How to wipe file slack on OS X

A tutorial explaining how to wipe free space, including file slack on Mac OS X


BCWipe lets you wipe slack



Update: a new and easier to use version of BCWipe for Mac OS X with a graphical user interface is now available. Read more about it here.

Apple’s Disk Utility can wipe whole disks and free space. One thing it apparently does not do, however, is wipe file slack.

File systems allocate space in blocks of a fixed size. File slack is the space between the end of a file’s data and the end of the last block allocated to that file. On an average hard drive, file slack frequently adds up to more than a gigabyte of information – information that is not wiped when wiping free space.

Unlike the Windows utility Eraser, for example, Disk Utility does not include file slack when wiping free space. Forensic investigators frequently find interesting information in slack space, so a wipe of free space that leaves slack untouched is in fact incomplete.
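To make the size of the problem concrete, here is an added example (not part of the original tutorial and not Jetico’s code) that estimates how much slack a directory tree carries. It takes the allocation block size as an argument; 4096 bytes is assumed as the common HFS+ value, and on Mac OS X the real figure for a volume is listed by `diskutil info` as its allocation block size. The sample files in the usage section are constructed for the demo.

```sh
#!/bin/sh
# Added example: estimate file slack for a file and for a whole tree.
# slack = blocksize - (size mod blocksize), or 0 when the file is empty or
# fills its last block exactly. Only the file's own data is counted, so
# this is a lower bound: metadata and deleted files are not included.

# slack_bytes FILE BLOCKSIZE -> prints the slack of one file in bytes
slack_bytes() {
    file=$1
    bs=$2
    size=$(wc -c < "$file" | tr -d ' ')
    rem=$(( size % bs ))
    if [ "$size" -eq 0 ] || [ "$rem" -eq 0 ]; then
        echo 0
    else
        echo $(( bs - rem ))
    fi
}

# tree_slack DIR BLOCKSIZE -> prints the total slack of all regular files under DIR
tree_slack() {
    dir=$1
    blocksize=$2
    # one slack figure per file, summed with awk; the while loop runs in a
    # subshell, so the sum is done in the pipeline rather than in a variable
    find "$dir" -type f | while IFS= read -r f; do
        slack_bytes "$f" "$blocksize"
    done | awk '{ s += $1 } END { print s + 0 }'
}

# Usage: ./slack_estimate.sh DIR [BLOCKSIZE]
if [ $# -ge 1 ]; then
    echo "estimated slack under $1: $(tree_slack "$1" "${2:-4096}") bytes"
fi
```

Run it against your home directory with the block size of your boot volume to see how much data Disk Utility’s free-space wipe leaves behind; the number is what the -S option of bcwipe is there to clean.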

There is, however, a way to wipe free space on Mac OS X 10.4, 10.5 and 10.6, including slack space: Jetico’s BCWipe, one of the most versatile and advanced cross-platform wipe utilities out there. The program has to be run from the command line, and the process is somewhat complicated if you haven’t done that sort of thing before.

That’s why this tutorial was made.

Be warned that playing with these commands, unless you understand what you’re doing and type precisely, could accidentally wipe important data. Consider backing up your data first.

First, you have to download, compile and install BCWipe.

1. Download the software from http://www.jetico.com/download/
You want the BCWipe-1.9-13.tar.gz file, under the heading “BCWipe for UNIX” (“Download tar.gz”)

2. Unpack it by double clicking on it in the download directory.

3. It has to be compiled and installed. You need to download and install the Developer Tools from Apple to be able to compile software. To do that, go here and register an account, log in, download the Xcode Tools disk image, and install it. Or you could get it from the Mac App Store. It should be sufficient to just install the command line tools. Then compile and install BCWipe by opening Terminal in Applications/Utilities and running the following commands.

$ cd ~/Downloads/bcwipe-1.9-13/
$ sudo ./configure
$ sudo make install

5. Congratulations, you just installed BCWipe. It can now be run from the command line by typing bcwipe. To read the instructions for using it, type “man bcwipe” (very useful).

Our recommended command to wipe file slack is
$ sudo bcwipe -ISrvwm1 /

Two useful scripts for Mac OS X
To save you some time, we have made two useful scripts: one to clear logs and cache, and one to wipe free space, including file slack.

To make the scripts

$ sudo nano clear_logs_cache.sh

(or the name of your choice followed by .sh to designate it as a shell script)
(paste or type the contents of your choice below into the editor; remember, the commands are case sensitive)

CTRL-X, Y <enter> (to save the file)

Then, add execute permissions to the script to be able to run it

$ sudo chmod a+x clear_logs_cache.sh

Script contents

To delete logs and cache on Mac OS X 10.4, 10.5 and 10.6
bcwipe -Irvwm1 /private/var/log/*
bcwipe -Irvwm1 /Library/Logs/*
bcwipe -Irvwm1 /Library/Caches/*
bcwipe -Irvwm1 /System/Library/Caches/*
bcwipe -Irvwm1 ~/Library/Logs/*
bcwipe -Irvwm1 ~/Library/Caches/*

If you also want to delete the Spotlight database
bcwipe -Irvwm1 /.Spotlight-V100

To delete file slack and free space
bcwipe -ISrvwmz /
bcwipe -IFrvwm1 /

To run a script
$ sudo ./clear_logs_cache.sh <enter>
(type your password) <enter>

Wiping free space usually takes anywhere from a few minutes to three hours, depending on the size and type of your disk and what you wipe, whereas wiping cache and logs is done in a minute.

These scripts have been tested on Mac OS X 10.10 and many of the previous versions, on journaled and non-journaled file systems, on SSDs and hard drives, and they caused no problems. All the commands here can safely be run on a live system. If you are using Boot Camp, running bcwipe on / might make it process the Windows partition as well. One way to handle this is simply to unmount the Windows partition in Disk Utility before using bcwipe, and to use Eraser, which is Windows native and free, on the Windows partition. It’s also a good idea to unmount any external drives and network volumes before starting.
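The unmount advice above is easy to forget once the wipe command is in a script, so here is an added pre-flight check (not part of the tutorial’s scripts) that lists every mounted volume other than the system volume and refuses to continue while any remain. It assumes the Mac OS X `mount` output format “device on mountpoint (fstype, options)”; the sample output embedded below is constructed for the demo, not captured from a real machine.

```sh
#!/bin/sh
# Added example: refuse to wipe / while other volumes are mounted, so a
# Boot Camp partition, an external disk or a network share is not reached
# through /Volumes by a recursive wipe.

# Constructed sample of `mount` output on Mac OS X (not from a real system).
SAMPLE_MOUNT_OUTPUT='/dev/disk0s2 on / (hfs, local, journaled)
devfs on /dev (devfs, local, nobrowse)
map -hosts on /net (autofs, nosuid, automounted, nobrowse)
/dev/disk0s4 on /Volumes/BOOTCAMP (ntfs, local, read-only, noowners)
/dev/disk1s2 on /Volumes/Backup (hfs, local, nodev, nosuid, journaled, noowners)
//user@fileserver/share on /Volumes/share (smbfs, nodev, nosuid, mounted by user)'

# other_volumes MOUNT_OUTPUT -> one line "mountpoint (fstype)" per volume that
# is neither the root volume nor a pseudo file system (devfs, autofs maps).
other_volumes() {
    printf '%s\n' "$1" | awk '
        {
            # mount point: text after " on " up to the " (" that opens the options
            mp = $0; sub(/^.* on /, "", mp); sub(/ \(.*$/, "", mp)
            # file system type: first word inside the parentheses
            fs = $0; sub(/^.*\(/, "", fs); sub(/[,)].*$/, "", fs)
            if (mp == "/") next
            if (fs == "devfs" || fs == "autofs") next
            print mp " (" fs ")"
        }'
}

# preflight MOUNT_OUTPUT -> returns 0 when only the root volume is mounted,
# otherwise prints the offending volumes to stderr and returns 1
preflight() {
    vols=$(other_volumes "$1")
    if [ -n "$vols" ]; then
        echo "Unmount these volumes before wiping /:" >&2
        printf '%s\n' "$vols" >&2
        return 1
    fi
    return 0
}

# Usage: put `preflight "$(mount)" || exit 1` at the top of the wipe script,
# before the bcwipe lines. `./preflight.sh --live` runs it against the real mount table.
if [ "${1:-}" = "--live" ]; then
    preflight "$(mount)"
fi
```

With `preflight "$(mount)" || exit 1` as the first line of the free-space script, a forgotten Boot Camp or Time Machine volume stops the run instead of being wiped along with the boot volume.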

However, this is not a guarantee that they will not cause problems for you. If you play with fire, you might get burnt. Remember that one typing mistake might wipe something essential to the operation of your system, or your important files. So unless you know what you’re doing, consider not doing it, or have a computer-literate friend help you. It might be wise to make a backup and play with these commands before using them in everyday computing.

DISCLAIMER: the author of this tutorial takes no responsibility for damaged data.

It should be sufficient to wipe data once, as no company has yet been able to recover overwritten data. Especially on modern hard drives, one scrub is enough, as there are fewer traces of previous data on these drives. However, some argue it could be possible (in theory) to recover overwritten data using magnetic force microscopy and image analysis, and that no one knows what technology the military might secretly possess. If you want to be sure it will be very hard to recover data, a 7-pass scrub is recommended. The instructions here are for a single pass of random data without verification, which is a fast and effective method. To change the settings, refer to the BCWipe manual.

Be aware that SSDs and flash memory drives (such as USB sticks) do not behave like hard drives, and that using full disk encryption with a wipeable key file + password combination seems to be the best strategy for wiping such drives as of yet. Wiping on SSDs still works, but some data might be left in inaccessible areas of the drive.

BCWipe is free to use for 30 days, then you can purchase a license from Jetico.

This tutorial was last updated August 28, 2015.


Written by wipetutorial

June 3, 2009 at 12:29 pm