Re: [sleuthkit-users] Drive slack
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] Drive slack
|
From: Andrew C. <at...@gm...> - 2013-10-22 01:10:50
|
"which it is not the last sector used by the file" what did you mean here? Also, did you reboot the machine or dismount/mount the drive after running ccleaner and before running tsk? tsk may be reading cached data and not going back to the actual disk. On Mon, Oct 21, 2013 at 6:30 PM, Sergio Work <ser...@gm...> wrote: > I have been trying to understand the concept of drive slack and how > some applications wipe this space. In order to do this, I have created > a small hard disk with a NTFS filesystem inside a virtual machime with > Windows 7. Then I have added a simple JPG file to this hard disk. > After that, I have edited the last sector of the last cluster of such > file (which it is not the last sector used by the file), and added a > simple word "DRIVESLACK" to this last sector. Then, I have used the > CCleaner application and activated the "Wipe Cluster Tips" which > supposly, remove the drive slack space. After that, If I have > performed a blkcat of the last cluster of the file, and I observed how > the DRIVESLACK remains in the last sector of the last cluster of the > jpg file. Is there something that I have missed, or why the DRIVELSACK > is not overwritten by the CCleaner application? > > ------------------------------------------------------------------------------ > October Webinars: Code for Performance > Free Intel webinars can help you accelerate application performance. > Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from > the latest Intel processors and coprocessors. See abstracts and register > > http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk > _______________________________________________ > sleuthkit-users mailing list > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > http://www.sleuthkit.org |