What You Don't See On Your Hard Drive

  1. #1
    Senior Member
    Join Date
    Oct 2002
    Posts
    112

    What You Don't See On Your Hard Drive

    I have been working on a paper dealing with how data is stored, deleted, and recovered on hard drives for the last few weeks. In the course of my research I found this paper which covers this subject more eloquently than I could ever hope for.

    http://rr.sans.org/incident/dont_see.php

    Below is the opening paragraph as a preview.

    Just because you don't see it doesn't mean it's not there. Having knowledge of something that exists, but is hidden from your sight, will give you an advantage because you know it's there. In the security field it is very important to keep up to date on the latest information available. If you don't, someone will take advantage of your ignorance. Things are always changing and becoming bigger, better, faster and sometimes sneakier. A few years back in my Information Technology career I made the change from Desktop Support to the Information Security Group. Since then I have learned a tremendous amount about security. I have learned that you have to train yourself to think differently about things, add a little paranoia. This paper will address two security concerns that I found very interesting. They both have to do with things that are not in plain sight. The first security concern covers the issue of retrieving data that has been deleted. So many people have no idea about data that is left behind when you delete files or fdisk and format your hard drive. The second issue deals with hidden access and control of your computer. I will look at what a rootkit is and look at the recent development of rootkits designed for Microsoft Windows operating systems.
    If you receive something that says 'Send this to everyone you know,' pretend you don't know me.

  2. #2
    Senior Member
    Join Date
    Dec 2001
    Posts
    321
    Great post
    And once again the SANS Institute is doing its job!
    assembly.... digital dna ?

  3. #3
    gore (AO BOFH: Luser Abuser BOFH, Moderator)
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Good job man, this is really an interesting subject I think, how computers store data and how they delete it. Most people think when you delete something it's not still there, it's gone, but in reality the computer marks it as free space and it's still there. We learned this a few weeks ago in my OSs class.
    Kill the lights, let the candles burn behind the pumpkins' mischievous grins, and let the skeletons dance. For one thing is certain, The Misfits have returned and once again everyday is Halloween. The Misfits
    FreeBSD
    Cannibal Holocaust
    SuSE Linux
    Slackware Linux

  4. #4
    Senior Member
    Join Date
    Aug 2001
    Posts
    117
    A few weeks ago all my mp3's "magically" vanished. How? Not a clue. I checked my D drive, and sure enough, the amount of available space had increased dramatically. I checked all drives, folders, files, everything. No sign of them. I fired up Norton UnErase and it found them. Where? I don't have any idea. But it was weird to see that the space the mp3's took up on my D drive WAS no longer there. They were on my system, but masked somehow.
    I'd rather die on my feet than live my life on my knees.

    (Emiliano Zapata, a Mexican revolutionary in the early 1900s)

  5. #5
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Firestarter: from what you're describing, your mp3 files were indeed deleted*: the fact that the total free space increased reflects that. Notice that I said "deleted*" with an *: when you "delete" files, you basically just erase the "index" that says where the file is stored on the disc. The content of the file itself isn't erased. Norton UnErase uses that fact to restore files that have been "deleted" but not overwritten yet: it just makes a new "index" for the file to be restored, and voila... This is how you were able to recover your mp3s...

    Ammo

    Hey, quickly reading the SANS article, I notice they didn't mention NTFS hidden data streams which can also be used to hide data... Oddly they already have an article describing that though..! : http://rr.sans.org/threats/win_NTFS.php

    A few utilities exist that can find hidden data streams on your disks, Foundstone has one: SFind: http://www.foundstone.com/knowledge/...c-toolkit.html

    Ammo
    Credit travels up, blame travels down -- The Boss

  6. #6
    Senior Member
    Join Date
    Aug 2001
    Posts
    117
    A question then: You have a partitioned drive. C drive is 5G and D drive is 10G. You go to Kazaa and download 9.9G of mp3's on your D drive (this is a hypothetical situation). You write down a list of all these mp3's then delete them! Your PC says you have 10G of available space on your D drive again. Back to Kazaa you go and download another 9.9G of mp3's. Does this mean that your 10G D drive is actually holding 19.8G of mp3's? Or is the info from those original mp3's now actually overwritten and unable to be retrieved?
    I'd rather die on my feet than live my life on my knees.

    (Emiliano Zapata, a Mexican revolutionary in the early 1900s)

  7. #7
    Senior Member
    Join Date
    Jun 2002
    Posts
    405
    Your D drive would be holding all the new mp3s, having wiped the old ones to make space for the new ones. You would be unable to retrieve the old mp3s. The disk is physically unable to hold more than 10Gb of data.

  8. #8
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Like powertoad said...
    There are utilities that actually wipe "deleted" data (it in fact overwrites free space with zeros...)...

    Ammo
    Credit travels up, blame travels down -- The Boss
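The mechanism ammo describes in #5 (deleting erases the "index", not the contents, and an UnErase-style tool rebuilds the index), the overwrite case powertoad answers in #7, and the free-space wipe in #8, shown together as an added toy model in Python. This is an illustration written for this thread, not code from any of the posters, from Norton UnErase or from the SANS paper; the block/index layout, the 16-byte block size, the 8-block "disk" and the file names are constructed assumptions, not any real filesystem's on-disk format.

```python
"""Toy disk: a raw "platter" of fixed-size blocks plus a directory index.
Deleting a file only flags its index entry and hands its blocks back to the
allocator; the bytes stay on the platter until a later write reuses the blocks
or a wipe utility zeros the free space. (Constructed model, not a real FS.)"""
from dataclasses import dataclass

BLOCK_SIZE = 16   # bytes per block (toy value; real disks use 512 or 4096)
NUM_BLOCKS = 8    # a very small disk so that reuse of blocks is easy to observe


@dataclass
class DirEntry:
    name: str
    size: int
    blocks: list           # block numbers holding the file's data
    deleted: bool = False  # delete() only flips this flag; data blocks are untouched


class ToyDisk:
    def __init__(self):
        self.platter = bytearray(BLOCK_SIZE * NUM_BLOCKS)  # raw medium, starts zeroed
        self.index = {}                                     # name -> DirEntry ("the index")
        self.free = list(range(NUM_BLOCKS))                 # allocator's free list

    def free_space(self):
        """What the OS reports as available: free blocks, whatever bytes they hold."""
        return len(self.free) * BLOCK_SIZE

    def write(self, name, data):
        if name in self.index and not self.index[name].deleted:
            self.delete(name)                               # replacing: release old blocks
        nblocks = -(-len(data) // BLOCK_SIZE)               # ceiling division
        if nblocks > len(self.free):
            raise OSError("disk full")
        blocks = [self.free.pop(0) for _ in range(nblocks)] # lowest-numbered free blocks
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.platter[b * BLOCK_SIZE:b * BLOCK_SIZE + len(chunk)] = chunk
        self.index[name] = DirEntry(name, len(data), blocks)

    def _read_entry(self, entry):
        raw = b"".join(bytes(self.platter[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE])
                       for b in entry.blocks)
        return raw[:entry.size]

    def read(self, name):
        entry = self.index.get(name)
        if entry is None or entry.deleted:
            raise FileNotFoundError(name)
        return self._read_entry(entry)

    def delete(self, name):
        """Normal delete: mark the entry deleted and free the blocks. No bytes change."""
        entry = self.index[name]
        entry.deleted = True
        self.free = sorted(self.free + entry.blocks)

    def _live_blocks(self):
        return {b for e in self.index.values() if not e.deleted for b in e.blocks}

    def undelete(self, name):
        """What an UnErase-style tool does: rebuild the index entry if no live file
        has reused the blocks. Returns the recovered bytes, or None if overwritten."""
        entry = self.index.get(name)
        if entry is None or not entry.deleted:
            raise FileNotFoundError(name)
        if self._live_blocks() & set(entry.blocks):
            return None                                     # a newer file owns the blocks
        self.free = [b for b in self.free if b not in entry.blocks]
        entry.deleted = False
        return self._read_entry(entry)                      # all zeros if free space was wiped

    def raw_search(self, needle):
        """Forensic view: which blocks still contain `needle`, index entry or not."""
        return [b for b in range(NUM_BLOCKS)
                if needle in self.platter[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE]]

    def wipe_free_space(self):
        """What the wipe utility in #8 does: overwrite every free block with zeros."""
        for b in self.free:
            self.platter[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = bytes(BLOCK_SIZE)


def demo_delete_and_recover():
    """Posts #4/#5: free space grows on delete, yet the bytes are still recoverable."""
    d = ToyDisk()
    d.write("song.mp3", b"A" * 40)            # occupies blocks 0, 1, 2
    free_before = d.free_space()              # 80
    d.delete("song.mp3")
    free_after = d.free_space()               # 128: the OS now counts those blocks as free
    blocks_with_data = d.raw_search(b"AAAA")  # [0, 1, 2]: data still on the platter
    recovered = d.undelete("song.mp3")        # b"A" * 40
    return free_before, free_after, blocks_with_data, recovered


def demo_overwrite():
    """Post #6/#7: fill the disk, delete, fill again: the old data has been overwritten."""
    d = ToyDisk()
    d.write("old.mp3", b"X" * 100)            # 7 of the 8 blocks
    d.delete("old.mp3")
    d.write("new.mp3", b"Y" * 100)            # allocator reuses the same 7 blocks
    return d.undelete("old.mp3"), d.raw_search(b"XXXX")   # (None, [])


def demo_wipe():
    """Post #8: zero the free space after deleting, and nothing is left to recover."""
    d = ToyDisk()
    d.write("secret.txt", b"S" * 20)
    d.delete("secret.txt")
    d.wipe_free_space()
    return d.raw_search(b"SSSS"), d.undelete("secret.txt")  # ([], 20 zero bytes)


if __name__ == "__main__":
    print(demo_delete_and_recover())
    print(demo_overwrite())
    print(demo_wipe())
```

`free_space()` is the number the OS shows you, and it only counts free-list entries, which is why it jumped for Firestarter while the mp3s were still physically on the platter; `raw_search()` is the view an undelete or forensic tool has. The second demo answers the 9.9G + 9.9G question in the toy: the allocator hands the same blocks to the new files, so the old contents are gone and `undelete()` reports None rather than pretending to recover them.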

  9. #9
    The Old Man (Senior Member)
    Join Date
    Aug 2001
    Posts
    364
    Darn good post, good info. I wrote a lengthy account of an incident where un-delete did a good job. But it was too boring. I de-leted it!

  10. #10
    Member
    Join Date
    Nov 2002
    Posts
    97
    Originally posted here by ammo
    (it in fact overwrites free space with zeros...)...
    Nothing big, but I think what happens when data is wiped from a HDD is that rather than be a zero or a one, the magnetic charges on the platter are just randomly scattered about.

    Again, nothing even remotely important, but I was just pretty sure that's what happens. I guess the heads would read those as zeros, though.
    i will shoot you so hard.
