-
slack space question
I recently learned that the slack space on your drive is filled up with data from the keyboard buffer. I am curious how to access this and what is the point of encrypting the hard drive if your pass phrase and such can be accessed anyway? Thank you for your time and help.
-
Wha? Slack space on the hard drive with data from the keyboard buffer? Do you mean free space on the drive, or the windows swap file, or what? Could you be more specific?
-
I believe what you are talking about is called a key catcher. It's a device that plugs into the back of your keyboard and logs all keystrokes up to 65000 I believe and then lets you go to wordpad and enter in a password/phrase and shows you all the keystrokes. You have to remember that physical security is just as good as network security.
-
Sorry, I'll be more specific. I am reading this book and it claims this: If you save a 3k file into a 4k cluster, the remaining space (slack space) of 1k is filled with the keyboard buffer. Therefore your pass phrase could be recovered in this space. Is this true or have I been lied to?
-
I don't believe that any particular data are
automatically written into slack space,
although I can imagine how some special
software could be written that could
access this space in a bootleg fashion.
Slack space is generally full of random
crap, fragments of deleted files.
In the case of the slack space in the virtual
memory (swap) file, any random data that
have been in memory might find its way onto
the disk, but not in an organized fashion.
Slack space is one of the unpredictable
characteristics of disk storage.
Consider this scenario:
You write a short virus, for whatever reason.
Then you copy it, or upload it to a server.
You think you are anonymous.
Later, when people get copies of this virus
from infected systems, there is a chance
that they will find extra data that have "hitchhiked"
from your slack space.
You're busted!
:cool:
-
I see what you mean now. Yes, there is slack space, but AFAIK it is usually only full of leftover files. It's sort of like having a lined paper full of writing. You take off the title of the paper (deleting it) and then white-out/write over the first part of it until you are done. The rest of the paper still shows through, but it is a fragment, and most non-forensic programs ignore the 'leftovers'.
I'm not aware of cases where keyboard information is written to disk on a regular basis by accident.
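
The "leftovers" described in the post above, as an added example that is not part of the original thread: a constructed in-memory toy volume with 4k clusters, where a 3k file reuses the cluster of a deleted file and the 1k of slack still holds the old file's tail. The `ToyVolume` class, the file names and the note text are all made up for illustration, and the `wipe_slack` option shows the effect of zeroing the unused tail on write.

```python
import re

CLUSTER = 4096  # 4k clusters, the size used in the thread's example

class ToyVolume:
    """Constructed in-memory volume; every file here fits in one cluster."""

    def __init__(self, clusters):
        self.data = bytearray(clusters * CLUSTER)
        self.free = list(range(clusters))
        self.files = {}  # name -> (cluster index, file length in bytes)

    def write(self, name, content, wipe_slack=False):
        if len(content) > CLUSTER:
            raise ValueError("toy volume stores single-cluster files only")
        cluster = self.free.pop(0)
        start = cluster * CLUSTER
        # Only len(content) bytes are overwritten; the tail keeps old bytes.
        self.data[start:start + len(content)] = content
        if wipe_slack:  # mitigation: zero the unused tail of the cluster
            self.data[start + len(content):start + CLUSTER] = bytes(CLUSTER - len(content))
        self.files[name] = (cluster, len(content))

    def delete(self, name):
        # Deleting drops the directory entry and frees the cluster;
        # the bytes on "disk" are left untouched.
        cluster, _ = self.files.pop(name)
        self.free.insert(0, cluster)

    def slack(self, name):
        cluster, length = self.files[name]
        start = cluster * CLUSTER
        return bytes(self.data[start + length:start + CLUSTER])

def printable_runs(buf, min_len=6):
    """Printable-ASCII runs of at least min_len bytes, like `strings`."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, buf)]

def demo(wipe_slack=False):
    note = b"draft note: meeting moved to room 12"  # constructed sample data
    old = bytes(3500) + note + bytes(CLUSTER - 3500 - len(note))
    vol = ToyVolume(clusters=4)
    vol.write("old.txt", old)
    vol.delete("old.txt")
    vol.write("new.txt", b"N" * 3072, wipe_slack)  # 3k file, 4k cluster
    slack = vol.slack("new.txt")
    return len(slack), printable_runs(slack)

if __name__ == "__main__":
    print(demo())                 # slack holds the deleted file's tail
    print(demo(wipe_slack=True))  # nothing recoverable
```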
-
memory in your hdd is divided into partitions, and partitions are divided into clusters. if you begin writing to a cluster but don't fill it, the rest of the unused space in that cluster is called the slack space. older versions of ms-dos use 32k clusters, windows uses 4k clusters.
so anyway, most operating systems store what you type into a keyboard buffer. so if you use a word processor or text editor to write something, what you have written is most likely temporarily put into a keyboard buffer. so when you close the file, the operating system cleans out the buffer by dumping what's in it into the slack space of the last used cluster. it'll only fill up the cluster though, it won't start a new one, so if the contents are too large for the slack space, i believe it just gets marked as overflow.
so yes it is possible to recover text, passwords, whatever, by looking through slack space in clusters. it's very time consuming when you think about how big your hdd is, and trying to search it one byte at a time. if you're reeeeeaally interested, you could find yourself a hex editor (or i could send you one), and you can make some files on a floppy disk, and check out the contents of that disk with the hex editor. you'd be surprised what you find.
-
Do all os's do this or just certain ones?
-
umm to be honest i don't know, i had network security class where i had to recover things from disks and slack space with hex editors and reconstruct fat tables, but we always used windows. i know that older ms-dos versions are worse b/c they have much larger clusters...windows uses smaller clusters to make more efficient use out of memory.
all operating systems are going to have slack space with random garbage in there, i guess it depends on what the particular operating system does with its keyboard buffers.
-
damn i get introduced myself into ****, i heard in chatrooms a while ago. Nice, topic "owen76"