pyth0n3

Why not trust "rm -rf" when i delete sensitive data?


Posted (edited)

In this article I will describe terms such as rm, unlink, inode and file system. I will focus especially on the removal of files in Unix/Linux, and on how to undelete them.

This description covers only the essentials; to get a better idea of how things work you will have to study the structure of the filesystem.

What is an inode?

An inode is a data structure that stores all the information about a regular file or directory except its name and its actual data.

What is a data structure?

A data structure is a way of storing data so that it can be used efficiently; there are different types of data structure.

Access to the contents of a file on disk passes through its inode, which is the structure the kernel uses to uniquely identify the file within a single filesystem.

When a file is created, its name in the directory is just a label kept within the directory, associated with a pointer to the inode.

When a search is performed on the system for a specific file name, the system uses that name to look up the corresponding inode.

At this point the system has the information about the file and can perform the operations requested by the user, such as delete, move, rename etc.

To perform these operations on the file, the user will have to use a shell utility such as mv, cp or rm.

Suppose that a user needs to delete a file; he will use the shell utility rm.

But what about rm? What does it do?

rm is a shell utility that calls unlink.

Let's see some options:

-f, --force ignore nonexistent files, never prompt
-r, -R, --recursive remove directories and their contents recursively

So usually the user will do rm -rf filename_to_delete.

At this point we know that rm calls unlink, which is a system call.

What does the unlink function do when it is called by rm?

The function deletes the file name and decreases the number of references (the link count) in its inode.

NOTE:

If the file has other remaining names, it remains accessible under those names.

"Function: int remove (const char *filename)

This is the ISO C function to remove a file. It works like unlink for files and like rmdir for directories. remove is declared in `stdio.h'."

Remember that a file is not deleted from the disk until all references to it have been deleted. Only when the inode link count reaches zero is the disk space released.

Even then the space is not released while there are processes that still have the file open (even though its name was deleted).
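As an added example (not code from the original post), this C program checks the two facts above: unlinking one of two hard links leaves the inode with link count 1 and the data reachable by the other name, and unlinking the last name while a descriptor is still open leaves the data readable until close(). It assumes a writable /tmp and constructs its own sample file contents.

```c
#define _XOPEN_SOURCE 700 /* added example (not the original post's code); exposes POSIX mkstemp/link/lseek */
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
static const char SECRET[] = "username=pyth0n3\npassword=abc123\n"; /* constructed sample contents */

/* Link count of the inode behind path, or -1 if the name no longer resolves. */
long link_count(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_nlink : -1;
}
/* Create a temp file under /tmp (assumed writable) holding SECRET; fills name[20], returns its fd or -1. */
static int make_secret_file(char *name) {
    strcpy(name, "/tmp/rm_demo_XXXXXX");
    int fd = mkstemp(name);
    if (fd >= 0 && write(fd, SECRET, sizeof SECRET - 1) != (ssize_t)(sizeof SECRET - 1)) { close(fd); unlink(name); return -1; }
    return fd;
}
/* Does the descriptor still read back SECRET from offset 0? */
static int reads_secret(int fd) {
    char buf[sizeof SECRET] = {0};
    return fd >= 0 && lseek(fd, 0, SEEK_SET) == 0 && read(fd, buf, sizeof buf - 1) > 0 && strcmp(buf, SECRET) == 0;
}
/* "rm" on one of two names: link count goes 2 -> 1 and the data stays reachable via the other name. */
int demo_hard_link_survives_unlink(void) {
    char name[20], alias[32];
    int fd = make_secret_file(name);
    if (fd < 0) return 0;
    close(fd);
    strcpy(alias, name); strcat(alias, ".alias");
    if (link(name, alias) != 0) { unlink(name); return 0; }
    int ok = link_count(name) == 2;                /* two names, one inode */
    unlink(name);                                  /* what "rm name" does: only the label goes away */
    fd = open(alias, O_RDONLY);
    ok = ok && link_count(name) == -1 && link_count(alias) == 1 && reads_secret(fd);
    if (fd >= 0) close(fd);
    unlink(alias);
    return ok;
}
/* "rm" on the last name while a process still has the file open: the blocks stay until close(). */
int demo_open_fd_survives_unlink(void) {
    char name[20];
    int fd = make_secret_file(name);
    if (fd < 0) return 0;
    unlink(name);                                  /* link count hits 0, the name is gone... */
    int ok = link_count(name) == -1 && reads_secret(fd); /* ...but the data is still readable */
    close(fd);                                     /* only now may the filesystem free the blocks */
    return ok;
}
```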

Most users wonder whether they have really deleted a file when they use the rm utility.

How to bring the data back?

Suppose you have deleted a file that contained your username and password, code blocks, etc.

Example file:

username=pyth0n3
password=abc123

Unmount the ext2 file system. Then try the strings utility on the raw device (this needs read access to the device, normally root):

strings /dev/sda1 > big_file
grep password big_file

You can also use a regex to find more specific data.

But what about ext3 with journaling enabled?

There is a good utility called extundelete that can undelete removed files.

There are also low-level debuggers like debugfs.

References:

man rm, man unlink, man debugfs, Wikipedia

Source:No Security: Why not trust "rm -rf" when i delete sensitive data?

Edited by pyth0n3
