An ounce of prevention is worth a pound of cure

Some users believe that once you delete a file it is gone. The reality is much more complicated.

In the old days of FAT, deleting a file simply replaced the first byte of the file name with 0xE5 and marked its storage as free; as a result, undoing the deletion was easy (an undelete command was part of DOS). Today, recovering a deleted file is much more complicated, so the UI usually provides some kind of recycle bin to make the user think twice before deleting important information.

While in most cases users are sorry that they have mistakenly deleted something and cannot recover it, for professional paranoids it is far more important that whatever is deleted cannot be recovered by an adversary.

Secure deletion may seem simple: just overwrite the contents of the file with junk data. This strategy works for simple file systems (e.g., FAT), but more advanced ones improve file integrity by writing a new version of the file data instead of overwriting the previous copy (log-structured file systems), so the old data stays on the medium. Even with FAT, the underlying “disk” may be flash memory that relocates “disk sectors” for wear-leveling, so the overwrite may not land on the cells that hold the original data.

Smartphones contain a lot of confidential information, so this new research paper is worth reading (PDF):

We address the problem of secure data deletion on log-structured file systems. We focus on the YAFFS file system, widely used on Android smartphones. We show that these systems provide no temporal guarantees on data deletion and that deleted data still persists for nearly 44 hours with average phone use and indefinitely if the phone is not used after the deletion. Furthermore, we show that file overwriting and encryption, methods commonly used for secure deletion on block-structured file systems, do not ensure data deletion in log-structured file systems.

We propose three mechanisms for secure deletion on log-structured file systems. Purging is a user-level mechanism that guarantees secure deletion at the cost of negligible device wear. Ballooning is a user-level mechanism that runs continuously and gives probabilistic improvements to secure deletion. Zero overwriting is a kernel-level mechanism that guarantees immediate secure deletion without device wear. We implement these mechanisms on Nexus One smartphones and show that they succeed in secure deletion and neither prohibitively reduce the longevity of the flash memory nor noticeably reduce the device’s battery lifetime. These techniques provide mobile phone users more confidence that data they delete from their phones are indeed deleted.

On the other hand, an ounce of prevention is worth a pound of cure: instead of trying to delete the confidential information, it may be wiser not to store plain-text (i.e., unencrypted) data at all. If all your data is encrypted, then securely deleting it only requires forgetting the key.
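As an added illustration (not code from the original post or from the paper), the following toy Python model contrasts the two approaches on an append-only store that never modifies data in place, the way a log-structured file system on flash behaves. The store, the SHA-256-based stream cipher and the "notes.txt"/"PIN=1234" sample are all constructed stand-ins for demonstration only.

```python
import hashlib
import os
import secrets

class LogStructuredStore:
    """Toy append-only store (constructed for illustration): every write
    appends a new record and nothing is modified in place, like YAFFS on flash."""
    def __init__(self):
        self.log = []  # (name, data) records, oldest first

    def write(self, name, data):
        self.log.append((name, bytes(data)))

    def read(self, name):
        for n, d in reversed(self.log):  # the newest record wins
            if n == name:
                return d
        return None

    def forensic_scan(self, needle):
        """What someone with raw access to the medium can find: every old copy."""
        return any(needle in d for _, d in self.log)

def keystream_xor(key, data):
    """Toy CTR-style stream cipher built on SHA-256 (demo only, not for production).
    XOR is its own inverse, so the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def overwrite_delete(store, name):
    """'Secure delete' by overwriting with junk: on a log-structured store this
    only appends a record; the original plaintext record is still in the log."""
    store.write(name, os.urandom(len(store.read(name))))

def crypto_erase(keyring, name):
    """Delete by forgetting the key: the ciphertext left in the log is useless."""
    del keyring[name]

def demo(secret=b"PIN=1234"):
    """Returns (plaintext found after overwrite, plaintext found after crypto-erase)."""
    plain_store = LogStructuredStore()
    plain_store.write("notes.txt", secret)
    overwrite_delete(plain_store, "notes.txt")
    enc_store, keyring = LogStructuredStore(), {"notes.txt": secrets.token_bytes(32)}
    enc_store.write("notes.txt", keystream_xor(keyring["notes.txt"], secret))
    crypto_erase(keyring, "notes.txt")
    return plain_store.forensic_scan(secret), enc_store.forensic_scan(secret)
```

Running demo() returns (True, False): the overwritten plaintext is still recoverable from the log, while after crypto-erase only unreadable ciphertext remains.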
