From owner-freebsd-security Thu Jun 24 19:11:14 1999
Delivered-To: freebsd-security@freebsd.org
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id EC78014E25 for ; Thu, 24 Jun 1999 19:11:11 -0700 (PDT) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.8.8) id WAA07810 for freebsd-security@freebsd.org; Thu, 24 Jun 1999 22:12:34 -0400 (EDT) (envelope-from cjc)
From: "Crist J. Clark"
Message-Id: <199906250212.WAA07810@cc942873-a.ewndsr1.nj.home.com>
Subject: Secure Deletion
To: freebsd-security@freebsd.org
Date: Thu, 24 Jun 1999 22:12:34 -0400 (EDT)
Reply-To: cjclark@home.com
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I looked through a long thread from last month on this topic, but was
unable to get an operable answer to my problem.

Problem: A file came onto a FreeBSD system. All traces of this file will
(probably) need to be destroyed. The error was on someone else's part, so
we did not find out until this file had propagated. There is presently an
existing file that needs to be destroyed. In addition, there are existing
files that had this information in them, but have since had the
'offending' part removed...

OK, OK, if you have not guessed, it was some email. One person got it,
forwarded it, and someone else stored it in an IMAP mailfile. The
offending stuff is 'gone' from the existing mailspools, but the IMAP file
exists.

So, the question is...

1) Is there a way for me to securely destroy the file that still exists?
For example, if I were to do something like (this is just an example),

  # BADLEN=`ls -l | awk '{ print $5 }'`
  # dd if=/dev/zero of= bs=1 count=$BADLEN
  # dd if=/dev/urandom of= bs=1 count=$BADLEN
  # dd if=/dev/zero of= bs=1 count=$BADLEN

Would I know for sure that the writes physically went over the bad data?
If they do, a procedure like that should be fine.

2) Now... for the files that /had/ the data, but deleted it... My
suspicions here lean towards the worst case, i.e. there could be
fragments of the offensive data _anywhere_ on the partition[0]. Is there
a feasible way to destroy that data while preserving the other data on
the partition? If not, what would be the equivalent of the above for a
full partition?

  # umount /dev/wd1f
  # dd if=/dev/zero of=/dev/rwd1f count=
  # dd if=/dev/urandom of=/dev/rwd1f count=
  # dd if=/dev/zero of=/dev/rwd1f count=
  # newfs /dev/rwd1f

Thanks for any help on this.

[0] I'm pretty sure this is the case. I exec'ed grep in a find search to
see where this data might have snuck off to[1], and accidentally went
through /dev. The file that exists is on /usr, and there was a hit on
/dev/rwd0s2e. The data that exists but was 'deleted' would have been on
/var. There were no hits searching /var, but I _did_ get a hit on
/dev/wd1f, /var's raw device. :(

[1] I did a grep for an innocent, but fairly improbable 15 character
string that I knew occurred in the offending data. Someone tell me there
was a realistic chance of hitting that randomly? Please?

-- 
Crist J. Clark                           cjclark@home.com
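The in-place overwrite asked about in question 1, as an added example (not part of the original post, nor a FreeBSD tool). The function names wipe_in_place, wipe_and_check and demo and the marker string are assumptions made for the illustration. The script differs from the dd lines in the post in two ways that matter: conv=notrunc stops dd from truncating the file, so the existing inode and its already-allocated blocks are rewritten rather than a fresh file being allocated next to the old bytes; and each pass is bounded with head -c, so a short read from /dev/urandom cannot leave the tail of the file untouched. After the passes it checks that the inode number and size are unchanged and that the known marker string no longer appears. Those checks are necessary but not sufficient: whether the bytes land on the same physical sectors still depends on the filesystem and the device (a journaling or copy-on-write filesystem, or an SSD doing wear levelling, can keep the old blocks elsewhere), which is exactly the uncertainty the post raises.

```shell
#!/bin/sh
# Added example, not from the original post. Overwrites a file's current
# contents in place (zeros, random, zeros) and then verifies the result.
# Assumes a filesystem that rewrites existing blocks in place; on journaled,
# copy-on-write or wear-levelled storage the old bytes may survive anyway.

# wipe_in_place FILE
# conv=notrunc keeps the existing inode and block allocation instead of
# letting dd truncate and reallocate. head -c bounds each pass to the file's
# current size so a short read from /dev/urandom cannot leave a tail
# unwritten. sync pushes each pass to disk before the next one starts.
wipe_in_place() {
    f=$1
    [ -f "$f" ] || return 1
    len=$(wc -c < "$f" | tr -d ' ')
    for src in /dev/zero /dev/urandom /dev/zero; do
        head -c "$len" "$src" | dd of="$f" bs=4096 conv=notrunc 2>/dev/null || return 1
        sync
    done
    return 0
}

# wipe_and_check FILE MARKER
# Returns 0 only if, after wiping, the inode number and size are unchanged
# (the same file was rewritten, not a new one allocated) and MARKER no
# longer occurs in the file. Non-zero codes identify which check failed.
wipe_and_check() {
    f=$1
    marker=$2
    [ -f "$f" ] || return 1
    ino_before=$(ls -i "$f" | awk '{ print $1 }')
    len_before=$(wc -c < "$f" | tr -d ' ')
    wipe_in_place "$f" || return 1
    ino_after=$(ls -i "$f" | awk '{ print $1 }')
    len_after=$(wc -c < "$f" | tr -d ' ')
    [ "$ino_before" = "$ino_after" ] || return 2
    [ "$len_before" = "$len_after" ] || return 3
    if grep -q -- "$marker" "$f"; then
        return 4
    fi
    return 0
}

# demo: builds a constructed sample message containing an improbable marker
# string (a stand-in for the 15-character string mentioned in the post),
# wipes it and returns the check's result.
demo() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/wipe.XXXXXX") || return 1
    printf 'From: someone\n\nXqz7Lp9vBn2RkTw4 this is the offending text\n' > "$tmp"
    wipe_and_check "$tmp" 'Xqz7Lp9vBn2RkTw4'
    rc=$?
    rm -f "$tmp"
    return $rc
}

demo && echo "in-place wipe verified (inode and size unchanged, marker gone)"
```

The grep at the end is the same check the post describes in footnote [1], applied to the file itself; to look for surviving copies of the marker elsewhere on the partition, run the same grep against the unmounted raw device, which is what turned up the hits on /dev/rwd0s2e and /dev/wd1f.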