Spelunking the places where files are not
Warner Losh
imp at bsdimp.com
Sat Mar 6 01:43:50 CST 2021
On Fri, Mar 5, 2021 at 7:41 AM John Foust via cctalk <cctalk at classiccmp.org>
wrote:
>
> After thinking about disk imaging tools like Greaseweasel,
> I started thinking about tools that would grab and examine the unused
> portions of disks.
>
I've used this to recover a couple of Univation utilities from a disk that
they had been deleted from... It's quite useful... It was a FAT filesystem,
and the files were small and contiguous so it was easy...
Warner
> It's obviously file-system dependent. At one level we know of
> "undelete" tools that could piece together recently deleted files
> and restore them intact by using abandoned bits of block table info.
> Of course some simple file systems can't even permit that.
>
> But very few systems would bother to zero out the released blocks
> of erased or rewritten files and then blocks are left full of
> old data. Text source code would be easy to spot.
>
> I have vague memories of bits of Amiga OS source code being unintentionally
> released in unused blocks on OS binary disks that were sent out for
> mass duplication and distribution.
>
> This situation makes me hesitant to release disk images from the past.
> It's one thing to do it with disks that were mine and to take
> responsibility
> for my risk; it's another to release disks once owned and used by others.
> Do the unused sectors contain their love letters from 1983?
>
> Or if I want to release disk images that contain known personal files,
> how will I image, then remove specific files, then zero unused blocks
> if I don't want to alter the original media?
>
> Obviously in some situations the relevant files can be pulled and
> redistributed in a new filesystem like a Zip.
>
> The situation only gets worse with distributing larger images of
> entire hard disks. Or with Windows, "quick format" doesn't zero blocks.
>
> In another case I encountered while digging through files on an old
> RSTS backup tape, we had a program that logged usage data to a file
> and for speed purposes it would preallocate a large file (as opposed
> to extending the file, which was slower) and then write block records
> to it. RSTS reused blocks without zeroing. In the unused blocks
> of an extant file I found an email I'd sent in '82 as well as bits
> from other users of the same timesharing system.
>
> Certainly the archivists out there have considered these questions.
> How are they solved?
>
> Are there notable tools that focus on the files that aren't there?
>
> I don't mean modern forensic carving tools... but some concepts would
> be similar.
>
> - John
>
>
More information about the cctalk
mailing list