Question: Exfiltration of deleted data


Parkinsond
Thread author
Dec 6, 2023
Can infostealer recover deleted files and data (which were not securely erased by overwriting their original sectors) to be exfiltrated?
 
It's an interesting thought. While the tech to recover deleted files could theoretically be baked into malware, you have to look at it from the attacker's perspective.

For an infostealer author, it's just not worth the effort. Adding that kind of feature makes the malware more complex, which in turn makes it easier to detect. Why would they bother with that risk when there's so much valuable, easily accessible data to steal?

They're focusing their efforts on grabbing browser passwords, cookies, and crypto wallets.

So, while it's not impossible, seeing an infostealer that recovers deleted files isn't a common or realistic threat.
 
So I do not have to securely erase files with classified data if I want to delete after use?
 
So I do not have to securely erase files with classified data if I want to delete after use?
Never confuse the behavior of common malware with the capabilities of a dedicated, sophisticated adversary. If you are handling data that is classified or sensitive in any way, you have a professional and ethical obligation to ensure its complete and permanent destruction after use. Standard deletion is not an option.
 
So I do not have to securely erase files with classified data if I want to delete after use?
What Divegent said is the way to go. While malware is rarely designed to recover deleted files, computer forensics or malicious criminals have tools to do such a thing if they have access to your PC. But there's rarely a case where you'll need Gutmann's algorithm or similar nowadays. Usually one pass is okay, three passes if you wanna have peace of mind.
 
I would assume that using a separate surfing account would suffice for protection against ordinary infostealers. They wouldn't be able to pass over to another account, which MS regards as a security boundary.

Dedicated adversaries are a different story.
 
At this moment 1 pass with zeros or random data is enough to make data unrecoverable. As RoboMan said, a Gutmann wipe or 35 passes is not needed. Now this is our current understanding; as you know, as the years go on, technology and new attacks come about and our knowledge about computers changes. But I don't think ordinary malware would look for deleted files; if the pros can't recover a file that was wiped once with zeros, then malware authors won't.

Also, are you talking about a normal 3.5" HDD or an SSD? There is a difference in how they handle data deletion and storage. From memory (I stand to be corrected) SSDs may leave residual traces of deleted files due to the nature and technology of the drives. There has been much debate about this in the past; some say you can recover and some say you can't. The recommendation is to use the secure delete option with SSDs. Unsure how this affects current M.2 SSDs, maybe someone will know and chime in?
 
I use the Secure Erase of Parted Magic. Works on SSDs/NVMe drives. $17. Available here: Parted Magic LLC – Store

Or you can use Windows' built-in 'cipher /w:C:\' to erase unused space on C:. Check 'cipher /?'.

But going forward, it is best to put classified data into separate accounts. And make a general surfing standard account for daily use.
 
A SA is annoying with the use of some programs.
Besides, in a SA, when prompted for admin privileges and I click "OK", wouldn't that make things the same as using an admin account?
 
HDD for storage of data; SSD is dedicated for OS.
 
Beside, in SA when prompted for admin prev, when I click "ok", would not make things as using admin account?
In Gpedit, go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > "User Account Control: Behavior of the elevation prompt for standard users" and set it to "Automatically deny elevation requests". That will mean no UAC for Standard Accounts.
 
So I do not have to securely erase files with classified data if I want to delete after use?
God I hope that your classified data doesn't have access to the regular web where something like an infostealer can infect it.

The only way to remove/wipe classified data from a drive is via accelerated lead.

Or get a FIPS self-encrypting drive and blank the key, then overwrite the free space 3 times.
 
Peazip can securely delete data.
 
Also worth noting for internal SSDs is that TRIM is used virtually immediately after deletion and again when the drive is "optimized" (which defaults to weekly). If the first TRIM is successful, you can recover the file name, but the content will be corrupted; this can happen minutes(?) after deletion, with the exception of small files that fit in the MFT. After the second TRIM, the chance of recovering the file is nil.

For HDDs, I would overwrite the data once.

There was a post on the MalwareBytes forum from a dev stating that malware typically doesn't bother with that, because if they have that kind of access, there are bigger (and easier) targets.
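The thread's advice splits by media type: overwrite free space on an HDD (the 'cipher /w' suggestion above), rely on TRIM for an SSD. The following PowerShell is an added example, not code from any poster; it checks what kind of disk backs a drive letter and whether TRIM is enabled, then takes the matching action. It assumes a modern Windows with the Storage module and that fsutil prints its usual "NTFS DisableDeleteNotify = 0/1" line.

```powershell
# Added example (not from the thread): check how a volume handles deleted data
# and clean free space the way that actually works for that media type.
function Get-DeletionPosture {
    param([Parameter(Mandatory)][string]$DriveLetter)   # e.g. 'C'

    $letter = $DriveLetter.TrimEnd(':', '\')
    # Map the volume to its physical disk to learn whether it is HDD or SSD.
    $disk  = Get-Partition -DriveLetter $letter | Get-Disk
    $pdisk = Get-PhysicalDisk | Where-Object { $_.DeviceId -eq "$($disk.Number)" }

    # fsutil reports "NTFS DisableDeleteNotify = 0" when TRIM/unmap is enabled.
    $trimLine    = (fsutil behavior query DisableDeleteNotify) -match 'NTFS'
    $trimEnabled = [bool]($trimLine -match '=\s*0')

    [pscustomobject]@{
        Drive       = "$letter`:"
        MediaType   = "$($pdisk.MediaType)"   # 'HDD', 'SSD' or 'Unspecified'
        TrimEnabled = $trimEnabled
    }
}

function Clear-FreeSpace {
    param([Parameter(Mandatory)][string]$DriveLetter)

    $letter  = $DriveLetter.TrimEnd(':', '\')
    $posture = Get-DeletionPosture -DriveLetter $letter

    if ($posture.MediaType -eq 'SSD') {
        # On flash, overwriting free space adds wear and is not what discards
        # the old pages; TRIM is. Make sure it is on and issue a full retrim.
        if (-not $posture.TrimEnabled) {
            fsutil behavior set DisableDeleteNotify 0 | Out-Null   # needs admin
        }
        Optimize-Volume -DriveLetter $letter -ReTrim -Verbose
    } else {
        # HDD: cipher /w makes three passes (zeros, 0xFF, random) over
        # unallocated space only; files that still exist are untouched.
        cipher.exe /w:"$letter`:\"
    }
    $posture
}

# Usage: Clear-FreeSpace -DriveLetter 'C'
```

Note that neither path touches files that are still present; wipe or delete the sensitive file first, then clear the free space it left behind.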
 