Extreme Hacking | Sadik Shaikh
Advanced Ethical Hacking Institute Course in Pune
Credits: Jako
I will use Kali linux version 1 all along this tutorial, but the tools used here are compatible with many distributions.
Shred
Shred is a command that comes into most Linux OS. It’s useful for wipe entire drives but it can be used to remove files in a secure way. Let’s see what it can do. I’ve created an evidence.txt file to show you how the tool works:
As you can see, the file content has been overwritten with random data but the file is still there. To remove the file, use the option -u:
shred -u evidence.txt
You can select a number of iterations with the -n option:
shred -u -n 10 evidence.txt
You can add an extra iteration that overwrites zeros with the -z command:
As you see shred adds the extra iteration that we were talking about (11), it also renames the file a few times. I’ve used the -v (verbose) option to show the entire process.
Secure-Delete
This package comes with 4 tools: srm (the secure version of remove),sdmem (to wipe your RAM), sfill (to wipe your hard disk’s free space) andsswap (obviously, to wipe your swap partition). It isn’t installed by default, you can install it from the repositories:
apt-get install secure-delete
It’s quite simple to remove a file with secure-delete, type:
srm <path to the file>
By default, srm overwrites the content 38 times. You can add a final iteration of zeros as before, with the -z option:
srm -z <path to the file>
To remove a folder, use the -r (recursive) option:
srm -r <path to the folder>
To wipe your RAM (it’s a volatile memory, but stores residual information until overwritten too) use the sdmem command:
sdmem
To wipe your disk’s free space use sfill:
sfill <device mount point (in my case “/”)>
To wipe your swap partition, first you must deactivate it :
cat /proc/swaps
Deactivate swapping by typing:
swapoff </dev/XXX>
Wipe the swap partition:
sswap </dev/XXX>
When you are done, reactivate swapping:
swapon </dev/XXX>
Note: All above processes may take some time, cause all of them are based on Gutmann Method.
Test
Let’s make a quick test to see if we can recover deleted files on a thumb drive. Plug the memory into your computer and navigate to the mount point directory (in my case is mounted on /media/DATA, type df -h to see where is it mounted).
cd <path to your flash memory mount point>
Create a file and put some content inside.
nano evidence.txt
Save the file (Control + O) and exit nano (Control + X). Make two copies of that file:
cp evidence.txt evidence1.txt
cp evidence.txt evidence2.txt
Remove one of that copies with shred:
shred -u -n 10 -z evidence1.txt
Remove the other copy with srm:
srm -z evidence2.txt
Remove the last file with rm:
rm evidence.txt
Now we are going to make an image of the flash drive to do a forensic investigation with Autopsy. Type:
dcfldd if=<path to device /dev/XXX> of=flashimage.img bs=1M
This process may take a while (depends on the size of the flash memory), be patient.
Once we have the image, open a case in Autopsy and analyze it:
As you see, the only file we could recover is the one we’ve removed with rm! (Note: this wipe techniques won’t always work, cause sometimes hard drives don’t write the data where we expect, especially in Solid State Drives).
Conclusion
Don’t use rm if you really want to remove a file!
www.extremehacking.org
CEHv9 CHFI ECSAv9 CAST ENSA CCNA CCNA SECURITY MCITP RHCE CHECKPOINT ASA FIREWALL VMWARE CLOUD ANDROID IPHONE NETWORKING HARDWARE TRAINING INSTITUTE IN PUNE,Certified Ethical Hacking, Center For Advanced Security Training in India,IT Security Training Information Security Traning Courses in Pune, ceh certification in pune, Ethical Hacking Course in Pune