When you delete a file, it isn't really erased: it continues to exist on your hard drive, even after you empty it from the Recycle Bin (Windows). That can of course be a good thing, but it can also be a bad thing. It is helpful when you accidentally delete a file, but dangerous when you "delete" a sensitive file and falsely feel safe.
Malicious people can recover your confidential files pretty easily!
From the file system's point of view, the file is no longer present on your hard drive and the sectors containing its data are considered free space, but nothing is written over them until that space is reused.
You surely don't want to just delete your Bitcoin private keys and addresses, or remove incriminating data, that way.
How to properly delete files
You can use the shred command. It overwrites the actual file content with garbage data, so if the file is recovered after it has been deleted, what comes back is useless.
shred -v -n 1 /path/to/your/file    # overwrite with random data
sync                                # force a sync of the buffers to the disk
shred -v -n 0 -z -u /path/to/your/file    # overwrite with zeroes and remove the file
Securely delete files that were already ‘deleted’ 😃
One way is to fill up the free space with random data, which forces every free block to be overwritten.
You can do that with the following command:
dd if=/dev/urandom of=file status=progress
Let it run until it gives an error, which means there is no space left on the device.
# Example (Error)
dd: writing to ‘/dev/sdX’: No space left on device
7959553+0 records in
7959552+0 records out
4075290624 bytes (4.1 GB, 3.8 GiB) copied, 1247.7 s, 3.3 MB/s
A slightly faster method is to use /dev/zero and blank the drive.
- Overwriting with /dev/zero or simple patterns is considered secure in most situations. With today's HDDs, it is deemed appropriate and fast for disk wiping.
However, a drive that is abnormally fast at writing patterns or zeroing could be doing transparent compression, in which case it is reasonable to assume that not all blocks actually get wiped. Some flash memory devices do "feature" that.
- If you plan to set up block device encryption afterwards, wipe the area with random data to avoid weakening the encryption.
dd if=/dev/zero of=file status=progress
# Or with shred
shred --verbose --random-source=/dev/urandom -n1 --zero /dev/sdX
/dev/urandom is safer but slower. It is still recommended when you want to wipe your disk. It is slow because it needs to build entropy, and safer because it prevents the attack of amplifying the read signal to recover the old data and differentiate a 1 from a 0.
Securely wipe out your drive
Before you partition your disk, it's good practice to fully wipe it first.
dd if=/dev/urandom of=/dev/YourHardDrive
dd if=/dev/zero of=/dev/YourHardDrive
How to protect against that
An easy solution is to simply encrypt your drives! It doesn’t matter if it’s a USB stick or your old dusty Desktop.
To do that you can use cryptsetup to manage and access encrypted devices.
This tool relies on the Linux kernel's device-mapper and its cryptographic modules.
Its most notable extension is the Linux Unified Key Setup (LUKS).
Format your device
cryptsetup luksFormat /dev/device
You will then be prompted to enter a password and verify it. You can then check the results with:
cryptsetup luksDump /dev/device
Open LUKS encrypted partitions
cryptsetup luksOpen /dev/device encrypteddrive
mkfs.ext4 /dev/mapper/encrypteddrive # Create a file system on it
You can mount it with the following command:
mount /dev/mapper/encrypteddrive /mnt
Recover insecurely deleted files
1. ⚠️ Before you attempt to rescue the data, make sure to clone the disk first!
2. ⚠️ If you erroneously deleted some files/folders, do not turn off your computer. For best results (actually, for decent results) you must save the ext4 journal somewhere.
- Immediately open a terminal and dump a copy of the filesystem journal:
sudo debugfs -R "dump <8> /some/safe/path/sdXY.journal" /dev/sdXY
Depending on whether the deleted files are on your root partition, you'll want to save the journal to different locations: for root partitions, mount an external drive and dump the journal there; for non-root partitions, any other partition will do. Avoid saving to /tmp, because your data may be cleaned up.
Let's clone it first with ddrescue:
- Clone Disk A to Disk B, creating a log file:
sudo ddrescue --force --no-scrape /dev/sdX /dev/sdY path/to/log.txt
Now we can work on it safely 🤓
- For ext3 and ext4 file systems you can use ext4magic.
List recoverable files:
ext4magic /dev/sdXY -a "$(date -d "-2hours" +%s)" -f deleted/folders/root -j /some/safe/path/sdXY.journal -l
- -a specifies the date (the last 2, 3, 10 hours …)
- -l lists the deleted files
Recover all the files:
ext4magic /dev/sdXY -a "$(date -d "-2hours" +%s)" -f deleted/folders/root -j /some/safe/path/sdXY.journal -d /recovery/path -r
Text file recovery
grep -a -C 200 -F 'Unique string in text file' /dev/sdXN > Results.txt
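The following script is an added demonstration, not code from the original post. It ties together the intro's point that deleting only drops the directory entry, the shred section, the "fill the free space" method, and the grep -a text recovery trick above, on a toy disk you can create as an unprivileged user. The toy disk is a small regular file with 4 KiB "blocks"; the space-separated ALLOC list plays the role of the file system's allocation table; the secret strings and block numbers are constructed for the demo. The wipe_free_space function at the end is the post's real method for a mounted file system and is deliberately not invoked, because it would fill the disk of whatever machine runs it.

```shell
#!/bin/sh
# Added demonstration, not code from the original post. A regular file stands in
# for a raw disk (4 KiB "blocks"); ALLOC, a space-separated list of block numbers,
# plays the role of the file system's allocation table. Only dd, grep, tr, wc and
# /dev/urandom are used.

BS=4096        # bytes per toy block
NBLOCKS=32     # 32 blocks = 128 KiB image

# mk_disk IMG : create a zero-filled image file
mk_disk() {
    dd if=/dev/zero of="$1" bs="$BS" count="$NBLOCKS" 2>/dev/null
}

# put_file IMG BLOCK CONTENT : store CONTENT in block BLOCK
# (the caller records BLOCK in ALLOC, as a file system would in an inode)
put_file() {
    printf '%s' "$3" | dd of="$1" bs="$BS" seek="$2" conv=notrunc 2>/dev/null
}

# carve IMG STRING : how many lines of the raw image contain STRING, treating the
# binary image as text; this is the post's grep -a ... /dev/sdXN recovery trick
carve() {
    grep -a -c -F "$2" "$1" || true
}

# overwrite_block IMG BLOCK : what shred does to a file's own blocks, one random
# pass followed by a zero pass (shred -n 1, then shred -n 0 -z in the post)
overwrite_block() {
    dd if=/dev/urandom of="$1" bs="$BS" seek="$2" count=1 conv=notrunc 2>/dev/null
    dd if=/dev/zero    of="$1" bs="$BS" seek="$2" count=1 conv=notrunc 2>/dev/null
}

# wipe_free_blocks IMG "ALLOC" : overwrite every block that is not allocated,
# i.e. the free space that still holds already-deleted files
wipe_free_blocks() {
    b=0
    while [ "$b" -lt "$NBLOCKS" ]; do
        case " $2 " in
            *" $b "*) ;;                     # allocated: leave the live file alone
            *) overwrite_block "$1" "$b" ;;
        esac
        b=$((b + 1))
    done
}

# verify_zeroed IMG BLOCK : succeed only if the block reads back as all zeros
verify_zeroed() {
    nonzero=$(dd if="$1" bs="$BS" skip="$2" count=1 2>/dev/null | tr -d '\0' | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}

# wipe_free_space DIR : the post's real-world method on a mounted file system.
# dd stops with "No space left on device"; the filler must then be deleted,
# otherwise the "free" space stays occupied. Not invoked by the demo.
wipe_free_space() {
    filler="$1/.wipe.$$"
    dd if=/dev/urandom of="$filler" bs=1M 2>/dev/null
    sync
    rm -f "$filler"
}

demo() {
    IMG=$(mktemp)
    mk_disk "$IMG"
    put_file "$IMG" 5 "SECRET: constructed-sample-private-key"   # constructed sample
    put_file "$IMG" 9 "notes: a file we want to keep"            # constructed sample
    ALLOC="5 9"
    echo "before delete: $(carve "$IMG" constructed-sample) block(s) carvable"
    ALLOC="9"      # rm only drops the directory entry; block 5 is untouched
    echo "after delete:  $(carve "$IMG" constructed-sample) block(s) carvable"
    wipe_free_blocks "$IMG" "$ALLOC"
    echo "after wipe:    $(carve "$IMG" constructed-sample) block(s) carvable," \
         "kept file still present: $(carve "$IMG" 'notes:')"
    rm -f "$IMG"
}
demo
```

Two practical points carry over to a real disk: run the free-space fill as root, because ext4 keeps a reserved block pool (5% by default) that an unprivileged filler can never reach, and send the output of the grep -a recovery to a different partition than the one you are carving, since writing Results.txt onto the same partition can overwrite the very blocks you are trying to read.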
Data recovery tools
Testdisk doesn't actually try to copy data. Instead it attempts to correct partition-level issues that might be preventing you from accessing or recovering your data. Testdisk can:
- Recover lost partitions
- Make disks bootable again
- Fix a partition table
- Restore the master boot record
- Restore boot sectors
- Restore filesystem tables
- Undelete files from NTFS, FAT, exFAT, and ext2 filesystems
- Copy files from deleted NTFS, FAT, exFAT, and ext2/3/4 filesystems.
- If you're looking to recover lost files, photos, videos, etc., PhotoRec is what you want. This tool is part of Testdisk, so once you've installed Testdisk, PhotoRec is ready to serve. It completely ignores the file system and looks directly at the underlying data, which means that even if your file system is damaged, there's a chance the data can still be recovered.