Thread: deleted files
Old 11-14-2006, 11:11 PM
Jim
Guest

Re: deleted files

Stuart Miller came up with this when s/he headbutted the keyboard a moment
ago in alt.computer.security:

> As I understand NTFS, once a file is deleted then removed from the recycle
> bin it is not recoverable by ordinary means.


Sort of. Read below.

> There may be utilities out there to do that, and certainly after a defrag
> it will likely be gone. No problem there, but are files recoverable?
>
> Problem is the other way around, here. I deleted a set of files, emptied
> recycle bin, deleted more the next day and emptied again. Today the first
> set of files were back in the folder that had been deleted from. Only
> explanation I can think of is there was a brief power outage that day,
> so the system went down and restarted. I remember win98 and 95 used to do
> these automatic registry restores periodically, but I didn't think that
> deleted files and former folder contents were stored in the registry.
>


they're not - FAT file systems have two FAT tables. One's a backup; not that
that does much good, because it's essentially a mirror of the primary.
NTFS uses journaling and backgrounding to give the illusion of a faster
filesystem. Now, the backgrounding (which makes heavy use of the large
caches found on very modern drives) isn't much use to you if there's a
power cut or if you're running a PVR on your system (you need realtime
writing to disk - no caching), however the journal is where you become
unstuck from a security viewpoint.

> From a security point of view - does this mean that deleted files, with
> recycle bin emptied, are not really deleted?
>


answer: deleting a file on an NTFS filesystem merely removes it from the
current journal. The file is still physically on the drive. The allocated
space is flagged for overwriting and bumped to the back of the write queue,
where it is forgotten about, until it reaches the front of the write queue
and is overwritten. On an average system, this can take /months/
considering light usage (browsing, writing documents, etc). On a heavy-use
system (such as a PVR) this can take a few days. Or even a few hours. Even
then the chances of that space being entirely overwritten in order are
fairly remote, so something of the original file will remain - very likely
enough to use as evidence after a forensic search.

To expand: a normal format does not erase the contents of a partition.
Neither does repartitioning. All these do is to rewrite the partition and
FAT tables. The data area is basically untouched until it comes to actually
writing data to it with pointers from whatever filesystem resource locator
you're using (NTFS, FAT, whatever). The only sure way of destroying data
beyond recoverability (apart from physically destroying the disk) is to
make multiple passes over the drive with military-grade hard disk lowlevel
formatting software*.

*old Conner AT drives (of which I still have a few) had a notice on them
which said "WARNING: DO NOT LOW LEVEL FORMAT". This was all to do with the
fact that if you lowleveled the drive you had to rebuild it using the CHS
parameters for that specific unit. Get it wrong, you had a brick (or at the
very least, one which was misconfigured in such a way that you saw a
dropping sector every couple of seconds - rapidly rendering the drive
unusable). HD controllers nowadays are smart enough to rebuild themselves
after a LLF, so it's pretty safe to LLF a drive maybe half a dozen times
during its lifetime (being a very intensive operation, modern drives get
bloody hot during a LLF, so definitely not recommended without ample
cooling!)

> Thanks
>
> Stuart


--
-*- Linux Desktops & Clustering Solutions -*- http://dotware.co.uk
-*- Registered Linux user #426308 -*- http://counter.li.org
-*- Linux is like a wigwam: no Windows, no Gates, and Apache inside.
-*- <discl mode="Boilerplate" />

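An added illustration of the remanence point made in the reply above (this is not code from the thread): a toy block volume in Python where deleting a file only unlinks its name and marks its blocks free, a later file reuses some of those blocks, and only an explicit overwrite of the free space removes the last fragment. The volume layout, file names and contents are constructed for the demonstration; it models the principle, not NTFS's real on-disk structures.

```python
"""Toy block device: deleting unlinks metadata only; data stays until
the blocks are reused by a new file or the free space is wiped."""
from dataclasses import dataclass, field

BLOCK = 16  # bytes per block in this constructed volume


@dataclass
class ToyVolume:
    nblocks: int = 32
    disk: bytearray = field(init=False)
    free: list = field(init=False)               # True = block reusable
    dirtab: dict = field(default_factory=dict)   # name -> block numbers

    def __post_init__(self):
        self.disk = bytearray(BLOCK * self.nblocks)
        self.free = [True] * self.nblocks

    def write(self, name: str, data: bytes) -> None:
        blocks = []
        for i in range(0, len(data), BLOCK):
            b = self.free.index(True)            # first-fit allocation
            self.free[b] = False
            chunk = data[i:i + BLOCK]
            self.disk[b * BLOCK:b * BLOCK + len(chunk)] = chunk
            blocks.append(b)
        self.dirtab[name] = blocks

    def delete(self, name: str) -> None:
        # Unlink the name and free the blocks; the bytes are NOT touched.
        for b in self.dirtab.pop(name):
            self.free[b] = True

    def carve(self, needle: bytes) -> bool:
        # Raw scan of the whole device, ignoring the directory (forensic style).
        return needle in bytes(self.disk)

    def wipe_free_space(self, passes: int = 3) -> None:
        # Zero fill for determinism; real wipers use random/pattern passes.
        for _ in range(passes):
            for b, is_free in enumerate(self.free):
                if is_free:
                    self.disk[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)


def demo() -> tuple:
    vol = ToyVolume()
    secret = b"SECRET: payroll figures Q3, do not distribute"  # constructed
    vol.write("payroll.txt", secret)                 # occupies blocks 0..2
    vol.delete("payroll.txt")
    after_delete = vol.carve(b"payroll figures")     # True: still on disk
    vol.write("notes.txt", b"x" * BLOCK * 2)         # reuses blocks 0 and 1
    fragment = vol.carve(b"distribute")              # True: block 2 survives
    vol.wipe_free_space()
    after_wipe = vol.carve(b"distribute")            # False: overwritten
    return after_delete, fragment, after_wipe
```

`demo()` returns `(True, True, False)`: recoverable after delete, a fragment recoverable after partial reuse, nothing left after the free space is overwritten.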