Rasori Posted January 17, 2004 I was just in an argument over this. Maybe I don't know as much about computers as I thought I did, but I was told that a memory or hard drive wipe doesn't do anything if there was something you wanted to hide. I'm sure there was some exaggeration, but the other person said that every keystroke, even mistakes, is saved in the computer and can't be deleted via memory wipe, and no matter how many times you try to delete a file it still exists in a restricted part of your computer. I don't think it's true, I mean it doesn't fit from a business point of view (if you can fit that much info in something so small you can't find it when looking for it, why not make normal storage with this technology?) or from a personal point of view (if this information is saved, how can the memory wipe give you back the original space on the hard drive?). Then, of course, there's also the fact that if the FBI or someone can get into this info, an average person can if they try and then delete it themselves. So who's right? Does a memory wipe only hide the obvious stuff (their opinion) or does it wipe it all (my opinion)?
LuTze Posted January 17, 2004 If you're talking about a computer's RAM, then anything in that will disappear a couple of microseconds after the power is switched off, because it is volatile storage. The hard disk itself is different. It stores data magnetically, in a file system. A file system is a way of organising data on the disk so the operating system knows where to find it. Generally, information about where a file is stored on a disk is contained in something called an 'inode'. When you 'delete' a file in Windows, all you are actually doing is deleting this inode, not the data itself. This just means that the operating system no longer knows where to find the file - in time the space used by the file itself will probably be overwritten by something else, but until then it's hanging around waiting for someone to find it. To get rid of something completely, you need a program that will remove the inode, and the actual file's data. You can get programs that write over the data several times with 'random' stuff, just to be sure. PGP does this I think. The 'Secure Delete' function in Mac OS X does a similar thing.
Cap'n Refsmmat Posted January 17, 2004 Yes, that is true somewhat. You can get them to go away. It just drops that file from the directory. This could be likened to forgetting something. It is still in your brain, you just can't find it. Eventually you do, and remember it.
Rasori (Author) Posted January 17, 2004 What if you were to completely erase the contents in the file and save it blank, then delete the corresponding inode. Wouldn't the file then just show up blank?
Cap'n Refsmmat Posted January 17, 2004 But if you erase the contents and save it blank, it takes less space, and so parts of the original will now be deleted. Someone with proper training can get in and read it. If you were to change it to a bunch of garbled stuff of the exact same size, your file would only have that. The original would be gone.
LuTze Posted January 17, 2004 It depends where on the disk the operating system decides to put the modified file. It could put it somewhere else on the disk, then modify the inode to point to the new location.
Rasori (Author) Posted January 17, 2004 Hmm... But then, if all deletion does is destroy the inode, how does a memory wipe get you back all your original space (the impossible-to-get-to files would still take up their space, no?)
LuTze Posted January 17, 2004 Yes and no: once you delete the inode the operating system no longer 'sees' the file, so considers the space taken up by it available. That's why it will eventually be overwritten by something else.
Rasori (Author) Posted January 17, 2004 So if you keep your hard drive full you have nothing to worry about? Except a damn slow computer, of course...
LuTze Posted January 17, 2004 Well if it's close to full you'll have fragments of files all over the place...
Rasori (Author) Posted January 17, 2004 Now, how exactly could investigators access these files that don't have inodes?
LuTze Posted January 17, 2004 There are a few ways to do it, ranging from "very simple" to "very complicated and OTT". Have a look here: http://www.usenix.org/publications/library/proceedings/sec96/full_papers/gutmann/
Cap'n Refsmmat Posted January 17, 2004 Special programs that allow you to access any part of the drive. In fact, I believe that spy Hansen (or Walker) re-formatted a hard drive so it appeared to have less space than it actually did. The information given to the KGB was on the space that "didn't exist". It is possible to read the information that was deleted, you just have to look.
YT2095 Posted January 17, 2004 Does re-orging the HDD stamp over the data? Sometimes the files get fragmented and access time takes ages; a re-org or a de-fragger fixes that, but would it wipe the other stuff?
aommaster Posted January 17, 2004
Rasori said: "I'm sure there was some exaggeration, but the other person said that every keystroke, even mistakes, are saved in the computer and can't be deleted via memory wipe, and no matter how many times you try to delete a file it still exists in a restricted part of your computer."
Hmmmm.... I don't know about keystrokes, but files that are deleted from the recycle bin still exist on your computer, it's just a matter of finding them. That's how recovery software works. Usually, they say that they will recover deleted files. They work by scanning the whole hard disk for these types of files. Of course they aren't 100% efficient, but they do quite a good job. Once, one whole hard drive got erased for some mysterious reason. I used that and got back most of my files!
YT2095 Posted January 17, 2004 Keystrokes will be stored in the keyboard buffer (in RAM) but not on the HDD unless you use special capture s/ware (it's for ripping passwords and stuff). The only other time I know of is with some telnet clients: mistakes and keystrokes are always sent regardless.
aommaster Posted January 17, 2004 Yeah. I was not really sure about the keystrokes. If that is true (which it likely is) then it would be very easy to obtain someone's password. As for password finders, they work in a different way. They actually UNMASK the password. They don't obtain it from the RAM. Since the password is on the screen, they just simply unmask it. Some, however, DO access the password from the RAM. YIKES!!!
SmokingSkillz Posted January 17, 2004 Windows' virtual memory manager writes memory pages to pagefile.sys, so it may contain random chunks of data that's been in your RAM which persists until overwritten. You can't access this file through Windows, but if you mount the partition with a Linux boot disk you can for example pipe it through strings and find useful information like keystrokes, passwords etc. Recycled files are still linked to the file system until the bin is emptied, and then the data remains on the disk until overwritten. PGP has secure delete functionality which overwrites the data blocks a few times with random data. You also get ambient data in file slack: e.g. if your fs cluster size is 4096 bytes and a cluster is allocated to a 1k file there will be 3k of slack space sat behind the file; this will contain whatever was allocated previously to that cluster. The whole cluster is allocated but the filesystem can only see 1k of it. So a defrag will likely replace a lot of unallocated clusters but the slack space will remain. TASK is an open source toolkit for analysing/recovering file system structures, at http://www.opensourceforensics.org
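As an added illustration of the inode and slack-space points made in LuTze's and SmokingSkillz's posts above (example code written here, not from any of the posters): a toy cluster-allocated disk in Python where delete() only drops the inode, a raw scan still finds the bytes, a smaller file reusing the cluster leaves the old data in its slack, and an in-place overwrite of whole clusters removes it. The ToyDisk class, file names and payloads are all constructed for the demo.

```python
import os

CLUSTER = 4096  # cluster size from SmokingSkillz's example; the disk itself is a toy

class ToyDisk:
    """Raw bytes plus an inode table (name -> clusters, size); delete() drops only the inode."""
    def __init__(self, clusters):
        self.data = bytearray(CLUSTER * clusters)
        self.free = list(range(clusters))
        self.inodes = {}
    def write(self, name, payload):
        n = -(-len(payload) // CLUSTER)            # clusters needed (ceil division)
        clusters = [self.free.pop(0) for _ in range(n)]
        for i, c in enumerate(clusters):
            chunk = payload[i * CLUSTER:(i + 1) * CLUSTER]
            # Only len(chunk) bytes are touched; the rest of the cluster is slack
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.inodes[name] = (clusters, len(payload))
    def read(self, name):
        clusters, size = self.inodes[name]
        raw = b"".join(bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER]) for c in clusters)
        return raw[:size]                          # the file system only "sees" size bytes
    def delete(self, name):
        clusters, _ = self.inodes.pop(name)
        self.free = sorted(self.free + clusters)   # space marked available, bytes untouched
    def carve(self, marker):
        """Raw scan of every byte, ignoring the inode table (what recovery tools do)."""
        return self.data.find(marker) != -1
    def secure_delete(self, name, passes=3):
        """Overwrite the file's whole clusters in place, slack included, then drop the inode."""
        clusters, _ = self.inodes[name]
        for _ in range(passes):
            for c in clusters:
                self.data[c * CLUSTER:(c + 1) * CLUSTER] = os.urandom(CLUSTER)
        self.delete(name)

def demo():
    """Constructed scenario: (found after delete, found in slack, bytes seen, found after overwrite)."""
    disk = ToyDisk(4)
    secret = b"SECRET-PAYLOAD " * 10               # 150 bytes, fits in one cluster
    disk.write("secret.txt", secret)
    disk.delete("secret.txt")
    found_after_delete = disk.carve(b"SECRET-PAYLOAD")   # inode gone, bytes still there
    disk.write("note.txt", b"hello")               # reuses the same cluster, overwrites 5 bytes
    found_in_slack = disk.carve(b"SECRET-PAYLOAD")       # old data survives in the slack
    seen = len(disk.read("note.txt"))              # the file system reports only 5 bytes
    disk.secure_delete("note.txt")
    found_after_overwrite = disk.carve(b"SECRET-PAYLOAD")
    return found_after_delete, found_in_slack, seen, found_after_overwrite
```

On a real file system the OS may relocate a rewritten file instead of overwriting in place (LuTze's point above), so this in-place overwrite is not a guarantee there.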
aommaster Posted January 17, 2004 Nice. Thanks for the info. Really useful to know.
YT2095 Posted January 17, 2004
10 for a = 0 to (top mem)
20 b= peek a
30 if b < 48 or > 91 goto 50
40 print chr$(b),
50 next a
That used to work on the older machines to complete a mem dump as ASCII codes; it would rip passwords from the buffers lovely. It MAY work on newer machines? I've never tried it.
YT2095 Posted January 17, 2004
10 for a = 0 to (top mem)
20 b= peek (a)
30 if b < 48 or b > 91 goto 50
40 print chr$(b);
50 next a
That used to work on the older machines to complete a mem dump as ASCII codes; it would rip passwords from the buffers lovely. It MAY work on newer machines? I've never tried it.
Rasori (Author) Posted January 17, 2004 What if you were to try to access the files through DOS? My first inclination is to say no because you still have to find the name of the file and everything, but there's a LOT of stuff you can do in DOS if you know how...
YT2095 Posted January 17, 2004 If you mean me, it's a simple program in BASIC to read all the buffers in RAM and display them as text, ignoring all the other codes like clear screen and bell etc... and only displaying usable text.
SmokingSkillz Posted January 17, 2004 It would probably work on a Spectrum, but I think you'd get a load of GPFs on Windows (each process has its own virtual memory space and can't address outside of it). Having said that, WinHex has a RAM editor that manages to do it, so god knows.
SmokingSkillz Posted January 17, 2004
Rasori said: "What if you were to try to access the files through DOS? My first inclination is to say no because you still have to find the name of the file and everything, but there's a LOT of stuff you can do in DOS if you know how..."
Sorry but DOS is shite. There's a lot of stuff you can do with Sauerkraut but it doesn't make it any better.