|
Posted by Sebastian Gottschalk on November 14, 2006, 6:17 pm
If you were Registered and logged in, you could reply and use other advanced thread options
Jim wrote:
> they're not - FAT file systems have two FAT tables. One's a backup; not that
> that does much good, because it's essentially a mirror of the primary.
> NTFS uses journaling and backgrounding to give the illusion of a faster
> filesystem. Now, the backgrounding (which makes heavy use of the large
> caches found on very modern drives) isn't much use to you if there's a
> power cut or if you're running a PVR on your system (you need realtime
> writing to disk - no caching), however the journal is where you become
> unstuck from a security viewpoint.
I'd worry much more about the MFT Mirror (same as FAT table backup). The
journal is easily cleared by filling it up with writing some bogus data.
>> From a security point of view - does this mean that deleted files, with
>> recycle bin emptied, are not really deleted?
>>
>
> answer: deleting a file on an NTFS filesystem merely removes it from the
> current journal. The file is still physically on the drive. The allocated
> space is flagged for overwriting and bumped to the back of the write queue,
> where it is forgotten about, until it reaches the front of the write queue
> and is overwritten. On an average system, this can take /months/
> considering light usage (browsing, writing documents, etc). On a heavy-use
> system (such as a PVR) this can take a few days. Or even a few hours. Even
> then the chances of that space being entirely overwritten in order are
> fairly remote, so something of the original file will remain - very likely
> enough to use as evidence after a forensic search.
However, with competent tools like SDelete or Eraser you can clear all free
disk space, all free MFT entries and the journal. Only filenames of deleted
files with pose a problem, and therefore one should at least rename the
files before deletion (those and many other tools do that automatically).
> To expand: a normal format does not erase the contents of a partition.
> Neither does repartitioning. All these do is to rewrite the partition and
> FAT tables. The data area is basically untouched until it comes to actually
> writing data to it with pointers from whatever filesystem resource locator
> you're using (NTFS, FAT, whatever). The only sure way of destroying data
> beyond recoverability (apart from physically destroying the disk) is to
> make multiple passes over hte drive with military-grade hard disk lowlevel
> formatting software*.
What about just one pass (because it simply *is* sufficient) with freely
available tools?
> HD controllers nowadays are smart enough to rebuild themselves
> after a LLF, so it's pretty safe to LLF a drive maybe half a dozen times
> during its lifetime (being a very intensive operation, modern drives get
> bloody hot during a LLF, so definitely not recommended without ample
> cooling!)
Today a low-level format only consists of filling the raw disk with zeros,
but not rebuilding the internal organization structure. And wenn, you can
easily do that with a 'dd if=/dev/zero of=/dev/hdX bs=1m' on your own.
| 
XML site map