WHonix and LUKS

tomorrow · January 17, 2016, 7:01am

Hello, I have my OS, but i want to format it to install another Linux distribution, with Whonix.
My question is if with LUCKS and the dm-crypt command all the previuos byte on the hard disk would be erased.
After have been erasing the sistem with dm-crypt and LUCKS, could anyone read the previus data/logs, of the previous installed sistem with forensic tools?

Ego · January 17, 2016, 9:46am

Good day,

whether everything will be erased depends on whether you choose full disk encryption or only one specific partition. Only FDE is recommended because it, as the name suggests, encrypts the entire disk.

Furthermore, it is hardly possible that logs aren’t erased as, the encryption can only work on a completely empty drive.

Have a nice day,

Ego

Patrick · January 17, 2016, 6:10pm

Two things that could go into the way.

http://www.infosecisland.com/blogview/12153-Data-Remains-on-USB-and-SSDs-After-Secure-Erase.html

tomorrow · January 17, 2016, 10:57pm

Realy intersting and scientific article.
I have understood that the modern PC, especially the laptops, have SSD drive as hard disks, in order to be faster.
And SSDs store the the data in multiple copies of its internal device.
So you wipe the hard disk, but the data on the SSD are not erased or subsitueted by random byte.
But if i am not wrong the article reffered itself only to the modern pc or MAC OXS
@Ego: The article that Patrick posted seems to say that some data always will remain on the SSD, so dm-crypt and LUCKS is not the tool that could erase the disk and substitute it with randome bytes?

Patrick · January 17, 2016, 11:07pm

tom:

But if i am not wrong the article reffered itselfonly to the modern pc or MAC OXS

No. To any operating system. Because the storage logic is up to the hard
drive.

Ego · January 19, 2016, 6:08am

Good day,

Sorry, but aren’t such “leftovers” solved by the “anti forensic splitter” used in LUKS, as to this: http://tomb.dyne.org/Luks_on_disk_format.pdf ?

Such a splitter does the following:

The information is bloated in such a way, that a single missing bit causes the original information become unrecoverable.

Source: http://clemens.endorphin.org/AFsplitter

Have a nice day,

Ego

Hiberts · January 19, 2016, 11:37am

@Ego what do you mean with “the encryption can only work on a completely empty drive” ?
If I make two or more partitions, are there problems ? With my FDE I did this : /boot on USB pendrive and three partitions on the HDD that contain OS and other data .

@tomorrow LUKS is the encryption method, you can erase the HDD with shred -6 -uvz or other methods, but each HDD could have its recovery method/tecnology .
Of course you can’t use the SSD or USB for security reason, the trick is to use these storages only with FDE, so when you delete the key from the USB the data are lost forever, at least I hope . In this case you should destroy the pendrive when you stored the key and then, for extreme security, also erase the SSD/USB storage .
In HDD case is almost the same but the problems are less .

Ego · January 19, 2016, 11:50am

Good day,

Sorry, meant partition, don’t know why I wrote drive.

Have a nice day,

Ego

Patrick · January 19, 2016, 4:17pm

Ego:

Patrick:

Two things that could go into the way.

Sorry, but aren’t such “leftovers” solved by the “anti forensic splitter” used in LUKS, as to this: http://tomb.dyne.org/Luks_on_disk_format.pdf ?

If there ever was encrypted data on the disk there is no way to reliably
get rid of it. Encryption will reduce most of it, but not reliably 100%.
Due to wear leveling.

tomorrow · January 22, 2016, 10:12am

So if i have an hard disk with an OS and i totally destroy/crypt it with LUCKS , the future data written on the hard disk will be encrypted, but the data stored in the Hard disk before the LUCKS criptage will be still recoverable?

NewNewbie · January 22, 2016, 10:52am

At least in theory, yes.

Even if it’s not an SSD or flash memory, rewritten data is theoretically supposed to be recoverable with the aid of an electron microscope. That’s not a serious concern with today’s technology unless your data is the specific target of a very powerful nation or organization. However, it may be in a future.

If you’re afraid of getting your hard drive stolen and can’t afford destroying it, there’s a function in SSD disks called “ATA secure erase” [1] that sends a small overfreight to the disk to restore its state to “0” (and consequently avoiding wear leveling). Do note however that as Patrick mentioned some manufracturers don’t correctly implement this feature on their disks. If it’s an ordinary mechanic drive, I’d suggest using some secure overwrite tool such as DBAN, or at least the Unix dd command (with /dev/random as input) many consecutive times.

[1] https://www.usenix.org/legacy/event/fast11/tech/full_papers/Wei.pdf