Spelunking the places where files are not
Fred Cisin
cisin at xenosoft.com
Fri Mar 5 13:24:30 CST 2021
Three obvious possibilities for tools to help:
1) A program that makes a single large file out of all unallocated blocks,
for later study and break-up in an editor.
2) A program that makes a separate file out of each unallocated block,
for later study and appending in an editor.
3) An INTERACTIVE program that displays a block, with the option of
ignoring, or making a file out of it, and then, for each subsequent block
provides the option to Ignore, Append it to one of the existing files, or
Create a new file from it.
Ideally, it should have a clue about likely sequence of blocks, including
interleave and side patterns.
Although a variety of algorithms could ASSIST with whether a given block
is LIKELY to be a continuation of the previous block, few could work
stand-alone as well as a human operator.
Among the possibilities are seeing ASCII (or other) code at the end of one
block and the beginning of another ("looking for half a worm in the
apple")
The same tools are also useful when the DIRectory or other file system
information is destroyed, or completely unknown.
I had a client who was overjoyed when I gave him a few hundred files,
which he proceeded to print out, and he and his staff manually sorted and
rearranged the printouts by looking at their content. We then looked at
the sequences of the file numbers and appended files accordingly.
--
Grumpy Ol' Fred cisin at xenosoft.com
On Fri, 5 Mar 2021, John Foust via cctalk wrote:
>
> After thinking about disk imaging tools like Greaseweasel,
> I started thinking about tools that would grab and examine the unused
> portions of disks.
>
> It's obviously file-system dependent. At one level we know of
> "undelete" tools that could piece together recently deleted files
> and restore them intact by using abandoned bits of block table info.
> Of course some simple file systems can't even permit that.
>
> But very few systems would bother to zero out the released blocks
> of erased or rewritten files and then blocks are left full of
> old data. Text source code would be easy to spot.
>
> I have vague memories of bits of Amiga OS source code being unintentionally
> released in unused blocks on OS binary disks that were sent out for
> mass duplication and distribution.
>
> This situation makes me hesitant to release disk images from the past.
> It's one thing to do it with disks that were mine and to take responsibility
> for my risk; it's another to release disks once owned and used by others.
> Do the unused sectors contain their love letters from 1983?
>
> Or if I want to release disk images that contain known personal files,
> how will I image, then remove specific files, then zero unused blocks
> if I don't want to alter the original media?
>
> Obviously in some situations the relevant files can be pulled and
> redistributed in a new filesystem like a Zip.
>
> The situation only gets worse with distributing larger images of
> entire hard disks. Or with Windows, "quick format" doesn't zero blocks.
>
> In another case I encountered while digging through files on an old
> RSTS backup tape, we had a program that logged usage data to a file
> and for speed purposes it would preallocate a large file (as opposed
> to extending the file, which was slower) and then write block records
> to it. RSTS reused blocks without zeroing. In the unused blocks
> of an extant file I found an email I'd sent in '82 as well as bits
> from other users of the same timesharing system.
>
> Certainly the archivists out there have considered these questions.
> How are they solved?
>
> Are there notable tools that focus on the files that aren't there?
>
> I don't mean modern forensic carving tools... but some concepts would
> be similar.
>
> - John
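The three tool shapes Fred lists above (one file of all unallocated blocks, one file per block, and a grouping pass driven by the "half a worm in the apple" continuation heuristic), written out as an added example by the editor; this is not code from the thread or from any tool it mentions. It assumes the file-system-specific step, deciding which blocks the directory says are in use, has already been done and is handed in as a set of block numbers, and it runs against a small constructed 8-block image (a deleted three-block letter in blocks 1, 2 and 4, never-written 0xE5 blocks, and one leftover block of an old binary). Interleave and side patterns are not modelled; blocks are taken in disk order.

```python
"""Carve the unallocated blocks of a raw disk image and propose file runs.

Added example, not code from the thread. The file-system-specific step, which
blocks the directory says are in use, is assumed to be done already and is
passed in as a set of block numbers; everything below is file-system agnostic.
"""
import string

BLOCK = 64                      # block size of the constructed image (small, for brevity)
PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}


def unallocated_blocks(image, block_size, allocated):
    """Return [(block_number, data), ...] for every block not marked allocated."""
    count = len(image) // block_size
    return [(n, image[n * block_size:(n + 1) * block_size])
            for n in range(count) if n not in allocated]


def concatenate(blocks):
    """Tool 1: one large file of all unallocated blocks, in disk order."""
    return b"".join(data for _, data in blocks)


def split_blocks(blocks):
    """Tool 2: one file per unallocated block, keyed by block number."""
    return {n: data for n, data in blocks}


def is_filler(data):
    """A block that is one repeated byte (0xE5, 0x00, ...) was never written."""
    return len(set(data)) == 1


def text_fraction(data):
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def continuation_score(prev, nxt, window=16):
    """'Half a worm in the apple': does the tail of prev flow into the head of nxt?"""
    tail, head = prev[-window:], nxt[:window]
    score = (text_fraction(tail) + text_fraction(head)) / 2
    # A word cut in two at the boundary (a letter on both sides) is strong evidence.
    if tail and head and bytes([tail[-1]]).isalpha() and bytes([head[0]]).isalpha():
        score += 0.5
    # A line terminator at the boundary could be the end of a file: weaker evidence.
    elif tail and tail[-1] in b"\r\n":
        score -= 0.1
    return score


def group_runs(blocks, threshold=0.8):
    """Tool 3 assist: propose runs of unallocated blocks that look like one file.

    Filler blocks end a run and are dropped; a human still decides the rest.
    """
    runs, prev = [], None
    for n, data in blocks:
        if is_filler(data):
            prev = None
            continue
        if prev is not None and continuation_score(prev, data) >= threshold:
            runs[-1].append(n)
        else:
            runs.append([n])
        prev = data
    return runs


def assemble(blocks, runs):
    """Append the blocks of each proposed run into one candidate file."""
    by_number = split_blocks(blocks)
    return [b"".join(by_number[n] for n in run) for run in runs]


def pad(data, fill=b"\x1a"):
    """Pad (or trim) constructed sample data to exactly one block."""
    return data[:BLOCK].ljust(BLOCK, fill)


# Constructed 8-block image (sample data, not from any real disk): a directory
# block, a deleted three-block letter in blocks 1, 2 and 4, an allocated file
# block (3), never-written 0xE5 blocks, and one leftover block of an old binary.
IMAGE = b"".join([
    pad(b"DIR " * 16),
    pad(b"Dear Ann,\r\nThe spring run finished last night and the numbers lo"),
    pad(b"ok much better than the winter batch did. I will bring the listi"),
    pad(b"\x00\x01" * 32),
    pad(b"ng on Friday.\r\n-- Bob\r\n"),
    pad(b"\xe5" * BLOCK),
    pad(bytes(range(0x80, 0xC0))),
    pad(b"\xe5" * BLOCK),
])
ALLOCATED = {0, 3}  # what the directory / allocation map says is in use


def carve(image=IMAGE, block_size=BLOCK, allocated=ALLOCATED):
    """Run the whole pipeline: unallocated blocks -> proposed runs -> candidate files."""
    blocks = unallocated_blocks(image, block_size, allocated)
    runs = group_runs(blocks)
    return runs, assemble(blocks, runs)


if __name__ == "__main__":
    for run, data in zip(*carve()):
        print(run, data[:40])
```

On the constructed image the grouping pass proposes two candidates: blocks 1, 2 and 4 joined into the letter (the allocated block 3 in between is simply skipped) and block 6 on its own, with the 0xE5 blocks dropped. The score is deliberately crude, as the thread says any such heuristic will be: a text file whose block boundary happens to fall on a line end still joins, but text followed by binary does not, and the operator gets a proposed grouping rather than a verdict.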