
differences between deletion


19 replies to this topic

#1 vickyDSA


Posted 31 March 2015 - 12:56 PM

Hey guys,

I recently stepped over security matters and some programs which you guys appear to use for cleaning other people's PCs.

Now I've read somewhere that you HAVE TO use such programs; although obviously you could remove the files manually, it wouldn't be safe to do at all... but this is where they stopped - they didn't write why these programs - or a non-manual deletion - are so important.

Or whatever would be wrong with just deleting the files manually... where's the difference???

Anyone?

Vicky





#2 Sintharius


Posted 31 March 2015 - 01:30 PM

Hello there,

When you delete a file (by selecting it and choosing "Delete"), Windows only removes the reference to the file - the actual contents are still on the hard disk. This makes it possible to retrieve the contents via data recovery tools.

On the other hand, using secure delete programs will permanently erase files by overwriting the contents on the disk with zeroes, making them impossible to recover.

Hope this helps :)

Regards,
Alex

#3 Aura


Posted 31 March 2015 - 02:15 PM

Hi vicky,

You mention "programs you guys use" in your post but never mention which ones exactly. Is it possible to have an example or a list of the ones you're thinking of?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#4 vickyDSA


Posted 31 March 2015 - 03:29 PM

> When you delete a file (by selecting it and choosing "Delete"), Windows only removes the reference to the file - the actual contents are still on the hard disk. This makes it possible to retrieve the contents via data recovery tools.
>
> On the other hand, using secure delete programs will permanently erase files by overwriting the contents on the disk with zeroes, making them impossible to recover.

Thanks, that already explains something :)))

Do you speak of the reference in the Windows registry to that file?

I'm just reading here and there some threads here since I had a problem with my laptop. Before, I wasn't really aware of this forum :D

@Aura OTL I think it's called



#5 Aura


Posted 31 March 2015 - 03:47 PM

So you want to know why the malware removal helpers use powerful scripting removal tools like OTL, ComboFix, FRST, etc. to remove malware, right? I would say mostly because it's more efficient. It allows you to have an overall look at a system to detect an infection and also you can do a "clean" removal, removing entries and files precisely without worrying too much about breaking anything on the system (there are still risks, but anyway). I guess that a member of the MRT here can give a better explanation than me :P



#6 quietman7


Posted 31 March 2015 - 04:20 PM

> OTL I think it's called

Tools like DDS, FRST, OTL, Zoek and RSIT provide comprehensive logs with specific details about areas of a computer's system, files, folders and registry keys which may have been modified by malware infection. Unless you know how to read and analyze logs from DDS, FRST, OTL, Zoek or RSIT there's no point in downloading and using them. If those tools are needed for a malware infection you should seek assistance from an expert who will advise you accordingly. These are powerful tools which rely on trained experts to interpret the log entries, determine what needs to be fixed and plan a strategy for disinfection. Using such tools requires advanced knowledge about the Windows Operating System and can cause system damage if used incorrectly. If you do not have advanced knowledge about computers or training in the use of these tools, you should NOT attempt to use them or fix anything without consulting an expert as to what to fix.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#7 vickyDSA


Posted 31 March 2015 - 04:45 PM

OK, so is there any reason at all why one would delete a file manually rather than getting this done by a program?

Because this all sounds like there is no advantage in it.

Good night :)


Edited by vickyDSA, 31 March 2015 - 04:46 PM.


#8 quietman7


Posted 31 March 2015 - 04:49 PM

It depends on the file. If it is malicious, it could be protected from manual deletion by other malware and more powerful methods would be necessary.

#9 Aura


Posted 31 March 2015 - 04:50 PM

It's because the tools used here use methods of secure deletion that will allow the file or entry to be deleted without being stopped by things such as Admin Rights or Ownership issues. Hence why they are more suited to deleting malicious entries than deleting them manually, where you have a chance to encounter these issues.



#10 Didier Stevens


Posted 31 March 2015 - 05:14 PM

> OK, so is there any reason at all why one would delete a file manually rather than getting this done by a program?

There is one advantage: if you do a simple delete, the file is moved to the recycle bin. So if you make a mistake (the file was essential, deleting it was a mistake), restoring it is simple.


Edited by Didier Stevens, 31 March 2015 - 05:15 PM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.


Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#11 rp88


Posted 31 March 2015 - 06:16 PM

I would suggest there are 6 "levels" of deletion:

1. You delete the file from the folder but it's still in the recycle bin, these can be recovered by most people within seconds.

2. You delete the file from the folder and then from the recycle bin, there is a high chance that it can be found using commercially and freely available data recovery programs if someone decides to try and look for it within a few days of deletion.

3. You securely delete the file with a secure deletion program, this should have overwritten its "space" on your hard drive with random junk or all 1s or all 0s, the file is effectively irrecoverable BUT temporary copies of it may still be recoverable using data recovery programs to search through free space of the drive. Temporary copies are made when files are copied between locations, written to CDs or DVDs, extracted from zip archives. There is also a chance that older versions of the deleted file might be lying around on the hard drive.

4. You securely delete the file and wipe free space, or do 2 and then wipe free space. The file is effectively gone forever, as are any temporary or older copies. There is a chance that the most advanced data recovery programs with the most skilled of users could recover these, perhaps from copies or references to them stored in files of the operating system, but it's only a chance.

5. You delete the file, wipe free space, then fully erase everything on the hard drive, before finally reinstalling the operating system. The file is effectively gone forever, there is a small chance of there being something left, but this is good enough for all but the most damaging of secrets being hunted by the most determined of snoopers.

6. You securely delete the data, wipe the free space on the drive, then wipe everything else on the drive, then physically destroy it and ensure the pieces of it (and probably of the computer it was in) are all ruined far beyond ever being useful again, burn them with fire, drown them in water, expose them to the strong magnetic fields (like around an NMR/MRI machine). No-one, no corporation, no nation, would ever be able to recover data disposed of like this, unless of course there were remnants left on another device which wasn't destroyed, or it had been captured and copied by an eavesdropper if it was ever transferred between computers.

What you do for data depends on the secrecy of the data, and how likely you think people are to be trying to find it.

If you're not even sure you want it gone (1) is enough, but that won't give you the extra free space that (2) would.

If it isn't a secret that needs to be deeply secret then (2) is enough, as long as no-one is looking for it.

If it's something fairly secret (like any of your financial data) then (3) should be done, and at least (4) should be done before thinking of selling or throwing away the machine. For routine preventions against loss or theft of a device (3) is often enough, unless it's had a lot of financial info on it, as a note it's a good idea to at least keep all your financial stuff within an encrypted 7z archive ( http://www.bleepingcomputer.com/download/7-zip-for-windows/ ). Having these encrypted archives means any thief would be unable to get at the main copies of secret data, he could try and find deleted copies and temporary copies but (3) is enough for normal protection.

If you are getting rid of a computer (4) should be done if it's ever had anything reasonably private on it, maybe even (5) if you think there is something really personal which might have somehow been stored in other places than the file.

(6) is what militaries and governments do when they've finished with computers in their more sensitive branches, if something on your computer is secret enough that it needs (6) then you have a problem because it might be stored in other places too, like your ISP's records, or somehow it accidentally got onto a removable device.

Edited by rp88, 31 March 2015 - 06:20 PM.

Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB
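
The gap described in level 3 of the post above, shown as an added example that is not part of any post in this thread: the original file is overwritten with zeros and unlinked, yet a stray copy elsewhere still matches its hash. File names and contents are constructed for the demonstration, and on SSDs or copy-on-write file systems an in-place overwrite is not guaranteed to reach the original blocks.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Return the SHA-256 hex digest of a file's contents."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def overwrite_and_delete(path):
    """Overwrite a file in place with zeros, force it to disk, then unlink it."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        f.write(b"\x00" * size)
        f.flush()
        os.fsync(f.fileno())  # push the zeros past the OS cache before unlinking
    os.remove(path)


def find_copies(root, digest):
    """List files under root whose content still matches the given digest."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if sha256_of(full) == digest:
                hits.append(full)
    return sorted(hits)


def demo():
    """Constructed scenario: one file, one stray temporary copy, one secure delete."""
    root = tempfile.mkdtemp(prefix="wipe_demo_")
    try:
        original = os.path.join(root, "statement.txt")  # constructed sample file
        with open(original, "wb") as f:
            f.write(b"constructed sample: account 0000, balance 42\n")
        os.mkdir(os.path.join(root, "tmp"))
        stray = os.path.join(root, "tmp", "statement.txt.bak")
        shutil.copyfile(original, stray)  # stands in for a copy/extract temp file
        digest = sha256_of(original)
        overwrite_and_delete(original)
        leftovers = [os.path.relpath(p, root) for p in find_copies(root, digest)]
        return os.path.exists(original), leftovers
    finally:
        shutil.rmtree(root)
```

`demo()` returns whether the original still exists and which files under the same directory still carry its content; only wiping those copies as well (level 4 in the post) closes the gap.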

#12 Aura


Posted 31 March 2015 - 06:46 PM

Rp, the question here isn't really about how to delete files in a way where they can't be removed, but how do malware removal tools used by the MRT here use deletion methods that are more conventional than the manual deletion of a file :P



#13 quietman7


Posted 01 April 2015 - 04:55 AM

Specific discussions about most MRT tools...how they work, the routines they perform, what they can or cannot do, what the log results mean, etc, are only available in private discussion areas not intended for the general public to read.

This is intentional in order to safeguard and protect the integrity of our tools from malware writers. They read public forum topics looking for clues (knowledge) on how to circumvent our tools and removal techniques. We don't want to provide any information they can use against us so we deliberately do not provide specific information on the specific inner workings of our tools and how we use them in areas where attackers can see that information. As such, our discussion in public areas is limited and sometimes may appear vague or not fully address a specific question so it should not be taken personally.

#14 rp88


Posted 01 April 2015 - 05:51 AM

Sorry, I interpreted the original post as being about secure deletion tools and that the poster wanted to understand if and when they are needed. I thought he was asking in the context of "is my sensitive information safe if I just delete it" rather than the context of "X won't delete, what can I do". Secure deletion tools usually exist for that former purpose rather than the latter.

Edited by rp88, 01 April 2015 - 05:52 AM.


#15 quietman7


Posted 02 April 2015 - 04:48 AM

Misinterpretation happens from time to time. When in doubt ask for clarification.