How to quickly and reliably delete files and wipe an HDD / SSD before a search

As has been discussed many times, under current conditions almost any resident of Belarus or Russia is at risk of imprisonment. Anyone can become the subject of an anonymous denunciation, for example about financing extremists… Law enforcement agencies then organize a search of the suspect's apartment in the presence of attesting witnesses, forcing the front door if necessary. All computers and mobile devices are seized for examination.

Naturally, plenty of evidence is found in the apartment, enough to charge the citizen under several articles at once.

In such conditions it is extremely important to reliably erase all information from drives and mobile devices before a search, so that the attacker does not gain access to your contacts, social network accounts and messengers. Otherwise you will expose your comrades and hand the investigation additional evidence.

Margin of time

One of the main tasks is to secure at least a small margin of time before the attacker gains access to the contents of your drives.

That margin is needed to carry out the necessary actions, that is, to start the processes that destroy the information on the media.

A backup power source, an uninterruptible power supply (UPS), should be provided for every computer. It lets you finish everything necessary if the attacker cuts the power.

An early warning system can be organized in various ways:

  • like-minded people in law enforcement agencies who have access to information about the opening of new criminal cases and the conduct of operational-search measures (as practice shows, this is one of the most effective methods of early warning: hundreds of civilians managed to evacuate in time shortly before hostile actions by the security forces);
  • outdoor surveillance cameras at the entrance to the courtyard, the entrance to the staircase and the door of the apartment. Modern home video surveillance systems sometimes give residents accounts with access to the video stream. The shared surveillance system can be supplemented with your own cameras on your floor. It is convenient to set up remote access so that the picture can be watched from a mobile phone;
  • reinforced doors and windows.

Backups

Backups are recommended for all users, but in this case they are an absolute necessity.

In our case the classic 3-2-1 backup scheme has to be adjusted slightly so that no backups remain at the main place of residence. Backups can be kept in cloud storage, on remote hosting, or on your own backup server physically distant from your main base.

Access to the backups must be impossible for an intruder who knows the password and has gained access to your computer and mobile devices. In practice this also means no cached sessions or saved credentials for the backup storage on any device that can be seized. One option is two-factor authentication with a device that, for objective reasons, cannot be seized by the attacker (for example, it is physically kept in a safe deposit box at a foreign bank). Another is access under Shamir's secret sharing scheme, with the mandatory participation of several trusted parties.

Wiping the drives

Linux

SSD

Cryptographic erase (ATA Sanitize Crypto Scramble, NVMe Sanitize Crypto Erase or Format NVM with Secure Erase Setting 2, usually labelled Secure Erase or Crypto Erase in firmware menus) wipes an ATA / NVMe SSD in seconds. It works only on a self-encrypting drive: the drive discards the key with which it transparently encrypts everything written to it, so every block on the flash becomes meaningless ciphertext. A drive that does not encrypt internally reports the crypto-scramble command as unsupported, and you need one of the physical methods below.

Given a large margin of time, use the physical methods instead: ATA / NVMe Sanitize Block Erase, where the drive erases every flash block including the over-provisioned and remapped areas invisible to the host, or ATA / NVMe Sanitize Overwrite, which writes multiple passes over every block. These are much slower, but they physically destroy the data rather than only the key. Sanitize runs inside the drive firmware and, once started, continues even if the host is reset or powered off.

Unfortunately there is no single convenient open source front-end for these operations, so you either use what the manufacturer provides (the Secure Erase or Sanitize option in the BIOS / UEFI, or the vendor's own utility) or the command-line tools hdparm (ATA) and nvme-cli (NVMe). Both are free and open source and ship with every Linux distribution; the commercial Parted Magic live image simply bundles them behind a GUI.

The simplest option is to reinstall the OS, reformatting the disk with full disk encryption. Note that encrypting a disk that previously held plaintext does not by itself overwrite that plaintext: sectors are rewritten only as the encrypted system writes to them. Fill the whole device first (for example, write /dev/urandom over it, or zero the mapped LUKS device after creating it) before treating the old contents as gone.

In general the procedure is as follows: check the BIOS / UEFI for a Secure Erase or Sanitize option. If there is one, use it. Laptop vendors document the procedure for erasing a drive from the BIOS for their various models on their official websites.

If there is no such option, you can buy the Parted Magic image (or download it from torrents; the latest version in the official store is parted_magic_2021_05.12.iso) and write it to a bootable USB flash drive or DVD with Rufus (Windows) or Etcher (macOS).

Parted Magic provides a simple and convenient interface for erasing HDDs and SSDs.

Bear in mind that these options erase an entire physical disk, not individual directories or logical volumes.

For external (and any other non-system) drives under Linux, you can discard every block of the device with blkdiscard:

$ blkdiscard /dev/sdX

Replace sdX with the real device; the command is irreversible. Note that a plain discard does not zero anything: it only tells the drive the blocks are unneeded, and on many SSDs the data stays readable until garbage collection runs. Prefer the secure-discard variant (the -s option) if the drive supports it, or the -z option, which zero-fills the device instead of discarding.

If the drive or controller does not support discard, the remaining option is to recreate full-disk encryption from scratch (LUKS or VeraCrypt), filling the new container completely so that every sector is actually overwritten.

A less secure way is to delete the files and overwrite the freed sectors with pseudo-random data, for example with BleachBit or, from the command line, with the secure-delete package:

$ sudo apt-get install secure-delete

This is a set of four tools: srm to securely delete files, sfill to overwrite the free space on a filesystem, sswap for swap partitions and sdmem for RAM.

$ srm private/*

$ sfill /home/username

These programs are convenient to put into bash scripts for deleting private directories remotely. Bear in mind that overwriting in place is unreliable on SSDs (wear levelling writes the new data to different flash cells) and on journaling or copy-on-write filesystems, which may keep the old blocks; on such systems only whole-drive methods can be trusted.

HDD

For the system / internal HDD the procedure is the same: check the BIOS for the Secure Erase or Sanitize options. If they are absent, reinstall the OS with encryption of the entire disk.

Since the second option is very slow, you can instead boot a live image such as System Rescue CD, Darik's Boot And Nuke (DBAN) or ShredOS, which overwrite the whole disk. For an HDD a single overwrite pass is sufficient against software recovery; extra passes mainly cost time.

Windows

As usual, the simplest and most reliable solution is to check the BIOS / UEFI for a Secure Erase or Sanitize option. If there is none, look for the drive manufacturer's own utilities for erasing HDDs and SSDs.

Failing that, the boot images remain: System Rescue CD, Darik's Boot And Nuke (DBAN) and ShredOS, as well as the slowest method, reinstalling Windows and re-encrypting the entire disk (VeraCrypt or BitLocker).

An alternative (less safe) way is to delete files and overwrite the sectors several times with random data using programs like BleachBit and PrivaZer… For SSDs, as a last resort, you can run Defrag in Optimize mode, which sends TRIM for the free space; like a plain discard, this only marks blocks as unused and relies on the drive to erase them later.

Deleting individual files is done with the same tools, but it is unreliable, because traces of a file remain elsewhere in the system: in caches, swap, search indexes, shadow copies and so on. It is safer to wipe entire drives.

Temporary evacuation

If the margin of time is sufficient, then it is possible not only to delete all information, but also to temporarily evacuate to a safe area. In practice, there are two options:

  • evacuation abroad;
  • evacuation to the village.

In the first case, it is better to choose countries where it will be harder for the security forces to reach you.

In the second case, additional precautions are needed: a new SIM card, a new digital identity, giving up cashless payments, etc. For details see “Virtual identities, anonymity, disposable SIM cards: a harsh reality in the world of total surveillance” and “A practical guide to online anonymity”.

As for internal emigration, you can rent a house in a village through classified ads and pay the owner in cash. It is advisable to get there by hitchhiking or taxi, pay in cash, and get out a few kilometres from the destination.

During the evacuation your wife, relatives and acquaintances can help with everyday matters, but it is better not to involve them and not to share any information about your plans, whereabouts, etc. (for their own good). Of course, this applies only to internal emigration. If you go abroad, even to the nearest countries (Ukraine, Lithuania, Poland), you can feel relatively safe, communicate openly with relatives and colleagues, take part in Zoom conferences, work officially, receive a salary and so on; in general, live a normal life. In this sense leaving the country seems preferable to emigrating to the countryside, where strict rules of secrecy have to be observed.

As the experience of Belarus shows, the choice between the two options usually depends on the expected punishment: administrative arrest or imprisonment. In the first case it is easier to hide in a village for several months; in the second, to go abroad temporarily.

“Red button”

For emergencies, special mobile applications such as “Red button” have been developed… The idea is that in case of danger a person discreetly presses a button on the phone, for example in a pocket, unnoticed by others.

So far the functionality of such applications is very limited: they only send SMS and push notifications with GPS coordinates to a contact list. Specifically for Belarus we implemented a “Delayed start” function, because the security forces there often detain citizens brutally and immediately take away the phone, and also cut mobile Internet during protests, so it becomes impossible to press the “Red button”. Before going to a protest, the person sets a timer. If the time expires and the timer has not been cancelled, the user is considered detained and their data is sent automatically to human rights defenders.

I would like to extend the functionality of these applications. For example, immediately after sending the notifications, erase all data from the phone (factory reset). Since detainees always tell law enforcement officers their PIN code, only real deletion of information is effective, although this may arouse suspicion among law enforcement. Ideally, then, the real contents of the system should be replaced with innocuous files.

In addition, I would like to implement SSH access to a remote server, so that pressing the “red button” automatically triggers a bash script on the server that deletes the information from its drives, because after a citizen is arrested with a mobile phone there is a high likelihood of a search at his house. Perhaps this can be done with other existing applications, by binding a remote script launch over SSH to the smartphone's side button.
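The wipe procedure from the Linux section (firmware sanitize or secure erase where supported, otherwise blkdiscard, otherwise overwriting) and the SSH-triggered remote wipe wished for in the paragraph above fit in one script. The following is an added example written for this article, not code from the original post or from the “Red button” application. It assumes hdparm, nvme-cli, util-linux and GNU coreutils on the machine to be wiped and uses the command-line flags as documented in those tools' man pages; check them against your installed versions (blkdiscard -f needs util-linux 2.36 or newer, and newer nvme-cli releases may demand a --force flag for sanitize as they do for format). The authorized_keys line, key name, host name and script path in the header comment are placeholders. Methods are tried fastest first: a cryptographic erase takes seconds, a block erase minutes, an overwrite hours.

```shell
#!/bin/sh
# panic-wipe.sh: erase one drive with the fastest method its hardware supports,
# falling back to weaker software methods. Added example for this article, not
# code from the original post. Assumed tools: hdparm, nvme-cli ("nvme"),
# util-linux blkdiscard/lsblk/blockdev, GNU coreutils dd/stat. Run as root.
# DANGER: irreversible. Usage: panic-wipe.sh /dev/nvme0n1 [/dev/sdb ...]
#
# Remote trigger for the "red button": on the machine to be wiped, install a
# dedicated key restricted to this single command (OpenSSH 7.2+ "restrict"),
# e.g. in /root/.ssh/authorized_keys (key material and paths are placeholders):
#   restrict,command="/usr/local/sbin/panic-wipe.sh /dev/nvme0n1" ssh-ed25519 AAAA... redbutton
# The phone then only has to run:  ssh -i redbutton_key root@home-machine
set -u

log() { printf 'panic-wipe: %s\n' "$*" >&2; }

# Size in bytes. Regular files are accepted so the software path can be
# tested without touching real hardware.
dev_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else stat -c %s "$1"; fi
}

# Release the device: flush caches, turn off swap, unmount every partition.
release_device() {
    sync
    for p in $(lsblk -nrpo NAME "$1" 2>/dev/null); do
        swapoff "$p" 2>/dev/null || true
        umount -f "$p" 2>/dev/null || true
    done
}

# NVMe: Sanitize crypto erase (--sanact=4) is instant on self-encrypting drives;
# block erase (--sanact=2) is slower but physically erases every cell, including
# over-provisioned ones. Both keep running inside the drive across a power
# cycle (progress: nvme sanitize-log). Format NVM with SES=2/1 is the older
# equivalent. Sanitize is a controller command, so /dev/nvme0n1 -> /dev/nvme0.
nvme_erase() {
    ctrl=${1%n[0-9]*}
    nvme sanitize "$ctrl" --sanact=4 >/dev/null 2>&1 </dev/null ||
    nvme sanitize "$ctrl" --sanact=2 >/dev/null 2>&1 </dev/null ||
    nvme format "$1" --ses=2 --force >/dev/null 2>&1 </dev/null ||
    nvme format "$1" --ses=1 --force >/dev/null 2>&1 </dev/null
}

# ATA: Sanitize first (asynchronous, survives power loss; check with
# hdparm --sanitize-status), then the legacy SECURITY ERASE UNIT, which needs a
# password set and runs synchronously (minutes on SSD, hours on HDD). A drive
# the BIOS has "frozen" refuses both; a suspend/resume cycle usually unfreezes it.
ata_erase() {
    hdparm --yes-i-know-what-i-am-doing --sanitize-crypto-scramble "$1" >/dev/null 2>&1 ||
    hdparm --yes-i-know-what-i-am-doing --sanitize-block-erase "$1" >/dev/null 2>&1 ||
    { hdparm --user-master u --security-set-pass NULL "$1" >/dev/null 2>&1 &&
      hdparm --user-master u --security-erase NULL "$1" >/dev/null 2>&1; }
}

# Discard every block. Secure discard (-s) asks the drive to really erase;
# plain discard only marks blocks unused and data may linger until garbage
# collection. -f (util-linux >= 2.36) overrides the "device in use" refusal.
discard_all() {
    blkdiscard -f -s "$1" 2>/dev/null || blkdiscard -f "$1" 2>/dev/null
}

# Last resort: overwrite every byte with random data. One pass is enough for an
# HDD; on an SSD wear levelling leaves remapped cells untouched, so the caller
# is told this weakest method was used.
overwrite_random() {
    size=$(dev_size "$1")
    dd if=/dev/urandom of="$1" bs=4096 count=$((size / 4096)) \
       conv=notrunc,fsync status=none 2>/dev/null
}

# Try methods from strongest/fastest to weakest; print the one that worked.
wipe_device() {
    dev=$1
    [ -e "$dev" ] || { log "no such device: $dev"; return 2; }
    if [ -b "$dev" ]; then
        release_device "$dev"
        case $dev in
            /dev/nvme*) nvme_erase "$dev" && { echo nvme-erase; return 0; } ;;
            *)          ata_erase "$dev"  && { echo ata-erase;  return 0; } ;;
        esac
        discard_all "$dev" && { echo blkdiscard; return 0; }
    fi
    if overwrite_random "$dev"; then echo overwrite; return 0; fi
    log "every method failed for $dev"
    return 1
}

if [ $# -gt 0 ]; then
    for d in "$@"; do
        m=$(wipe_device "$d") && log "$d wiped via $m"
    done
fi
```

Running it against a regular file exercises only the overwrite path, which is the safe way to test the script; against /dev/sda or /dev/nvme0n1 it is destructive and will take down the running system if that is the boot disk, which is exactly the point when the red button is pressed. The script prints the method that succeeded, so the remote caller can tell whether the drive was erased by its own firmware or merely overwritten.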

PS Comments and additions to the article are welcome. Protecting privacy in a situation of legal default is our common cause.
