                           Table of Contents



       1.   Introduction

       2.   Terms and Conditions of Use

       3.   Shredders' command-line and keyboard control options

       4.   Technical Information
            A. Interrupt handler
            B. Truncated Files Problem (expanded) 
            C. Miscellaneous


 1. Introduction

 Data which has been overwritten or deleted may not be gone for good.  In
 fact, it may be quite possible to recover data which has been overwritten
 up to six times (PC Magazine, Nov. 27, 1990; pg#11).  This documentation
 discusses a method for making it virtually impossible to recover erased
 data; it is about a newly developed file shredding program.
 
 A file shredder is analogous to the paper shredder in that it "destroys"
 confidential information before it is disposed of; the file shredder 
 destroys the magnetic information by overwriting the information with 0's
 or 1's (the value alternates for each iteration).  The file shredding     
 program has been developed as a terminate-and-stay-resident (TSR) program 
 instead of the standard application-based file shredder.

 There are two distinct security advantages of the TSR over the standard
 application.  The first is that it can shred files on-the-fly.  This can
 be seen as a blessing or a curse: the user will not have to worry about
 data in erased files being recovered, provided that the user wanted to
 delete the data in the first place.  To lower the risk of accidental
 deletions, the user can control the TSR's operation through the command
 line, a special keyboard sequence, and software interrupt controls (as
 discussed later).

 This on-the-fly approach also provides another advantage: the user might
 not always have the luxury of shredding confidential files before they
 are deleted.  For example, many word processing applications will create a
 temporary backup of the file currently being edited at run-time and then
 delete it when the program terminates.  With the shredder resident, the
 user can be confident that highly confidential files have been shredded
 thoroughly (e.g., if the encryption utility didn't sufficiently shred the
 plaintext file X times before deleting it, the shredder could fill that
 gap by guaranteeing that the file would be unrecoverable).
 
 The second advantage that is addressed by the shredder is the problem of
 truncated files, which is often overlooked.  When a file is truncated back
 to a smaller size, any information that was stored in the file past the
 truncation point is then marked as "unused" via DOS's housekeeping
 services.  [i.e., DOS shortens a file's size by deallocating the file's
 entries reserved in the FAT, starting from the last entry and moving
 backwards towards the first entry.]
 
 Since this information that is now "unused" is only marked as such, a   
 skilled person with the right utilities, time, and know-how could  
 inspect and reconstruct the rest of the file.  When resident, the 
 shredder fixes this problem by shredding the rest of the file after the 
 truncation point.

 As mentioned earlier, deleted files should also be shredded to ensure
 that they will be unrecoverable.  If the deleted data has not been written 
 over sufficiently, it is possible to restore most, if not all, of the erased
 information through utilities such as MSDOS's "undelete", Norton
 Utilities [tm] "unerase", or through a data-recovery service.

 This new program should be loaded with one question in mind:  Do I want
 to keep the information in the particular file or document private?  If
 the answer is yes, then this program is certainly beneficial.
 Unfortunately, the tradeoff is obvious: any information that is shredded
 is NOT recoverable.  Once a file has been deleted, it is gone forever.

 To minimize the chance of the file being recovered through data recovery
 services, the shredder can be configured to re-shred the file X number of
 times.  Currently, the default is one pass, but the user can select the
 option to overwrite the file up to twenty times.



 PLEASE NOTE:                            
 It is assumed that for safety, operators will not have any accidents through
 file deletion, truncation, or otherwise, since they will have an adequate
 backup of any files that they intend to keep or use.


 2.  TERMS AND CONDITIONS OF USE

 The user, licensee or any third party receives no warranty expressed or
 implied and there are expressly excluded all warranties of merchantability
 and fitness for a particular purpose. In no event will I be liable to you
 for any damages arising from your use, or your inability to use this
 documentation or software. This includes but is not limited to lost profits
 or savings, loss of data, or any liability from exemplary, consequential,
 or incidental damages even if I have been advised of the possibility
 of such damages (i.e. this software is offered on an "AS-IS" basis).

 This software is shareware.  Please register this program if you are still
 going to use it after the 21 day trial period.  Individuals using this
 program for use at home (that is, on a personally owned computer for
 non-commercial purposes) may use this program free of charge.  By purchasing
 one software license, the user is entitled to install and/or use this
 software in a manner such that it exists on only one computer for any given
 moment. There is no transfer of ownership for any of the intellectual property.
 This software must not be reverse engineered, disassembled, re-compiled, or
 patched in any way.

 For registration and distribution information, please see the files
 "register.txt" and "distrib.txt", respectively.


3.  Shredders' command-line and keyboard control options

  The shredder is a TSR which is loaded from DOS.  There are a few command-
  line options which enhance the use of this program, such as the ability to
  switch the shredder on or off, to print filenames to console, or to select
  the total number of iterations through which the file will be shredded.

  The parameters are as follows:
  
  Switch functions  
  (where '+'=on and '-'=off)
  +/-a   to activate/de-activate shredder               (default->active)
  +/-d   to enable/disable the displaying of the        (default->enabled)
         shredded filename to the console            
      
         (NOTE: the filenames are not displayed when in Windows mode) 

  /n     where n signifies the # of iterations in which the file is shredded. 
         A higher number provides better security but slows down disk 
         performance.
         [the range of n is 1..20]                      (default->1)
 
   


  Example:
   
  shred -d +a /5
  -do not display messages, activate shredder, and overwrite files five
   times


  Keyboard Sequence:

  If the shredder is enabled to shred files, the user can prematurely
  abort the shredding process by holding down the left-control +
  left-shift keys.  This will skip over the shredding process and pass
  control back to the previous DOS call.

  Once the shredder is resident, it will then intercept all delete and 
  file truncation calls from DOS's DEL command, applications, utilities,  
  etc., and will shred all of the files before they are passed onto the   
  original DOS operation.

 Alternatively, if the user wants to control the shredding process, a simple
 batch file could be constructed, which could turn the file shredder on/off
 when needed.  Assume that the operator habitually loads up files with the
 word processor XYZ.EXE and then encrypts the files with the program
 CRYPT.EXE.  The batch file XY.BAT could be easily constructed from the
 command line or a text editor.


 <in COMMAND.COM>

 copy CON XY.BAT

 REM enable the shredder
 shred +a
 REM load up word processing program to work on file
 XYZ.EXE
 REM then encrypt the file
 CRYPT.EXE
 REM disable the shredder
 shred -a
 ^Z


 If the whole disk needs to be wiped, the shredder could be used with 
 a program such as the deltree command from DOS, starting at the root 
 directory with the recursive directory search selected.  Similarly,
 there are commercial utilities which could wipe the entire media, such
 as Norton's WipeInfo.  Alternatively, some data recovery services such
 as Ontrack Computer Services provide this service to ensure that any 
 information on the media will be permanently unrecoverable.


4. Technical information
  
  A. Interrupt Handler

  INT 21h - Shredder v1.0 -  RESIDENT CHECK/SET PARAMETERS
          AX = FFAFh
          BH = if FFh, then set the program parameters as specified in BL, CL
               otherwise, return resident status and current parameters
          BL = XXXXXX1Xb -> enable messages
               XXXXXXX1b -> enable shredding 
          CL = # of iterations to shred file

  Return: AX = F00Dh             - if shredder is resident
          BL = current settings of shredder (see BL above)
          CL = # of iterations to shred file 
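
  As an added illustration (not the program's own code), the C example below
  maps the section 3 switches onto the BH/BL/CL values of the AX = FFAFh call.
  model_int21() is a constructed stand-in for the resident handler so that the
  exchange runs without DOS; the function names, the query-before-set step and
  the handler answering AX = F00Dh after a set are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#define SHRED_FN      0xFFAFu  /* AX on entry */
#define SHRED_PRESENT 0xF00Du  /* AX on return when the shredder is resident */
#define FLAG_SHRED    0x01u    /* BL = XXXXXXX1b: enable shredding */
#define FLAG_MSGS     0x02u    /* BL = XXXXXX1Xb: enable messages */

struct regs { uint16_t ax; uint8_t bh, bl, cl; };

/* Constructed stand-in for the TSR's state, starting at the section 3 defaults. */
static uint8_t tsr_flags = FLAG_SHRED | FLAG_MSGS, tsr_passes = 1;

/* Model of the handler: BH = FFh sets BL/CL, any other BH only queries. */
void model_int21(struct regs *r)
{
    if (r->ax != SHRED_FN) return;            /* not ours: the TSR would chain to DOS */
    if (r->bh == 0xFF) { tsr_flags = r->bl & 0x03u; tsr_passes = r->cl; }
    r->ax = SHRED_PRESENT; r->bl = tsr_flags; r->cl = tsr_passes;
}

/* Turn switches such as "-d" "+a" "/5" into a set request in *r.
   Returns 0 on success, -1 if not resident, unknown switch, or n outside 1..20. */
int build_request(int argc, const char **argv, struct regs *r)
{
    struct regs q = { SHRED_FN, 0x00, 0, 0 };
    model_int21(&q);                           /* query first: keep unchanged settings */
    if (q.ax != SHRED_PRESENT) return -1;
    r->ax = SHRED_FN; r->bh = 0xFF; r->bl = q.bl; r->cl = q.cl;
    for (int i = 0; i < argc; i++) {
        const char *s = argv[i];
        if ((s[0] == '+' || s[0] == '-') && s[1] && !s[2]) {
            uint8_t bit = s[1] == 'a' ? FLAG_SHRED : s[1] == 'd' ? FLAG_MSGS : 0;
            if (!bit) return -1;
            if (s[0] == '+') r->bl |= bit; else r->bl &= (uint8_t)~bit;
        } else if (s[0] == '/') {
            char *end;
            long n = strtol(s + 1, &end, 10);
            if (end == s + 1 || *end || n < 1 || n > 20) return -1;
            r->cl = (uint8_t)n;
        } else return -1;
    }
    return 0;
}

int main(void)
{
    const char *args[] = { "-d", "+a", "/5" };  /* the example from section 3 */
    struct regs r;
    return build_request(3, args, &r);
}
```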



  B. Truncated Files Problem (expanded):

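 BLOCK  1      2      3      4      5      6      7      8
     +------+------+------+------+------+------+------+------+
     |start |                                         | end  |
     |  of  | <- d a t a  s t o r e d  i n  f i l e ->|  of  |
     | file |                                         | file |
     +------+------+------+------+------+------+------+------+
     ^---------------allocated by file system----------------^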
 
 Assume for simplicity that an unencrypted (plaintext) file consists of eight
 blocks of data where each file block is of equal length.  The file is arranged
 in sequential order where the first X bytes of the file are in block 1, the 
 next X bytes in 2nd block, etc., up to the 8th block.

 The data file containing confidential information is edited with a standard
 word processor, and it is encrypted through an encryption program when the
 word processor terminates.

 Assume that the user has finished editing the file and had deleted some text
 which was equivalent to 2 blocks of information.  The layout is as
 follows:

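 BLOCK  1      2      3      4      5      6      7      8
     +------+------+------+------+------+------+------+------+
     |start |                           | end  | old  | end  |
     |  of  |                           |  of  | file |  of  |
     | file |                           | file | data | file |
     +------+------+------+------+------+------+------+------+
     ^--------allocated by file system---------^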


 The 7th and 8th blocks that were once reserved for the file are now freed up,
 and the plaintext information can be viewed with a sector editor, as the
 information was not encrypted.  [NOTE: this may create a problem in
 higher security operations if the two blocks were reclaimed by another file,
 as there might be some magnetic residue left from the old data.]

 The shredder program solves this problem by intercepting any file-truncation
 requests; blocks 7 and 8 would be shredded before the shredder passes
 control to DOS for the truncation operation.
 


  C.  Miscellaneous

  If the TSR file shredding method were not used, the operator would have to
  do several things to ensure the same level of security.  First, the user
  would have to invoke the shredder application to overwrite the file.
  Secondly, the slack space at the end of the file must be shredded in case
  the file was edited.  Finally, any unused disk space must be shredded too,
  since it is possible that the file was truncated by more than one disk
  cluster.  Another possible approach would be to just delete the file(s) and
  then to immediately shred all of the free disk space on the particular
  drive.  Unfortunately, this method is rather tedious, since the program
  must shred all of the remaining free disk space every time a number of
  files are deleted.  In either case, the application-based shredder would
  at best be "as-is" in a higher security environment, since a new file could
  claim some of the free disk space that was once occupied by a confidential
  file (refer to truncated files problem mentioned earlier).

  Files which have been shredded and then undeleted will have a file size
  which is perfectly divisible by 512.  The reason for this is that the 
  shredder program rounds up to remove the slack space at the EOF for the 
  last sector.

  In the introduction of this documentation, it was mentioned that shredding
  a file makes it virtually impossible to recover the information that was in
  it.  The lack of 100% certainty is based on mechanical imperfections of the
  hard drive itself.  When information is written onto a track, there is a
  physical boundary as to where it can be written.  Unfortunately, this area
  may not always be consistent if the head is not perfectly aligned to the
  track.  Physical imperfections such as head misalignment may cause traces 
  of older data to be inaccessible to future write requests, or thermal 
  expansion may cause the head to move slowly away from the range of the 
  track, which would cause a certain proportion of the track to be 
  inaccessible at points in time.  

  [NB: the data may be there but recovering it is another thing!]  

  If security is the utmost concern, the person could always take their media
  to a data recovery service to have the information wiped, or they could
  melt their drives back into a chunk of metal.  Unfortunately, both of these
  choices are expensive, and the user must weigh the benefits of protecting
  their information against the costs for it.


 -----------------------------
  All trademarks and/or copyrights are property of their respective 
  holders.

  Shredder Documentation,
  Copyright 1998, Mike Bordynuik