr1.nj.home.com>
I looked through a long thread from last month on this topic, but was
unable to get an operable answer to my problem.
Problem: A file came onto a FreeBSD system. All traces of this file
will (probably) need to be destroyed. The error was on someone else's
part, so we did not find out until this file had
propagated. There is presently an existing file that needs to be
destroyed. In addition, there are existing files that had this
information in them, but have since had the 'offending' part
removed...
OK, OK, if you have not guessed, it was some email. One person got it,
forwarded it, and someone else stored it in an IMAP mailfile. The
offending stuff is 'gone' from the existing mailspools, but the IMAP
file exists. So, the question is...
1) Is there a way for me to securely destroy the file that still
exists? For example, if I were to do something like (this is just
an example),
# BADLEN=`ls -l <bad_file> | awk '{ print $5 }'`
# dd if=/dev/zero of=<bad_file> bs=1 count=$BADLEN conv=notrunc
# dd if=/dev/urandom of=<bad_file> bs=1 count=$BADLEN conv=notrunc
# dd if=/dev/zero of=<bad_file> bs=1 count=$BADLEN conv=notrunc
Would I know for sure that the writes physically went over the bad
data? If they do, a procedure like that should be fine.
2) Now... for the files that /had/ the data, but deleted it... My
suspicions here lean towards the worst case, i.e. there could be
fragments of the offensive data _anywhere_ on the partition[0]. Is
there a feasible way to destroy that data while preserving the
other data on the partition? If not, what would be the equivalent
of the above for a full partition?
# umount /dev/wd1f
# dd if=/dev/zero of=/dev/rwd1f count=<size of partition>
# dd if=/dev/urandom of=/dev/rwd1f count=<size of partition>
# dd if=/dev/zero of=/dev/rwd1f count=<size of partition>
# newfs /dev/rwd1f
Thanks for any help on this.
[0] I'm pretty sure this is the case. I exec'ed grep in a find search
to see where this data might have snuck off to[1], and accidentally
went through /dev. The file that exists is on /usr, and there was
a hit on /dev/rwd0s2e. The data that exists but was 'deleted'
would have been on /var. There were no hits searching /var, but I
_did_ get a hit on /dev/wd1f, /var's raw device. :(
[1] I did a grep for an innocent, but fairly improbable 15 character
string that I knew occurred in the offending data. Someone tell me
there was a realistic chance of hitting that randomly? Please?
--
Crist J. Clark cjclark@home.com
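The first procedure in the post, written out as a shell function with the checks a sysadmin would want before trusting it. This is an added example, not code from the post or from FreeBSD: `wipe_file` and `has_marker` are hypothetical names, the marker argument is the "improbable string" idea from footnote [1] used to verify the result, and the whole thing assumes a filesystem that rewrites a file's blocks in place (classic UFS), since journaling, copy-on-write and flash wear-levelling can leave the old blocks untouched in a way no file-level check can see.

```shell
#!/bin/sh
# Added example, not from the original post. Overwrite a file in place with
# three passes (zeros, pseudorandom bytes, zeros), confirm the overwrite hit
# the same file, and report whether a known marker string survived.
# Assumes the filesystem rewrites blocks in place; it cannot detect a
# filesystem or device that relocated the writes.

# has_marker FILE STRING: exit 0 if the literal STRING occurs in FILE.
has_marker() {
    grep -q -F -- "$2" "$1"
}

# wipe_file FILE STRING: three-pass in-place overwrite of FILE, then verify.
# Returns 0 on success, 1 if the file was replaced, resized, or still
# contains STRING, 2 if FILE is not a regular file.
wipe_file() {
    f=$1
    marker=$2
    [ -f "$f" ] || return 2
    len=$(wc -c < "$f" | tr -d ' ')
    inode_before=$(ls -i "$f" | awk '{ print $1 }')
    # conv=notrunc is the essential flag: a plain "dd of=FILE" truncates the
    # file first, which frees its blocks and lets the new data land somewhere
    # else on the partition, leaving the original blocks intact on disk.
    for src in /dev/zero /dev/urandom /dev/zero; do
        head -c "$len" "$src" | dd of="$f" conv=notrunc 2>/dev/null
        sync
    done
    inode_after=$(ls -i "$f" | awk '{ print $1 }')
    # Same inode and same length: the writes went to the existing file,
    # not to a freshly allocated replacement.
    [ "$inode_before" = "$inode_after" ] || return 1
    [ "$(wc -c < "$f" | tr -d ' ')" -eq "$len" ] || return 1
    has_marker "$f" "$marker" && return 1
    return 0
}

# Usage: wipe_file /path/to/bad_file 'improbable-15-char-string' && rm -f /path/to/bad_file
```

The function deliberately stops short of `rm`: unlinking is the caller's decision once the return code says the overwrite landed. Checking the inode before and after is what answers the post's "would I know for sure" question at the file level; the partition-level question (fragments left behind by earlier deletions) is only answered by overwriting the raw device, as the post's second procedure does.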
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199906250212.WAA07810>
