8 Replies Latest reply on Jun 4, 2009 7:22 AM by Texiwill

    Data recovery / secure deletion from VMFS

    jesse.gardner Hot Shot

       

      We are going through an initiative where we are taking into consideration any potential exposure of sensitive data, no matter how far-fetched.  We securely wipe hard disks when we decommission physical servers, etc...  I started thinking about deleted VMs.  If I "Delete From Disk" a VM, but leave the VMFS volume intact, does anyone have a good idea how possible it would be to recover information from that deleted VM, should someone a) gain access to the physical hard disk or b) gain shell access to the host?

       

       

      I know that preventing people from gaining such access is imperative.  We are talking theoretical here.

       

       

      Thanks.

       

       

      Jesse

       

       

        • 1. Re: Data recovery / secure deletion from VMFS
          Ilann Valet Expert
          vExpert

          The "delete from disk" option causes a Linux rm on all the VM's files in its folder, so it's quite hard to recover data from a deleted VM on VMFS.

          • 2. Re: Data recovery / secure deletion from VMFS
            jesse.gardner Hot Shot

             

            On (normal) Linux, rm doesn't necessarily make the data unavailable.  For ext2 file systems, there are many recovery tools available.  For ext3, there are possibilities (http://www.vayanis.com/2007/07/06/ext3-data-recovery/)

             

             

            This would be specific to VMFS.  Does it securely overwrite 0's or random data, or does it just remove the file system pointer and leave the data?

             

             

            • 3. Re: Data recovery / secure deletion from VMFS
              Texiwill Guru
              User Moderators, vExpert

              Hello,

               

              Moved to the Security and Compliance forum.

               

              You are correct. One thing you can do prior to deleting the VMDK is to boot the VMDK from a CDROM that contains a program that will write 0s to the hard disk presented. I know these exist.... There are plenty out there. The DoD has its own. If you use a Linux boot disk you can use 'dd' to write 0s to the entire vmdk as well. WipeDisk is another one.

               

              However, even if you write 0s to the entire contents of the VMDK, the data can still be discovered. Granted, it would cost quite a bit to use an electron microscope to get the information out of the platters, but there are companies that do this all the time......

               

              Writing 0s even 100s of times does not erase the media completely. A good forensic scientist can still uncover the data.

               


              Best regards,

              Edward L. Haletky

              VMware Communities User Moderator

              ====

              Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

              CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

              As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

              1 person found this helpful
              • 4. Re: Data recovery / secure deletion from VMFS
                jesse.gardner Hot Shot

                 

                Thank you Edward for moving it to the correct forum and your helpful answer.

                 

                 

                We probably will implement a standard disk-wipe for VMs just like we do for physical servers.  And I do know that, given enough resources, someone can probably get data off no matter how thoroughly you wipe it.  However, I'd still like to understand exactly what "Delete From Disk" does.  Does it unlink files or overwrite them?

                 

                 

                • 5. Re: Data recovery / secure deletion from VMFS
                  Ilann Valet Expert
                  vExpert

                  I think it executes an rm command on the VM's folder... So it's basically an unlink.

                  1 person found this helpful
                  • 6. Re: Data recovery / secure deletion from VMFS
                    Texiwill Guru
                    User Moderators, vExpert

                    Hello,

                     

                    The data is definitely not zeroed out, so it is an unlink, either directly through rm or some other lower-level command.

                     


                    Best regards,

                    Edward L. Haletky

                    VMware Communities User Moderator


                    • 7. Re: Data recovery / secure deletion from VMFS
                      gorkish Enthusiast

                       

                      We got this question today too; I suggested a zero wipe, but does anyone know if it would be safe to do this from within the service console? I.e., using DD to completely overwrite the vmdk file with 0's then delete it? That would be possibly easier than a bootdisk.

                       

                       

                      BTW not one time in the entire history of computers has anyone documented that they have been able to successfully recover any volume of data from an overwritten hard drive, no matter the number of rewrites. At this point, I think it is so often repeated that people simply believe this type of data recovery is possible. The idea that an "electron microscope" is the right tool or indeed even useful at all for the job is patently ridiculous.

                       

                       

                      Anyway, on physical machines we have taken to simply pulling the HDDs and having them shredded; it's more cost effective, plus it's a whole lot more fun. I'd like an equivalent 'shred' command in the VI client!

                       

                       

                      • 8. Re: Data recovery / secure deletion from VMFS
                        Texiwill Guru
                        User Moderators, vExpert

                        Hello,

                         

                        > We got this question today too; I suggested a zero wipe, but does anyone know if it would be safe to do this from within the service console? I.e., using DD to completely overwrite the vmdk file with 0's then delete it? That would be possibly easier than a bootdisk.

                         

                        It is not just the VMDK but the VSWP (or where it once was), and snapshot files, and other memory files. Basically there is quite a bit of data created when the VM is running.

                         

                        > BTW not one time in the entire history of computers has anyone documented that they have been able to successfully recover any volume of data from an overwritten hard drive, no matter the number of rewrites. At this point, I think it is so often repeated that people simply believe this type of data recovery is possible. The idea that an "electron microscope" is the right tool or indeed even useful at all for the job is patently ridiculous.

                         

                        It is a theoretical possibility, and some consider it an urban myth, others consider it gospel, others think the government can do this... It is still in some forensics books, etc.

                         

                        > Anyway, on physical machines we have taken to simply pulling the HDDs and having them shredded; it's more cost effective, plus it's a whole lot more fun. I'd like an equivalent 'shred' command in the VI client!

                         

                        That would be nice, but the DoD level wipe has to happen anytime a file is erased, not just the VMDK, so it really needs to hook into the vmkernel. Hopefully with the vStorage and VMSafe APIs this will now be possible.

                         


                        Best regards, Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009
                        Now Available on Rough-Cuts: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing ESX and the Virtual Environment' (http://www.astroarch.com/wiki/index.php/VMware_Virtual_Infrastructure_Security)
                        Also available: 'VMWare ESX Server in the Enterprise' (http://www.astroarch.com/wiki/index.php/VMWare_ESX_Server_in_the_Enterprise)
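The zero-then-unlink approach discussed in this thread, extended to every file in the VM's folder (VMDK, VSWP, snapshot and memory files), as an added example that is not from any poster or from VMware. The function names are hypothetical, and it assumes the VM is powered off, a shell with dd, head, tr and wc, and files whose blocks are overwritten in place; it cannot reach blocks the file system freed earlier (the "where it once was" case above).

```shell
#!/bin/sh
# Added example (not from the thread): zero every file of a powered-off VM
# in place, verify the overwrite, and only then unlink it.
# Usage (path is a placeholder): wipe_vm_dir /vmfs/volumes/<datastore>/<vm>

# zero_file FILE: overwrite FILE with zeros across its current length.
zero_file() {
    f=$1
    size=$(wc -c < "$f") || return 1
    [ "$((size))" -gt 0 ] || return 0
    # conv=notrunc keeps dd from truncating first, so the existing blocks
    # are rewritten rather than released and replaced with new ones.
    head -c "$((size))" /dev/zero | dd of="$f" conv=notrunc bs=1M 2>/dev/null || return 1
    sync    # push the zeros out of the page cache before the unlink
}

# is_zeroed FILE: succeed only if FILE contains nothing but NUL bytes.
is_zeroed() {
    left=$(tr -d '\000' < "$1" | wc -c) || return 1
    [ "$((left))" -eq 0 ]
}

# wipe_vm_dir DIR: zero, verify and remove each regular file in DIR,
# then remove DIR. Stops at the first file that cannot be verified,
# leaving it in place for inspection.
wipe_vm_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if zero_file "$f" && is_zeroed "$f"; then
            rm -f -- "$f"
        else
            echo "overwrite not verified, keeping: $f" >&2
            return 1
        fi
    done
    # Fails (non-zero) if anything is left behind, e.g. subfolders.
    rmdir "$dir"
}
```

The length of each file is unchanged by the overwrite, so the same blocks are addressed; whether the storage layer below maps them to the same physical sectors is outside what the script can check.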