At 07:20 PM 3/6/2021, Chuck Guzis via cctalk wrote:
The data forensics folks are at least 20 years ahead of you, John!
They're interested in *everything* on disk, active or not.
Yes, I've looked at some of the high-end tools and once wondered about
a career in data forensics. I've had a few consulting clients push
me in this direction, asking the question "what exactly was this
employee really doing?" short of a criminal investigation.
For purposes of this thread, of course, I was thinking about all
the old file systems. I imagine the expensive packages don't handle,
say, UCSD Pascal or RT-11 or Amiga disk file systems, right?
But I bet they handle FAT and NTFS and Mac and Unix/Linux.
One feature from the big-boy software that would be nice to
carry down to the old stuff would be lists of known OS files
so they could be subtracted from disks (thereby leaving the
user-created stuff.)
More than 30 years ago, I posted a utility for MSDOS floppies called "SEEJUNK".
https://lostarchives.org/category/27/file/2258#
And I guess I hadn't thought of that case where the file system
named the number of bytes in the file and that the unused ends
of blocks could also contain stuff, too. Is there a name for those bytes?
It was very revealing what could be found on manufacturers' disks.
Such as?
To be fair, I also wrote a companion utility to clean the stuff out called PRUNE.
And Microsoft is still handing out a zeroing tool, useful in several
situations including thinning virtualized drives.
https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
- John