Disk cleansing 102
- By Joab Jackson
- Aug 23, 2006
How can you be sure that, when you delete a file on Microsoft Windows, it is truly erased? Just deleting it won't do the trick. The OS merely removes the links to the file, marking that space as unused. The data stays intact, at least until it is overwritten by another file.
In recent years, a number of disk cleaners have been introduced that actually remove the contents, namely by overwriting the file with a big dummy file. For the security-conscious, most of these tools aren't thorough enough, according to Hal Berghel, associate dean of the Howard R. Hughes College of Engineering at the University of Nevada at Las Vegas, and David Hoelzer, a faculty member of the SANS Institute. The two looked at one potentially troublesome area: how data was stored, or erased, in each disk's Master File Table. This little-known file, named $MFT, keeps track of how disk blocks are allocated and holds meta-information such as file names, timestamps and, in some cases, copies of the entire file itself.
The duo looked at how six products handled the $MFT: Microsoft's own Cipher.exe, a product from CyberScrub LLC, PGP Shred and PGP Wipe (from PGP Corp.), WinCleaner Destroy-it (from Business Logic Corp.) and Evidence Eliminator (from Robin Hood Software Ltd.). They found that only one, Evidence Eliminator, completely erased information from the $MFT, according to a report of their findings in the August 2006 issue of Communications of the ACM.
Berghel speculated that part of the reason third-party utility companies are reluctant to tackle this problem is that Microsoft itself has not published specifications on how $MFT works, so writing software that works with $MFT could be too dangerous. "The exercise of overwriting metadata files comes with considerable risk," Berghel e-mailed to GCN. "Trashing customers' mission-critical files is a real non-starter for a software utility developer."
The researchers admit that snooping around the $MFT lies well beyond most users' abilities. To aid in this task, though, they posted the source code for the MFT Extractor they built themselves (www.cyber-defense.org/MFT_Extractor.html). Nonetheless, $MFT should be taken seriously.
Joab Jackson is the senior technology editor for Government Computer News.