Thread: Data Persistence in Slack Space

  1. #1
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188

    Data Persistence in Slack Space

    I came across this rather interesting article dealing with the potential danger of confidential data being stored in slack space for surprisingly long periods of time.

    Link here: http://www.securityfocus.com/infocus/1891/1

  2. #2
    Senior Member
    Join Date
    Aug 2006
    Location
    India
    Posts
    289
    Well, I never even thought of that thing!!! It was a really nice read!
    Last edited by jockey0109; October 14th, 2007 at 08:02 AM.
    "Everything should be made as simple as possible, but not simpler."

    - Albert Einstein

  3. #3
    Senior Member nihil
    Yes Vaibhav,

    It is surprising what is left hanging around. Most people are aware of the obvious ones:

    Clipboard
    Recycle Bin
    History Files
    Cache Files
    Temp Files
    Log Files
    Backup Files
    MRU Lists
    Cookies
    Index Files

    They frequently overlook:

    Cluster Tips
    Swap File(s)
    Cluster Slack Space
    The Registry
    Metadata
    Memory Dumps
    Chkdsk Fragments
    Free Space


  4. #4
    Senior Member
    Well, you seem to be the first person calling me by my real name. Anyway, the list you have provided is once again longer than what I had already in my mind.

    Well, among those that you have mentioned, I had not thought of:

    Memory Dumps
    chkdsk fragments
    Cluster Tips.

    Well, I understand the two of them but I have no clue what a 'cluster tip' is. After going through Google (which was not too helpful), I found that a cluster tip is the unused space in the last cluster for a file. Well, if it is so, what is the Cluster Slack Space then? I mean to ask:

    What are the differences between the Cluster Tip and Cluster Slack Space?

    And What is a chkdsk fragment? Never heard of it before!
    Last edited by jockey0109; October 14th, 2007 at 08:03 AM.

  5. #5
    Senior Member nihil
    OK. Vaibhav,

    Cluster tips are what is left at the end. By "slack space" I was referring to the hidden stuff that gets on an NTFS formatted HDD due to the use of data streams. Probably the wrong term I know, but I am going back to my NT 4.0 days which are somewhat hazy by now.

    The chkdsk fragments are the "orphaned" bits of files that running chkdsk/scandisk produces. As they are generated as the result of some sort of crash, you never know what sensitive info might be in them?

    I just realised that I did not correctly distinguish "free space". This has been marked as "available" but may still contain the previous files' data. Slightly different from the cluster tips that won't get overwritten, as they are not seen as available.

    Defragmentation is another issue I forgot to mention. It frequently uses free space on the drive (usually at the end) to reassemble fragmented files before copying them back. Like data streams, you won't be able to see them without forensic tools.
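
What post #5 describes (cluster tips that are not seen as available, and free space that is marked available but still holds old data), shown as an added example that is not part of the thread. `ToyVolume`, the 4096-byte cluster size and the sample data are all constructed for illustration; a real file system's sector handling is not modelled.

```python
# Toy in-memory "volume" (constructed for illustration; not a real file system).
CLUSTER = 4096  # assumed cluster size in bytes

class ToyVolume:
    def __init__(self, clusters):
        self.disk = bytearray(clusters * CLUSTER)
        self.free = list(range(clusters))  # clusters marked "available"
        self.files = {}                    # name -> (cluster chain, length)

    def write(self, name, data):
        need = max(1, -(-len(data) // CLUSTER))  # ceiling division
        chain = [self.free.pop(0) for _ in range(need)]
        for i, c in enumerate(chain):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            # Only the file's own bytes are written; the rest of the cluster is kept.
            self.disk[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.files[name] = (chain, len(data))

    def delete(self, name):
        chain, _ = self.files.pop(name)
        self.free = sorted(self.free + chain)  # marked free, bytes untouched

    def _tip_range(self, name):
        chain, length = self.files[name]
        used = length - (len(chain) - 1) * CLUSTER
        start = chain[-1] * CLUSTER
        return start + used, start + CLUSTER

    def cluster_tip(self, name):
        lo, hi = self._tip_range(name)
        return bytes(self.disk[lo:hi])

    def free_space(self):
        return b"".join(bytes(self.disk[c * CLUSTER:(c + 1) * CLUSTER])
                        for c in self.free)

    def wipe_tip(self, name):
        lo, hi = self._tip_range(name)
        self.disk[lo:hi] = bytes(hi - lo)  # overwrite the tip with zeros

def demo():
    vol = ToyVolume(4)
    old = b"PIN=0000 (constructed sample)".ljust(6000, b"S")
    vol.write("old.doc", old)         # occupies clusters 0 and 1
    vol.delete("old.doc")
    vol.write("note.txt", b"hello")   # reuses cluster 0, writes 5 bytes
    tip, free = vol.cluster_tip("note.txt"), vol.free_space()
    vol.wipe_tip("note.txt")
    return tip, free, vol.cluster_tip("note.txt")
```

`demo()` returns the tip of `note.txt` before wiping (still holding most of the deleted file's first cluster), the contents of free space (holding the rest of it), and the tip after it has been zeroed.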

  6. #6
    Senior Member
    Well, thanks once again for the info. Defragmentation is one thing which had helped me recover my data from a partition which I accidentally deleted using the compmgmt.msc facility on Windows XP. The recovery software recovered the data from what I think was a part of the defragmentation process I had carried out just the day before I deleted the partition.

    Well, as far as free space is concerned, I already had the idea; thanks for the confirmation though!

    Now as you say, you are talking about the OLD days of NT 4.0, I think that NTFS is STILL a file system which uses the data streams for storing almost anything on the disk. So what is the 'change' in NTFS since those days (except the special metadata files which went on increasing in number with Windows NT versions)? Kindly clarify.

    Another point: I have almost never run chkdsk myself. I have seen it being done on other systems; I see this thing on my system only when Windows XP checks a FAT32 partition after a crash. Well, how exactly does chkdsk produce those (presumably) 'sensitive' data from the files being checked?
    Last edited by jockey0109; October 14th, 2007 at 07:32 PM.

  7. #7
    Senior Member nihil
    Hi Vaibhav,

    Here are a few articles... I remember messing with the exploits back in '99 on NT 4.0; quite disturbing, but it doesn't seem to have caught the imagination of malware authors?

    http://www.windowsecurity.com/articl...a_Streams.html

    From looking at this Microsoft article, things don't seem to have changed that much... the article applies from Win NT 3.51 to XP!

    http://support.microsoft.com/kb/105763

    More on exploits:

    http://www.securityfocus.com/infocus/1822

    and here:

    http://www.bleepingcomputer.com/tuto...utorial25.html

    and here is a free tool:

    http://www.microsoft.com/technet/sys...k/Streams.mspx


  8. #8
    Senior Member
    Well, the links are awesome. Well, even though all of them are as good, I liked the first one the most due to the simple language used there.

    As far as the tool is concerned, I have the whole Sysinternals suite, even though I use only process viewer and registry monitor. I like using them for testing purposes.

    Anyway thanks a lot for that. It was really informative.
    Last edited by jockey0109; October 14th, 2007 at 07:35 PM.

  9. #9
    Senior Member nihil
    Hi, Vaibhav,

    I am glad that you found them interesting.

    I posted the Sysinternals tool link because it is from the Microsoft site, so should be the latest version?

    I too have all the others.

  10. #10
    Senior Member
    Of course, you have to have all the others. Almost all other senior members (when I say senior members, I mean seniority by experience not by post count) must be having them as well. And really, I was thinking of the slack space thing the whole day ... almost 8 hours regularly. Since I am about to buy another one, I would do some experiments on this thing on the new one.

    Thanks a lot once again.