Re: deleted files
"Jim" <james@the-computer-shop.co.uk> wrote in message
news:B2s6h.10238$bC3.8733@newsfe7-win.ntli.net...
>> Problem is the other way around, here. I deleted a set of files, emptied
>> recycle bin, deleted more the next day and emptied again. Today the first
>> set of files were back in the folder that had been deleted from. Only
>> explanation I can think of is that there was a brief power outage that day,
>> so the system went down and restarted. I remember win98 and 95 used to do
>> these automatic registry restores periodically, but I didn't think that
>> deleted files and former folder contents were stored in the registry.
>>
>
> they're not - FAT file systems have two FAT tables. One's a backup; not that
> that does much good, because it's essentially a mirror of the primary.
> NTFS uses journaling and backgrounding to give the illusion of a faster
> filesystem. Now, the backgrounding (which makes heavy use of the large
> caches found on very modern drives) isn't much use to you if there's a
> power cut or if you're running a PVR on your system (you need realtime
> writing to disk - no caching), however the journal is where you become
> unstuck from a security viewpoint.
>
>> From a security point of view - does this mean that deleted files, with
>> recycle bin emptied, are not really deleted?
>>
>
> answer: deleting a file on an NTFS filesystem merely removes it from the
> current journal. The file is still physically on the drive. The allocated
> space is flagged for overwriting and bumped to the back of the write queue,
> where it is forgotten about, until it reaches the front of the write queue
> and is overwritten. On an average system, this can take /months/
> considering light usage (browsing, writing documents, etc). On a heavy-use
> system (such as a PVR) this can take a few days. Or even a few hours. Even
> then the chances of that space being entirely overwritten in order are
> fairly remote, so something of the original file will remain - very likely
> enough to use as evidence after a forensic search.
I'm ok with the forensic matters of total destruction of traces - this is
more a personal thing.
Anybody can come in and examine all of my computers all they want - there is
nothing of great importance.
But this was a collection of personal and family things for my personal
journals, and when I was finished I deleted the working copies. Nobody else
here has the ability or the interest to try to 'undelete' files. I just
expected that XP would leave them deleted, and not restore them without my
knowledge or consent.
Is there an easy way to force writing of the cache? I recall a discussion of
this in one of the linux newsgroups a few months ago.
OK, so perhaps it was just bad timing. But now all the important stuff stays
on the linux machines. Or does ext3 have the same issues?
I will test this when I have a bit of time - to see if I can duplicate the
results.
Thanks for a most useful explanation.
Stuart