Friday, January 19, 2018

linux - Shred File without overwriting blocks



AFAIK, a file on a file system has two components.




  1. The pointer that stores the directory path of the file. Also stores the list of sectors/blocks on the disk that the file is composed of.

  2. The real sectors/blocks on the disk that store the file data.




When deleting a file, the pointer is removed without any changes to the blocks. But the list of blocks is marked free to be used whenever data is written. Considering no overwritten data,




  • If the pointer is completely removed, how can recovery programs recover files?

  • From what source do these recovery programs get the list of blocks the deleted file is composed of?



And,





  • Can I shred a file without overwriting its blocks? By completely clearing the list of blocks that the file to be deleted is composed of.

  • Can I make file recovery of already deleted files impossible by not overwriting free space? By completely clearing the list of blocks that the deleted file is composed of.



Consider a fragmented filesystem like ext4 on a disk with a 512-byte physical sector size. File recovery is pretty much useless when a deleted file's list of blocks cannot be known. If such a thing is possible, maybe it gives the disk a little more life.


Answer




> If the pointer is completely removed, how can recovery programs recover files?





It looks at disk blocks which aren't marked as being used by any file in the filesystem and examines the contents for non-random data, e.g. known file format headers or text.




> From what source do these recovery programs get the list of blocks the deleted file is composed of?




Start with a list of all the blocks that are marked as used and look for all the others. However, some filesystems do record the block chain for recently deleted files to aid in recovery.





> Can I shred a file without overwriting its blocks? By completely clearing the list of blocks that the file to be deleted is composed of.




It would still be discoverable if a block contained some recognisable data, e.g. a JPEG header, and that allowed the rest of the image to be recovered.




> Can I make file recovery of already deleted files impossible by not overwriting free space?





No, the data is still on disk and may be detectable.




> By completely clearing the list of blocks that the deleted file is composed of.




My knowledge of filesystems is a little out of date, but they used to store the link to the next block at the end of the previous block, so you only had to recognise one block of data and got the rest of the file from that point onward. The main index table only had to store the location of the first block in the file. I don't know if this applies to modern (e.g. NTFS/EXT4) filesystems.
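
The header scan over unallocated blocks described in this answer, as an added example that is not part of the original post: a toy disk model in Python showing that discarding a file's block list leaves it recoverable, while overwriting its blocks does not. The 512-byte block size comes from the question; the disk image, allocation set, function names and fake JPEG payload are constructed for illustration, and the file is assumed to be stored contiguously.

```python
BLOCK = 512                 # sector size from the question
JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image signature
JPEG_EOI = b"\xff\xd9"      # JPEG end-of-image marker

def write_file(disk, used, start, data):
    """Store data contiguously from block `start`; return its block list."""
    disk[start * BLOCK:start * BLOCK + len(data)] = data
    blocks = list(range(start, start + (len(data) + BLOCK - 1) // BLOCK))
    used.update(blocks)
    return blocks

def delete_metadata_only(used, blocks):
    """Mark the blocks free and discard the block list; data stays on disk."""
    used.difference_update(blocks)
    blocks.clear()

def overwrite(disk, blocks):
    """Zero the given blocks, which is what actually destroys the content."""
    for b in blocks:
        disk[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)

def carve_jpegs(disk, used):
    """Scan free blocks for a JPEG header, then read on to the EOI marker."""
    found, nblocks = [], len(disk) // BLOCK
    for b in range(nblocks):
        if b in used or not disk.startswith(JPEG_SOI, b * BLOCK):
            continue
        end = b
        while end < nblocks and end not in used:  # contiguous free run
            end += 1
        eoi = disk.find(JPEG_EOI, b * BLOCK, end * BLOCK)
        if eoi != -1:
            found.append(bytes(disk[b * BLOCK:eoi + len(JPEG_EOI)]))
    return found

def demo():
    disk, used = bytearray(16 * BLOCK), set()  # constructed toy disk image
    # Constructed stand-in for a JPEG: real signature bytes, fake payload.
    photo = JPEG_SOI + b"\xe0" + b"constructed-image-data " * 40 + JPEG_EOI
    blocks = write_file(disk, used, 5, photo)
    span = list(blocks)                  # remember where it was, for step 2
    delete_metadata_only(used, blocks)   # step 1: block list is gone
    after_delete = carve_jpegs(disk, used)
    overwrite(disk, span)                # step 2: content is gone
    after_overwrite = carve_jpegs(disk, used)
    return photo, after_delete, after_overwrite

if __name__ == "__main__":
    photo, a, b = demo()
    print(a == [photo], b == [])
```

A fragmented file would defeat the contiguous read in `carve_jpegs`, but the header block would still be found in free space, which is the point the answer makes about recognisable data.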

