afo - Aggressive file obliterator

april

#21 Post by april »

jafadmin wrote:
> Burn_IT wrote:
> > Even with data overwrite on magnetic disks it is possible (though expensive) to retrieve prior data after a few passes. That is why DOD standards say seven overwrites with different random data each time.
> > It is also very difficult to "clean" SSD type storage media because of the randomising. The only sure way is to delete the whole disk and force full garbage collection.
>
> I have an associate that is a DOJ certified Forensic IT Specialist. These guys have really expensive hardware and software designed to do just exactly what you said.
>
> According to this individual, the assertion that data can be retrieved after a disk has been overwritten, even with just one pass of zeros, is largely just a theory.
>
> There aren't any actual proofs of this. Anywhere. Think about that. Someone would have published by now.

FWIW the theory I read was they shift the read head just slightly to one side or the other and as some shake is always present the sides can be read and distinguished from the new data.

Seems to me it could only be on hard disks, and rewritable CDs and USB sticks would be safe from that.
Heard anything about prior data on USB sticks?

Burn_IT
Posts: 3650
Joined: Sat 12 Aug 2006, 19:25
Location: Tamworth UK

#22 Post by Burn_IT »

As far as I am aware, if a USB stick is overwritten there is no way of recovering prior data.
I did however see an article that said with very very expensive electronics it is possible to detect the previous state of a cell if all the cells had been overwritten with a single value.
"Just think of it as leaving early to avoid the rush" - T Pratchett

april

#23 Post by april »

Fabrice's app is a tad confusing.

What does the first icon with the red arrow do?
Nothing, it seems.
Where do the logs appear? Nothing in /var/logs/
So you select the line with the file on it, select how many times you want it overwritten and then press delete. That's the only one that does the deed?

So what's all the rest of the box needed for?

Couldn't you just leave it as jafadmin had it and it works intuitively from the command line.

Guess he's gotta say good but I think the extra app is a pointless complicated time waster or at least it needs tidying up if it's meant to be a safety thing.
Last edited by april on Thu 17 Mar 2016, 01:47, edited 3 times in total.

april

#24 Post by april »

Burn_IT wrote:
> As far as I am aware, if a USB stick is overwritten there is no way of recovering prior data.
> I did however see an article that said with very very expensive electronics it is possible to detect the previous state of a cell if all the cells had been overwritten with a single value.

Well good, not much chance of them being in that state is there!

Burn_IT

#25 Post by Burn_IT »

Well yes there is!
The null state after a format is a single value.
That is why any decent scrubber uses random changing values.

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#26 Post by musher0 »

@jafadmin

You wouldn't know of an afmo (aggressive forum member obliterator), :lol:
would you? (Just kidding. I'm thinking of no one in particular...) :twisted:

TIA.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

april

#27 Post by april »

Burn_IT wrote:
> Well yes there is!
> The null state after a format is a single value.
> That is why any decent scrubber uses random changing values.

As I have mentioned elsewhere and I think it is mentioned here. Formatting clears the addresses, it doesn't clear the data. The data remains until something like AFO comes along to overwrite it with something else.

At least that's my understanding and it seems to be upheld by what I have seen in using recovery programs on both Unix and Windows.

Perhaps if you feel otherwise you might explain, as I would like to know if I am wrong. I don't think null values are written anywhere except in FAT tables and perhaps inodes, which I have yet to find and study. Are they used anywhere else?

Burn_IT

#28 Post by Burn_IT »

A quick Format clears the indexes as you say.
A Full Format, which takes some time, clears the data as well. (If I remember correctly, on hard drives it is not null but something like X'F0')

Normally nowadays the quick format is default as a full format can take hours on a large volume.

I always recommend a full format on a new volume or one that is being re-purposed as it also checks for bad sectors/cells, marks them and substitutes spare sectors.

With an SSD that is left plugged in the garbage collection routines will clear empty cells anyway.

april

#29 Post by april »

I've got a few hard drives and USBs lying around. I'll test that out because I have not seen what you say happens actually happening in practice. The full format, I mean.

jafadmin refers to that also and says it does not happen. I too have found original data still on supposedly fully reformatted drives.
It will take me a bit to get to it though.

jafadmin wrote:
> A Word To The Wise: None of these following things got rid of the original file data.
> 1) Reformatting failed.
> 2) Reformatting to a different filesystem failed
> 3) Deleting the partition failed.
> 4) Deleting the partition table failed
>
> The only thing that worked was overwriting the partition with dd
> Code:
> dd bs=1M if=/dev/zero of=/dev/"partition descriptor", or
> dd bs=1M if=/dev/random of=/dev/"partition descriptor"

Burn_IT

#30 Post by Burn_IT »

Don't use a big disk!!
It is a while since I did these tests, so I too am interested in what is done nowadays.

scientist
Posts: 860
Joined: Sat 23 May 2015, 08:21

#31 Post by scientist »

I really like Afo.

Would it be hard to have it work with Thunar ?
Thanks,
Andy


Slacko 6.3.0 FULL INSTALL
JWM
File Manager - Thunar

april

Trying to clean USB stick

#32 Post by april »

I was cleaning a USB stick that had a puppy install and a few other files. You will see all the things I tried (sorry, lost this fixing size of attachment - bloody too restrictive). The rox directory picture shows nothing in there.

After all of this and getting and installing the latest from the first post I still have data reading in the properties as if it is still there? How do I fix this? Use gparted maybe, but I thought after obliterating the files they would no longer show anywhere.

When I opened it in gparted the data still showed also?

Code:

# afo

	afo  - (Agressive File Obliterator)
Overwrite directories/files with random gibberish, then delete.
Usage: afo [-c N (# of overwrites, default=1)] file spec
Example: # afo -c 2 DirectoryName
Example: # afo *.bak
Example: # afo -c 5 *


# afo  /mnt/sdc1
# afo  /mnt/sdc1/*.*
# afo -c /mnt/sdc1/*.*

 ! Note this is not the correct order just copied them in now
Attachments: afo_result2.png, afo_result.png

jafadmin
Posts: 1249
Joined: Thu 19 Mar 2009, 15:10

#33 Post by jafadmin »

Hi April,

Check it again with Rox and have it show hidden files. There is still something pretty big on that thumb drive (1.6Gig?).

It might be easier and faster to just use dd to wipe the flash drive and then just reformat back to Fat32.

dd bs=4096 of=/dev/sdd if=/dev/zero

afo /mnt/sdd1/*

april

#34 Post by april »

Yes it was a movie file just to test.

I redid everything with another thumb drive and got the same result (below). Showing hidden files revealed nothing, hence the two rox filers below, and this was a couple of movies also. So for some reason it is not clearing them properly. I suggest you give it a try please. The files were mov and mkv if that affects anything.

I can get the drive clean by other methods OK, I just thought to help get this doing it right. I like AFO and would like to rely on it. I have a use in mind in the security field which is what I do.

While you are here perhaps you can explain something to me.
/dev/zero as with many other files in /dev shows as a character file with no bytes in it so, when you use it as above, how does it write a value to the output file and what is that value?
Attachments: AFOResultagain.png

jafadmin

#35 Post by jafadmin »

Hi again, April.

The syntax for afo is: afo -c N filespec ('N' means a number)

afo /mnt/sdc1/* (to delete everything on the drive using defaults)

Do not use *.* as it will not delete files unless they have a "name.name". In Linux, to delete everything, just use '*'.

The "-c" switch expects a numeric argument to follow (i.e. 1, 2, 3, etc.) or ("-c2"). This tells afo how many times to overwrite the file. The default value if the switch isn't specified by you is 1.
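
The difference between "*.*" and "*" described in this post, as an added example that is not part of afo or of the original post: it lists the top-level entries a pattern does not expand to, and also shows that "*" alone skips hidden (dot) entries. The file names and the helper names make_tree and uncovered are constructed for illustration.

```shell
#!/bin/sh
# Added example: which directory entries does a glob NOT reach?
# All file names below are constructed sample data in a scratch directory.

# Build a scratch tree resembling a used thumb drive and print its path.
make_tree() {
    d=$(mktemp -d) || return 1
    touch "$d/movie.mkv" "$d/clip.mov" "$d/README" "$d/.hidden" "$d/.Trash.db"
    mkdir "$d/.cache"
    touch "$d/.cache/thumb.png"
    echo "$d"
}

# uncovered DIR 'PATTERN...': print top-level entries of DIR that the
# pattern(s) do not expand to. Pass the pattern quoted so it is expanded
# here, inside DIR, and not by the calling shell.
uncovered() {
    (
        cd "$1" || exit 1
        for entry in * .[!.]* ..?*; do       # every entry, hidden ones included
            [ -e "$entry" ] || continue      # skip patterns that matched nothing
            hit=no
            for match in $2; do              # unquoted on purpose: glob expansion
                if [ "$match" = "$entry" ]; then hit=yes; fi
            done
            if [ "$hit" = no ]; then echo "$entry"; fi
        done
    )
}

tree=$(make_tree)
echo "not reached by *.* :";            uncovered "$tree" '*.*'
echo "not reached by *   :";            uncovered "$tree" '*'
echo "not reached by * .[!.]* ..?* :";  uncovered "$tree" '* .[!.]* ..?*'
rm -rf "$tree"
```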

april

#36 Post by april »

Yes I understand all that. I just used that exact command on the exact same drive and it still has content on the drive.

I was just showing you what else I tried to erase the contents. It still shows content no matter what I do with AFO.

Certainly I can reformat it and have it clean but I am trying to get AFO to do it in one hit. It's supposed to read a file, write rubbish over it as many times as I wish, then delete the file.

Yes, I am trying to impress on you that doing all this still leaves something on the drive, which I wish you would just try and see for yourself please.

At least then we will be on the same page!

jafadmin

#37 Post by jafadmin »

The problem, April, is that I can't duplicate the problem.

If I type:

Code:

afo /mnt/sdb1/*

Everything on sdb1 gets deleted and scrambled.

If I type: "ls /mnt/sdb1", it shows nothing. If I look in rox and tell it to show hidden files as well, it shows nothing. If I check it with "df" it shows nothing, and if I look at it with gparted, it shows nothing.

See, the thing is, if the entry for a file is deleted from the partition table, none of these utilities will show it as being there.

Try this and see if it changes anything:

Code:

rm /mnt/sdb1/*

All afo does is scramble the contents of the file before deleting it.

april

#38 Post by april »

I see. Maybe it's in the way I am getting the properties in precise 5.7.1.
I open a rox filer for the stick, then go up a directory in the rox so it shows sdc1, then I right click for properties and that's the window that shows content.

If I open it with gparted it still shows content on the drive so I am at a loss why you are not seeing this? That's the only thing I am looking at atm so it's probably doing the scramble OK but the deletion is not showing up for me.

I'll have a go at recovering the deleted files and see if there is anything still recognisable on it. Strange indeed. What release are you trying a duplication on?

jafadmin

#39 Post by jafadmin »

Just for grins, try this, April; remove the stick then navigate to /mnt/sdc1 and see if anything is in there. If not, you may have a messed up USB thumb drive. :?

If rox and the "ls" commands say there are no files on the drive, but gparted is saying it's half full, I think it must be messed up. I'm all out of suggestions.

If it was mine, I'd zero it out with "dd", then reformat it.

april

#40 Post by april »

OK I repeat, for the 4th time, I can get it clean. That's not my problem.
What I am trying to do is understand why content is being left on the stick by afo in my precise situation (pun).

I want to use it in a script that won't work if there is content left on it in any form.
You didn't answer what system you are running to test it.
Can you give me the code that runs afo or the script. Whatever, and I'll see if I can extract the pertinent parts for my script.

Nothing wrong with my USB stick.
When I went to /mnt/sdc1 I got the list of files that were last used there in april so I don't understand that?

I deleted all that was there anyway and put a few small files on the stick and used AFO again. Watched them being deleted fine.
Looked at results again and got the same from "properties" but I noticed "gparted" gives different "used" sizes to "properties".

With the stick unmounted and removed /mnt/sdc1 gives an empty directory now too.

Also you have not answered my question:
While you are here perhaps you can explain something to me .
/dev/zero as with many other files in /dev shows as a character file with no bytes in it so, when you use it as above, how does it write a value to the output file and what is that value?
Attachments: AFOresult3.png
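
The dd overwrite quoted in post #29 and the /dev/zero question asked in posts #34 and #40, as an added example that is not from any poster and not afo's own code: it shows the bytes a read from /dev/zero returns, then reads back a scratch image to check whether a known marker survives an index-only rewrite and a full dd overwrite. The image path, the marker string and the 4 KiB "index" area are constructed assumptions; no real device is touched.

```shell
#!/bin/sh
# Added example: runs entirely on a scratch image file, never on a real device.
IMG="${TMPDIR:-/tmp}/wipe_demo_$$.img"   # hypothetical scratch path
MARKER="CONSTRUCTED-SECRET-MARKER"       # constructed stand-in for old file data

# First 16 bytes read from /dev/zero, as hex. The device node has size 0
# because the kernel generates the bytes on every read.
zero_sample() {
    dd if=/dev/zero bs=16 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# 1 MiB image with the marker stored 512 KiB in, like data mid-partition.
make_image() {
    dd if=/dev/zero of="$IMG" bs=1024 count=1024 2>/dev/null
    printf '%s' "$MARKER" | dd of="$IMG" bs=1 seek=524288 conv=notrunc 2>/dev/null
}

# Stand-in for an index-only (quick) format: rewrite just the first 4 KiB.
index_only_format() {
    dd if=/dev/zero of="$IMG" bs=4096 count=1 conv=notrunc 2>/dev/null
}

# The dd overwrite quoted in the thread, aimed at the image instead of /dev/...
full_overwrite() {
    dd bs=1024 count=1024 if=/dev/zero of="$IMG" conv=notrunc 2>/dev/null
}

# Read the raw image back: marker occurrences, and bytes that are not 0x00.
marker_hits()   { grep -a -c "$MARKER" "$IMG" || true; }
nonzero_bytes() { tr -d '\000' < "$IMG" | wc -c | tr -d ' '; }

echo "/dev/zero yields: $(zero_sample)"
make_image;        echo "fresh image:       marker_hits=$(marker_hits)"
index_only_format; echo "index-only format: marker_hits=$(marker_hits)"
full_overwrite;    echo "full overwrite:    marker_hits=$(marker_hits) nonzero_bytes=$(nonzero_bytes)"
rm -f "$IMG"
```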
