From owner-freebsd-questions@FreeBSD.ORG Wed Feb 18 18:00:15 2015
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
    (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by hub.freebsd.org (Postfix) with ESMTPS id 8AF56291
    for ; Wed, 18 Feb 2015 18:00:15 +0000 (UTC)
Received: from mx01.qsc.de (mx01.qsc.de [213.148.129.14])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (Client did not present a certificate)
    by mx1.freebsd.org (Postfix) with ESMTPS id 474C7DB8
    for ; Wed, 18 Feb 2015 18:00:14 +0000 (UTC)
Received: from r56.edvax.de (port-92-195-149-162.dynamic.qsc.de [92.195.149.162])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by mx01.qsc.de (Postfix) with ESMTPS id 4023F3CDEA;
    Wed, 18 Feb 2015 19:00:12 +0100 (CET)
Received: from r56.edvax.de (localhost [127.0.0.1])
    by r56.edvax.de (8.14.5/8.14.5) with SMTP id t1II0CXY002287;
    Wed, 18 Feb 2015 19:00:12 +0100 (CET)
    (envelope-from freebsd@edvax.de)
Date: Wed, 18 Feb 2015 19:00:12 +0100
From: Polytropon
To: Ralf Mardorf
Subject: Re: [Bulk] Re: What's in my hard drive? How can I get rid of it?
Message-Id: <20150218190012.d865cbdf.freebsd@edvax.de>
In-Reply-To: <20150218020243.366fe968@archlinux>
References: <54E39F83.70002@gmail.com>
    <51803.128.135.70.2.1424219858.squirrel@cosmo.uchicago.edu>
    <20150218020243.366fe968@archlinux>
Reply-To: Polytropon
Organization: EDVAX
X-Mailer: Sylpheed 3.1.1 (GTK+ 2.24.5; i386-portbld-freebsd8.2)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Cc: freebsd-questions@freebsd.org
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 18 Feb 2015 18:00:15 -0000

On Wed, 18 Feb 2015 02:02:43 +0100, Ralf Mardorf wrote:
> Actually criminal investigation departments seem to be unable to
> recover all the data that was deleted by a simple rm command, even on
> journaling file systems. Why is it recommended to mount read only, as
> soon as possible, if we lose data, to be able to recover that data?

Because they use expensive and certified software, highly
recommended by qualified and certified consultants, which
are also expensive. The highly sophisticated equipment is
only accessed by a very restricted set of professional
officers who can already distinguish the left mouse button
from the right mouse button and have been trained (by skilled
and certified educators) to click on little pictures.

This approach is safe, because there are procedures, and
those are certified. Nothing can go unnoticed, as all involved
parts are free of any imaginable error or misbehaviour: the
software is idiot-proof, and the officers are... highly
qualified experts. Our tax money at work.

So what do you expect? :-)

> The NSA is able to recover all the data that was deleted all over the
> world even by a shred command on a non-journaling FS?
> If so, the NSA isn't willing to give hints against child molesters and
> other criminals, because the NSA is the watchdog of more important
> crimes? That's grotesque.

Any organisation has to carefully define its priorities, and
when the NSA states: "We could undelete those files, and a
child molester has been arrested as a result", the society
would scream in fear because they would begin to admit the
thought that everything which is possible WILL BE DONE (no
matter if we are able to recognize it in the first place).

Also keep in mind: there's a difference between "to protect"
and "to investigate" - and put that into context with defining
priorities...

In the end, anti-forensics is what the "real criminals"
are actually really good at. :-)

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...