Anti forensics scrubber

Is there some software that can automatically detect file removals and zero-out the data that was previously stored in those sectors?

yes, if you're on linux just do
dd if=/dev/zero of=/home/

it's intensive on disk and CPU however, so just let it run for a while

yeah but that still doesn't erase metadata and small files that might be stored on small non contiguous blocks, and it's manual. even windows has something better (sdelete)
maybe we should have a file that automatically expands and contracts with random data according to how much of the disk is used

Darik's boot and nuke.

I'm thinking something for day-to-day usage rather than the nuclear option

Without meming that's actually the way to do it. Just dd from dev zero into a file. Fill it up until your hdd is completely full then remove the file

And I'm serious too, look into how sdelete works. It's a little more involved than just 'lole let's just make a big ass file and it'll delete the data'

srm overwrites a file then deletes it, also look for bleachbit.

>bleachbit
sounds like a meme for normalfags desu

>the software used by Hillary Clinton before handing over hard drives to the FBI is just meme

You want full disk encryption if you're partaking in activities which justify that sort of paranoia. On-disk metadata leaks don't matter if the entire drive is unreadable to an offline attacker.

That said, any method to overwrite "unused" space like suggested is also important with FDE to prevent malware or online attackers from getting this deleted data while the computer is on.

sure it is. maybe they didn't have much time? idk but the way to do it would've been to dd with random data, then with zeros, and reinstall the OS and associated software

meant to link

they could still get metadata by extracting the key with a cold boot or similar

otherwise if encryption was enough why bother with zeroing shit

I'm a brainlet and I don't know shit about computers, but when Mrs. Clinton deleted the info from her servers they used something called "bleach" for it, the data as from official sources can't be recovered

yeah, and my point is his command wasn't good enough, because small files (a few kb long) can be stored in filesystem structures that aren't technically free space such as would be used for bigger files. but that few kb file might be the most compromising one for all we know

>bleach
what, like with a cloth or something?

bleachbit has an "erase free space" option, which is what you want

no man, it was supposed to be a software that did that

is that a brand of cloth? like a particularly soft kind?

yes it is

can it be done from a shell on linux/*bsds or is it gui trash

both, it has a gui and cli

this creates mustard gas btw
i e overwrites all the files in /home

>babby's first command line
how new are you?

The question is SSD or HDD. For SSD, I can assure you the answer is no. There are blocks that can not be accessed within software.

>babby's
baby's

If the FBI wanted the data, they would have been given a warrant by Republicans.
>start a committee on benghazi, end on a server
>whine about russian meddling getting them
Precedent!

you have to go back

You could make a script that hardlinks all files on your drive into a directory and then regularly checks which of the hardlinks don't have a pair anymore and call a tool to securely erase them.
This is actually the most performant option if we don't count that you could theoretically use events to track when files get deleted or created.
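A sketch of the hardlink approach from the post above, added here as an example and not code from the thread. The function names and the shadow directory are assumptions; the shadow directory must be on the same filesystem as the watched tree and outside it, and an in-place overwrite only reaches the old blocks where the filesystem and drive write in place (not on copy-on-write filesystems or flash behind wear leveling).

```python
import os
import stat
import tempfile

def sync_shadows(watch_dir, shadow_dir):
    """Give every regular file under watch_dir a second name in shadow_dir."""
    os.makedirs(shadow_dir, exist_ok=True)
    for root, _dirs, files in os.walk(watch_dir):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            # Name the link after device+inode so a rename is not linked twice.
            link = os.path.join(shadow_dir, f"{st.st_dev}-{st.st_ino}")
            if not os.path.exists(link):
                os.link(path, link)

def scrub_orphans(shadow_dir, chunk=1 << 20):
    """Zero and unlink shadows whose link count fell to 1 (original deleted)."""
    scrubbed = []
    for name in sorted(os.listdir(shadow_dir)):
        link = os.path.join(shadow_dir, name)
        st = os.lstat(link)
        if st.st_nlink != 1:
            continue  # some other name still exists: the file is live
        # The shadow link keeps the blocks allocated during the overwrite.
        with open(link, "r+b") as fh:
            for off in range(0, st.st_size, chunk):
                fh.write(b"\0" * min(chunk, st.st_size - off))
            fh.flush()
            os.fsync(fh.fileno())
        os.unlink(link)
        scrubbed.append(name)
    return scrubbed

def demo():
    """Constructed sample: one file is shadowed, deleted, then scrubbed."""
    with tempfile.TemporaryDirectory() as top:
        watch, shadow = os.path.join(top, "home"), os.path.join(top, "shadow")
        os.mkdir(watch)
        victim = os.path.join(watch, "notes.txt")
        with open(victim, "wb") as fh:
            fh.write(b"constructed sample data")
        sync_shadows(watch, shadow)
        before = scrub_orphans(shadow)   # original still present: no-op
        os.unlink(victim)                # ordinary delete by the user
        with open(os.path.join(shadow, os.listdir(shadow)[0]), "rb") as peek:
            after = scrub_orphans(shadow)
            return before, len(after), peek.read()
```

Because the shadow link holds the inode until the overwrite finishes, the filesystem cannot hand those blocks to another file in the meantime. Files created and deleted between two `sync_shadows` runs are never shadowed and are missed.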

this is actually genius
there's actually no reason we couldn't combine both approaches too
only edge case would be files that are created and deleted too quick.
maybe would be faster to have inotify listening and save inode+start byte+end byte for each file modified, and for deletions to scrub, but then we could run into the risk of scrubbing space that is already being reused by the filesystem, so we would need to reserve that space somehow before scrubbing
so your solution+occasional file growth scrubbing is probably the best one until that problem of reserving free space I mentioned is solved

well, I mean, for each of the inode's blocks (forgot about fragmentation)

bump because fuck the CIAniggers

You can't unless you operate within kernel mode.
Alternatively, use 'shred' for files you want gone forever.

how can we mark some range of sectors in the block device as "don't use for future allocations" to the filesystem? that's all that would be required at the kernel level, everything else can be done user space

Thanks it worked!

so who wants to help me on this project boyos?

you can actually do this to the whole disk and your distro will keep working until reboot

that's more or less something that some operating systems do with the heap- when a process ends, its memory is zeroed out so a new process put in its place can't see anything the last process may have left behind.

yup. but for some retarded reason filesystems haven't implemented that shit. probably cuz disks are slow as fuck

if you're using a journaling filesystem, or a ssd with wear leveling (so all SSDs) the data could still be somewhere, it just wouldn't be possible to get to it without extremely low-level (i.e. kernel) access

some user in another thread mentioned e2fsck -l, but we need a more general solution, that one only works for *ext filesystems

brainlet pajeet

the best approach is to just encrypt the whole disk, and put the key on a cheap usb drive
when you want to 'erase' the contents, destroy the usb drive
if you're too cheap for a discardable usb drive, or like to change your key often, then consider perhaps printing the key onto paper as a QR code, and capturing it with a webcam when mounting

>destroy the usb drive
>implying this is anywhere near easy to do at a moment's notice, especially when having backups

that and it can actually cause wear. RAM doesn't give a fuck if you constantly write to it over and over again. Non-volatile memory, be it flash or a mechanical hard drive, or whatever else, actually has a non-negligible expiration date. Such a feature can be detrimental to the life of your hard drive.

trips of truth
hope I don't bork my hd

flash needs to be erased before it can be written to again, so it's not harmful to erase blocks when a file is deleted (this is called TRIM)
however, this isn't forensically secure, as files may not necessarily align with your ssd's erase blocks, for example, if you delete an 800k file, which is located across 2 512k erase blocks, only one of them can be safely erased, with the other possibly being shared with another file, to clean it, you'd need to read the block, erase it, then write the other file back to the block (a minor case of write amplification)
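The erase-block arithmetic from the post above, as an added example that is not from the thread. It assumes the deleted file's extents are known as physical byte offsets on the flash (a real SSD's translation layer hides this from the host) and that extents do not overlap; the function name is hypothetical.

```python
def classify_erase_blocks(extents, erase_block=512 * 1024):
    """Split the erase blocks touched by one deleted file into two groups.

    extents: list of (byte_offset, length) pieces of the file (it may be
    fragmented). Returns (erasable, shared): indexes of erase blocks the
    file covers completely, and indexes it covers only in part, which may
    also hold another file's data and cannot be erased without first
    copying that data out.
    """
    covered = {}  # erase-block index -> bytes of that block owned by the file
    for offset, length in extents:
        pos, end = offset, offset + length
        while pos < end:
            block = pos // erase_block
            block_end = (block + 1) * erase_block
            take = min(end, block_end) - pos
            covered[block] = covered.get(block, 0) + take
            pos += take
    erasable = sorted(b for b, n in covered.items() if n == erase_block)
    shared = sorted(b for b, n in covered.items() if n < erase_block)
    return erasable, shared

K = 1024
# Constructed layouts for the 800k file / 512k erase block case in the post.
aligned = classify_erase_blocks([(0, 800 * K)])        # starts on a boundary
unaligned = classify_erase_blocks([(100 * K, 800 * K)])  # starts mid-block
fragmented = classify_erase_blocks([(0, 300 * K), (300 * K, 500 * K)])
```

With the file starting on an erase-block boundary one block is erasable and one is shared, as the post says; started 100k into a block, the same file fully covers neither block.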

you can think of it as being the same amount of wear as filling up your entire hard drive from empty. You can do it a few times, but more than a dozen or so and you're just asking for trouble.

>flash needs to be erased before it can be written to again, so it's not harmful to erase blocks when a file is deleted
I suppose that's true, it will have to be done eventually, so why not do it when a page rotates. Makes sense. That's something that SSD manufacturers should be implementing in firmware. I've actually written firmware for a microcontroller that used ~16K of its internal flash to store data, and I implemented that. It had other ways of recovering data, though (redundancy everywhere for failure recovery)

they already did
there's a talk on youtube about ssd forensics and most of them tend to delete some of the data to make room for new data. some of them are more eager than others though, depends on the firmware

what about /dev/urandom instead of /dev/zero?

it's a meme
whether you set a bit to one or to zero, the previous bit modulates the magnetism level

microSD cards are incredibly easy to hide and also to destroy quickly.

just use FDE with a detached luks header on a small drive with an encrypted keyfile

not really
they can restore anything you do to it

not if you snap it in half and flush it down the toilet

yeah, good luck doing that when there's a van parked in your driveway

chew on it