Ultra Quick Erase should not be relied upon

jackjack

Member
Jesse Kornblum has just released SSDeep, which is a fuzzy hashing tool. Unlike normal hashing tools (such as md5sum, md5deep), ssdeep allows an investigator to compare portions of a file with a known good file hash.

With the way ultra quick erase works, just deleting the first and last 2k of a file, it still leaves enough of the file that a fuzzy hash will work.

(Note: comparing a fuzzy hash requires access to the original file, so if you are dealing with files only you have, the threat is reduced; however, if you are erasing porn, warez, etc., this is very much an issue.)

For more information on it, take a listen to an interview with Jesse on Cyberspeak.
 

Carver

Member
I know this feature was meant to save time, but maybe instead of 2k it should be 10k.
 

garrett01

Administrator
Staff member
Would 10k work? What about a big file, etc.?

Garrett
 

jackjack

Member
No, SSDeep will still be able to get a matching hash regardless of how much you take at the beginning and end; the middle will still be intact, and that is what will be used to get a matching hash.

Listen to the podcast I linked to and Jesse explains how to defeat his ssdeep hashing...
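
Added example, not part of any post in this thread: a simplified piecewise hash (not ssdeep's actual algorithm) showing why wiping only the ends of a file, whether 2k or 10k, leaves it matchable against the original. The function names, the zero-fill erase model and the random sample data are assumptions constructed for the illustration.

```python
import hashlib
import random

def pieces(data, window=7, modulus=256):
    """Cut data wherever a rolling sum of the last `window` bytes hits a
    trigger value, so piece boundaries depend on content, not file offsets.
    Returns the set of truncated digests of the pieces."""
    digests, start = set(), 0
    rolling = sum(data[:window])
    for i in range(window, len(data)):
        if rolling % modulus == modulus - 1:
            digests.add(hashlib.sha256(data[start:i]).hexdigest()[:16])
            start = i
        rolling += data[i] - data[i - window]
    digests.add(hashlib.sha256(data[start:]).hexdigest()[:16])
    return digests

def quick_erase(data, n):
    """Assumed model of the erase: zero only the first and last n bytes."""
    return bytes(n) + data[n:-n] + bytes(n)

def similarity(original, candidate):
    """Fraction of the original's pieces that also occur in the candidate."""
    a, b = pieces(original), pieces(candidate)
    return len(a & b) / len(a)

def whole_file_match(original, candidate):
    """What a conventional hash comparison (md5sum style) reports."""
    return hashlib.md5(original).digest() == hashlib.md5(candidate).digest()

# Constructed sample data: two unrelated 64 KiB files.
_rng = random.Random(2006)
ORIGINAL = bytes(_rng.getrandbits(8) for _ in range(64 * 1024))
UNRELATED = bytes(_rng.getrandbits(8) for _ in range(64 * 1024))

if __name__ == "__main__":
    for n in (2048, 10240):
        erased = quick_erase(ORIGINAL, n)
        print(f"wipe {n:>5} bytes per end: md5 match={whole_file_match(ORIGINAL, erased)}, "
              f"piecewise similarity={similarity(ORIGINAL, erased):.2f}")
    print(f"unrelated file: piecewise similarity={similarity(ORIGINAL, UNRELATED):.2f}")
```

Only overwriting the whole file removes the intact middle that the piecewise comparison keys on.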
 