VMware Cloud Community
jesse_gardner
Enthusiast

Data recovery / secure deletion from VMFS

We are going through an initiative where we are taking into consideration any potential exposure of sensitive data, no matter how far-fetched. We securely wipe hard disks when we decommission physical servers, etc. I started thinking about deleted VMs. If I "Delete From Disk" a VM, but leave the VMFS volume intact, does anyone have a good idea how possible it would be to recover information from that deleted VM, should someone a) gain access to the physical hard disk or b) gain shell access to the host?

I know that preventing people from gaining such access is imperative. We are talking theoretical here.

Thanks.

Jesse


Accepted Solutions
Texiwill
Leadership

Hello,

The data is definitely not zeroed out, so it is an unlink, either directly through rm or some other lower-level command.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill

8 Replies
demz
Expert

The "delete from disk" option causes a linux rm on all the VM's files in its folder, so it's quite hard to recover data from a deleted VM on VMFS.

jesse_gardner
Enthusiast

On (normal) Linux, rm doesn't necessarily make the data unavailable. For ext2 file systems, there are many recovery tools available. For ext3, there are possibilities.

This would be specific to VMFS. Does it securely overwrite 0's or random data, or does it just remove the file system pointer and leave the data?

Texiwill
Leadership

Hello,

Moved to the Security and Compliance forum.

You are correct. One thing you can do prior to deleting the VMDK is to boot the VMDK from a CDROM that contains a program that will write 0s to the hard disk presented. I know these exist... There are plenty out there. The DoD has its own. If you use a Linux boot disk you can use 'dd' to write 0s to the entire vmdk as well. WipeDisk is another one.

However, even if you write 0s to the entire contents of the VMDK, the data can still be discovered; granted, it would cost quite a bit to use an electron microscope to get the information out of the platters, but there are companies that do this all the time...

Writing 0s even 100s of times does not erase the media completely. A good forensic scientist can still uncover the data.


Best regards,

Edward L. Haletky

jesse_gardner
Enthusiast

Thank you Edward for moving it to the correct forum and your helpful answer.

We probably will implement a standard disk-wipe for VMs just like we do for physical servers. And I do know that, given enough resources, someone can probably get data off no matter how thoroughly you wipe it. However, I'd still like to understand exactly what "Delete From Disk" does. Does it unlink files or overwrite them?

demz
Expert

I think it executes an rm command on the VM's folder... So it's basically an unlink.

gorkish
Enthusiast

We got this question today too; I suggested a zero wipe but does anyone know if it would be safe to do this from within the service console? I.e., using DD to completely overwrite the vmdk file with 0's then delete it? That would be possibly easier than a bootdisk.

BTW not one time in the entire history of computers has anyone documented that they have been able to successfully recover any volume of data from an overwritten hard drive, no matter the number of rewrites. At this point, I think it is so often repeated that people simply believe this type of data recovery is possible. The idea that an "electron microscope" is the right tool or indeed even useful at all for the job is patently ridiculous.

Anyway on physical machines we have taken to simply pulling the HDDs and having them shredded; it's more cost effective, plus it's a whole lot more fun. I'd like an equivalent 'shred' command in the VI client!

Texiwill
Leadership

Hello,

> We got this question today too; I suggested a zero wipe but does anyone know if it would be safe to do this from within the service console? I.e., using DD to completely overwrite the vmdk file with 0's then delete it? That would be possibly easier than a bootdisk.

It is not just the VMDK but the VSWP (or where it once was), and snapshot files, and other memory files. Basically there is quite a bit of data created when the VM is running.

> BTW not one time in the entire history of computers has anyone documented that they have been able to successfully recover any volume of data from an overwritten hard drive, no matter the number of rewrites. At this point, I think it is so often repeated that people simply believe this type of data recovery is possible. The idea that an "electron microscope" is the right tool or indeed even useful at all for the job is patently ridiculous.

It is a theoretical possibility, and some consider it an urban myth, others consider it gospel, others think the government can do this... It is still in some forensics books, etc.

> Anyway on physical machines we have taken to simply pulling the HDDs and having them shredded; it's more cost effective, plus it's a whole lot more fun. I'd like an equivalent 'shred' command in the VI client!

That would be nice, but the DoD-level wipe has to happen any time a file is erased, not just the VMDK, so it really needs to hook into the vmkernel. Hopefully with the vStorage and VMSafe APIs this will now be possible.


Best regards, Edward L. Haletky, VMware Communities User Moderator, VMware vExpert 2009
Now Available on Rough-Cuts: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing ESX and the Virtual Environment'
Also available: 'VMWare ESX Server in the Enterprise'
SearchVMware Pro (http://www.astroarch.com/wiki/index.php/Blog_Roll) | Blue Gears | Top Virtualization Security Links | Virtualization Security Round Table Podcast

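The overwrite-then-unlink approach discussed in this thread, applied to every file in a VM's directory rather than only the VMDK, as the last reply points out. This is an added example, not code from any poster or from VMware. It assumes a POSIX shell with `dd`, `head -c` and `mktemp`, a powered-off VM, and storage that overwrites blocks in place; whether that holds on a given VMFS datastore is not settled in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the datastore rewrites blocks
# in place; thin, copy-on-write or flash-backed storage may keep old copies.

# Number of bytes in a file that are not 0x00; 0 means fully zeroed.
nonzero_bytes() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# Overwrite a file with zeros across its full length. conv=notrunc keeps the
# file from being truncated first, so the existing allocation is rewritten.
zero_file() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -eq 0 ] && return 0
    head -c "$size" /dev/zero | dd of="$1" bs=1048576 conv=notrunc 2>/dev/null
    sync
    # Verify: length unchanged and no non-zero byte left.
    [ "$(wc -c < "$1" | tr -d ' ')" -eq "$size" ] && [ "$(nonzero_bytes "$1")" -eq 0 ]
}

# Zero, verify, then unlink every regular file under a VM directory (disks,
# swap, snapshot deltas, memory images). Files that fail verification are
# left in place and make the function return non-zero.
wipe_vm_dir() {
    dir=$1
    failed=0
    [ -d "$dir" ] || return 2
    list=$(mktemp) || return 2
    find "$dir" -type f > "$list"
    while IFS= read -r f; do
        if zero_file "$f"; then
            rm -f -- "$f"
        else
            failed=$((failed + 1))
        fi
    done < "$list"
    rm -f -- "$list"
    [ "$failed" -eq 0 ]
}

# Usage (hypothetical path): wipe_vm_dir /path/to/powered-off-vm-directory
```

Files that were already unlinked earlier, such as a previous swap file or a committed snapshot, are not reachable this way; only files still present in the directory are overwritten.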