LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Interview: Kristen Carlson Accardi

LWN.net Weekly Edition for July 24, 2008

Tracing: no shortage of options

Interview: Wind River's John Bruggeman

LWN.net Weekly Edition for July 17, 2008

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

Recovering deleted files from ext3

Recovering deleted files from ext3

Posted Mar 16, 2008 4:27 UTC (Sun) by elgordo123 (guest, #51081)
Parent article: Recovering deleted files from ext3 

Well it's nice to see that Linux is now officially no more secure than windows.

(Log in to post comments)

Recovering deleted files from ext3

Posted Mar 16, 2008 12:39 UTC (Sun) by dlang (subscriber, #313) [Link] 

please explain.

if you were ever under the impression that any linux filesystem completely overwrote the file
with zeros (let alone did a secure delete by overwriting the file multiple times with
different patterns), you are sadly mistaken.

it's still significantly harder to recover files from ext2 than it is from windows file
systems, but that's not a security measure, and it never was.

Recovering deleted files from ext3

Posted Mar 16, 2008 13:00 UTC (Sun) by nix (subscriber, #2304) [Link] 

Also, if you can read the journal directly you have access to the block 
device and thus have lost the game regarding security of data on that 
device anyway.

Recovering deleted files from ext3

Posted Mar 18, 2008 23:45 UTC (Tue) by jquirk (guest, #51079) [Link] 

Ext2 is not really that hard to recover files from provided you stop and unmount the disk as
soon as you realize you have a problem. Its all there have a look at my stuff I contributed to
LDE you can see all deleted entries on ext2 volume, ext2 just unlinks the directory entry for
a linked list, marks the inode as deleted and frees the blocks in the bit map. It is as you
stated ext2 zeros nothing of value. Most forensics tools know this so if you are security
concerned standard files system are not for you. Ever wonder why if purchase you ex military
computers they have no hard drives.

Recovering deleted files from ext3

Posted Mar 20, 2008 3:13 UTC (Thu) by quotemstr (subscriber, #45331) [Link]

Try

$ man shred :-)

Or better yet,

$ alias shred='shred -u -n1'

And use that alias like rm. It'd be nice if the ext* 's' attribute were implemented too.

Recovering deleted files from ext3

Posted Mar 20, 2008 4:51 UTC (Thu) by gdt (subscriber, #6284) [Link]

Why would shred work on a journaling filesystem like ext3? A point noted in shred's man page.

Recovering deleted files from ext3

Posted Mar 20, 2008 10:21 UTC (Thu) by Cato (subscriber, #7643) [Link] 

Actually shred works fine on ext3 in default configurations, i.e. as long as you are only
doing 'writeback' of data, meaning that filesystem metadata is journalled but file contents
metadata is not.  See http://en.wikipedia.org/wiki/Ext3 and in particular
http://wiki.linuxquestions.org/wiki/Talk:Shred

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds
Powered by Rackspace Managed Hosting.