[ Thanks to LinuxSecurity Contributors for
this link. ]
“It is common knowledge that what is deleted from the computer
can sometimes be brought back. Recent analysis of security
implications of “alternative datastreams” on Windows NT by Kurt
Seifried has shown that Windows NTFS filesystem allows data hiding
in “alternative datastreams” connected to files. These datastreams
are not destroyed by many file wiping utilities that promise
irrecoverable removal of information. Wiping the file means
‘securely’ deleting it from disk (unlike the usual removal of file
entries from directories), so that file restoration becomes
extremely expensive or impossible.

“Some overview of what remains on disk after file deletion, how
it can be discovered and how such discovery can be prevented is
provided in Secure Deletion of Data from Magnetic and Solid-State
Memory by Peter Gutmann. The author recommends overwriting files
multiple times with special patterns. Against casual adversaries,
simply overwriting the file with zeros once will help.

“Linux has no alternative data streams, but files removed using
/bin/rm still remain on the disk. Most Linux systems use the ext2
filesystem (or its journaling version, ext3 by Red Hat). A casual
look at the design of the ext2 filesystem shows several places
where data can be hidden…”
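
The single zero pass the excerpt mentions for casual adversaries, as an added example that is not part of the quoted article: the file's blocks are overwritten in place and flushed to disk before the directory entry is removed, which is the step /bin/rm skips. It assumes a filesystem that rewrites blocks in place, as ext2 does; the function name `zero_overwrite` is hypothetical.

```python
import os
import stat

CHUNK = 1 << 20  # write zeros in 1 MiB pieces


def zero_overwrite(path, unlink=True):
    """Overwrite a regular file in place with zeros, then optionally remove it.

    Returns the number of bytes overwritten.
    """
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        # Refuse symlinks, devices and directories: writing through them
        # would overwrite some object other than the one named.
        raise ValueError(f"{path!r} is not a regular file")

    zeros = bytes(CHUNK)
    remaining = st.st_size
    # No O_TRUNC: truncating first would release the blocks with the old
    # bytes still in them, the same residue that plain rm leaves behind.
    fd = os.open(path, os.O_WRONLY | os.O_NOFOLLOW)
    try:
        while remaining > 0:
            written = os.write(fd, zeros[:min(CHUNK, remaining)])
            remaining -= written
        os.fsync(fd)  # force the zeros out of the page cache to the device
    finally:
        os.close(fd)

    if unlink:
        os.unlink(path)
    return st.st_size


if __name__ == "__main__":
    import tempfile

    # Constructed sample file, created only for this demonstration.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"constructed sample secret\n" * 100)
    print(zero_overwrite(tmp.name), "bytes zeroed; removed:",
          not os.path.exists(tmp.name))
```
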