In this article I will describe terms such as rm, unlink, inode and file system.
I will focus especially on the removal of files in Unix / Linux, and how
to undelete them.
To have a better idea of how things work you will have to study the
structure of the filesystem, so that is where the description starts.
What is an inode?
An inode is a data structure that stores all the information about a regular
file or directory except its name and its actual data.
What is a data structure?
A data structure is a way of storing data so that it can be used efficiently;
there are different types of data structure.
Access to the contents of a file on disk goes through its inode, and this
is the structure the kernel uses to uniquely identify the file within a
single filesystem.
When a file is created, its name in the directory is just a label kept
within the directory, associated with a pointer that points to the inode.
When a search is performed on the system for a specific file name,
the system uses that name to look up the corresponding inode.
At this point the system has the information about the file and can
perform the different operations requested by the user, such as delete,
move, rename, etc.
To perform the various operations on the file, the user has to use the
shell utilities available, such as mv, cp, rm, etc.
Suppose that a user needs to delete a file; at this point he will use
the shell utility rm.
But what about rm? What does it do?
rm is a shell utility that calls unlink.
Let's see some options:
-f, --force ignore nonexistent files, never prompt
-r, -R, --recursive remove directories and their contents recursively
So usually the user will do rm -rf filename_to_delete.
At this point we know that rm calls unlink, which is a system call.
What does the unlink function do when it is called by rm?
The function deletes the file name and decreases the number of references
(the link count) in its inode.
NOTE:
If the file has other remaining names it remains accessible under those names.
"Function: int remove (const char *filename)
This is the ISO C function to remove a file. It works like unlink for
files and like rmdir for directories. remove is declared in `stdio.h'."
Remember that a file is not deleted from the disk until all
references to it have been deleted.
Only when the inode link count becomes zero is the disk space freed.
The disk space is also not freed while there are processes that
have the file open (even though its name was deleted).
Most users wonder whether they really deleted a file when they
use the rm utility.
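The link-count behaviour described above, as an added example (not code from the original article): a temporary file gets a second name with link(), both names are removed with unlink(), and the data is still readable through the descriptor that was kept open. The /tmp path and the contents are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Link count of the inode behind an open descriptor (-1 on error). */
static long links(int fd) {
    struct stat st;
    return fstat(fd, &st) == 0 ? (long)st.st_nlink : -1;
}

struct unlink_trace {
    long after_create;   /* one directory entry          -> 1 */
    long after_link;     /* second name via link()       -> 2 */
    long after_unlink1;  /* rm of one name               -> 1 */
    long after_unlink2;  /* rm of the last name          -> 0 */
    int  still_readable; /* data still readable via fd?  -> 1 */
};

/* Create a temp file, give it a second name, remove both names with
   unlink() and show that the open descriptor still reads the data. */
int trace_unlink(struct unlink_trace *t) {
    char name[] = "/tmp/unlink_demo_XXXXXX";   /* constructed path */
    char alias[64];
    char buf[32];
    int fd = mkstemp(name);
    if (fd < 0) return -1;
    snprintf(alias, sizeof alias, "%s.alias", name);
    if (write(fd, "secret=abc123", 13) != 13) return -1;
    t->after_create = links(fd);
    if (link(name, alias) != 0) return -1;   /* a second directory entry */
    t->after_link = links(fd);
    unlink(name);                            /* what rm does for "name" */
    t->after_unlink1 = links(fd);            /* still reachable as alias */
    unlink(alias);                           /* last name gone, count 0 */
    t->after_unlink2 = links(fd);
    lseek(fd, 0, SEEK_SET);
    ssize_t n = read(fd, buf, sizeof buf - 1);
    buf[n > 0 ? n : 0] = '\0';
    t->still_readable = (n == 13 && strcmp(buf, "secret=abc123") == 0);
    close(fd);   /* only now can the kernel free the blocks */
    return 0;
}
```

Tools like lsof list such deleted-but-open files, which is why a deleted log or secret can still be read until the holding process exits.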
How to bring the data back?
Suppose you have deleted a file that contained your username and password,
code blocks, etc.
Example file:
username=pyth0n3
password=abc123
Unmount the ext2 file system.
Try the strings utility:
cat /dev/sda1 | strings > big_file
cat big_file | grep password
You can also use a regex to find more specific data.
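What the strings/grep step above actually does, as an added example (not from the original article): a constructed raw image buffer stands in for the unmounted partition, with the deleted file's bytes still present between other blocks, and the scanner collects printable runs of at least four bytes (the strings default) and reports those containing the key.

```c
#include <stdio.h>
#include <string.h>

/* Constructed raw partition image: the deleted file's blocks are still
   there; only its directory entry is gone. Adjacent literals keep the
   hex escapes from swallowing the following letters. */
static const unsigned char raw_image[] =
    "\x00\x00\xff\xfe" "some other file content\n"
    "\x00\x00\x00\x00\x00\x00"
    "username=pyth0n3\npassword=abc123\n"
    "\x7f\x01\x02" "trailing\x00";

static int printable(unsigned char c) { return c >= 0x20 && c <= 0x7e; }

/* Scan a raw byte buffer the way `strings | grep key` would: collect runs
   of >= min_run printable bytes and report those containing key. Copies
   the first hit into out; returns the number of hits. */
size_t carve_strings(const unsigned char *img, size_t len, size_t min_run,
                     const char *key, char *out, size_t outsz) {
    size_t i = 0, hits = 0;
    char run[256];
    while (i < len) {
        size_t start = i;
        while (i < len && printable(img[i])) i++;
        size_t n = i - start;
        if (n >= min_run && n < sizeof run) {
            memcpy(run, img + start, n);
            run[n] = '\0';
            if (strstr(run, key) != NULL) {
                if (hits == 0) snprintf(out, outsz, "%s", run);
                hits++;
            }
        }
        i++;   /* skip the non-printable byte that ended the run */
    }
    return hits;
}

/* Search the constructed image for the deleted password line. */
size_t find_deleted_password(char *out, size_t outsz) {
    return carve_strings(raw_image, sizeof raw_image - 1, 4,
                         "password=", out, outsz);
}
```

Because the bytes survive unlink untouched, a secret is only gone once its blocks are overwritten, which is the case for srm or for encrypting the data at rest.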
But what about ext3 with journaling enabled?
There is a good utility called extundelete:
http://extundelete.sourceforge.net/
There are also low-level debuggers like debugfs.
References:
man rm, man unlink,man debugfs, wikipedia
No Security
Link: srm (Unix) Secure Remove