Stoker, Kenneth E
Kenneth.Stoker at pnl.gov
Thu Jul 31 16:23:35 CDT 2003
Thanks, Drew. I think I have had this explained before but not as well and not as detailed. Appreciate it.

Ken Stoker
Technology Commercialization
Information Systems Administrator
PH: (509) 375-3758
FAX: (509) 375-6731
E-mail: Kenneth.Stoker at pnl.gov

-----Original Message-----
From: Drew Wutka [mailto:dbatech at wolfwares.com]
Sent: Thursday, July 31, 2003 1:36 PM
To: Discussion of Hardware and Software issues
Subject: Re: [dba-Tech] Retrieving Deleted Files off a hard drive

That is a very good question to ask.

First of all, there are two things to be aware of when data is stored on a disk. The first is the actual physical data, which is stored in the major portion of the drive, the second is the 'header' or table of contents, where the information about the file is stored. This header stores all sorts of information. Information you may use would be the file size, the name, the path it's in, the various properties such as read only, archive, etc. However, the header also stores the 'sectors' where the file is stored on the disk.

If you completely wipe out that table of contents, then the chances of restoring the data are going to be based upon how fragmented the drive is. If a data file is completely scattered across the drive, it would be nearly impossible to determine what goes with what, and in what order. However, those 'segments' are semi large. Fat16 is 8k, Fat32 is 4k, not sure what NTFS is, but I think it's 4k also. What that means, is if you write a tiny little file, say a few words, it is going to get its own segment of 4k (or 8k for Fat16). If you write a 5k file, it is going to get 2 segments. So a 10 meg file is going to get a LOT of segments, thus, if those segments are scattered, you can see the issue of trying to recover without the 'TOC' on the disk. Of course, your smaller files will recover easily, since you can't fragment a file smaller than the segment size.

Next, when you delete a file, from your computer, it doesn't physically write over the data. It simply flags the TOC entry as being deleted. In FAT systems, it just removes the first character in the file name (making it null), which prevents the file from showing up. There are several utilities out there that can 'undelete' a FAT file, by putting the character back into place. This of course is dependent upon the individual segments that the file used. They all need to have been left alone, or you risk retrieving a corrupted file, if some of the segments have been 'reused'.

In NTFS systems, there are also recover utilities. I personally have one called Restore 2000 Pro. Great utility. It doesn't do the 'first character' thing, it just shows you what used to be on the drive (full names intact). If it can recover it, it does.

Defragging a drive, after you delete data, isn't really going to do anything, because unless you had the deleted data at the start of the drive, then it may not get overwritten as the existing stuff is sorted and pushed to the front. You can write a little routine to fill your drive with 3 or 4k files, so that a defrag little writes over every segment.....that may work.

However, in theory, even physically writing over the data, you cannot be absolutely sure that it's gone. Since disks read/write with a magnetic process, there are residual layers of magnetism, and with the right equipment (which would have to be VERY VERY sensitive, and probably costs mucho denaro), you could theoretically retrieve anything that was ever written to the disk. If you are that worried about the data, the only thing you can do is physically destroy the disks within the hard drive.

Now, if you are just trying to prevent the average techie from retrieving the data (special hardware aside), then I would recommend the fill the drive with junk method. Formatting only removes the TOC of the disk. It does not write over every segment.
Writing over every segment is called a low level format, and unless you know EXACTLY what you are doing with that process, I recommend you stay away from it....because the wrong settings can cause the drive to be unusable.

Hopefully that answers some of your question.

Drew

----- Original Message -----
From: "Stoker, Kenneth E" <Kenneth.Stoker at pnl.gov>
To: "dba-Tech (E-mail)" <dba-tech at databaseadvisors.com>
Sent: Thursday, July 31, 2003 2:49 PM
Subject: [dba-Tech] Retrieving Deleted Files off a hard drive

> Everyone,
>
> I recently had a discussion with a coworker about the subject of retrieving deleted files off a hard drive. We got on the subject because we are having an audit on those company-owned computer systems that some staff may have at home for business use. He claims that any file can be reclaimed, even if a defragmentation has been run. I thought that once a disk has been defragmented, those files were truly gone, if anyone defragmented the disk, the audit would basically be a waste of time. Is this true? The computer security group here is, I'm sure, quite good, don't let any limitations be considered in any advice returned to settle this score.
>
> If it is possible, does that also apply to a reformatted disk? I would think that a reformatted disk would be the ultimate cleanup, but that would have me wondering now if a defragment doesn't work. Which would cause some serious concerns at this location as much of the stuff that I work with is very sensitive and would make me wonder about correct processes when buying a new machine and excessing the old one.
>
> Thanks for your help in settling the discussion.
>
>
> Ken Stoker
> Technology Commercialization
> Information Systems Administrator
> PH: (509) 375-3758
> FAX: (509) 375-6731
> E-mail: Kenneth.Stoker at pnl.gov
>
>
> _______________________________________________
> dba-Tech mailing list
> dba-Tech at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/dba-tech
> Website: http://www.databaseadvisors.com
>
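
An added illustration, not part of the original thread, of why undelete tools work on FAT: it parses a constructed directory region in which a deleted entry has only its first name byte replaced (FAT uses the marker value 0xE5), while the start cluster and file size are left in place. The sample entries, file names and helper functions are constructed for this example, and the cluster size is the 4k FAT32 figure quoted in the thread.

```python
import struct

CLUSTER_SIZE = 4096      # the 4k FAT32 figure quoted in the thread
DELETED_MARK = 0xE5      # first name byte of a deleted FAT directory entry
END_OF_DIR = 0x00        # first name byte of a never-used entry

def make_entry(name, ext, start_cluster, size, deleted=False):
    """Build one constructed 32-byte FAT short-name directory entry."""
    raw = bytearray(32)
    raw[0:11] = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    raw[11] = 0x20                                        # archive attribute
    struct.pack_into("<H", raw, 20, start_cluster >> 16)  # high word (FAT32)
    struct.pack_into("<H", raw, 26, start_cluster & 0xFFFF)
    struct.pack_into("<I", raw, 28, size)
    if deleted:
        raw[0] = DELETED_MARK          # deletion touches only this byte
    return bytes(raw)

def scan_directory(region):
    """Return a dict for every entry up to the end-of-directory mark."""
    found = []
    for off in range(0, len(region) - 31, 32):
        entry = region[off:off + 32]
        if entry[0] == END_OF_DIR:
            break
        deleted = entry[0] == DELETED_MARK
        stem = entry[0:8].decode("ascii", "replace")
        if deleted:
            stem = "?" + stem[1:]      # the original first character is lost
        hi, = struct.unpack_from("<H", entry, 20)
        lo, = struct.unpack_from("<H", entry, 26)
        size, = struct.unpack_from("<I", entry, 28)
        found.append({
            "name": stem.rstrip() + "." + entry[8:11].decode("ascii").rstrip(),
            "deleted": deleted,
            "start_cluster": (hi << 16) | lo,
            "size": size,
            "clusters": -(-size // CLUSTER_SIZE),   # ceiling division
        })
    return found

# Constructed sample: one live file, one deleted 5 KB file, then end marker.
SAMPLE_DIR = (make_entry("NOTES", "TXT", 5, 120)
              + make_entry("BUDGET", "XLS", 9, 5 * 1024, deleted=True)
              + bytes(32))

if __name__ == "__main__":
    for e in scan_directory(SAMPLE_DIR):
        print(e)
```

The deleted 5 KB entry still reports its start cluster and a two-cluster length, which is what a sanitization check should look for before a machine is excessed.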