Spelunking the places where files are not

Boris Gimbarzevsky boris at summitclinic.com
Fri Mar 5 15:11:45 CST 2021


Recovering data from disks was a lot easier 30 years ago when most 
filesystems had contiguous files and it was just a matter of finding 
file boundaries.  Was very glad of this when I accidentally wiped the first 
200 blocks of an RT-11 RK05 and just had to write a FORTRAN program 
to copy blocks of data and assign the files names.  Also wrote a 
program to do a disk scan to look for a specific file type and like to 
show people what jpeg files they've left behind on a disk they've 
"wiped".  Finding images is very easy as one can display a list of many 
image icons on screen and quickly scroll through them if one is 
looking for a particular image.  Of course, the longer a hard disk 
has been used and not defragmented, the lower the recovery percentage 
of files.  Got paid for file recovery a few times but mainly use it 
to show people what really happens when they "wipe" a disk.  Have 
convinced a lot of people that a low level format on a disk they're 
giving away is a good idea.


>After thinking about disk imaging tools like Greaseweazle,
>I started thinking about tools that would grab and examine the unused
>portions of disks.
>
>It's obviously file-system dependent.  At one level we know of
>"undelete" tools that could piece together recently deleted files
>and restore them intact by using abandoned bits of block table info.
>Of course some simple file systems can't even permit that.
>
>But very few systems would bother to zero out the released blocks
>of erased or rewritten files and then blocks are left full of
>old data.  Text source code would be easy to spot.
>
>I have vague memories of bits of Amiga OS source code being unintentionally
>released in unused blocks on OS binary disks that were sent out for
>mass duplication and distribution.
>
>This situation makes me hesitant to release disk images from the past.
>It's one thing to do it with disks that were mine and to take responsibility
>for my risk; it's another to release disks once owned and used by others.
>Do the unused sectors contain their love letters from 1983?
>
>Or if I want to release disk images that contain known personal files,
>how will I image, then remove specific files, then zero unused blocks
>if I don't want to alter the original media?
>
>Obviously in some situations the relevant files can be pulled and
>redistributed in a new filesystem like a Zip.
>
>The situation only gets worse with distributing larger images of
>entire hard disks.  Or with Windows, "quick format" doesn't zero blocks.
>
>In another case I encountered while digging through files on an old
>RSTS backup tape, we had a program that logged usage data to a file
>and for speed purposes it would preallocate a large file (as opposed
>to extending the file, which was slower) and then write block records
>to it.  RSTS reused blocks without zeroing.  In the unused blocks
>of an extant file I found an email I'd sent in '82 as well as bits
>from other users of the same timesharing system.
>
>Certainly the archivists out there have considered these questions.
>How are they solved?
>
>Are there notable tools that focus on the files that aren't there?
>
>I don't mean modern forensic carving tools...  but some concepts would
>be similar.
>
>- John
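As an added illustration of both halves of this exchange (it is example code written for this page, not a program from either poster), the block below does the two things discussed above on a raw block image: a signature scan that finds JPEG files wherever their bytes still sit, whether or not the file system still points at them, and a "zero everything the file system does not reference" pass that produces a release-safe copy without touching the original bytes. It assumes a 512-byte block size and that the caller already has the set of allocated block numbers from some file system parser (FAT, RT-11, RSTS, whatever the image is), which is not part of this example; the sample image, the "live" file and the "deleted" JPEG in it are constructed inline for the demonstration.

```python
"""Carve JPEGs out of a raw disk image and zero its unallocated blocks.

Added example, not code from the original post. It assumes a raw image of
fixed-size blocks and that the caller supplies the allocation map (which
blocks the file system still references) from a parser not shown here.
"""
from dataclasses import dataclass

BLOCK_SIZE = 512                # assumed block size for the sample image
JPEG_SOI = b"\xff\xd8\xff"      # Start Of Image plus the first marker prefix byte
JPEG_EOI = b"\xff\xd9"          # End Of Image
MAX_JPEG = 16 * 1024 * 1024     # give up on a candidate after 16 MiB (bogus or fragmented)


@dataclass
class Carved:
    offset: int     # byte offset of the SOI marker in the image
    length: int     # bytes from SOI through EOI inclusive
    data: bytes


def carve_jpegs(image: bytes, max_len: int = MAX_JPEG) -> list[Carved]:
    """Return every contiguous JPEG in the image, allocated or not.

    The scan ignores the file system entirely: it walks the raw bytes looking
    for an SOI marker and takes everything up to the next EOI marker. Only
    files stored contiguously come back intact, which is why recovery gets
    worse the more fragmented the disk is. A stray FF D9 inside unrelated
    binary data will also truncate a candidate early; the icon wall Boris
    describes is how a human spots those.
    """
    found: list[Carved] = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI), start + max_len)
        if end < 0:
            pos = start + 1         # no terminator in range: keep scanning past this SOI
            continue
        end += len(JPEG_EOI)
        found.append(Carved(start, end - start, image[start:end]))
        pos = end                   # do not re-enter the file just carved
    return found


def zero_unallocated(image: bytes, allocated: set[int],
                     block_size: int = BLOCK_SIZE) -> bytes:
    """Return a copy of the image with every block not in `allocated` zeroed.

    The input is never modified, so this can be run on a copy of an archival
    image before it is released while the original media stay as read.
    """
    out = bytearray(image)
    nblocks = (len(image) + block_size - 1) // block_size
    for blk in range(nblocks):
        if blk in allocated:
            continue
        lo = blk * block_size
        hi = min(lo + block_size, len(image))   # last block may be partial
        out[lo:hi] = bytes(hi - lo)
    return bytes(out)


def build_sample_image() -> tuple[bytes, set[int], bytes]:
    """Constructed 8-block image: one live text file, one deleted JPEG, one
    deleted letter. Returns (image, allocated blocks, the JPEG bytes)."""
    jpeg = JPEG_SOI + b"\xe0" + b"JFIF-payload-bytes" * 30 + JPEG_EOI  # 546 bytes
    img = bytearray(8 * BLOCK_SIZE)
    img[0:16] = b"DIR:live.txt@1\x00\x00"          # fake directory, still references block 1
    img[BLOCK_SIZE:BLOCK_SIZE + 12] = b"hello world\n"
    img[3 * BLOCK_SIZE:3 * BLOCK_SIZE + len(jpeg)] = jpeg   # spans blocks 3-4, no dir entry
    letter = b"Dear ..., a letter from 1983 that was 'deleted'\n"
    img[6 * BLOCK_SIZE:6 * BLOCK_SIZE + len(letter)] = letter
    return bytes(img), {0, 1}, jpeg


if __name__ == "__main__":
    image, allocated, _ = build_sample_image()
    for hit in carve_jpegs(image):
        print(f"JPEG at offset {hit.offset} (block {hit.offset // BLOCK_SIZE}), {hit.length} bytes")
    clean = zero_unallocated(image, allocated)
    print("JPEGs left after zeroing unallocated blocks:", len(carve_jpegs(clean)))
```

Run as-is it reports the JPEG in block 3 of the constructed image and then shows that zeroing the blocks the fake directory does not reference removes it, along with the old letter in block 6, while the live file in block 1 is untouched. The carver is deliberately file-system-blind; the zeroing pass is only as good as the allocation map handed to it, so slack space inside a preallocated-but-partly-written file (the RSTS case above) is still "allocated" and survives unless the file's own logical length is also consulted.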



