Posted

I was just in an argument over this. Maybe I don't know as much about computers as I thought I did, but I was told that a memory or hard drive wipe doesn't do anything if there was something you wanted to hide.

 

I'm sure there was some exaggeration, but the other person said that every keystroke, even mistakes, are saved in the computer and can't be deleted via memory wipe, and no matter how many times you try to delete a file it still exists in a restricted part of your computer.

 

I don't think it's true, I mean it doesn't fit from a business point of view (if you can fit that much info in something so small you can't find it when looking for it, why not make normal storage with this technology?) or from a personal point of view (if this information is saved, how can the memory wipe give you back the original space on the hard drive?). Then, of course, there's also the fact that if the FBI or someone can get into this info, an average person can if they try and then delete it themselves.

 

So who's right? Does a memory wipe only hide the obvious stuff (their opinion) or does it wipe it all (my opinion)?

Posted

If you're talking about a computer's RAM, then anything in that will disappear a couple of microseconds after the power is switched off, because it is volatile storage.

The hard disk itself is different. It stores data magnetically, in a file system. A file system is a way of organising data on the disk so the operating system knows where to find it. Generally, information about where a file is stored on a disk is contained in something called an 'inode'. When you 'delete' a file in Windows, all you are actually doing is deleting this inode, not the data itself. This just means the operating system no longer knows where to find the file - in time the space used by the file itself will probably be overwritten by something else, but until then it's hanging around waiting for someone to find it.

To get rid of something completely, you need a program that will remove the inode, and the actual file's data. You can get programs that write over the data several times with 'random' stuff, just to be sure. PGP does this I think. The 'Secure Delete' function in Mac OS X does a similar thing.

Posted

Yes, that is true somewhat. You can get them to go away. It just drops that file from the directory. This could be likened to forgetting something. It is still in your brain, you just can't find it. Eventually you do, and remember it.

Posted

What if you were to completely erase the contents in the file and save it blank, then delete the corresponding inode. Wouldn't the file then just show up blank?

Posted

But if you erase the contents and save it blank, it takes less space, and so parts of the original will now be deleted. Someone with proper training can get in and read it. If you were to change it to a bunch of garbled stuff of the exact same size, your file would only have that. The original would be gone.

Posted

It depends where on the disk the operating system decides to put the modified file. It could put it somewhere else on the disk, then modify the inode to point to the new location.
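The same-size overwrite discussed in the posts above, as an added example that is not code from any poster: it overwrites a file's bytes in place with random data before the file is removed. It assumes the filesystem writes the new bytes over the old blocks; as the last post notes, the operating system may put them elsewhere (journaling or copy-on-write filesystems and SSD wear levelling all do this), in which case the original blocks survive.

```python
import os
import tempfile

def overwrite_in_place(path, passes=3):
    """Overwrite every byte of an existing file with random data, same size."""
    size = os.path.getsize(path)
    # "r+b" opens without truncating, so writes target the existing
    # allocation rather than a new, shorter file.
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                chunk = os.urandom(min(remaining, 1 << 20))
                f.write(chunk)
                remaining -= len(chunk)
            # Push the data out of the process and OS caches to the device.
            f.flush()
            os.fsync(f.fileno())
    return size

def demo():
    # Constructed sample file: 700 bytes of recognisable content.
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"secret " * 100)
    written = overwrite_in_place(path)
    with open(path, "rb") as f:
        after = f.read()
    os.remove(path)  # only now drop the directory entry
    return written, len(after), b"secret" in after, os.path.exists(path)

if __name__ == "__main__":
    print(demo())
```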

Posted

Hmm...

But then, if all deletion does is destroy the inode, how does a memory wipe get you back all your original space (the impossible-to-get-to files would still take up their space, no?)

Posted

Yes and no, once you delete the inode the operating system no longer 'sees' the file, so considers the space taken up by it available. That's why it will eventually be overwritten by something else.

Posted

Special programs that allow you to access any part of the drive. In fact, I believe that spy Hansen (or Walker) re-formatted a hard drive so it appeared to have less space than it actually did. The information given to the KGB was on the space that "didn't exist". It is possible to read the information that was deleted, you just have to look.

Posted

Does re-orging the HDD stamp over the data?

Sometimes the files get fragmented and access time takes ages; a re-org or a de-fragger fixes that, but would it wipe the other stuff?

Posted
Rasori said

I'm sure there was some exaggeration, but the other person said that every keystroke, even mistakes, are saved in the computer and can't be deleted via memory wipe, and no matter how many times you try to delete a file it still exists in a restricted part of your computer. 

 

Hmmmm.... I don't know about keystrokes, but files that are deleted from the recycle bin still exist on your computer, it's just a matter of finding them. That's how recovery software works. Usually, they say that they will recover deleted files. They work by scanning the whole hard disk for these types of files. Of course they aren't 100% efficient, but they do quite a good job.

Once, one whole hard drive got erased for some mysterious reason. I used that and got back most of my files!

Posted

Keystrokes will be stored in the keyboard buffer (in RAM) but not on the HDD unless you use special capture software (it's for ripping passwords and stuff).

The only other time I know of is with some telnet clients; mistakes and keystrokes are always sent regardless.

Posted

Yeah. I was not really sure about the keystrokes. If that is true (which it likely is) then it would be very easy to obtain someone's password.

As for password finders, they work in a different way. They actually UNMASK the password. They don't obtain it from the RAM. Since the password is on the screen, they just simply unmask it. Some, however, DO access the password from the RAM.

 

YIKES!!!

Posted

The Windows virtual memory manager writes memory pages to pagefile.sys, so it may contain random chunks of data that have been in your RAM, which persist until overwritten. You can't access this file through Windows, but if you mount the partition with a Linux boot disk you can, for example, pipe it through strings and find useful information like keystrokes, passwords etc.

Recycled files are still linked to the file system until the bin is emptied, and then the data remains on the disk until overwritten.

PGP has secure delete functionality which overwrites the data blocks a few times with random data.

You also get ambient data in file slack:

E.g. if your fs cluster size is 4096 bytes and a cluster is allocated to a 1k file, there will be 3k of slack space sat behind the file; this will contain whatever was allocated previously to that cluster. The whole cluster is allocated but the filesystem can only see 1k of it.

So a defrag will likely replace a lot of unallocated clusters but the slack space will remain.

TASK is an open source toolkit for analysing/recovering file system structures, at http://www.opensourceforensics.org
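The delete and file-slack behaviour described in this post, as an added example that is not code from the thread or from any tool it names: a constructed toy volume (class `ToyVolume`, one cluster per file, names and sample data all hypothetical) in which delete only drops the directory entry, and a 1k file reusing a 4096-byte cluster leaves 3k of the previous contents in slack.

```python
CLUSTER = 4096  # cluster size used in the post's example

class ToyVolume:
    """Constructed model: raw bytes plus a directory of name -> (cluster, length)."""
    def __init__(self, clusters=4):
        self.raw = bytearray(CLUSTER * clusters)
        self.directory = {}
        self.free = list(range(clusters))

    def write(self, name, data):
        if len(data) > CLUSTER:
            raise ValueError("toy model: one cluster per file")
        cluster = self.free.pop(0)
        start = cluster * CLUSTER
        # Only len(data) bytes are written; the rest of the cluster is untouched.
        self.raw[start:start + len(data)] = data
        self.directory[name] = (cluster, len(data))

    def read(self, name):
        cluster, length = self.directory[name]
        start = cluster * CLUSTER
        return bytes(self.raw[start:start + length])

    def delete(self, name):
        # Ordinary delete: forget the entry, mark the cluster free, leave the bytes.
        cluster, _ = self.directory.pop(name)
        self.free.insert(0, cluster)

    def slack(self, name):
        # Bytes between the end of the file and the end of its cluster.
        cluster, length = self.directory[name]
        start = cluster * CLUSTER
        return bytes(self.raw[start + length:start + CLUSTER])

def demo():
    vol = ToyVolume()
    marker = b"account=alice;pin=0000;"         # constructed sample data
    vol.write("old.txt", b"A" * 2000 + marker + b"B" * 1000)
    vol.delete("old.txt")
    after_delete = marker in vol.raw             # raw scan still finds it
    vol.write("new.txt", b"x" * 1024)            # 1k file reuses the freed cluster
    visible = marker in vol.read("new.txt")      # the filesystem view is clean
    tail = vol.slack("new.txt")
    return after_delete, visible, len(tail), marker in tail

if __name__ == "__main__":
    print(demo())
```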

Posted

5 rem print every byte of memory whose code is in 48-91 (digits, some punctuation, upper-case letters)
10 for a = 0 to (top mem)
20 b = peek (a)
30 if b < 48 or b > 91 then goto 50
40 print chr$(b);
50 next a

that used to work on the older machines to complete mem dump as ascii codes, it would rip passwords from the buffers lovely :)

it MAY work on newer machines? I've never tried it :)

Posted

What if you were to try to access the files through DOS? My first inclination is to say no because you still have to find the name of the file and everything, but there's a LOT of stuff you can do in DOS if you know how...

Posted

If you mean me, it's a simple program in BASIC to read all the buffers in RAM and display them as text, ignoring all the other codes like clear screen and bell etc... and only displaying usable text :)

Posted

It would probably work on a Spectrum, but I think you'd get a load of GPFs on Windows (each process has its own virtual memory space and can't address outside of it). Having said that, WinHex has a RAM editor that manages to do it, so god knows.

Posted
Rasori said:

What if you were to try to access the files through DOS? My first inclination is to say no because you still have to find the name of the file and everything, but there's a LOT of stuff you can do in DOS if you know how...

Sorry but DOS is shite. There's a lot of stuff you can do with Sauerkraut but it doesn't make it any better :)
