• When you delete a file, it isn’t really erased: its content stays on your hard drive, even after you empty the Recycle Bin (Windows) or Trash. That can of course be a good thing, but also a bad thing. It is helpful when you accidentally delete a file, but dangerous when you “delete” a sensitive file and wrongly feel safe.

    Malicious people can recover your confidential files pretty easily!

From the file system’s point of view, the file is no longer present on your hard drive and the sectors containing its data are considered free space.

You surely don’t want to just “delete” your Bitcoin private keys and addresses, or get rid of incriminating data, that way.

How to properly delete files

You can use the shred command!

shred file

It overwrites the actual file content with garbage data, so if the file is later “recovered”, what comes back is useless.

shred -v -n 1 /path/to/your/file #overwriting with random data
sync #forcing a sync of the buffers to the disk
shred -v -n 0 -z -u /path/to/your/file #overwriting with zeroes and remove the file
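As an added example (not from the original post), here is the shred sequence above wrapped in a small check: it plants a known marker in a temporary file, overwrites it in place with one random pass, verifies with grep -a that the marker can no longer be found, and only then runs the zero pass with -u. It assumes GNU coreutils shred and a POSIX grep; the marker text is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: overwrite a file in place with
# shred and verify the original content is gone before unlinking the file.
# Assumes GNU coreutils shred (as used on this page) and POSIX grep.
# Returns 0 when the marker cannot be found after the overwrite, 1 otherwise.
demo_shred() {
    tmp=$(mktemp) || return 1
    marker='CONSTRUCTED-SECRET-MARKER-4242'   # constructed sample content
    printf 'line one\n%s\nline three\n' "$marker" > "$tmp"

    # Sanity check: the marker is readable before we shred.
    grep -q -F "$marker" "$tmp" || { rm -f "$tmp"; return 1; }

    # Pass 1: one pass of random data (-n 1); keep the file so we can inspect it.
    shred -v -n 1 "$tmp" || { rm -f "$tmp"; return 1; }

    # -a makes grep scan the now-binary file as text instead of skipping it.
    if grep -q -a -F "$marker" "$tmp"; then
        rm -f "$tmp"
        return 1            # the overwrite did not reach the data
    fi

    # Pass 2: a final pass of zeros (-z) and unlink the file (-u), as on the page.
    shred -v -n 0 -z -u "$tmp" || return 1
    [ ! -e "$tmp" ]          # the directory entry is gone as well
}
```

One caveat worth keeping in mind (it is in shred’s own manual): this only helps on filesystems that overwrite data in place. Copy-on-write filesystems, snapshots, journaled-data modes and SSD wear levelling can leave the old blocks untouched even though the file you can see now reads as garbage.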

Securely delete files that were already ‘deleted’ 😃

One way is to fill up the free space with random data, forcing whatever is still sitting there to be overwritten.

You can do that with the following command (file is a new file on the partition you want to clean):

dd if=/dev/urandom of=file status=progress 

Let it run until it errors out: that means there is no space left on the device.

# Example (Error)
dd: writing to ‘/dev/sdX’: No space left on device
7959553+0 records in
7959552+0 records out
4075290624 bytes (4.1 GB, 3.8 GiB) copied, 1247.7 s, 3.3 MB/s

A little faster method would be to use /dev/zero and blank the drive:

dd if=/dev/zero of=file status=progress

  • Overwriting with /dev/zero or simple patterns is considered secure in most situations. With today’s HDDs, it is deemed appropriate and fast for disk wiping.

However, a drive that is abnormally fast at writing patterns or zeroing could be doing transparent compression, in which case it is fair to assume that not all blocks actually get wiped. Some flash memory devices do “feature” that.

  • If you are going to set up block device encryption afterwards, wipe the area with random data instead, to avoid weakening the encryption. The same with shred (one random pass, then a zero pass):

shred --verbose --random-source=/dev/urandom -n1 --zero /dev/sdX

  • Note that urandom is safer but slower. It is nevertheless recommended when you want to wipe your whole disk. It is slow because it needs to build entropy, and safer because it prevents the attack of amplifying the read signal to recover and differentiate a 1 from a 0.

Securely wipe out your drive

Before you partition your disk, it’s good practice to fully wipe it first.

dd if=/dev/urandom of=/dev/YourHardDrive
# Or
dd if=/dev/zero of=/dev/YourHardDrive
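The classic accident with the two dd lines above is a typo in the device name. As an added example (not from the original post), here is a guarded version: check_wipe_target refuses anything that is not a block device, or that is mounted or in use as swap, and wipe_device runs the dd from the page only after that check. The helper names are mine; it assumes a Linux system with /proc/mounts and /proc/swaps, and GNU dd (which, as the output shown earlier on this page illustrates, stops at the end of the device with “No space left on device” and exit status 1).

```shell
#!/bin/sh
# Added example, not from the original post: a guarded version of
# "dd if=/dev/zero of=/dev/YourHardDrive". Function names are hypothetical.

# Return 0 only if $1 is an unmounted block device that is not active swap.
check_wipe_target() {
    dev=$1
    if [ ! -b "$dev" ]; then
        echo "refusing: $dev is not a block device" >&2
        return 1
    fi
    # Refuse if the device, or any partition on it (/dev/sdX1, ...), is mounted.
    # index($1, d) == 1 means "mount source starts with the device name".
    if [ -r /proc/mounts ] && awk -v d="$dev" \
        'index($1, d) == 1 { found = 1 } END { exit !found }' /proc/mounts; then
        echo "refusing: $dev (or a partition on it) is mounted" >&2
        return 1
    fi
    # Refuse if it is in use as swap (the first line of /proc/swaps is a header).
    if [ -r /proc/swaps ] && awk -v d="$dev" \
        'NR > 1 && index($1, d) == 1 { found = 1 } END { exit !found }' /proc/swaps; then
        echo "refusing: $dev is active swap" >&2
        return 1
    fi
    return 0
}

# Overwrite the whole device. The source defaults to /dev/zero; pass
# /dev/urandom for the random pass the page recommends before encrypting.
wipe_device() {
    dev=$1
    src=${2:-/dev/zero}
    check_wipe_target "$dev" || return 1
    err=$(mktemp) || return 1
    # dd writes until the device ends, where it stops with "No space left on
    # device" and exit status 1: for a whole-device wipe that is the expected
    # end, not a failure. conv=fsync flushes the data before dd returns.
    dd if="$src" of="$dev" bs=4M conv=fsync 2>"$err"
    rc=$?
    cat "$err" >&2
    if [ "$rc" -ne 0 ] && grep -q 'No space left on device' "$err"; then
        rc=0
    fi
    rm -f "$err"
    sync
    return "$rc"
}
```

Usage is wipe_device /dev/sdX (zeros) or wipe_device /dev/sdX /dev/urandom (random data); both need root. The mounted check deliberately errs on the side of refusing, so a device whose name is a prefix of another mounted device is also rejected.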

How to protect against that

An easy solution is to simply encrypt your drives! It doesn’t matter if it’s a USB stick or your old dusty Desktop.

To do that you can use cryptsetup to manage and access encrypted devices. This tool relies on the Linux kernel device-mapper and its cryptographic modules; its most notable extension is the Linux Unified Key Setup (LUKS) format.

Format your device

cryptsetup luksFormat /dev/device

You will then be prompted to enter a password and verify it. You can then check the results with:

cryptsetup luksDump /dev/device

Open LUKS encrypted partitions

cryptsetup luksOpen /dev/device encrypteddrive
mkfs.ext4 /dev/mapper/encrypteddrive # Create a file system on it

You can mount it with the following command

mount /dev/mapper/encrypteddrive /mnt

Recover insecurely deleted files

1. ⚠️ Before you attempt to rescue the data, make sure to clone the disk first (with ddrescue, see below).

2. ⚠️ If you erroneously deleted some files/folders, do not turn off your computer. For best results (actually, for decent results) you must save the ext4 journal somewhere.
  • Immediately open a terminal and dump a copy of the filesystem journal:
sudo debugfs -R "dump <8> /some/safe/path/sdXY.journal" /dev/sdXY

Depending on whether the deleted files are on your root partition, you’ll want to save the journal to different locations: for root partitions, mount an external drive and dump the journal there; for non-root partitions, any other partition will do. Avoid saving to /tmp, because your data may be cleaned up.

Let’s clone the disk with ddrescue

  • Clone Disk A to Disk B, creating a log file:
sudo ddrescue --force --no-scrape /dev/sdX /dev/sdY path/to/log.txt

Now we can work on it safely 🤓

  • For ext3 and ext4 file systems you can use ext4magic

List recoverable files:

ext4magic /dev/sdXY -a "$(date -d "-2hours" +%s)" -f deleted/folders/root -j /some/safe/path/sdXY.journal -l

-a specifies the start timestamp (files deleted in the last 2, 3, 10 hours …); -l lists the deleted files.

Recover all the files

ext4magic /dev/sdXY -a "$(date -d "-2hours" +%s)" -f deleted/folders/root -j /some/safe/path/sdXY.journal -d /recovery/path -r

Text file recovery

grep -a -C 200 -F 'Unique string in text file' /dev/sdXN > Results.txt
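This grep trick works for exactly the reason given at the top of the page: the bytes of a deleted file are still there in what the filesystem calls free space. As an added example (not from the original post), the block below reproduces the technique on a constructed disk image instead of a real /dev/sdXN: it fills an image with random bytes, plants one line of a “deleted” text file at a known offset, and then carves it back out with grep -a, also reporting the byte offset with -b so the area can be copied with dd. The function names and the sample line are mine.

```shell
#!/bin/sh
# Added example, not from the original post: carve a "deleted" text line out of
# raw disk data the way "grep -a ... /dev/sdXN" does, using a constructed image
# instead of a real device. Function names and sample content are mine.
export LC_ALL=C   # byte-wise matching; no UTF-8 decoding of random data

make_sample_image() {
    # 256 KiB of random bytes standing in for free space, with one line of a
    # deleted text file planted at byte offset 131072 (constructed sample).
    img=$1
    head -c 262144 /dev/urandom > "$img"
    printf 'TODO: rotate the API key EXAMPLE-KEY-0000\n' |
        dd of="$img" bs=1 seek=131072 conv=notrunc 2>/dev/null
}

# Byte offset of the first occurrence of a fixed string. With -o, -b reports
# the offset of the match itself rather than of the surrounding "line".
carve_offset() {
    grep -a -b -o -F "$2" "$1" | head -n 1 | cut -d: -f1
}

# The readable text starting at the string, up to the next non-printable byte:
# the part of a "grep -a -C" hit that is actually worth reading.
carve_line() {
    grep -a -o -E "$2[[:print:]]*" "$1" | head -n 1
}

# Copy a 64-byte window starting at the hit with dd, e.g. for a hex viewer.
carve_window() {
    off=$(carve_offset "$1" "$2") || return 1
    [ -n "$off" ] || return 1
    dd if="$1" bs=1 skip="$off" count=64 2>/dev/null
}
```

Run make_sample_image /tmp/demo.img and then carve_line /tmp/demo.img 'TODO: rotate' to see the line come back out of "random" data; against a real partition the same grep needs root and a unique enough string, since a short pattern will also match by chance inside unrelated binary data.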

Data recovery tools

Testdisk

This particular data recovery tool doesn’t actually try to copy data. Instead it attempts to correct partition-level issues that might be preventing you from accessing or recovering your data. Testdisk can:

  • Recover lost partitions
  • Make disks bootable again
  • Fix a partition table
  • Restore the master boot record
  • Restore boot sectors
  • Restore filesystem tables
  • Undelete files from NTFS, FAT, exFAT, and ext2 filesystems
  • Copy files from deleted NTFS, FAT, exFAT, and ext2/3/4 filesystems.

Photorec

  • If you’re looking to recover lost files, photos, videos, etc. Photorec is what you want. This tool is part of Testdisk, so once you’ve installed Testdisk, Photorec is ready to serve. This particular tool completely ignores the file system and looks directly at the underlying data. This means, if your file system is damaged, there’s a chance the data can still be recovered.

</ Enjoy 🤓!>

If you have any insights or suggestions, I would love to hear them 🙂.