
Extent of a memory/hard drive wipe?


I was just in an argument over this. Maybe I don't know as much about computers as I thought I did, but I was told that a memory or hard drive wipe doesn't do anything if there was something you wanted to hide.

 

I'm sure there was some exaggeration, but the other person said that every keystroke, even mistakes, are saved in the computer and can't be deleted via memory wipe, and no matter how many times you try to delete a file it still exists in a restricted part of your computer.

 

I don't think it's true, I mean it doesn't fit from a business point of view (if you can fit that much info in something so small you can't find it when looking for it, why not make normal storage with this technology?) or from a personal point of view (if this information is saved, how can the memory wipe give you back the original space on the hard drive?). Then, of course, there's also the fact that if the FBI or someone can get into this info, an average person can if they try and then delete it themselves.

 

So who's right? Does a memory wipe only hide the obvious stuff (their opinion) or does it wipe it all (my opinion)?

If you're talking about a computer's RAM, then anything in that will disappear a couple of microseconds after the power is switched off, because it is volatile storage.

 

The hard disk itself is different. It stores data magnetically, in a file system. A file system is a way of organising data on the disk so the operating system knows where to find it. Generally, information about where a file is stored on a disk is contained in something called an 'inode'. When you 'delete' a file in Windows, all you are actually doing is deleting this inode, not the data itself. This just means the operating system no longer knows where to find the file - in time the space used by the file itself will probably be overwritten by something else, but until then it's hanging around waiting for someone to find it.

 

To get rid of something completely, you need a program that will remove the inode, and the actual file's data. You can get programs that write over the data several times with 'random' stuff, just to be sure. PGP does this I think. The 'Secure Delete' function in Mac OS X does a similar thing.

  • Author

What if you were to completely erase the contents in the file and save it blank, then delete the corresponding inode. Wouldn't the file then just show up blank?

But if you erase the contents and save it blank, it takes less space, and so parts of the original will now be deleted. Someone with proper training can get in and read it. If you were to change it to a bunch of garbled stuff of the exact same size, your file would only have that. The original would be gone.

It depends where on the disk the operating system decides to put the modified file. It could put it somewhere else on the disk, then modify the inode to point to the new location.

  • Author

Hmm...

But then, if all deletion does is destroy the inode, how does a memory wipe get you back all your original space (the impossible-to-get-to files would still take up their space, no?)

Yes and no: once you delete the inode the operating system no longer 'sees' the file, so it considers the space taken up by it available. That's why it will eventually be overwritten by something else.

  • Author

So if you keep your hard drive full you have nothing to worry about? Except a damn slow computer, of course...

Well if it's close to full you'll have fragments of files all over the place...

  • Author

Now, how exactly could investigators access these files that don't have inodes?

Special programs that allow you to access any part of the drive. In fact, I believe that spy Hansen (or Walker) re-formatted a hard drive so it appeared to have less space than it actually did. The information given to the KGB was on the space that "didn't exist". It is possible to read the information that was deleted, you just have to look.

Does re-orging the HDD stamp over the data?

Sometimes the files get fragmented and access time takes ages; a re-org or a de-fragger fixes that, but would it wipe the other stuff?

Rasori said

I'm sure there was some exaggeration, but the other person said that every keystroke, even mistakes, are saved in the computer and can't be deleted via memory wipe, and no matter how many times you try to delete a file it still exists in a restricted part of your computer. 

 

Hmmmm.... I don't know about keystrokes, but files that are deleted from the recycle bin still exist on your computer, it's just a matter of finding them. That's how recovery software works. Usually, they say that we will recover deleted files. They work by scanning the whole hard disk for these types of files. Of course they aren't 100% efficient, but they do quite a good job.

 

Once, one whole harddrive got erased for some mysterious reason. I used that and got back most of my files!

Keystrokes will be stored in the keyboard buffer (in RAM) but not on the HDD unless you use special capture s/ware (it's for ripping passwords and stuff).

The only other time I know of is with some telnet clients; mistakes and keystrokes are always sent regardless.

Yeah. I was not really sure about the keystrokes. If that is true (which it likely is) then it would be very easy to obtain someone's password.

 

As for password finders, they work in a different way. They actually UNMASK the password. They don't obtain it from the ram. Since the password is on the screen, they just simply unmask it. Some, however, DO access the password from the RAM.

 

YIKES!!!

Windows' virtual memory manager writes memory pages to pagefile.sys, so it may contain random chunks of data that have been in your RAM, which persist until overwritten. You can't access this file through Windows, but if you mount the partition with a Linux boot disk you can, for example, pipe it through strings and find useful information like keystrokes, passwords etc.

 

Recycled files are still linked to the file system until the bin is emptied, and then the data remains on the disk until overwritten.

 

PGP has secure delete functionality which overwrites the data blocks a few times with random data.

 

You also get ambient data in file slack:

E.g. if your fs cluster size is 4096 bytes and a cluster is allocated to a 1k file there will be 3k of slack space sat behind the file; this will contain whatever was allocated previously to that cluster. The whole cluster is allocated but the filesystem can only see 1k of it.

 

So a defrag will likely replace a lot of unallocated clusters but the slack space will remain.

 

TASK is an open source toolkit for analysing/recovering file system structures, at http://www.opensourceforensics.org
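The behaviour described in this post and in the earlier inode post (a normal delete only drops the inode and leaves the data in place, a smaller file that reuses a cluster leaves the old tail in file slack, and a secure delete has to overwrite the blocks before unlinking) can be watched in a small simulation. The following Python is an added example written for this thread; it is not code from the thread, from PGP or from TASK. ToyDisk, its lowest-cluster-first allocation policy, the 4096-byte cluster and the 8-cluster image are assumptions made for the illustration, and the "secret" content is constructed sample data.

```python
import os

# Added example (not from the thread): a toy disk image modelling the behaviour the
# posts describe. Cluster size and image size are assumptions for the simulation.
CLUSTER = 4096            # bytes per cluster, as in the 4096-byte example above
N_CLUSTERS = 8            # constructed image: 8 clusters = 32 KiB


class ToyDisk:
    """Raw image plus a directory that plays the role of the inodes."""

    def __init__(self):
        self.image = bytearray(N_CLUSTERS * CLUSTER)  # the "platter", all zero
        self.directory = {}                           # name -> (clusters, length)
        self.free = list(range(N_CLUSTERS))           # allocation order: lowest first

    def write(self, name, data):
        chunks = [data[i:i + CLUSTER] for i in range(0, len(data), CLUSTER)] or [b""]
        clusters = [self.free.pop(0) for _ in chunks]
        for c, chunk in zip(clusters, chunks):
            off = c * CLUSTER
            # only len(chunk) bytes are touched: whatever sat in the rest of the
            # cluster before is left alone, which is the "file slack" the post describes
            self.image[off:off + len(chunk)] = chunk
        self.directory[name] = (clusters, len(data))

    def read(self, name):
        clusters, length = self.directory[name]
        raw = b"".join(bytes(self.image[c * CLUSTER:(c + 1) * CLUSTER]) for c in clusters)
        return raw[:length]

    def delete(self, name):
        """A normal delete: drop the directory entry, free the clusters, touch no data."""
        clusters, _ = self.directory.pop(name)
        self.free[:0] = clusters   # freed clusters are handed out again first

    def secure_delete(self, name, passes=3):
        """Overwrite every cluster of the file (random passes, then zeros), then unlink."""
        clusters, _ = self.directory[name]
        for c in clusters:
            off = c * CLUSTER
            for _ in range(passes):
                self.image[off:off + CLUSTER] = os.urandom(CLUSTER)
            self.image[off:off + CLUSTER] = bytes(CLUSTER)
        self.delete(name)

    def slack(self, name):
        """Bytes in the file's last cluster that lie past the end of the file."""
        clusters, length = self.directory[name]
        used = length - (len(clusters) - 1) * CLUSTER
        off = clusters[-1] * CLUSTER
        return bytes(self.image[off + used:off + CLUSTER])

    def raw_find(self, pattern):
        """Scan the whole image, ignoring the directory, the way a recovery tool does."""
        hits, start = [], 0
        while (i := self.image.find(pattern, start)) != -1:
            hits.append(i)
            start = i + 1
        return hits


def demo():
    secret = b"SECRET-ACCOUNT-NUMBER-1234"           # constructed sample content
    page = (secret + b"\n") * (CLUSTER // (len(secret) + 1))
    page = page.ljust(CLUSTER, b".")                  # exactly one full cluster

    # 1. plain delete: the directory forgets the file, the bytes stay put
    disk = ToyDisk()
    disk.write("notes.txt", page)
    disk.delete("notes.txt")
    hits_after_delete = len(disk.raw_find(secret))

    # 2. a 1 KiB file lands in the same cluster; 3 KiB of the old content is now slack
    disk.write("small.txt", b"x" * 1024)
    slack = disk.slack("small.txt")

    # 3. secure delete: overwrite first, unlink second
    wiped = ToyDisk()
    wiped.write("notes.txt", page)
    wiped.secure_delete("notes.txt")

    return {
        "hits_after_delete": hits_after_delete,
        "small_reads_back": disk.read("small.txt") == b"x" * 1024,
        "slack_len": len(slack),
        "secret_in_slack": secret in slack,
        "hits_after_wipe": len(wiped.raw_find(secret)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the secret found 151 times after the plain delete, 3072 bytes of slack behind the 1 KiB file that still contain it, and zero hits after the secure delete. A real file system adds journals, metadata copies and wear-levelled flash on top of this, which is why overwriting in place is not a complete answer on every medium, but the three states above are exactly the ones the thread is arguing about.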

10 for a = 0 to (top mem)
20 b = peek(a)
30 if b < 48 or b > 91 then goto 50
40 print chr$(b);
50 next a

 

That used to work on the older machines to do a complete mem dump as ASCII codes; it would rip passwords from the buffers lovely :)

It MAY work on newer machines? I've never tried it :)
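The pagefile post above (piping pagefile.sys through strings) and this BASIC loop are the same idea: walk raw memory and keep only the runs of printable bytes. The Python below is an added example written for this thread, not the BASIC program or anything posted here. The fake page contents, the field names, the scrub() helper and the byte ranges are constructed for the illustration. It also shows what the 48..91 filter in the BASIC loop actually keeps, and why a program that clears a secret from its buffers before the page can be swapped out leaves nothing for this kind of scan to find.

```python
import random
import re


def extract_strings(blob, min_len=4):
    """Runs of at least min_len printable ASCII bytes, the same idea as `strings -n`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def basic_style_dump(blob):
    """What the BASIC loop above keeps: only byte values 48..91, i.e. '0'-'9', ':'..'@', 'A'-'Z', '['.
    Lowercase letters, space and most punctuation fall outside that range and are dropped."""
    return bytes(b for b in blob if 48 <= b <= 91).decode("ascii")


def scrub(blob, needle):
    """Overwrite every copy of needle with zeros: what a program should do with a secret
    as soon as it is finished with it, before the page can be swapped to disk."""
    buf = bytearray(blob)
    i = buf.find(needle)
    while i != -1:
        buf[i:i + len(needle)] = bytes(len(needle))
        i = buf.find(needle, i + len(needle))
    return bytes(buf)


def build_fake_page():
    """Constructed stand-in for a swapped-out memory page: non-printable filler around a
    few plaintext fields that a login form or a terminal session might leave in memory."""
    rng = random.Random(1)                     # fixed seed so the filler is reproducible

    def junk(n):
        return bytes(rng.randrange(0x80, 0x100) for _ in range(n))   # never printable ASCII

    return (junk(200) + b"user=alice\x00" + junk(300)
            + b"PASSWORD=Hunter2!" + junk(50)
            + b"GET /login HTTP/1.1" + junk(400))


def demo():
    page = build_fake_page()
    before = extract_strings(page)                              # what a strings scan sees
    after = extract_strings(scrub(page, b"PASSWORD=Hunter2!"))  # after the secret was cleared
    return {
        "before": before,
        "after": after,
        "basic_view_of_secret": basic_style_dump(b"PASSWORD=Hunter2!"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the constructed page the scan returns the three plaintext fields; after scrub() only the two harmless ones remain, which is the argument for zeroing secret buffers and for encrypting or clearing the pagefile at shutdown. The BASIC filter, applied to the same password field, keeps only "PASSWORD=H2", so it would have shown the field name but mangled a mixed-case value.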


  • Author

What if you were to try to access the files through DOS? My first inclination is to say no because you still have to find the name of the file and everything, but there's a LOT of stuff you can do in DOS if you know how...

If you mean me, it's a simple program in BASIC to read all the buffers in RAM and display them as text, ignoring all the other codes like clear screen and bell etc... and only displaying usable text :)

It would probably work on a Spectrum, but I think you'd get a load of GPFs on Windows (each process has its own virtual memory space and can't address outside of it). Having said that, WinHex has a RAM editor that manages to do it, so God knows.

Rasori said in post # :

What if you were to try to access the files through DOS? My first inclination is to say no because you still have to find the name of the file and everything, but there's a LOT of stuff you can do in DOS if you know how...

Sorry, but DOS is shite. There's a lot of stuff you can do with sauerkraut but it doesn't make it any better :)
