One Big File Is Not Enough: A Critical Evaluation of the Dominant Free-Space Sanitization Technique

  • Simson L. Garfinkel
  • David J. Malan
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4258)


Many of today’s privacy-preserving tools create a big file that fills up a hard drive or USB storage device in an effort to overwrite all of the “deleted files” that the media contain. But while this technique is widespread, it is largely unvalidated.

We evaluate the effectiveness of the “big file technique” using sector-by-sector disk imaging on file systems running under Windows, Mac OS, Linux, and FreeBSD. We find the big file is effective in overwriting file data on FAT32, NTFS, and HFS, but not on Ext2fs, Ext3fs, or Reiserfs. In one case, a total of 248 individual files consisting of 1.75MB of disk space could be recovered in their entirety. Also, file metadata such as filenames are rarely overwritten. We present a theoretical analysis of the file sanitization problem and evaluate the effectiveness of a commercial implementation that implements an improved strategy.


Keywords (added by machine, not by the authors): Free List, Digital Forensic, National Security Agency, Root Directory, Forensic Tool





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Simson L. Garfinkel (1)
  • David J. Malan (2)
  1. Center for Research on Computation and Society, Harvard University
  2. Division of Engineering and Applied Sciences, Harvard University
