6 Mar
2021
6 Mar
'21
2:43 a.m.
On Fri, Mar 5, 2021 at 7:41 AM John Foust via cctalk <cctalk at classiccmp.org>
wrote:
After thinking about disk imaging tools like Greaseweasel,
I started thinking about tools that would grab and examine the unused
portions of disks.
I've used this to recover a couple of Univation utilities from a disk that
they had been deleted from... It's quite useful... It was a FAT filesystem,
and the files were small and contiguous so it was easy...
Warner
It's obviously file-system dependent. At one
level we know of
"undelete" tools that could piece together recently deleted files
and restore them intact by using abandoned bits of block table info.
Of course some simple file systems can't even permit that.
But very few systems would bother to zero out the released blocks
of erased or rewritten files and then blocks are left full of
old data. Text source code would be easy to spot.
I have vague memories of bits of Amiga OS source code being unintentionally
released in unused blocks on OS binary disks that were sent out for
mass duplication and distribution.
This situation makes me hesitant to release disk images from the past.
It's one thing to do it with disks that were mine and to take
responsibility
for my risk; it's another to release disks once owned and used by others.
Do the unused sectors contain their love letters from 1983?
Or if I want to release disk images that contain known personal files,
how will I image, then remove specific files, then zero unused blocks
if I don't want to alter the original media?
Obviously in some situations the relevant files can be pulled and
redistributed in a new filesystem like a Zip.
The situation only gets worse with distributing larger images of
entire hard disks. Or with Windows, "quick format" doesn't zero blocks.
In another case I encountered while digging through files on an old
RSTS backup tape, we had a program that logged usage data to a file
and for speed purposes it would preallocate a large file (as opposed
to extending the file, which was slower) and then write block records
to it. RSTS reused blocks without zeroing. In the unused blocks
of an extant file I found an email I'd sent in '82 as well as bits
from other users of the same timesharing system.
Certainly the archivists out there have considered these questions.
How are they solved?
Are there notable tools that focus on the files that aren't there?
I don't mean modern forensic carving tools... but some concepts would
be similar.
- John