Extent of a memory/hard drive wipe?


Rasori


I was just in an argument over this. Maybe I don't know as much about computers as I thought I did, but I was told that a memory or hard drive wipe doesn't do anything if there was something you wanted to hide.

 

I'm sure there was some exaggeration, but the other person said that every keystroke, even mistakes, is saved in the computer and can't be deleted via memory wipe, and no matter how many times you try to delete a file it still exists in a restricted part of your computer.

 

I don't think it's true, I mean it doesn't fit from a business point of view (if you can fit that much info in something so small you can't find it when looking for it, why not make normal storage with this technology?) or from a personal point of view (if this information is saved, how can the memory wipe give you back the original space on the hard drive?). Then, of course, there's also the fact that if the FBI or someone can get into this info, an average person can if they try and then delete it themselves.

 

So who's right? Does a memory wipe only hide the obvious stuff (their opinion) or does it wipe it all (my opinion)?


If you're talking about a computer's RAM, then anything in that will disappear a couple of microseconds after the power is switched off, because it is volatile storage.

 

The hard disk itself is different. It stores data magnetically, in a file system. A file system is a way of organising data on the disk so the operating system knows where to find it. Generally, information about where a file is stored on a disk is contained in something called an 'inode'. When you 'delete' a file in Windows, all you are actually doing is deleting this inode, not the data itself. This just means the operating system no longer knows where to find the file - in time the space used by the file itself will probably be overwritten by something else, but until then it's hanging around waiting for someone to find it.

 

To get rid of something completely, you need a program that will remove the inode, and the actual file's data. You can get programs that write over the data several times with 'random' stuff, just to be sure. PGP does this I think. The 'Secure Delete' function in Mac OS X does a similar thing.


But if you erase the contents and save it blank, it takes less space, and so parts of the original will now be deleted. Someone with proper training can get in and read it. If you were to change it to a bunch of garbled stuff of the exact same size, your file would only have that. The original would be gone.


Special programs that allow you to access any part of the drive. In fact, I believe that spy Hansen (or Walker) re-formatted a hard drive so it appeared to have less space than it actually did. The information given to the KGB was on the space that "didn't exist". It is possible to read the information that was deleted, you just have to look.


Rasori said

I'm sure there was some exaggeration, but the other person said that every keystroke, even mistakes, are saved in the computer and can't be deleted via memory wipe, and no matter how many times you try to delete a file it still exists in a restricted part of your computer. 

 

hmmmm.... I don't know about keystrokes, but files that are deleted from the recycle bin still exist on your computer, it's just a matter of finding them. That's how recovery software works. Usually, they say that we will recover deleted files. They work by scanning the whole hard disk for these types of files. Of course they aren't 100% efficient, but they do quite a good job.

 

Once, one whole hard drive got erased for some mysterious reason. I used that and got back most of my files!


keystrokes will be stored in the keyboard buffer (in RAM) but not on the HDD unless you use special capture s/ware (it's for ripping passwords and stuff).

the only other time I know of is with some telnet clients, mistakes and keystrokes are always sent regardless.


yeah. I was not really sure about the keystrokes. If that is true (which it likely is) then it would be very easy to obtain someone's password.

 

As for password finders, they work in a different way. They actually UNMASK the password. They don't obtain it from the ram. Since the password is on the screen, they just simply unmask it. Some, however, DO access the password from the RAM.

 

YIKES!!!


Windows virtual memory manager writes memory pages to pagefile.sys, so it may contain random chunks of data that have been in your RAM, which persist until overwritten. You can't access this file through Windows, but if you mount the partition with a Linux boot disk you can, for example, pipe it through strings and find useful information like keystrokes, passwords, etc.

 

recycled files are still linked to the file system until the bin is emptied, and then the data remains on the disk until overwritten.

 

PGP has secure delete functionality which overwrites the data blocks a few times with random data.

 

You also get ambient data in file slack:

E.g. if your fs cluster size is 4096 bytes and a cluster is allocated to a 1k file, there will be 3k of slack space sitting behind the file; this will contain whatever was allocated previously to that cluster. The whole cluster is allocated but the filesystem can only see 1k of it.

 

So a defrag will likely replace a lot of unallocated clusters, but the slack space will remain.

 

TASK is an open source toolkit for analysing/recovering file system structures, at http://www.opensourceforensics.org
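The two mechanisms described in this thread (a delete that only removes the 'inode'/directory entry, explained a few posts up, and the file slack left behind when a smaller file reuses a cluster, described just above) are easy to see on a toy model. The following is an added example written for this page, not code from the thread, from PGP, or from TASK: it models a drive as a bytearray of 4096-byte clusters with a dict standing in for the directory/inode table, and all names, sizes and file contents in it are constructed for illustration. It also shows the difference an overwrite-before-release makes, which is the behaviour the thread attributes to PGP's secure delete and OS X's Secure Delete.

```python
"""Toy cluster-based disk showing what an ordinary 'delete' leaves behind.

Added example, not code from the thread or from any real filesystem. The
disk is a bytearray of fixed-size clusters; a dict plays the role of the
directory/'inode' table the thread describes. All names, sizes and file
contents are constructed for illustration.
"""
import os
import re

CLUSTER = 4096      # cluster size used in the thread's slack-space example
NUM_CLUSTERS = 8    # a tiny medium is enough to show the effect


class ToyDisk:
    def __init__(self):
        self.raw = bytearray(CLUSTER * NUM_CLUSTERS)  # the physical medium
        self.inodes = {}                              # name -> (clusters, length)
        self.free = set(range(NUM_CLUSTERS))          # cluster numbers not in use

    def _allocate(self, n):
        # First-fit: lowest-numbered free clusters, so a cluster freed by a
        # delete is reused by the next file that needs space.
        if n > len(self.free):
            raise OSError("disk full")
        chosen = sorted(self.free)[:n]
        self.free.difference_update(chosen)
        return chosen

    def write_file(self, name, data):
        clusters = self._allocate(-(-len(data) // CLUSTER))  # ceil division
        for i, c in enumerate(clusters):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            # Only the file's own bytes are written; the rest of the last
            # cluster keeps whatever it held before (file slack).
            self.raw[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.inodes[name] = (clusters, len(data))

    def read_file(self, name):
        clusters, length = self.inodes[name]
        data = b"".join(bytes(self.raw[c * CLUSTER:(c + 1) * CLUSTER]) for c in clusters)
        return data[:length]          # the filesystem "sees" only `length` bytes

    def delete(self, name):
        # Ordinary delete: drop the directory entry and mark clusters free.
        # Nothing on the medium itself changes.
        clusters, _ = self.inodes.pop(name)
        self.free.update(clusters)

    def secure_delete(self, name, passes=3):
        # Overwrite every cluster the file occupied before releasing it,
        # the behaviour the thread attributes to PGP / OS X Secure Delete.
        clusters, _ = self.inodes.pop(name)
        for c in clusters:
            for _ in range(passes):
                self.raw[c * CLUSTER:(c + 1) * CLUSTER] = os.urandom(CLUSTER)
        self.free.update(clusters)

    def slack(self, name):
        # Bytes of the file's last cluster that lie beyond the end of the file.
        clusters, length = self.inodes[name]
        used_in_last = length - (len(clusters) - 1) * CLUSTER
        start = clusters[-1] * CLUSTER
        return bytes(self.raw[start + used_in_last:start + CLUSTER])


def carve_strings(raw, min_len=8):
    """What a 'strings'-style scan of the raw medium turns up (the thread's
    'pipe it through strings')."""
    pattern = rb"[ -~]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, bytes(raw))]


SECRET = b"SECRET REPORT: " + b"A" * 5985      # constructed 6000-byte file (2 clusters)


def deleted_file_survives():
    disk = ToyDisk()
    disk.write_file("report.txt", SECRET)
    disk.delete("report.txt")
    # No directory entry any more, yet a scan of the medium still finds it.
    return ("report.txt" not in disk.inodes
            and any(s.startswith("SECRET REPORT") for s in carve_strings(disk.raw)))


def slack_leaks_previous_file():
    disk = ToyDisk()
    disk.write_file("report.txt", SECRET)
    disk.delete("report.txt")
    disk.write_file("note.txt", b"B" * 1024)   # 1k file reuses cluster 0
    # The filesystem shows 1k; the other 3k of that cluster is the old report.
    return (disk.read_file("note.txt") == b"B" * 1024
            and disk.slack("note.txt") == SECRET[1024:CLUSTER])


def secure_delete_removes_data():
    disk = ToyDisk()
    disk.write_file("report.txt", SECRET)
    disk.secure_delete("report.txt")
    return not any("SECRET" in s for s in carve_strings(disk.raw))


if __name__ == "__main__":
    print("deleted file still on medium:", deleted_file_survives())
    print("slack holds previous file:   ", slack_leaks_previous_file())
    print("secure delete clears it:     ", secure_delete_removes_data())
```

The three checks return True, True, True: after a plain delete the whole report is still readable off the medium, the 1k note carries 3k of the old report in its slack exactly as the post above describes, and only the overwrite-then-release variant leaves nothing for a raw scan to find. On a real drive the same idea holds, with the caveats the thread raises about pagefile contents and the fact that a defrag moves allocated data around but does not clear slack.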


10 for a = 0 to (top mem)
20 b = peek(a)
30 if b < 48 or b > 91 then goto 50
40 print chr$(b);
50 next a

 

that used to work on the older machines to do a complete mem dump as ASCII codes, it would rip passwords from the buffers lovely :)

it MAY work on newer machines? I've never tried it :)



What if you were to try to access the files through DOS? My first inclination is to say no because you still have to find the name of the file and everything, but there's a LOT of stuff you can do in DOS if you know how...


Rasori said in post # :

What if you were to try to access the files through DOS? My first inclination is to say no because you still have to find the name of the file and everything, but there's a LOT of stuff you can do in DOS if you know how...

Sorry but DOS is shite. There's a lot of stuff you can do with Sauerkraut but it doesn't make it any better :)
