Original URL: http://www.theregister.co.uk/2007/05/05/wipe_swap_file/

Clearing swap and hibernation files properly

Two neglected open books

By Thomas C Greene

Posted in Security, 5th May 2007 06:02 GMT

Privacy workshop

Most privacy-conscious users know how to delete files securely, that is, by overwriting them destructively rather than merely unlinking them, and how to wipe the free space on their disks. But two items that often get overlooked are the swap file (or swap partition) and the hibernation file.

Let's start with the swap file. This is an area of your hard disk where pages previously held in RAM are written, and later read back, to "free up" physical memory for other tasks; together with RAM it is the backing store for what the operating system presents to programs as "virtual memory". Your computer can read from RAM much faster than it can read from the disk, but RAM is expensive, whereas disk space is comparatively cheap and usually plentiful. Thus it's not unusual for a system to have a swap file of 1GB or more.

Unfortunately, your swap file knows a lot about you. Pretty much anything you do with your computer can leave traces there. Files you've opened and their contents, websites you've visited, online chats you've had, emails you've sent and received, virtually anything can end up archived in it for quite a long time - months, and even years. You can delete, even wipe securely, the original data, and still your swap file might tell on you by retaining duplicate traces of your computing behaviour. Forensics practitioners consider the swap file to be a real bonanza of data traces, because swapping is an automatic, background process that users - even privacy-conscious ones - can't control completely.

So, what data gets swapped to disk? No one can say: it depends on conditions and memory needs peculiar to each system. Not all data is swapped to disk, but virtually any data might be swapped - even passwords, potentially.

In fact, it's possible that the plain-text versions of encrypted files could turn up in the swap file: perhaps the content was swapped to disk before encrypting or after decrypting, that is, while a user was viewing or editing the plain-text content. A good encryption utility will have its own viewer and editor that lock the pages holding plain text into RAM (mlock on Linux, VirtualLock on Windows) so that the kernel never swaps them out, and that zero those buffers when they are done with them. But are you certain that yours works as it should? And what happens if you copy and paste between two decrypted files, or between two files that you intend to encrypt later? The clipboard belongs to the system, not to the utility, and its contents can certainly be swapped.

So, what are the solutions? First, and most obviously, don't use a swap file or swap device at all. If you've got plenty of RAM, you might not need one. Some Windows applications, games, etc, refuse to run without a swap file even when there is an abundance of RAM, so not everyone can use this option. But Linux users can almost always get away without a swap partition if they have plenty of RAM, say 1GB or more; the price is that a program which does exhaust memory gets killed by the kernel rather than merely slowed down.

The next approach is to perform a manual, secure wipe of the swap file on a regular schedule with the help of an inexpensive utility like BCWipe for Windows users, or a free utility like LinuxWipeTools for Tuxers.

The old-fashioned way

Let's look at doing this manually first. On Windows, the swap file is a hidden, system-protected file in the root directory of the system drive called pagefile.sys. The kernel holds it open for as long as paging is enabled, which is why you cannot simply wipe it in place: you must disable paging, reboot, delete the file manually if it remains, securely wipe your disk's free space, and then re-enable paging. This is a very cumbersome procedure, but here's how to do it:

First, ensure that you have Windows Explorer set to show hidden and protected system files. Open Windows Explorer, go to My Computer ==> Local Disk (C:), and from the menu bar choose Tools ==> Folder Options. In the Folder Options dialogue box, choose the "View" tab, and do the following: select the radio button beside the option "Show hidden files and folders", and clear the tick-box beside the option "Hide protected operating system files (Recommended)" (There are a few other useful settings here that we will discuss in a forthcoming article). Click the Apply button and close the Folder Options dialogue box.

All right, now that you can finally see what's in your filesystem, do this:

1. Disable memory swapping temporarily. Go to Control Panel ==> System ==> Advanced ==> Performance (click "Settings") ==> Advanced ==> Virtual Memory (click "Change"). On the Virtual Memory dialogue box, choose "No paging file", and click the button labelled "Set". Now click "Apply" (and "OK" several times), and re-boot your machine.

(Screenshot: Disable swap)

2. You are now ready to delete your swap file, if disabling virtual memory did not delete it automatically. Open Windows Explorer and navigate to the root directory, i.e., My Computer ==> Local Disk (C:). Look for pagefile.sys, and delete it if it's present. Next, empty your Recycle Bin.

3. Now, fire up your wipe utility, and wipe all the free space and file slack on your disk.

4. When that's finished, go back to Control Panel ==> System ==> Advanced ==> Performance (click "Settings") ==> Advanced ==> Virtual Memory (click "Change"). On the Virtual Memory dialogue box, choose "Custom size", ensure that the initial and maximum sizes are the same, and click the button labelled "Set". Now click "Apply" (and "OK" several times), and re-boot your machine once more. Voilà, you've got a clean swap file, at least for now.

The reason I recommend a swap file with the same initial and maximum size is simple: by default, Windows lets the file grow and shrink as needed, which means that traces of swapped data end up scattered all over your disk. When the file shrinks, the blocks it gives up are no longer part of pagefile.sys, but their contents are still there on the disk until something else happens to overwrite them. Keeping the swap file a fixed size keeps its data in one known place, which makes it easier to clean. It's also good from a performance point of view, as the benefit of defragmenting lasts longer when you haven't got fragments of pagefile.sys interspersed with other files all over the disk.

So, what size should you choose? If you are short of RAM, try 1.5 to 2.0 times the amount of RAM you have. But if you've got 1GB or more of RAM, you'll rarely need more than a 1GB swap file on a home system.

Paying for convenience

Alternatively, you can use BCWipe, for which you must pay. Its swap-wipe function clears the unused portion of the swap file, but not the data currently in it; what it can do, if you like, is encrypt the swap file so that its data can't be read. Read the help files carefully, and follow the recommendations. I will outline them briefly, but you need to get this right. First, choose a specific size for your swap file as described previously. Next, initialise the BCWipe CryptoSwap utility, being sure to choose the option "Initialise swap file with random data when Windows starts". Now reboot. Next, do a disk wipe including file slack, free space, and the swap file. This removes any swap-file data traces left over from before encryption was switched on, leaving only encrypted data in the file.

This utility encrypts and decrypts on the fly, so there is obviously going to be some performance overhead. For that reason, not everyone is going to like this method, but it is far more convenient than the manual method outlined above. You do it once, and from then all you need to wipe are file slack and free space, and of course, individual files as appropriate.

Good news for Tuxers

On a Linux system swap normally lives on a dedicated partition rather than in a file, and a swap partition can be wiped easily with a free tool that I created called LinuxWipeTools. This is a collection of simple Bash scripts that will allow you to wipe your disk in three modes: the swap partition alone, free space only, or an entire disk. The one you want is called WipeSwap.sh. Launch it from a root shell, and it will automatically detect your swap device, wipe it securely, and re-create it for you. You can run it conveniently in the background while you are using your computer, and there is no need to reboot; the one condition is that whatever is currently swapped out must fit back into RAM while the partition is offline, so run it when the machine is lightly loaded. You can easily modify it and set it as a cron job, and have a freshly-wiped swap partition every day, if you like, without the slightest bother.

If you're lazy, and cheap

Finally, there is a less secure, but convenient and free, approach for Windows users. You can have Windows clear the swap file each time you shut down. This is a single pass of zeros written over pagefile.sys during a clean shutdown, not a secure multi-pass wipe, and it covers only the file's current extent. That is one more reason to choose a fixed-size swap file as I recommend: a file that has been allowed to grow and shrink will have left traces outside its current extent that this setting never touches. Still, it is a very easy thing to do, it costs nothing, and it's certainly better than neglecting the swap file entirely.

To set this up, go to Start ==> Run ==> and type regedit. The registry editor will launch. Before you make any changes to your registry, make a backup of it. In the left-hand pane of the registry editor, select the top level, labelled "My Computer". Now, in the upper menu bar, go to File ==> Export. In the export dialogue box, be sure to choose "All" in the Export Range option toward the bottom of the box, and save the file somewhere safe. If your changes cause any problems, you can restore your previous registry simply by opening the editor, choosing File ==> Import from the menu bar, and selecting that file.

Now, to have the swap file cleared at shutdown, here's all you need to do:

In the left-hand pane of the registry editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management. In the right-hand pane, select the DWORD value ClearPageFileAtShutdown (create it if it is missing). Right-click on it, choose "Modify", and change the value to 1. Reboot, of course.

(Screenshot: Edit registry)

You can tell that it's working because shutting down Windows takes noticeably longer than before, while the zeros are being written. Obviously, if you're in the habit of simply powering off your computer, you get no benefit from this: the clearing happens only during a normal shutdown, and a crash or a yanked power cord leaves the swap file exactly as it was.

Sensitive data asleep

Now for hibernation, or suspend-to-disk, on Windows 2K and XP. Enabled by default on XP where the hardware supports it, this gimmick takes a snapshot of physical memory and writes it to disk so your computer can power off completely and "wake up" more quickly than it could from a cold start. In practice, it's not that much help, and few users express much enthusiasm for it. So its benefits are questionable, while it poses a serious challenge to good data hygiene. The corresponding hidden file, called hiberfil.sys, sits in the root of the system drive, and its size roughly matches the amount of RAM on the system.

Naturally, an incredible amount of sensitive data could be dumped to disk when hibernation is activated. So if you're at all concerned about privacy and data hygiene, this file has to go, and the area it occupies has to be wiped properly.

1. Begin by disabling hibernation. Go to Control Panel ==> Power Options, to launch the Power Options Properties dialogue box. Select the tab labelled "Hibernate", and clear the tick-box beside the option, "Enable hibernation". Click the Apply button, close the dialogue box, and reboot your machine. (From a command prompt, powercfg /hibernate off does the same thing.)

2. Next, open Windows Explorer and navigate to the root directory, i.e., My Computer ==> Local Disk (C:). Look for hiberfil.sys, and delete it if it's present. Now, empty your Recycle Bin.

3. Finally, perform a secure wipe of your disk's free space and file slack space.

As far as I know, current Linux distros do not hibernate or suspend-to-disk by default, although a user can set it up using the swap partition to hold the hibernation image. In that case you need a swap partition big enough to hold the memory image, in practice at least the size of RAM (about twice the size of RAM gives a comfortable margin), and depending on the distribution you may have to build the suspend support into the kernel itself rather than loading it as a module. The image is written into the swap area, and the swap signature in its header is replaced by a marker that tells the next boot to resume from it. So clearing hibernation data properly is as easy as running the WipeSwap.sh script as described previously: overwriting the partition destroys the image, and re-creating the swap area restores the plain swap signature, so nothing is left to resume from.
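The script below is an added example of the job that WipeSwap.sh is described as doing, extended to the hibernation case just discussed: it is written for this page and is not the author's LinuxWipeTools, nor any code from the article. It assumes Linux, a root shell, util-linux (swapoff, swapon, mkswap, blkid, blockdev) and coreutils (dd, head, stat, awk, tr), and a 4096-byte page size, which must match the page size of the machine that ran mkswap. Before wiping, it reads the 10-byte signature that mkswap stores at the end of the first page and reports whether a hibernation image has replaced it; the /proc/swaps listing and the two-page swap area used to exercise it are constructed, not taken from a real system.

```shell
#!/bin/sh
# wipe-swap.sh: take every active swap area offline, overwrite it with
# random data, rebuild the swap header, and bring it back.
# Assumptions (not from the article): Linux, run as root, util-linux
# (swapoff, swapon, mkswap, blkid, blockdev) and coreutils (dd, head, stat).
set -eu

# mkswap stores its 10-byte signature at the end of the first page. 4096 is
# assumed here; it must match the page size of the machine that ran mkswap.
PAGE_SIZE=4096
SIG_OFFSET=$((PAGE_SIZE - 10))

# List active swap areas, one per line, from a file in /proc/swaps format.
# Takes the path so a constructed copy can be used instead of /proc/swaps.
active_swaps() {
    awk 'NR > 1 && $1 != "" { print $1 }' "$1"
}

# Read the signature of a swap area (device or file) as a string.
swap_signature() {
    dd if="$1" bs=1 skip="$SIG_OFFSET" count=10 2>/dev/null | tr -d '\000'
}

# "swap": an ordinary swap area. "image": the kernel (S1SUSPEND) or uswsusp
# (S2SUSPEND, ULSUSPEND) replaced the signature because a hibernation image
# is stored there; mkswap below restores the plain signature, so the system
# will never try to resume from the wiped area.
classify_signature() {
    case "$1" in
        SWAPSPACE2|SWAP-SPACE) echo swap ;;
        *SUSPEND)              echo image ;;
        *)                     echo unknown ;;
    esac
}

# Size in bytes of a block device or a regular file.
area_size() {
    blockdev --getsize64 "$1" 2>/dev/null || stat -c %s "$1"
}

# Take one swap area offline, overwrite every byte of it with random data,
# and re-create it with its old UUID and label so /etc/fstab and any
# resume= boot parameter keep working. swapoff fails if the pages it holds
# do not fit back into RAM; with set -e that aborts before anything is written.
wipe_swap() {
    dev=$1
    uuid=$(blkid -s UUID -o value "$dev" 2>/dev/null || true)
    label=$(blkid -s LABEL -o value "$dev" 2>/dev/null || true)
    swapoff "$dev"
    # head limits the write to the area's size so a swap file does not grow;
    # notrunc keeps a file on the same blocks instead of re-allocating them.
    head -c "$(area_size "$dev")" /dev/urandom |
        dd of="$dev" bs=1M conv=notrunc,fsync 2>/dev/null
    set --
    [ -n "$uuid" ]  && set -- "$@" -U "$uuid"
    [ -n "$label" ] && set -- "$@" -L "$label"
    mkswap "$@" "$dev" >/dev/null
    swapon "$dev"
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    active_swaps /proc/swaps | while read -r dev; do
        sig=$(swap_signature "$dev")
        echo "$dev: signature '$sig' ($(classify_signature "$sig"))"
        wipe_swap "$dev"
        echo "$dev: wiped and re-created"
    done
}

# Nothing is touched unless explicitly requested: WIPE_SWAP_RUN=1 ./wipe-swap.sh
if [ "${WIPE_SWAP_RUN:-0}" = 1 ]; then
    main
fi
```

Run it as root with WIPE_SWAP_RUN=1 set; without that variable the file can be sourced or executed to inspect the functions without touching anything. A single pass of random data is used because the aim is to leave nothing readable in the area, and mkswap is given the old UUID and label because a resume= parameter or a UUID= entry in /etc/fstab would otherwise stop matching the freshly-created area. For a cron job, keep the WIPE_SWAP_RUN=1 prefix in the crontab line.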

So once again, when it comes to privacy and security, Linux users have it a lot easier than Windows users. And cheaper, too. ®