Killing a File (Autumn, 1999)
-----------------------------
By THX1138

Getting rid of all traces of a file sounds like an incredibly simple thing to do. You get yourself a program that overwrites the file and that's it. Right? Unfortunately, getting rid of all traces of a file is far more complex than you could have imagined.

You'll need a program that does more than the DOS, UNIX, or Windows delete command. Those commands merely mark the disk space used by the file as available without actually erasing the file's contents, even after the file is emptied from the Windows recycle bin. Programs that overwrite the contents of a file are called "secure delete" programs. Scorch is good and has some interesting options. BCwipe is also good.

Make sure these programs rename the file first, with a name of equal or greater length! Inferior programs may erase the file data and then mark the entry in the disk's table of contents as deleted without actually overwriting the filename. Or consider a filename that previously existed on a corporate computer: they would like to know how a reference to that file got onto your computer (assuming it's been seized). Filenames alone may not be solid evidence against you, but wouldn't it be cleaner not to leave a trace? Several programs rename the file with X's first and then erase the actual file contents. Make sure your secure delete program does this.

Even if you have done all of the above, the filename and its data can still exist all over the place! If you're using Win 95 or NT, click Start, then "Documents." Is your filename there? Blow away the shortcut in C:\WINDOWS\RECENT using your secure delete program. If you're using Win NT, blow away the shortcuts in C:\WINNT\PROFILES\ADMINI~1\RECENT\. This assumes you have the administrator account. There's another directory called C:\WINDOWS\QFNONL\RECENT\ that can contain references to your file.
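As an added example (not from the article), here is the rename-then-overwrite sequence the author asks of a secure delete program, in Python: a same-length name of X's first, then the data blocks, then the directory entry. It assumes a filesystem that overwrites in place; journaling, copy-on-write and flash (SSD) storage can keep the old blocks regardless, and the file name and contents in demo() are constructed.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 16   # overwrite in 64 KiB pieces

def secure_delete(path, passes=3):
    """Rename the file to a same-length name of X's, overwrite its data in
    place (random passes, then nulls), truncate it and unlink it.
    Returns (replacement_name, bytes_overwritten)."""
    directory, name = os.path.split(path)
    size = os.path.getsize(path)
    # Step 1: overwrite the directory entry's name. Same length, so the
    # existing entry is reused instead of a new one being allocated.
    new_path = os.path.join(directory, "X" * len(name))
    if new_path != path and os.path.exists(new_path):
        raise FileExistsError(new_path)   # never clobber an unrelated file
    os.rename(path, new_path)
    # Step 2: overwrite the data blocks, forcing each pass to disk.
    with open(new_path, "r+b") as f:
        for p in range(passes):
            f.seek(0)
            left = size
            while left > 0:
                n = min(left, CHUNK)
                f.write(secrets.token_bytes(n) if p < passes - 1 else b"\0" * n)
                left -= n
            f.flush()
            os.fsync(f.fileno())
        f.truncate(0)            # and hide the original length
    os.remove(new_path)          # finally release the (now null) entry
    return os.path.basename(new_path), size

def demo():
    """Constructed input: a temp file holding a marker string, wiped and checked."""
    d = tempfile.mkdtemp()
    target = os.path.join(d, "payroll-1999.doc")   # constructed name
    with open(target, "wb") as f:
        f.write(b"SECRET " * 10000)                 # 70,000 bytes
    new_name, wiped = secure_delete(target)
    gone = not os.path.exists(target) and not os.listdir(d)
    os.rmdir(d)
    return len(new_name) == len("payroll-1999.doc"), wiped, gone
```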
There may be other software that opens the file and keeps the filename on a list somewhere, such as a "last files opened" list. Use the Windows file explorer to search the software directories in question for a substring of the filename (use the "contains" field). On UNIX, cat all the files through grep with an appropriate substring. Yes, you're going to have to examine each piece of software that opened the file for any traces of it.

In a state of shock yet? It gets worse. Windows 95, Windows NT, UNIX, and other operating systems use virtual memory files to extend RAM. When a process or program becomes completely inactive, the operating system puts the process, with all of its memory (RAM) contents, out on disk in order to conserve memory. This method of extending RAM is called virtual memory. When the program becomes active again its data is copied back into memory, and, yes, the data is left in the virtual memory file until it is overwritten. Your data could stay there for days or even months!

Windows 95 uses the file win386.swp. You can boot into DOS and erase the file, but you'll have to change the permissions first. More robust operating systems will automatically re-create the swap file at boot time if they detect it missing. Some "secure delete" programs (such as Scorch) may have an option to leave the Win 95 swap file intact but erase its contents.

Some operating systems, like Win 95 and NT 4.0, have swap files that grow and shrink dynamically, using empty disk space as needed. Turn this option off, or get enough memory so that you don't need a swap file. Wiping the swap file in its shrunken state could leave parts of your file in what was the swap file in its enlarged state, but is now unused disk space. For example, your data got swapped out to the last 10 megabytes of the virtual memory file and later the virtual memory file shrank, leaving your data in what is now marked as unused disk space.
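The author's remedy for this, given in the next paragraph, is to fill the free space with null files and then delete them. Here is that step as a Python function, added here and not from the article; max_bytes is an assumed cap so it can be tried without filling a real volume, and per_file keeps each filler below a filesystem's maximum file size.

```python
import errno
import os
import tempfile

NULLS = b"\0" * (1 << 20)   # one megabyte of null bytes per write

def fill_free_space(directory, max_bytes=None, per_file=1 << 30):
    """Write null files into `directory` until the volume is full (ENOSPC),
    then delete them all, so any free space that once held swap or file
    data now holds nulls.  `max_bytes` caps the total, for dry runs and
    tests.  Returns the number of null bytes written."""
    written, paths = 0, []
    try:
        while max_bytes is None or written < max_bytes:
            fd, path = tempfile.mkstemp(prefix="null", suffix=".tmp", dir=directory)
            paths.append(path)
            with os.fdopen(fd, "wb") as f:
                size = 0
                while size < per_file and (max_bytes is None or written < max_bytes):
                    chunk = NULLS if max_bytes is None else NULLS[:max_bytes - written]
                    f.write(chunk)
                    size += len(chunk)
                    written += len(chunk)
                f.flush()
                os.fsync(f.fileno())   # push the nulls to the platter, not the cache
    except OSError as e:
        if e.errno != errno.ENOSPC:    # "disk full" is the expected stop condition
            raise
    finally:
        for p in paths:
            os.remove(p)               # plain delete is fine: the contents are nulls
    return written

def demo(total=2 * (1 << 20) + 7):
    """Constructed run on a fresh temp directory with a small byte cap."""
    d = tempfile.mkdtemp()
    written = fill_free_space(d, max_bytes=total)
    leftover = os.listdir(d)
    os.rmdir(d)
    return written, len(leftover)
```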
If you think this has already happened on your system, wipe the swap file while booted in DOS and then, before exiting DOS, fill up the disk with big null files and erase them all. Use DOS pipes to keep concatenating the null-filled files until the entire disk is full. Then simply delete them all. On UNIX you can switch to an alternate swap file just long enough to erase the original swap file with a secure delete program, then re-create the original and switch back to it. Check /etc/fstab for references to your swap partitions. Windows NT uses a virtual memory file called pagefile.sys. Wipe its contents while booted in DOS. If you have NTFS, you'll have to temporarily get rid of the virtual memory file, fill the disk with null files, then delete them.

If a DOS FAT based file system has problems, you are told to run a program called scandisk. If scandisk finds "lost" pieces of files, it puts the pieces in a series of files called FILE0001.CHK, FILE0002.CHK, and so forth. These files could contain data you want erased. If so, blow them away with your secure delete program.

The Windows registry can be littered with references to a file. The registry keeps all kinds of information about a Windows machine. If you are unfamiliar with the registry, try browsing through it in read-only mode. Use the registry editor (regedit.exe) to find references to recently accessed files that you want eradicated. (Don't use the 32-bit registry editor. The piece of crap doesn't find all strings!) Most Windows software, such as RealPlayer, keeps a list of recently accessed files. Use the registry editor to find these old references. While you're in there you may want to look under Netscape for "URL History" and get rid of the URL references to Hustler and Penthouse. The boss or a coworker might get upset about them. So, you just hit the delete key and those registry values are gone, right? Mistake!
Deleting registry values is almost like making a permanent record of them, because the registry marks the entries as deleted without overwriting them. If you run a binary editor (like HEXedit) on the registry and search for the values, you'll see they're still there! The registry is actually a file called C:\WINDOWS\SYSTEM.DA0, and on NT it's a series of files in C:\WINNT\SYSTEM32\CONFIG. I have successfully erased these "lost" values with a binary editor. (Don't try this on your own.)

The best way to get rid of registry values is to overwrite them. Instead of pressing delete, modify the value and change it to something of equal or greater length. So, using the registry editor, find Netscape's "URL History," and change www.hackFBI.com to www.paranoid.com, or www.Hustler.com to www.barney.com. If you opened any files with Netscape, data could be stored in the Netscape cache. Use your secure delete program to delete these cache files.

One way to simplify the whole business of killing files is to create a "killall" script that does a lot of the deletions, and run it just before shutdown. C2 compliant operating systems have a "secure delete" option that overwrites a file when you do a regular delete command, but there is no undelete or wastebasket with this type of deletion. I prefer to put most stuff in the wastebasket and Scorch the files I really want to get rid of. There is a program called Shredder that attempts to kill (in real time) files and references everywhere they may be. It is good but not perfect.

Every piece of software out there could keep some internal record of your file or even its contents, especially software made by Big Brother in Washington State. His software leaves references all over the place. Remember, a moderate dose of paranoia is healthy.
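To see why an in-place overwrite of equal or greater length works where delete does not, here is a toy cell store written for this page (not a model of the real registry file format): delete() only flips a flag, and set() writes exactly as many bytes as the new value has. The URLs are the article's; www.x.com and the 32-byte cell size are constructed.

```python
SLOT = 32   # fixed capacity of each value cell in this toy model (constructed)

class SlotStore:
    """Toy value store reproducing the two behaviours described above:
    delete() only flags a cell, and set() writes exactly len(value) bytes
    over the cell, leaving any leftover bytes of the previous value."""
    USED, FREE = 0x55, 0x46   # cell flag bytes 'U' and 'F'

    def __init__(self):
        self.raw = bytearray()   # the on-disk image a hex editor would show
        self.index = {}          # value name -> offset of its flag byte

    def set(self, name, value):
        if len(value) > SLOT:
            raise ValueError("value longer than a cell")
        if name not in self.index:                 # allocate a fresh cell
            self.index[name] = len(self.raw)
            self.raw += bytes([self.USED]) + b"\0" * SLOT
        data = self.index[name] + 1
        self.raw[data:data + len(value)] = value   # only len(value) bytes change

    def delete(self, name):
        self.raw[self.index.pop(name)] = self.FREE  # flag it; the bytes stay

    def hex_search(self, needle):
        """What a binary search over the registry file would find."""
        return needle in self.raw


def demo():
    """Walk the three cases with the article's URLs as constructed values."""
    old, shorter, longer = b"www.hackFBI.com", b"www.x.com", b"www.paranoid.com"
    results = {}
    s = SlotStore(); s.set("URL History", old); s.delete("URL History")
    results["delete leaves value"] = s.hex_search(old)
    s = SlotStore(); s.set("URL History", old); s.set("URL History", shorter)
    results["shorter leaves tail"] = s.hex_search(old[len(shorter):])   # b"BI.com"
    s = SlotStore(); s.set("URL History", old); s.set("URL History", longer)
    results["longer wipes value"] = not s.hex_search(old) and not s.hex_search(old[len(shorter):])
    return results
```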