
AFFT

Anti Filesystem-Forensic Tool


Introduction
When deleting files on a filesystem, most of you will know that the file just removed isn't really gone. Ask a forensic analyst and he or she will confirm this. Only the reference to the file is no longer shown.

How does this work?

When a filesystem is created (usually with a tool such as format, mkfs or newfs) it is like creating an empty book. You have only defined the cover and the title page, allocated the first few pages for the index, and drawn the lines on the empty pages. That's it.
With the setup just chosen, several chapters can be allocated in this new book. But a problem arises when every chapter is one page (or less) in size: we simply didn't reserve enough space in the index to reference every chapter. A filesystem has this problem too, but as an average chapter is defined as approx. 10 pages, the defined index is fine. And in a normal book it is unusual to have such small chapters.
OK, we create several chapters, or files in a filesystem. This uses some lines in the index and several pages in the book. After a while we want to remove a chapter or file. This is where it gets interesting:
Removing a file is just erasing the line in the index. Nothing more. We just forget about the pages in the book, but they are still there! A forensic researcher can do two things now: walk through the book and find the unallocated chapter or file, or search the index table for erased entries. Either way, the name and data of this chapter or file can be recovered.

What AFFT does is the following:
  1. Create as many very small files as possible. They are just 512 bytes in size (the smallest block size a hard drive can store). In this way we overwrite every possible free line in the index without reaching the last page in the book. Then we remove those files again. These index entries are called inodes in a filesystem.
  2. Create several big files. Now we consume every empty page in the book and thus overwrite any old information. Then remove them again. All the empty pages, called data blocks in a filesystem, have now been overwritten with random data.
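The two steps above written out in Python, as an added example (this is not AFFT's own code, which the page does not show): fill_inodes and fill_blocks each stop at ENOSPC or at an optional cap, and demo runs both in a scratch directory with small caps and also reports, via statvfs, the root-reserved bytes that a non-root run cannot overwrite (the point made in the Warning section). All function and file names are assumptions of this example.

```python
import errno
import os
import tempfile

SMALL_FILE_SIZE = 512  # one disk sector, as in AFFT's step 1

def fill_inodes(directory, limit=None):
    """Step 1: 512-byte random files until ENOSPC or `limit`; returns their paths."""
    created = []
    while limit is None or len(created) < limit:
        path = os.path.join(directory, "i%d" % len(created))
        try:
            with open(path, "wb", buffering=0) as fh:
                created.append(path)  # record first so cleanup still sees it
                fh.write(os.urandom(SMALL_FILE_SIZE))
        except OSError as exc:
            if exc.errno != errno.ENOSPC:  # ENOSPC: inode table (or blocks) exhausted
                raise
            break
    return created

def fill_blocks(directory, chunk=1 << 20, limit=None):
    """Step 2: stream random data into one big file until ENOSPC or `limit` bytes."""
    path = os.path.join(directory, "blocks.bin")
    written = 0
    with open(path, "wb", buffering=0) as fh:  # unbuffered, so ENOSPC surfaces here
        while limit is None or written < limit:
            want = chunk if limit is None else min(chunk, limit - written)
            try:
                written += fh.write(os.urandom(want))  # raw write may be partial
            except OSError as exc:
                if exc.errno != errno.ENOSPC:
                    raise
                break
    return path, written

def demo(max_files=20, max_bytes=65536):
    """Both steps with caps in a scratch directory, deleting the fillers again."""
    scratch = tempfile.mkdtemp(prefix="afft-demo-")
    small = fill_inodes(scratch, limit=max_files)
    small_bytes = sum(os.path.getsize(p) for p in small)
    for p in small:  # removing the files frees the inodes, which now hold random data
        os.unlink(p)
    big, n = fill_blocks(scratch, chunk=4096, limit=max_bytes)
    os.unlink(big)
    st = os.statvfs(scratch)  # f_bfree - f_bavail = blocks reserved for root
    reserved = (st.f_bfree - st.f_bavail) * st.f_frsize
    os.rmdir(scratch)  # fails if any filler was left behind
    return {"small_files": len(small), "small_bytes": small_bytes, "big_bytes": n, "reserved_bytes": reserved}
```

Calling fill_inodes and fill_blocks without a limit on a filesystem you own fills it until ENOSPC, which is what the tool does; on VFAT reserved_bytes is 0, on ext2/3 it is typically a few percent of the disk.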

What's New

May 21, 2006.
Initial version, 0.9

Usage
The usage is very simple:

afft <directoryname>

Choose a directory where you can write (no root rights needed). AFFT will create a lot of files in there and remove them again, so I advise using a new directory.

Download

AFFT version 0.9 can be downloaded: afft version 0.9

Copyright
AFFT is released under the GPL.

Warning

Be aware that overwriting data only once is not a guarantee of being totally secure (see http://www.porcupine.org/forensics/forensic-discovery/ for a detailed explanation of this theory). I have not tested this on several different filesystems and sizes of filesystems, so you might have a false feeling of security using this on your 500GB SATA disk. My tests were successful on my memory drives up to 1 GB using EXT2/3 and VFAT.

Also be aware that, when using this tool on Unix as a normal user, you will NOT overwrite the space reserved for the root user.

I wrote this tool solely for testing my own filesystem forensics skills. It is in no way a tool to guarantee your privacy or anything else. Although it can help you prevent spreading sensitive information, I advise using tools that are made for this purpose.