Most users believe that if they delete a file (rm file, empty the Recycle Bin, etc.), the file is gone forever. Unfortunately, this is not the case. When a file is deleted, the disk space originally allocated to it is simply marked as available and the directory entry for the file is removed. The file's contents remain accessible to anyone with access to the hard disk and the appropriate forensic tools.
The solution to this problem is to use a delete utility which employs file shredding. File shredding is a method of secure file deletion which usually involves overwriting a file multiple times. The de facto standard for file shredding is the Gutmann method, which overwrites the file with a series of 35 patterns.
For 'Nix based systems, nrm provides a secure file deletion utility using the Gutmann method. Another nice feature is that, when used to delete multiple files, nrm immediately writes a pass of random data to all the files before doing the second pass. The advantage this provides over serial writes shows in time-sensitive scenarios (e.g. kill switches as the authorities kick in the door). Serial passes securely delete one file at a time, which can be a lengthy process.
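The pass ordering described above can be compared with serial deletion in a short sketch. This is an added example, not nrm's code: the function names are hypothetical, every pass writes random data rather than the 35 Gutmann patterns, and the sample files are constructed in a temporary directory.

```python
import os
import tempfile

def overwrite_pass(path, chunk=65536):
    """Overwrite a file in place with random bytes and force it to disk."""
    remaining = os.path.getsize(path)
    with open(path, "r+b") as f:
        while remaining > 0:
            n = min(chunk, remaining)
            f.write(os.urandom(n))
            remaining -= n
        f.flush()
        os.fsync(f.fileno())

def shred(paths, passes=3, interleaved=True):
    """Overwrite then unlink; return the (pass, path) write order used.
    interleaved=True finishes pass 1 on every file before pass 2 starts."""
    if interleaved:
        order = [(p, f) for p in range(1, passes + 1) for f in paths]
    else:  # serial: all passes on one file before touching the next
        order = [(p, f) for f in paths for p in range(1, passes + 1)]
    for _, path in order:
        overwrite_pass(path)
    for path in paths:
        os.unlink(path)
    return order

def writes_until_all_covered(order, paths):
    """Count overwrite operations until no file still holds original data."""
    seen = set()
    for count, (_, path) in enumerate(order, 1):
        seen.add(path)
        if len(seen) == len(paths):
            return count

def make_samples(n=3, size=4096):
    """Constructed sample files in a fresh temporary directory."""
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, "sample%d.txt" % i) for i in range(n)]
    for path in paths:
        with open(path, "wb") as f:
            f.write(b"S" * size)
    return paths

if __name__ == "__main__":
    for mode in (True, False):
        paths = make_samples()
        print(mode, writes_until_all_covered(shred(paths, interleaved=mode), paths))
```

With three files and three passes, the interleaved order has overwritten every file once after 3 writes, while the serial order needs 7 writes before the last file is touched at all.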
First, download the nrm tarball and install it according to the instructions in the README. The commands below demonstrate the default method of installation.
# wget -c http://www.synacklabs.net/projects/nrm/nrm-1.0.tar.gz
# tar zxvf nrm-1.0.tar.gz
# cd nrm-1.0
# ./configure
# make && make install
After installation, a user can call nrm as long as /usr/local/bin is in the user's PATH. Furthermore, nrm can replace rm transparently through the use of aliases.
As noted by the author,
"Note that nrm is probably somewhat ineffective on journaled filesystems. It will delete the files, and it will write crud onto the disk, but there is no guarantee that the crud it writes onto the disk is actually overwriting your old file data." [1]
Journaling filesystems include JFS, XFS, ReiserFS, Reiser4 and ext3. Even though these filesystems' journaling methods may reduce the effectiveness of nrm's secure deletion methods, one should still use nrm to delete files, as it offers much more protection against forensic attacks than the standard rm utility. Additional methods of protection for journaling filesystems are to physically destroy the hard drive (which limits the ability to reuse it), to use disk encryption on the journaling filesystem (recommended even if you don't use journaling filesystems), and to set the journal mode for ext3 to ordered data mode.
Before setting your ext3 journal mode to ordered, you need to understand the consequences of such an action. While this action will protect you against forensic attacks which attempt to recover your data, it no longer allows you to recover your data through the use of the journaling filesystem. To set the journal mode for an ext3 filesystem, you will need to add "data=ordered" to /etc/fstab for the appropriate mount point. The section below details the changes which you need to make.
This is the line before the changes
/dev/hda1 / ext3 defaults,errors=remount-ro,atime,auto,rw,dev,exec,suid,nouser 0 1
The line after changes
/dev/hda1 / ext3 defaults,errors=remount-ro,atime,auto,rw,dev,exec,suid,nouser,data=ordered 0 1
Next, change the filesystem manually to ordered using tune2fs.
# tune2fs -o journal_data_ordered /dev/hda1
The "-o" option overrides the options previously set in /etc/fstab with the ordered data journal option. Once this is complete, reboot your system and your ext3 filesystem's data mode will be ordered.
nrm will not overwrite files on flash cards (CF, SD, etc.). Flash cards can dynamically re-map sector numbers. If you send five "write to sector #12345" commands to a flash card, with five different blocks of data, you will find all five blocks present in different physical blocks on the card. A flash card does not overwrite a block until that block is the oldest (in terms of when it was written) unused block on the card.
2008-05-06 Thanks to John Simpson for providing the information regarding flash media's resistance to overwrites.