Fri, Mar 19, 2010 3:15 pm

Securely Deleting a File from a Mac OS X System

If you just use the rm command or empty the Trash on a Mac OS X system, it is possible for a technically knowledgeable person to recover the information in that file. A normal delete removes what is essentially a pointer to where the file is stored on the disk drive; it doesn't overwrite the areas of the disk where the file's data is stored, and that data stays there until the file system happens to reuse those blocks. A normal file deletion is like removing an entry from a book's table of contents and index; someone who reads the entire book can still find the information to which the entry pointed. That is what file-recovery programs do: they scan the disk for data that no directory entry points to any more.

There is a secure way to delete a file, though: overwrite the areas on the disk where the file is stored before releasing them. Once new data has been written over those areas, the old data can no longer be read back from them.

Note: a single overwrite pass is enough to defeat file-recovery software. Whether faint magnetic traces of the old data could still be read afterwards with laboratory equipment, e.g. by a company specializing in data recovery or a government agency with skilled forensics personnel, has long been debated, and on modern high-density drives it is not considered practical, so for most purposes a once-overwritten file can be treated as unrecoverable; srm nevertheless overwrites multiple times by default. Two caveats matter more in practice. First, overwriting only touches the blocks the file currently occupies, so other copies of the data, such as Time Machine backups, application autosave files or swap, are untouched. Second, on a solid-state drive the controller's wear levelling may write the new data to different flash cells and leave the old ones intact, so overwriting gives no assurance there and full-disk encryption is the better defence.

There is a utility that comes with the Mac OS X operating system that will securely overwrite a file. That utility is srm, which overwrites a file several times, renames it, truncates it and then unlinks it. The utility is run from a shell prompt, which you can obtain by using the Finder and going to Applications, Utilities, and then double-clicking on Terminal. The syntax for the command is srm [OPTION]... FILE..., e.g. srm somefile.doc; use srm -r somedir to remove a directory and its contents, and add -v to watch each pass. Later macOS releases (10.12 Sierra onward) no longer ship srm; there, rm -P overwrites a file three times before deleting it.

You can obtain further information on the utility by opening a terminal window on a Mac OS X system and typing man srm.

NAME
       srm - securely remove files or directories

SYNOPSIS
       srm [OPTION]... FILE...

DESCRIPTION
       srm removes each specified file by overwriting, renaming, and truncating
       it before unlinking. This prevents other people from undeleting or
       recovering any information about the file from the command line.

       srm,  like  every  program  that  uses the getopt function to parse its
       arguments, lets you use the -- option to indicate  that  all  following
       arguments are non-options.  To remove a file called '-f' in the current
       directory, you could type either "srm -- -f" or "srm ./-f".

OPTIONS
       -d, --directory
              ignored (for compatibility with rm(1))

       -f, --force
              ignore nonexistent files, never prompt

       -i, --interactive
              prompt before any removal

       -r, -R, --recursive
              remove the contents of directories recursively

       -s, --simple
              only overwrite with a single pass of random data

       -m, --medium
              overwrite the file with 7 US DoD compliant passes  (0xF6,  0x00,
              0xFF, random, 0x00, 0xFF, random)

       -z, --zero
              after overwriting, zero blocks used by file

       -n, --nounlink
              overwrite file, but do not rename or unlink it

       -v, --verbose
              explain what is being done

       --help display this help and exit

       --version
              output version information and exit

NOTES
       srm can not remove write protected files owned by another user, regard-
       less of the permissions on the directory containing the file.

       The -s option overrides the -m option, if both are present.  If neither
       is specified, the 35-pass Gutmann algorithm is used.

       Development and discussion of srm is carried out at
       <http://sourceforge.net/project/?group_id=3297>, which is also accessible
       via <http://srm.sourceforge.net>.
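The overwrite, rename, truncate, unlink sequence and the pass patterns the man page describes, as an added Python example (not the srm source code and not code from the original post): secure_remove() and its mode names are this example's own, and the -m pattern list is copied from the OPTIONS section above. Each pass is followed by fsync, so what the demo reads back after an -n style run reflects what actually reached the file rather than the page cache.

```python
"""Multi-pass overwrite before unlink, modelled on the srm(1) modes quoted above.

Added example, not the srm source code. It reproduces the documented sequence
(overwrite, rename, truncate, unlink) for -s (one random pass), -m (the seven
DoD-style passes listed in the man page) and -z (a final pass of zeros), and
the -n behaviour of leaving the overwritten file in place. All names here are
this example's own.
"""
import os
import secrets
import tempfile

# Pass sequences from the srm(1) OPTIONS section. None = a pass of random
# data, an int = a pass of that fixed byte value.
MODES = {
    "simple": [None],                                      # srm -s
    "medium": [0xF6, 0x00, 0xFF, None, 0x00, 0xFF, None],  # srm -m
}

CHUNK = 64 * 1024


def _overwrite_pass(fd, size, pattern):
    """Write one full pass over the file's current extent and flush it to disk."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        buf = secrets.token_bytes(n) if pattern is None else bytes([pattern]) * n
        os.write(fd, buf)
        remaining -= n
    os.fsync(fd)  # without fsync the pass may only reach the page cache


def secure_remove(path, mode="simple", zero=False, nounlink=False):
    """Overwrite path in place, then rename, truncate and unlink it.

    Returns the number of overwrite passes. nounlink=True (srm -n) leaves the
    overwritten file in place so its contents can be inspected.
    Caveat: like srm, this only rewrites the blocks the file occupies now; it
    does nothing for other copies of the data, and on an SSD the controller
    may map the writes to different flash cells.
    """
    passes = list(MODES[mode])
    if zero:
        passes.append(0x00)  # srm -z
    flags = os.O_WRONLY | getattr(os, "O_NOFOLLOW", 0)  # do not follow symlinks
    fd = os.open(path, flags)
    try:
        size = os.fstat(fd).st_size
        for pattern in passes:
            _overwrite_pass(fd, size, pattern)
        if nounlink:
            return len(passes)
        os.ftruncate(fd, 0)  # hide the original length as well
        os.fsync(fd)
    finally:
        os.close(fd)
    # Rename to a random name so the directory no longer records the original
    # file name, then unlink.
    directory = os.path.dirname(path) or "."
    scrambled = os.path.join(directory, secrets.token_hex(8))
    os.rename(path, scrambled)
    os.unlink(scrambled)
    return len(passes)


def demo():
    """Constructed demonstration on a throwaway file.

    Returns (passes, contents after an -m -z -n style run, whether the file
    still exists after a real removal).
    """
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "somefile.doc")
    with open(path, "wb") as f:
        f.write(b"confidential\n" * 100)  # 1300 bytes of constructed content
    passes = secure_remove(path, mode="medium", zero=True, nounlink=True)
    with open(path, "rb") as f:
        after = f.read()
    secure_remove(path, mode="simple")
    exists = os.path.exists(path)
    os.rmdir(workdir)
    return passes, after, exists


if __name__ == "__main__":
    n, after, exists = demo()
    all_zero = after == bytes(len(after))
    print(f"{n} passes; all zero after overwrite: {all_zero}; file still exists: {exists}")
```

Running the module performs the demo: the -m -z style run makes eight passes and leaves a file of the same length containing only zeros, and the following -s run removes it, including the scrambled directory entry.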

References:

  1. Secure File Delete on Mac OS X
    Date: August 16, 2007
    Exxamine's Weblog


Fri, Mar 19, 2010 12:55 pm

Obtaining an IP Address via DHCP

If a Knoppix system doesn't have an IP address assigned to an Ethernet interface, you can request one by taking the interface down with ifdown eth0 and bringing it back up with ifup eth0. ifup reads the interface's stanza in /etc/network/interfaces and, when eth0 is configured there as iface eth0 inet dhcp, runs a DHCP client to obtain an address. You can confirm the result with ifconfig eth0.


Fri, Mar 19, 2010 12:07 pm

Mounting a Windows Hibernated Drive under Knoppix

After shutting down a Windows Vista laptop into hibernation mode, I wanted to copy the hibernation file, hiberfil.sys, from the laptop's hard disk drive to an external USB drive so that I could analyze it on another system. I removed the drive from the laptop and put it into a Thermaltake Black Widow hard drive eSATA + USB docking station, which I attached to the system I would use for the backup. I was unable to boot that system from a BartPE boot disc, so I booted it instead from a Knoppix Linux Live CD. However, when I connected the docking station with the laptop drive in it to the system, I received the message below:

Error - Konqueror
Windows is hibernated, won't mount.
Failed to mount '/dev/sdb1': Operation not permitted
The NTFS partition is hibernated. Please resume Windows and turned it
off properly, so mounting could be done safely.

I only needed to mount the drive read-only to copy hiberfil.sys from it, so I opened a terminal window, switched to the root account and mounted the partition read-only (mount -r is equivalent to mount -o ro). ntfs-3g refuses a read-write mount of a hibernated volume because Windows would otherwise resume onto a file system that had changed underneath it; a read-only mount is safe, leaves hiberfil.sys intact so the laptop can still resume, and is also what you want when acquiring the file as evidence. (Mounting read-write would require ntfs-3g's remove_hiberfile option, which discards the saved session.) I had another external USB drive attached as /dev/sda1, which was to hold the backup. The laptop drive had two partitions on it: the Windows Vista partition, which was /dev/sdb1, and a recovery partition, which was /dev/sdb2.

knoppix@Knoppix:~$ sudo bash
root@Knoppix:~# mount -r /dev/sdb1 /media/sdb1

After copying hiberfil.sys from the laptop drive to the other external USB drive, and comparing a checksum of the copy with the original (md5sum or sha1sum run on both) to confirm the copy was complete, I unmounted the laptop drive.

root@Knoppix:~# umount /dev/sdb2
root@Knoppix:~# umount /dev/sdb1

I checked the header of the backup copy of hiberfil.sys with the od command. The first 4 bytes of hiberfil.sys are a signature: Windows writes "hibr" (often quoted as "HIBR" in documentation) when it writes the file on hibernation, and it overwrites the signature with "wake" when it later resumes from the file, so a file that begins with "wake" is a stale image that the system has already resumed from, although the rest of the memory image is usually still present on disk. To view just the first 8 bytes of the file with od, use od -a -N 8. The copy below carries the "wake" signature rather than "hibr", which indicates that Windows had resumed from this file since it was written.

root@Knoppix:~# od -a -N 8 /mnt/hdd/hiberfil.sys
0000000   w   a   k   e ht nul nul nul
0000010
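The header check above, automated as an added Python example (not code from the original post): classify_hiberfil_header() maps the 4-byte signature to a state, and od_a() renders bytes the way od -a does so the result can be compared directly with the output shown. The signature sets and the 8-byte SAMPLE_HEADER, constructed to match the od output above, are this example's own.

```python
"""Classify a copy of hiberfil.sys by its header signature.

Added example, not code from the original post: it automates the od -a -N 8
check shown above. Signature sets and function names are this example's own.
"""

# Signatures at offset 0 of hiberfil.sys. Windows writes "hibr" when it
# hibernates; when it resumes from the file it overwrites the signature with
# "wake", so a "wake" file is stale, although the rest of the memory image is
# usually still present on disk.
SIG_HIBERNATED = {b"hibr", b"HIBR"}
SIG_RESUMED = {b"wake", b"WAKE"}

# Constructed 8-byte sample matching the od output above (not real hiberfil data).
SAMPLE_HEADER = b"wake\x09\x00\x00\x00"

# Names od -a uses for the 32 control characters.
_OD_CONTROL_NAMES = (
    "nul soh stx etx eot enq ack bel bs ht nl vt ff cr so si "
    "dle dc1 dc2 dc3 dc4 nak syn etb can em sub esc fs gs rs us"
).split()


def classify_hiberfil_header(header: bytes) -> str:
    """Return 'hibernated', 'resumed', 'unknown' or 'too short' for a header."""
    if len(header) < 4:
        return "too short"
    sig = bytes(header[:4])
    if sig in SIG_HIBERNATED:
        return "hibernated"
    if sig in SIG_RESUMED:
        return "resumed"
    return "unknown"


def od_a(data: bytes) -> str:
    """Render bytes as od -a does (named ASCII, high bit ignored), single-spaced."""
    names = []
    for b in data:
        b &= 0x7F
        if b < 32:
            names.append(_OD_CONTROL_NAMES[b])
        elif b == 32:
            names.append("sp")
        elif b == 127:
            names.append("del")
        else:
            names.append(chr(b))
    return " ".join(names)


def read_hiberfil_header(path: str, n: int = 8) -> bytes:
    """Read the first n bytes of a hiberfil.sys copy (the od -N 8 view)."""
    with open(path, "rb") as f:
        return f.read(n)


def inspect_hiberfil(path: str) -> tuple:
    """Return (od -a rendering, classification) for the file at path."""
    header = read_hiberfil_header(path)
    return od_a(header), classify_hiberfil_header(header)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        rendering, state = inspect_hiberfil(sys.argv[1])
    else:
        rendering, state = od_a(SAMPLE_HEADER), classify_hiberfil_header(SAMPLE_HEADER)
    print(rendering)
    print("state:", state)
```

Run it with the path of a hiberfil.sys copy to inspect that file; without arguments it inspects the constructed sample, which renders as "w a k e ht nul nul nul" and classifies as "resumed". A copy that classifies as "hibernated" is the one to prefer for a faithful memory image.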

References:

  1. Hibernation (computing)
    Wikipedia, the free encyclopedia
  2. Mounting a Hibernated Drive
    Date: November 27, 2007
    MoonPoint Support

