Thumb Drive with deleted/overwritten files but UC is all 0's

11 Posts
8 Users
0 Likes
439 Views
(@chitapett)
Posts: 76
Estimable Member
Topic starter
 

I'm analyzing the image of a thumb drive and have located 7 deleted/overwritten files, 0 deleted files and about 15 MB of allocated files. Unallocated is 3.7 GB, nothing but 0's. Is there any realistic reason to NOT suspect data wiping, seeing as there are obvious deleted files of which 0 bytes can be recovered? Can those files truly be completely overwritten? This device is FAT32.

 
Posted : 28/08/2012 3:52 am
pbobby
(@pbobby)
Posts: 239
Estimable Member
 

Yes, one plausible reason is that the drive was formatted under Vista or higher. If that were the case, by default the formatting process overwrites sectors even under quick mode, thus explaining why your unallocated blob is all zeroes.

Now, that being said, quite often with wiping of deleted files the catalog information remains behind (e.g. MFT records). So if you have catalog records that show files once existed, but the sectors are now zeroed out, then that is a strong indicator of file wiping.

 
Posted : 28/08/2012 4:43 am
(@athulin)
Posts: 1156
Noble Member
 

Is there any realistic reason to NOT suspect data wiping, seeing as there are obvious deleted files of which 0 bytes can be recovered? Can those files truly be completely overwritten? This device is FAT32.

I'd ask the opposite question: are there any signs that they were not completely overwritten? The simplest answer would be 'yes, there is data in unallocated contents, which easily could come from (some) deleted files'. But in your case you apparently can't point to any such data at all – is that right?

So where were those deleted files? You have the starting sector and you have the size … if they were in the middle of a huge unallocated chunk, it would seem odd. If they are in the middle of currently allocated files … not obviously odd. (Unless perhaps you can 'date' the deletion.)

Where are the deleted file entries? At the end of the list of directory entries or somewhere in the middle?

Some remote possibilities:

Is this a flash device? Does it do TRIM or equivalent? (seems a little small for that, but one never knows … )

It doesn't happen to have faulty sectors that were zeroed on acquisition? (very long shot …)

 
Posted : 28/08/2012 11:58 am
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

Yes, one plausible reason is that the drive was formatted under Vista or higher. If that were the case, by default the formatting process overwrites sectors even under quick mode, thus explaining why your unallocated blob is all zeroes.

We have just performed a quick test in our office and formatted a USB pen drive using Win 7 with quick format; our unallocated was full of information and definitely not zeroed.

 
Posted : 28/08/2012 12:13 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

Quick format does not wipe, full format does.

One possible explanation is that the chip is 'new' and has not been used much.

You have been asked the location of the existing files and deleted files. Are they all at the start of the disk? However, do not forget that for most FAT32 files, when deleted, the high 16 bits of the FAT pointer are also blanked to zeros.

If everything is near the start, then I would suspect limited use rather than wiping. If remaining files are all over the disk, then wiping looks more likely.

 
Posted : 28/08/2012 2:13 pm
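The checks suggested above (where the deleted entries point, whether the high word of the start cluster was zeroed, and whether the pointed-to data is actually all zeros) can be scripted against a FAT32 image. This is an added example, not code from any poster in the thread; it parses only the root directory and runs on a small constructed image whose layout is described in the code.

```python
import struct

def fat32_deleted_entries(img):
    """Report each deleted root-directory entry (first byte 0xE5) of a FAT32
    image with its start cluster and whether its first cluster is all zeros.
    Only the first cluster is checked: the FAT chain is lost on deletion."""
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", img, 11)
    spf, root = struct.unpack_from("<I", img, 36)[0], struct.unpack_from("<I", img, 44)[0]
    data_start = reserved + nfats * spf   # first sector of the data area (cluster 2)
    def cluster_offset(c):
        return (data_start + (c - 2) * spc) * bps
    found, off = [], cluster_offset(root)
    while img[off] != 0x00:  # 0x00 in the name field marks end of directory
        e = img[off:off + 32]
        off += 32
        if e[0] != 0xE5 or e[11] & 0x08:  # skip live entries and volume labels
            continue
        hi = struct.unpack_from("<H", e, 20)[0]  # Windows zeroes this word on delete
        lo = struct.unpack_from("<H", e, 26)[0]
        size = struct.unpack_from("<I", e, 28)[0]
        start = (hi << 16) | lo  # exact only if real cluster < 65536 when hi was zeroed
        first = img[cluster_offset(start):cluster_offset(start) + min(size, spc * bps)]
        found.append({"name": (b"?" + e[1:11]).decode(), "start_cluster": start,
                      "size": size, "high_word_zeroed": hi == 0,
                      "first_cluster_zeroed": not any(first)})
    return found

def build_test_image():
    """Constructed FAT32 sample: 512-byte sectors, 1 sector/cluster, 1 reserved
    sector, 1 FAT of 1 sector, root dir in cluster 2; so cluster c = sector c."""
    img = bytearray(512 * 16)
    struct.pack_into("<HBHB", img, 11, 512, 1, 1, 1)  # BPB: bps, spc, reserved, FATs
    struct.pack_into("<I", img, 36, 1)   # sectors per FAT
    struct.pack_into("<I", img, 44, 2)   # root directory cluster
    def entry(name, cluster, size, deleted):
        e = bytearray(32)
        e[0:11], e[11] = name.encode(), 0x20  # 8.3 name, ATTR_ARCHIVE
        struct.pack_into("<H", e, 20, 0 if deleted else cluster >> 16)
        struct.pack_into("<H", e, 26, cluster & 0xFFFF)
        struct.pack_into("<I", e, 28, size)
        if deleted:
            e[0] = 0xE5
        return bytes(e)
    root = entry("LIVE    TXT", 3, 10, False) + entry("GONE1   TXT", 4, 10, True) \
        + entry("GONE2   TXT", 5, 10, True)
    img[2 * 512:2 * 512 + len(root)] = root
    img[3 * 512:3 * 512 + 10] = b"live data!"
    img[4 * 512:4 * 512 + 10] = b"residue!!!"  # deleted, but data still present
    # cluster 5 is left as zeros: deleted and apparently wiped
    return bytes(img)
```

On a real image the interesting output is the mix: deleted entries whose first cluster still holds data argue against wiping, while entries that all point into zeroed clusters, especially ones scattered across the volume rather than clustered near its start, argue for it.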
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Just for the record, the behaviour changed with Vista 😯
http://support.microsoft.com/kb/941961/en-us

The format command behavior has changed in Windows Vista. By default in Windows Vista, the format command writes zeros to the whole disk when a full format is performed. In Windows XP and in earlier versions of the Windows operating system, the format command does not write zeros to the whole disk when a full format is performed.

jaclaz

 
Posted : 28/08/2012 2:30 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

On my Windows 7 systems, the default appears to be Quick format. If I want a full format, I have to select the check box.

 
Posted : 28/08/2012 2:49 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

On my Windows 7 systems, the default appears to be Quick format. If I want a full format, I have to select the check box.

Yes, this is "normal" and also "logical": since the "full" format now erases/wipes (actually writes 00's to) each and every sector, it will take hours to "full format" a biggish hard disk partition, and it is more likely that normally a "common Joe" would want to simply format a partition/volume and not also wipe it.

The main issue is with those that still like to use (or read a tutorial article suggesting the use of) the command line.

In this case, unless you specify the /q switch the default is "full".

Using the /q switch on the command line has been an "automatic setting" for me, because even the "old" versions without the /q switch took some more time since the sectors were checked (but not wiped); now that there is also the wiping part, it takes forever if you don't use the /q switch, and when you actually want to do a wipe, tools like hdderase or hdparm are way faster through the ATA internal commands.

IMHO it has been a "design flaw" of the newish versions; they should have made quick the default even on the command line and forced the use of a /F or similar switch to explicitly set the Full mode.

jaclaz

 
Posted : 28/08/2012 4:45 pm
KungFuAction
(@kungfuaction)
Posts: 109
Estimable Member
 

User could also have used a file wiping program which automatically wipes deleted files.

 
Posted : 29/08/2012 3:22 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

User could also have used a file wiping program which automatically wipes deleted files.

…and also have typed a HUGE number of 00's in a disk editor… 😉

jaclaz

 
Posted : 29/08/2012 12:52 pm