Re: volume locking
- From: "Chris Ellis" <chriseAtStompsoftDotCom>
- Date: Thu, 15 Jun 2006 12:54:52 -0400
Ok, we are developing software to recover lost files from various file
systems. Currently we are able to do so with a high rate of success. The
problem that arises is that users who install such software are now unable
to remove data from their system with any level of certainty. There is a
good chance that it can simply be restored, and an even higher chance that
information about it will be easily visible to anyone who runs the recovery
software. For this reason, the recovery software should also include the
ability to make data unrecoverable, whether that data is currently visible
to the filesystem or not. Now, in order to recover data, we have to read
and interpret the data structures of the underlying file system. Because we
keep records of this information, it makes it very easy to wipe out the
data. If we can find a deleted file, we know exactly where every trace of
that file exists in the underlying file system.
So that brings us to the problem at hand. With the background given, I will
answer your questions:
Access the volume from outside of the OS. Knoppix comes to mind
<
I am not familiar with Knoppix, but we are accessing the volume ourselves
directly at the hard drive level. Though our software runs in the Windows
environment, it accesses the hard drive directly (through API's designed for
that purpose). Without doing this, there is no hope of recovering data that
Windows does not acknowledge.
You have no control over the hardware write cache and this is not and should
not be a concern to you
<
You are correct. Here I am not referring to the hardware write cache, but
rather the operating system's internal write cache. The hardware cache is
of no concern to us, but the operating system's cache is... because if the
operating system has written to a portion of the file system but that cache
has not yet been written to the hardware (without regard for what the
hardware does with that write) then there is a chance for a race condition
in which very bad things could happen.
Do you understand that if you delete a bunch of files and clear recycle bin
that eventually all the sectors containing that deleted data will be
overwritten by active files?
<
Not soon enough... and actually, unless you fill the disk to capacity it is
never guaranteed. We find records of files that date back a long time when
scanning the underlying file system
Next step would be to defrag the volume. This will reorder the active files
on the system overwriting the pointers to the deleted files.
<
This is not an acceptable solution... that is... to tell our users that to
rid their system of a file they must delete it through the operating system
and then defrag their drive... hopefully, given a more specific background,
this is obvious
If you really wanted to make that deleted info unaccessable overwrite the
file names with bogus files the same size. Then delete the bogus files.
<
While this is a practical solution that solves the problem in a general
manner, it would produce garbage files with garbage data that would then
show up when the user scanned for missing files. While this would not be a
problem of security... the data would truly be gone... it comes with an
undesirable side-effect that would make it more difficult to locate the
files that the user may need to retrieve in the future. The best solution,
we believe, is to wipe all record of the file from the underlying file
system such that subsequent scans will turn up no record related to the
previous existence of that file... for all intents and purposes making the
existence of that file totally disappear
And as for the other questions... hopefully it is clear that we are not
trying to wipe anything more than specific files... this is a surgical
operation... and even a format does not remove the file data from the
drive...
Thanks for your response,
Chris
.
- References:
- volume locking
- From: Chris Ellis
- volume locking
- Prev by Date: deleting a file in a DFS root
- Next by Date: Re: volume locking
- Previous by thread: volume locking
- Next by thread: Re: volume locking
- Index(es):
Relevant Pages
|
