> When the some wiping utilities I have experience were > used, the filenames were usually intact, although the > content of the file was overwritten. Is this because > the filename is listed in the master file table? IS > the size also contained in this mft? Is MFT not the > master file table? Other utils I have seen scramble > or rename the files, but there are still files there > marked as deleted. I'm relying here on my very old knowledge of how the Microsoft FAT file system worked. When a FAT file is deleted, its name has the first characater wiped out (which is what most undelete utilities go on for detecting and recovering files). I think the operating system then re-uses the first deleted file slot it finds when a new file or directory is created. So given this behavior, you can wipe out all knowledge of files by deleting them, then creating a bunch of empty files (or better yet copy a bunch of operating system files to fill blocks with "legitimate" data instead of blocks of all zeroes, all ones, any repeated pattern, etc.) then deleting all these temporary files. If you first copied all the files to a new directory, then deleted the files, then deleted the directory, then created and deleted more files, you'd effectively wipe out all traces of the files AND the directory. -- Dave Dittrich Computing & Communications dittrichat_private University Computing Services http://staff.washington.edu/dittrich University of Washington PGP key http://staff.washington.edu/dittrich/pgpkey.txt Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Sep 05 2001 - 11:49:53 PDT