Bug#726388: wipe: Wipe does not succeed in hiding filenames of wiped files

Timo Boettcher debian at timoboettcher.name
Tue Oct 15 08:46:55 UTC 2013


Package: wipe
Version: 0.22-1
Severity: normal
Tags: upstream patch

The wipe man-page states:
"Normally, wipe tries to cover file names by renaming them"

However, this does not work for me for different versions of wipe.
Using fls from the sleuthkit, it's easy to see the name of the wiped file
in the filesystem on the ext{2,3,4} filesystems. On vfat, btrfs and xfs
the filename can be retrieved easily, too.

My testcase was:
$ dd if=/dev/zero bs=1M count=256 of=wipeimagefile-ext2.bin;
$ losetup /dev/loop2 wipeimagefile-ext2.bin;
$ mkfs.ext2 /dev/loop2;
$ mkdir /mnt/wipetest;
$ mount /dev/loop2 /mnt/wipetest;
$ echo "very secret data that should be deleted after use" > /mnt/wipetest/secretfile.txt;
$ wipe -fc /mnt/wipetest/secretfile.txt;
$ umount /mnt/wipetest;
$ losetup -d /dev/loop2;
$ rmdir /mnt/wipetest;
$ fls wipeimagefile-ext2.bin
  wipeimagefile-ext2.bin
  d/d 11: lost+found
  r/- * 0:        secretfile.txt
  r/- * 0:        4hv06IB9SyTgVt
  d/d 2561:       $OrphanFiles

In contrast to this behaviour, shred from coreutils-8.5 succeeds in
hiding the filenames. shred was used with the parameters -fu for this
comparison.

I believe that this is from the different usage of sync() in wipe and
fsync(dir_fd, dirname) in shred.

Note that this isn't a limitation of the filesystem or the operating
system, as shred succeeds in hiding the original filename.

Used for the test were the following versions of wipe:
wipe-0.21-9 from debian squeeze,
wipe-0.22-1 from debian wheezy and sid,
wipe-0.21-5.fc15 from fedora 15,
wipe-0.21-8.fc19 from fedora 19
on ext2, ext3, ext4, vfat, xfs and btrfs.

I have written a patch that fixes the mentioned issue.
It is heavily based on the source of shred from coreutils by Colin Plumb.
While shred is now licensed under GPLv3, the parts of my patch that were
derived from shred could easily be changed to a version of shred
(git cad884a..) that was licensed under GPLv2.

For the same testcase as written in my first mail, the fls output is:
d/d 11: lost+found
r/- * 0:        0
r/- * 0:        00
d/d 2561:       $OrphanFiles

Note that this patch only keeps the filename from being readable in the
filesystem structure. For journaling filesystems, such as ext{3,4}, the
filename is still retained in the journal.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 002_hide_filenames.diff
Type: text/x-diff
Size: 7912 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/forensics-devel/attachments/20131015/d32c8f4d/attachment.diff>
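The following C example is added here for illustration; it is neither the attached 002_hide_filenames.diff nor code from shred or wipe. It shows the approach the report describes: rename the entry to all-'0' names of decreasing length, call fsync() on the directory descriptor after each rename, then unlink. The function name hide_and_unlink and the skip-on-collision behaviour are assumptions of this example; it handles only the name, not the file contents, and, as the report notes, does nothing about a filesystem journal.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Rename `name` (an entry of directory `dir`) to runs of '0' of decreasing
 * length, fsync()ing the directory after every rename so each change reaches
 * the on-disk directory, then unlink it. Returns 0 on success, -1 on error. */
int hide_and_unlink(const char *dir, const char *name)
{
    int dfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0)
        return -1;
    size_t len = strlen(name);
    char *cur = malloc(len + 1), *next = malloc(len + 1);
    int rc = (cur && next) ? 0 : -1;
    if (rc == 0)
        memcpy(cur, name, len + 1);
    for (; rc == 0 && len > 0; len--) {
        memset(next, '0', len);
        next[len] = '\0';
        /* Assumption of this example: skip a length whose name is taken.
         * The check-then-rename is racy if others write to the directory. */
        if (strcmp(cur, next) == 0 || faccessat(dfd, next, F_OK, 0) == 0)
            continue;
        if (renameat(dfd, cur, dfd, next) != 0 || fsync(dfd) != 0)
            rc = -1;
        else
            strcpy(cur, next);
    }
    /* Remove the last (shortest) name and flush the directory once more. */
    if (rc == 0 && (unlinkat(dfd, cur, 0) != 0 || fsync(dfd) != 0))
        rc = -1;
    free(cur);
    free(next);
    close(dfd);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s DIRECTORY FILENAME\n", argv[0]);
        return 2;
    }
    return hide_and_unlink(argv[1], argv[2]) == 0 ? 0 : 1;
}
```

Running the report's test case with this in place of the name handling and then inspecting the image with fls is the way to confirm the result on a given filesystem.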

