Keylogger

Xen list at xenhideout.nl
Sun Dec 3 09:03:37 UTC 2017


Ralf Mardorf wrote on 03-12-2017 9:31:

> HDD's firmware might copy and move data, so a simple shred command,
> even for a default mounted (not data) journaling ext file system remains
> to be an issue

The bigger concern is really user space programs that leave copies behind,
not HDD firmware, because not everyone is going to take a hard drive apart
to search for information.

But you are right that "shred" might not do the job.

It's just not for reasons of hardware.

> but indeed
> http://manpages.ubuntu.com/manpages/xenial/man1/sfill.1.html seemingly
> is working around this issue, but software that "shred"s data usually
> doesn't call sfill, too.

Well that's true, and I'm not saying that caution is unwarranted, but 
only real information can help people stay safe.

In this case:

* I once searched an ext4 filesystem for traces of a file that I wanted 
to recover. The search revealed dozens of copies of the file in various 
stages of development, apparently left behind by Vim.

* But in this case the log file of my keylogger exists in only one place 
so shredding it was actually sufficient.

It appears that Vim does a rename, write and then delete while saving 
the file, but I have not verified this yet.

Other programs like aescrypt and/or gzip may leave behind a copy of the 
original.

There are many programs that might do this.

So the way to really be safe is to run sfill like every week or so.

However on SSDs, "discard" may already make unused space unavailable.
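
Added example, not part of the original message: a Python sketch of the save pattern discussed above (write a new file, then rename it over the original), showing why overwriting a path only reaches the inode that path currently names. The hard link stands in for the freed blocks an earlier version would occupy on disk; the file names, helper functions and sample text are constructed for illustration, and `overwrite_path` is a simplified stand-in for shred, not its implementation.

```python
import os
import tempfile

SECRET = b"constructed sample: draft 1 of a sensitive note\n"

def save_in_place(path, data):
    """Rewrite the existing file: the path keeps pointing at the same inode."""
    with open(path, "r+b") as f:
        f.write(data)
        f.truncate()

def save_via_rename(path, data):
    """Write a new file beside the original, then rename it over the original."""
    tmp = path + ".new"
    with open(tmp, "wb") as f:
        f.write(data)
    os.replace(tmp, path)  # the old inode is unlinked here, not overwritten

def overwrite_path(path):
    """Simplified stand-in for shred: one pass of zeros over the current file."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        f.write(b"\0" * size)
        f.flush()
        os.fsync(f.fileno())

def old_version_survives(save):
    """Return (inode_changed, survived) after a save followed by an overwrite."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "note.txt")
        witness = os.path.join(d, "old-inode")
        with open(path, "wb") as f:
            f.write(SECRET)
        # Assumption: the hard link models old blocks that stay on disk after
        # the file is replaced; a real disk keeps them as unallocated space.
        os.link(path, witness)
        inode_before = os.stat(path).st_ino
        save(path, b"draft 2\n")
        overwrite_path(path)
        inode_changed = os.stat(path).st_ino != inode_before
        with open(witness, "rb") as f:
            survived = f.read() == SECRET
        return inode_changed, survived

if __name__ == "__main__":
    print("in place  :", old_version_survives(save_in_place))
    print("via rename:", old_version_survives(save_via_rename))
```

With the rename pattern the earlier draft is never touched by the overwrite, which is the case a free-space wipe such as sfill addresses.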




More information about the ubuntu-users mailing list