-
June 28th, 2007, 11:51 AM
#1
Data Persistence in Slack Space
I came across this rather interesting article dealing with the potential danger of confidential data being stored in slack space for surprisingly long periods of time.
Link here: http://www.securityfocus.com/infocus/1891/1
-
June 28th, 2007, 02:51 PM
#2
Well, I never even thought of that thing!!! It was a really nice read!
Last edited by jockey0109; October 14th, 2007 at 08:02 AM.
"Everything should be made as simple as possible, but not simpler."
- Albert Einstein
-
June 28th, 2007, 03:23 PM
#3
Yes Vaibhav,
It is surprising what is left hanging around. Most people are aware of the obvious ones:
Clipboard
Recycle Bin
History Files
Cache Files
Temp Files
Log Files
Backup Files
MRU Lists
Cookies
Index Files
They frequently overlook:
Cluster Tips
Swap File(s)
Cluster Slack Space
The Registry
Metadata
Memory Dumps
Chkdsk Fragments
Free Space
-
June 28th, 2007, 03:42 PM
#4
Well, you seem to be the first person calling me by my real name. Anyway, the list you have provided is once again longer than what I had already in my mind.
Well, among those that you have mentioned, I had not thought of:
Memory Dumps
chkdsk fragments
Cluster Tips.
Well, I understand the two of them but I have no clue of what is a 'cluster tip'? After going through Google (which was not too much helpful), I found that a cluster tip is the unused space in the last cluster for a file. Well, if it is so, what is the Cluster Slack Space then? I mean to ask:
What are the differences between the Cluster Tip and Cluster Slack Space?
And What is a chkdsk fragment? Never heard of it before!
Last edited by jockey0109; October 14th, 2007 at 08:03 AM.
-
June 28th, 2007, 04:59 PM
#5
OK. Vaibhav,
Cluster tips are what is left at the end. By "slack space" I was referring to the hidden stuff that gets on an NTFS formatted HDD due to the use of data streams. Probably the wrong term I know, but I am going back to my NT 4.0 days which are somewhat hazy by now.
The chkdsk fragments are the "orphaned" bits of files that running chkdsk/scandisk produces. As they are generated as the result of some sort of crash, you never know what sensitive info might be in them?
I just realised that I did not correctly distinguish "free space". This has been marked as "available" but may still contain the previous files' data. Slightly different from the cluster tips that won't get overwritten, as they are not seen as available.
Defragmentation is another issue I forgot to mention. It frequently uses free space on the drive (usually at the end) to reassemble fragmented files before copying them back. Like data streams, you won't be able to see them without forensic tools.
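The distinction drawn in the post above between cluster tips and free space, as an added example that is not part of the original thread: a toy in-memory volume showing where a deleted file's bytes remain and what a wipe has to cover. The `ToyVolume` class, the 4096-byte cluster size and the file names are assumptions, and the model does not reproduce NTFS or FAT on-disk structures.

```python
CLUSTER = 4096  # assumed cluster size; toy model, not NTFS/FAT on-disk layout

class ToyVolume:
    def __init__(self, clusters):
        self.data = bytearray(clusters * CLUSTER)
        self.free = set(range(clusters))
        self.files = {}  # name -> (cluster list, logical size)

    def write(self, name, content):
        need = -(-len(content) // CLUSTER)  # ceiling division
        chosen = sorted(self.free)[:need]
        if len(chosen) < need:
            raise OSError("volume full")
        self.free -= set(chosen)
        for i, c in enumerate(chosen):
            chunk = content[i * CLUSTER:(i + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk  # rest of cluster keeps old bytes
        self.files[name] = (chosen, len(content))

    def delete(self, name):
        clusters, _ = self.files.pop(name)
        self.free |= set(clusters)  # marked available, contents untouched

    def _tip_range(self, name):
        clusters, size = self.files[name]
        last = clusters[-1] * CLUSTER if clusters else 0
        return (last + size % CLUSTER, last + CLUSTER) if size % CLUSTER else None

    def cluster_tip(self, name):
        r = self._tip_range(name)
        return bytes(self.data[r[0]:r[1]]) if r else b""

    def dirty_free_clusters(self):
        return [c for c in sorted(self.free) if any(self.data[c * CLUSTER:(c + 1) * CLUSTER])]

    def wipe_residue(self):  # zero free clusters and every file's tip
        spans = [(c * CLUSTER, (c + 1) * CLUSTER) for c in self.free]
        for start, end in spans + [r for r in map(self._tip_range, self.files) if r]:
            self.data[start:end] = bytes(end - start)

def demo():
    vol = ToyVolume(8)
    vol.write("secret.txt", b"S" * 10000)  # constructed data, takes clusters 0-2
    vol.delete("secret.txt")
    vol.write("notes.txt", b"n" * 5000)    # reuses clusters 0-1
    before = (vol.cluster_tip("notes.txt").count(b"S"), vol.dirty_free_clusters())
    vol.wipe_residue()
    return before, (vol.cluster_tip("notes.txt").count(b"S"), vol.dirty_free_clusters())
```

Before the wipe, the tip of `notes.txt` still holds bytes of the deleted file and cluster 2 is free but not empty; a wipe that only covers free clusters would leave the tip behind.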
-
June 28th, 2007, 05:13 PM
#6
Well, Thanks once again for the info. Defragmentation is one thing which had helped me recover my data from a partition which I accidentally deleted using the compmgmt.msc facility on Windows XP. The recovery software recovered the data from what I think was a part of defragmentation process I had carried out just the previous day I deleted the partition.
Well, as far as free space is concerned, I already had the idea; thanks for the confirmation though!
Now as you say, you are talking about the OLD days of NT 4.0, I think that NTFS is STILL a file system which uses the data streams for storing almost anything on the disk. So what is the 'change' in NTFS since those days (except the special metadata files which went on increasing in number with Windows NT versions)? Kindly clarify.
Another point: I have almost never run chkdsk myself. I have seen it being done on other systems; I see this thing on my system only when Windows XP checks a FAT32 partition after a crash. Well, how exactly does chkdsk produce those (presumably) 'sensitive' data from the files being checked?
Last edited by jockey0109; October 14th, 2007 at 07:32 PM.
-
June 28th, 2007, 06:02 PM
#7
Hi Vaibhav,
Here are a few articles... I remember messing with the exploits back in '99 on NT 4.0; quite disturbing, but doesn't seem to have caught the imagination of malware authors?
http://www.windowsecurity.com/articl...a_Streams.html
From looking at this Microsoft article, things don't seem to have changed that much... the article applies from Win NT 3.51 to XP!
http://support.microsoft.com/kb/105763
More on exploits:
http://www.securityfocus.com/infocus/1822
and here:
http://www.bleepingcomputer.com/tuto...utorial25.html
and here is a free tool:
http://www.microsoft.com/technet/sys...k/Streams.mspx
-
June 28th, 2007, 09:28 PM
#8
Well, the links are awesome. Well, even though all of them are as good, I liked the first one the most due to the simple language used there.
As far as the tool is concerned, I have the whole Sysinternals suite. Even though I use only process viewer and registry monitor. I like using them for testing purposes.
Anyway thanks a lot for that. It was really informative.
Last edited by jockey0109; October 14th, 2007 at 07:35 PM.
-
June 28th, 2007, 10:10 PM
#9
Hi, Vaibhav,
I am glad that you found them interesting
I posted the Sysinternals tool link because it is from the Microsoft site, so should be the latest version?
I too have all the others
-
June 29th, 2007, 03:58 PM
#10
Of course, you have to have all the others. Almost all other senior members (when I say senior members, I mean seniority by experience not by post count) must be having them as well. And really, I was thinking of the slack space thing whole day ... almost 8 hours regularly. Since I am about to buy another one, I would do some experiments on this thing on the new one.
Thanks a lot once again.