Spelunking the places where files are not
John Foust
jfoust at threedee.com
Sat Mar 6 19:55:31 CST 2021
At 07:20 PM 3/6/2021, Chuck Guzis via cctalk wrote:
>The data forensics folks are at least 20 years ahead of you, John!
>They're interested in *everything* on disk, active or not.
Yes, I've looked at some of the high-end tools and once wondered about
a career in data forensics. I've had a few consulting clients push
me in this direction, asking the question "what exactly was this
employee really doing?" short of a criminal investigation.
For purposes of this thread, of course, I was thinking about all
the old file systems. I imagine the expensive packages don't handle,
say, UCSD Pascal or RT-11 or Amiga disk file systems, right?
But I bet they handle FAT and NTFS and Mac and Unix/Linux.
One feature from the big-boy software that would be nice to
carry down to the old stuff would be lists of known OS files
so they could be subtracted from disks (thereby leaving the
user-created stuff.)
>More than 30 years ago, I posted a utility for MSDOS floppies called
>"SEEJUNK".
https://lostarchives.org/category/27/file/2258#
And I guess I hadn't thought of that case where the file system
named the number of bytes in the file and that the unused ends
of blocks could also contain stuff, too. Is there a name for those bytes?
> It was very revealing what could be found on manufacturers'
>disks.
Such as?
>To be fair, I also wrote a companion utility to clean the stuff
>out called PRUNE.
And Microsoft is still handing out a zeroing tool, useful in several
situations including thinning virtualized drives.
https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
- John
More information about the cctech
mailing list