±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 1 Overall: 32897
New Yesterday: 3 Visitors: 187

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

RSS Feed Widget

±Latest Webinars

delete file in safe way ?

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Go to page Previous  1, 2, 3, 4  Next 
  

Re: delete file in safe way ?

Post Posted: Wed Mar 22, 2017 9:42 am

I don't think that anyone has mentioned Defrag programs. These could have moved your critical file to a new location, and the old file may be left in unallocated space.

To overcome this type of issue, I occasionally just write a file (typically fairly blank data) to fill the whole drive. This should catch most of the unallocated data. I then just delete this big file.

Don't forget that very small files, maybe a few 100 bytes long, can be stored in the $MFT
_________________
Michael Cotgrove
www.cnwrecovery.com
www.goprorecovery.co.uk 

mscotgrove
Senior Member
 
 
  

Re: delete file in safe way ?

Post Posted: Wed Mar 22, 2017 6:57 pm

- qassam22222
hello all ... and good evening
i want to delete some files and flders from my PC how i can do that ?? without leaving any chance to anyone to recover them ?


The answer is "it depends".

Some further thoughts over and above the previous comments already given (defrag consideration etc. is an excellent point), you would also need to possibly factor in the file/operating system in use.

Is the file system NTFS, and is the OS Vista or newer? If so, then consideration needs to be given to whether Volume Shadow Service is running - you could delete and wipe the sectors in which the file/folder is sitting, but VSS would kick in and potentially backup the deleted data anyway. Until such time as the data in that shadow copy is itself overwritten (FIFO system if I recall correctly), the. The file is still recoverable.

Likewise, if the system is Mac OS X with Time Machine enabled, then consideration needs to be given to any historic backup copies which might exist.

These are just 2 examples of potentially unanticipated features which might cause the data to be recoverable, even if you had wiped the sectors storing the logical file. There are more!

Ben
_________________
Ben Findlay. BSc (Hons) MSc MCSFS MIScT
Course Leader Computer and Digital Forensics
Senior Lecturer Crime Intelligence & Data Analytics
School of Science and Engineering
Teesside University 

benfindlay
Senior Member
 
 
  

Re: delete file in safe way ?

Post Posted: Thu Mar 23, 2017 6:46 pm

- mscotgrove


Don't forget that very small files, maybe a few 100 bytes long, can be stored in the $MFT

For the "standard" 512 bytes/sector (and conversely 1024 bytes/entry) the limit is around 720-736 bytes:
www.forensicfocus.com/...c/t=10403/

An interesting question (that noone seems like interested to test/fiddle with) is what happens on 4096 bytes/sector media (and conversely with the much larger $MFT record size)?
www.hexacorn.com/blog/...cord-size/
Logically the size of the "embedded" file should expand to around 4096-(1024-736)=3808 bytes.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: delete file in safe way ?

Post Posted: Thu Mar 23, 2017 8:25 pm

[quote="jaclaz"]
- mscotgrove


An interesting question (that noone seems like interested to test/fiddle with) is what happens on 4096 bytes/sector media (and conversely with the much larger $MFT record size)?
www.hexacorn.com/blog/...cord-size/
Logically the size of the "embedded" file should expand to around 4096-(1024-736)=3808 bytes.

jaclaz


That's an interesting point and a good spot - thanks for sharing.

I can't say I've ever personally encountered this in the wild. I'd be interested to hear from practitioners as to what they are seeing at the 'coal face'.

I've taken a quick look over the at sample posted in the link you provided and the following observations jumped straight out at me:

The record header size is 72 bytes (previously 56 was the expected size).

The footer is different to previous versions of the MFT.

The Update Sequence Array occurs ever 512 bytes, possibly indicating backwards compatibility with discs with 512 byte sectors.

The information present at offset 168 onwards appears to be slack, based on FF FF FF FF 00 00 00 00 at offset 160 and confirmed by the 68 01 value at offset 18.

Anyone else care to wade in?

Ben
_________________
Ben Findlay. BSc (Hons) MSc MCSFS MIScT
Course Leader Computer and Digital Forensics
Senior Lecturer Crime Intelligence & Data Analytics
School of Science and Engineering
Teesside University 

benfindlay
Senior Member
 
 
  

Re: delete file in safe way ?

Post Posted: Sat Mar 25, 2017 2:13 pm

- benfindlay


I've taken a quick look over the at sample posted in the link you provided and the following observations jumped straight out at me:
...

Good.
I happened to remember that the VSS Microsoft Virtual Disk Driver allows to create virtual disks of a given sector size, so I quickly made one and tested the effect on a file "size.dat" enlarged by fsz.exe.
The limit is 3776 bytes, 3777 gets the "dignity" of occupying a cluster:
Code:
fsz size.dat 3775
OKMyFragmenter v1.2, 2008 J.C. Kessels
  0 clusters, 1 fragments.
Finished, 1 files processed.
Next...
Premere un tasto per continuare . . .
fsz size.dat 3776
OKMyFragmenter v1.2, 2008 J.C. Kessels
  0 clusters, 1 fragments.
Finished, 1 files processed.
Next...
Premere un tasto per continuare . . .
fsz size.dat 3777
OKMyFragmenter v1.2, 2008 J.C. Kessels
  Extent 1: Lcn=5005, Vcn=0, NextVcn=1
  1 clusters, 1 fragments.
Finished, 1 files processed.
Next...
As seen in the mentioned thread this size may vary of a few bytes depending on the actual method that is used to write the file and on the length of the filename, for file size0123.dat the limit is 3768.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: delete file in safe way ?

Post Posted: Sat Mar 25, 2017 5:21 pm

In my (fairly quiet) data recovery world I have seen a single 0x1000 MFT disk. I cannot remember if the disk was physically 0x1000 or physical 0x200

However I note that my Microsoft Storage Space has 0x1000 byte blocks, even though the physical drives are 'standard' 0x200 bytes.
_________________
Michael Cotgrove
www.cnwrecovery.com
www.goprorecovery.co.uk 

mscotgrove
Senior Member
 
 
  

Re: delete file in safe way ?

Post Posted: Sun Mar 26, 2017 7:38 am

- mscotgrove
In my (fairly quiet) data recovery world I have seen a single 0x1000 MFT disk. I cannot remember if the disk was physically 0x1000 or physical 0x200


It was almost certainly 4096 bytes/sector physical.

"Traditional" or "512n" or "512 native" disks are 512 bytes physical AND expose a 512 bytes sector size.
"Advanced Format" or "512e" disks are 4096 bytes physical BUT expose a 512 bytes sector size.
"Large sectored" or "4k native" disks are 4096 bytes physical AND expose a 4096 bytes sector size.

There is not AFAIK any device that is 512 bytes physical but exposes 4096 bytes.

An interesting (strange) case JFYI is what happened here:
www.msfn.org/board/top...nterfaces/
www.msfn.org/board/top...nterfaces/
where an AF disk changed exposed size when in an external case it was connected to either USB or eSATA connector.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 

Page 2 of 4
Go to page Previous  1, 2, 3, 4  Next