Re: [sleuthkit-users] Drive slack
From: Greg F. <gre...@gm...> - 2013-10-28 14:52:49
Doesn't NTFS support sub-cluster allocations at the sector level? That can convert what you think is slack to allocated space, and thus not wipeable by CCleaner.

My understanding is that with NTFS for the last decade or so you only have partial sector slack, so you need to write your test data after EOF, but in the last sector containing valid data.

Note: I haven't ever had to testify on this, so I'm working from old memories of what I read and I have not researched it myself. Hopefully one of the sleuthkit devs can be more definitive.

Greg

Sergio Work <ser...@gm...> wrote:
>I have been trying to understand the concept of drive slack and how
>some applications wipe this space. In order to do this, I have created
>a small hard disk with an NTFS filesystem inside a virtual machine with
>Windows 7. Then I have added a simple JPG file to this hard disk.
>After that, I have edited the last sector of the last cluster of that
>file (which is not the last sector used by the file), and added a
>simple word "DRIVESLACK" to this last sector. Then, I have used the
>CCleaner application and activated the "Wipe Cluster Tips" option, which
>supposedly removes the drive slack space. After that, I have
>performed a blkcat of the last cluster of the file, and I observed that
>DRIVESLACK remains in the last sector of the last cluster of the
>jpg file. Is there something that I have missed, or why is DRIVESLACK
>not overwritten by the CCleaner application?
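The two places discussed in this thread for the test word (the rest of the last sector that holds file data, versus the later sectors of the same cluster) can be told apart from the bytes of the file's last cluster, such as blkcat output. The sketch below is an added example, not part of either poster's message; the 512-byte sector, 4096-byte cluster, 10,000-byte file size, the sample buffer and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass

SECTOR = 512    # assumed sector size in bytes
CLUSTER = 4096  # assumed cluster size in bytes (8 sectors)
MARKER = b"DRIVESLACK"  # the test word used in the thread

@dataclass
class SlackLayout:
    data: range           # offsets in the final cluster that hold file content
    sector_tail: range    # after EOF, inside the last sector holding file data
    whole_sectors: range  # remaining sectors of the cluster, past that sector

def slack_layout(file_size, sector=SECTOR, cluster=CLUSTER):
    """Split the file's final cluster into data and the two slack regions."""
    if file_size <= 0 or cluster % sector:
        raise ValueError("need a non-empty file and sector-aligned clusters")
    used = file_size % cluster or cluster      # data bytes in the final cluster
    tail_end = -(-used // sector) * sector     # round up to a sector boundary
    return SlackLayout(range(0, used), range(used, tail_end),
                       range(tail_end, cluster))

def locate_marker(cluster_bytes, file_size, marker=MARKER, sector=SECTOR):
    """Return (offset, region) for every marker hit, classified by start offset."""
    lay = slack_layout(file_size, sector, len(cluster_bytes))
    hits, pos = [], cluster_bytes.find(marker)
    while pos != -1:
        if pos in lay.data:
            region = "file data"
        elif pos in lay.sector_tail:
            region = "sector tail"
        else:
            region = "whole-sector slack"
        hits.append((pos, region))
        pos = cluster_bytes.find(marker, pos + 1)
    return hits

def build_sample(file_size=10_000):
    """Constructed final cluster: 0xFF file data, zeroed slack, two markers."""
    lay = slack_layout(file_size)
    buf = bytearray(b"\xff" * len(lay.data) + b"\x00" * (CLUSTER - len(lay.data)))
    first = lay.sector_tail.start + 16      # just after EOF, same sector as data
    last = CLUSTER - SECTOR                 # start of the cluster's last sector
    for off in (first, last):
        buf[off:off + len(MARKER)] = MARKER
    return bytes(buf)

if __name__ == "__main__":
    for offset, region in locate_marker(build_sample(), 10_000):
        print(f"{offset:5d}  {region}")
```

Running the same classification on the final cluster before and after a wipe shows which of the two regions a tool actually overwrote.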