What happens when you move a file from one location to an encrypted volume

hungryfalcon

If I move a file to an encrypted volume, is there any trace left of the original file in its original location that could be recovered on an iPad? And if the file that I move is larger than my RAM, would that mean it would be copied to swap and potentially could be recovered?
 

EdwinG

If I move a file to an encrypted volume, is there any trace left of the original file in its original location that could be recovered on an iPad? And if the file that I move is larger than my RAM, would that mean it would be copied to swap and potentially could be recovered?

Hello,

iPadOS has no notion of a swap file, so the answer to that part of your question is no. And even if it had a swap file, a file copy operation does not use the swap file, because it has to go through device to device - so RAM or CPU cache (or straight device to device).

To the first part of your question… your iPad’s storage is always encrypted. The level of protection will vary whether you have a passcode, PIN or nothing, but it will still be enciphered at rest.
This does not mean that data cannot be recovered. It is just much harder. An actor would need to be running forensics software on your running iPadOS instance to recover data. Otherwise, they see a binary blob of garbage.

For more information, Apple has published a Platform Security Guide here: https://support.apple.com/en-ca/guide/security/sece3bee0835/web
 

hungryfalcon

Thanks for your reply.
Just to clarify, for example if I moved an unencrypted sensitive document to an encrypted internal volume and later let’s say I’m forced to do a full system decryption or someone breaks the built-in encryption. And they specifically needed to find that file I previously moved to an internal encrypted storage. Also the volume I moved that file to had a hidden volume in that storage, so I have plausible deniability. Now if they used highly sophisticated tools to find that unencrypted file from where it was moved, would that be possible or is there no trace?
 

imwjl

If a Word or Excel file suits what you're trying to do you can use AIP in your subscription to have a schema that stays with it regardless of the file system type or platform.

You can use other systems or ways to encrypt your data file but I'm not sure they would all work with an iPad's OS. You could have the file in your iCloud Drive but maybe not have the mobile app to decrypt it.
 

EdwinG

Thanks for your reply.
Just to clarify, for example if I moved an unencrypted sensitive document to an encrypted internal volume and later let’s say I’m forced to do a full system decryption or someone breaks the built-in encryption. And they specifically needed to find that file I previously moved to an internal encrypted storage. Also the volume I moved that file to had a hidden volume in that storage, so I have plausible deniability. Now if they used highly sophisticated tools to find that unencrypted file from where it was moved, would that be possible or is there no trace?

If the on-device encryption is broken, all bets are off. It means that all your unencrypted files are potentially readable.
And there are no means to ensure deletion, because of the way flash storage works. When you erase a file, it will mark the space as free and relocate the area on other parts of the “drive” to ensure it ages evenly. You can make it hard by erasing the device multiple times, but not impossible – aside from physical destruction.

All files that contain sensitive information (e.g.: social insurance number) should always be encrypted by the app that generated them stored on an encrypted volume. As @imwjl mentioned, this can take the form of Information Protection for Microsoft Office documents.
 

hungryfalcon

I understand that, but when I move a file into a separate encrypted volume created by an app like Crypto disks, which creates a volume like in VeraCrypt, then in this instance I don’t delete a file but simply move it into that encrypted container. So by this logic the file I moved cannot be retrieved, is that correct?
 

EdwinG

I understand that, but when I move a file into a separate encrypted volume created by an app like Crypto disks, which creates a volume like in VeraCrypt, then in this instance I don’t delete a file but simply move it into that encrypted container. So by this logic the file I moved cannot be retrieved, is that correct?

That is not correct for this reason:
When you are moving files between volumes (or containers), it’s actually a copy, check and erase operation. Otherwise, any disruption could lead to the loss of the file.

This said, it’s not very risky on iPadOS, because the storage is always encrypted. You would need access to the operating system to decrypt the storage (or guess the drive’s decryption key, which is not 6 digits long but is locked by your passcode).

If you are worried about the information stored on your iPad’s internal storage, make sure you have remote erase capabilities (e.g. Find My), as that will blow away the device’s decryption key, making data retrieval extremely difficult. The people that would be able to get to that information will have very advanced means (e.g. state actors) or be very dedicated (many years/decades). Caveat: a defect in the software might be found that makes it much easier, but so far, it has been rock solid.
 

hungryfalcon

So if I understand correctly, nothing ever gets deleted; when I move a file to an encrypted container, the file system marks the space where the original file resided as free space. My thinking was that moving files in a file system is analogous to putting a book in a locked safe on a bookshelf, so therefore you could not retrieve the original.
 

EdwinG

So if I understand correctly, nothing ever gets deleted; when I move a file to an encrypted container, the file system marks the space where the original file resided as free space. My thinking was that moving files in a file system is analogous to putting a book in a locked safe on a bookshelf, so therefore you could not retrieve the original.

It gets rewritten, eventually. But that can take days, weeks or months - depending on your usage of the device.
There is a finite amount of space, so it will eventually just write over freed space.

To be clear, that is done by the drive, not the operating system. The OS will gently mark the space as freed and notify the drive to free up the space.

As to moving files inside a given volume, it is correct. You're just changing the location of the file in the master table. The physical - on disk - location does not change, just the logical location changes.
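
The two kinds of move described in this thread (a rename inside one volume versus copy, check and erase between volumes), as an added example that is not part of any post above. It is a sketch for a desktop Python environment rather than iPadOS; `move_file`, `demo` and the `force_copy` switch are hypothetical names, and `force_copy` simulates a destination on another volume when only one filesystem is available.

```python
import hashlib
import os
import shutil
import tempfile


def sha256(path):
    """Hash a file in chunks so large files never need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def move_file(src, dst, force_copy=False):
    """Move src to dst; return (method, source inode, destination inode)."""
    # force_copy (hypothetical) simulates a destination on a different volume.
    src_stat = os.stat(src)
    dst_dev = os.stat(os.path.dirname(os.path.abspath(dst))).st_dev
    if src_stat.st_dev == dst_dev and not force_copy:
        # Same volume: only the directory entry changes, data blocks stay put.
        os.rename(src, dst)
        method = "rename"
    else:
        # Different volume: copy, check, then erase the original.
        shutil.copyfile(src, dst)
        if sha256(src) != sha256(dst):
            os.remove(dst)
            raise IOError("copy verification failed; original left in place")
        # Removing the file only frees its blocks; it does not overwrite them.
        os.remove(src)
        method = "copy-check-erase"
    return method, src_stat.st_ino, os.stat(dst).st_ino


def demo():
    """Run both kinds of move on constructed sample data in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        results = {}
        for name, force in (("same_volume", False), ("cross_volume", True)):
            src = os.path.join(tmp, name + ".src")
            with open(src, "wb") as fh:
                fh.write(b"constructed sample data\n" * 1000)
            results[name] = move_file(src, os.path.join(tmp, name + ".dst"), force)
        return results
```

In the rename case the inode number is unchanged, so the data never moved; in the copy case the destination is a new file and the source blocks are only released for later reuse.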
 