Forum: Author Hangout

The same article where I saw the above claim, also said that the CIA and NSA destroy used hard drives by grinding the platters into dust.

After repeated leaks, the NSA (and the White House) are now considering grinding their analysts into dust!

Won't work, too much liquid in a human body. They would have to be stored in a low humidity environment long enough to completely desiccate before grinding.

Trump wouldn't mind grinding them underfoot (the bloodier the better), while the NSA wouldn't mind grinding them under the weight of the legal system. The idea is to extract revenge, not to cover up the already exposed truth.

I don't know if it's true

As I indicated I worked with classified data and was involved in the destruction of a number of classified hard disks. During our indoctrination in handling classified computer disks, we were informed that there it was possible to recover data that had been wiped by programs similar to those that Capt Zapp mentioned. If I understand the method used, the wipe programs only remove the central portion of the data track created by the write heads. The recovery programs are based on placing the data platters in a special hard drive that has a very sensitive read head that is setup to read the data still present at the outer edges of the data track. It is a time consuming and costly process, but it can be done.

Grinding the magnetic medium off of a platter is definitely a good way to destroy data stored on that medium. Bending a platter as I described above is also a good way to do it for you will never flatten that disk to the extent its data can be read. Re-flattening the platter might be possible without distorting it, but in the process you would destroy the magnetic medium on which the data is stored.

During our indoctrination in handling classified computer disks, we were informed that there it was possible to recover data that had been wiped by programs similar to those that Capt Zapp mentioned. If I understand the method used, the wipe programs only remove the central portion of the data track created by the write heads.

More than that, disks retain 'ghost' images of the old data, even when the data on them has been erased. So if you examine the disk, you can still read content that's been erased, overwritten and has complete new data in it.

Consider that every time you click the wrong link and an obscene image pops up. If anyone ever accuses you of something, all the cops need is one or two of those 'momentary' images and you'll spend the rest of your life labeled as a convicted pedophile. In Ernest's case, he sent an email to the wrong person, asking about access to a site he didn't know anything about. They're still examining his disks, trying to uncover more of those 'never stored on his computer' images.

to remove ALL traces of deleted files.

Thanks Capt Zapp. My MC's problem is the files were never save to the PC's hard disk. I do not that Word has temporary working files that are given names by Word. I don't know where these temp files are saved and I'm not sure it there may be other files saved also.

When one of my companies went out of business, we had to destroy the hard disks that contained classified material. Under the watchful eye of out security officer, we opened the hard disks and removed the platters. We took a screwdriver and scratched up both sides of the platter and then bent it in half and flattened it with a hammer. At the time, that was the Government approved method of destroying hard disks containing classified data. The Government may have slagged theirs, but we did not have that capability.

There is a system temp directory for temporary files.

Here is an article from PC world on how to clean it out.

I'm familiar with it, because every time WORD crashes, it leaves 'temporary' links behind. However, I rarely save them because the recovered files cause problems with various sites I post to.

overwrite deleted files

Thanks DS.

As I mentioned to Capt Zapp, the files aren't deleted. They may be on the disk but you don't have their names and short of wiping the entire disk, it won't help my MC. Since my MC might be creating sensitive files on a regular basis, wiping the disk after creating a sensitive file won't work as a long term solution.

'scrubbing'

I am familiar with the process of scrubbing/wiping a hard disk. It won't work for my MC because he may have to create sensitive documents on a on-going basis, and those techniques affect the entire hard disk. He won't want to reload the operating system and all his programs every day.

His personal PC is subject to seizure by the authorities at almost anytime, although such a seizure would be the result of a lawsuit, so he would have some idea that it might happen. But he will need to use the computer during the high risk period.

My concern is that PCs can allocate hard disk sectors to be used as RAM. So if Word were to use that allocated hard disk RAM storage area, the data would still be there when the computer is shutdown. There may be other ways in which Word could leave data on the hard disk or in a solid state memory locations that are not dumped when power is removed. Is there a way to selectively remove this data without affecting other portions of the hard disk or memory that my MC would like to retain. If this can be done, then there is the second question of how would my MC know what areas need to be cleaned.

He won't want to reload the operating system and all his programs every day.

If you use a Live Disc or an SSD with an OS etc on it the only information on the main system is in the RAM and will be lost as soon as the system reboots. Thus he need only turn off the system and boot to the other as required, no need to rebuild the system at all, and the main system doesn't have to be cleaned at all. However, you have to ensure the Live Disc or SSD has all the software you want to use on it.

I am familiar with the process of scrubbing/wiping a hard disk. It won't work for my MC because he may have to create sensitive documents on a on-going basis, and those techniques affect the entire hard disk. He won't want to reload the operating system and all his programs every day.

If he's working with so much sensitive data, he WOULDN'T be using such ancient technology. Using solid state disks would solve most of the problem, assuming he never physically 'saved' anything to his computer.

it removes the entry from the table,

Not to be argumentative for I appreciate the help, but what actually happens is first letter of the filename in the FAT is overwritten with an invalid filename character. Restoring the first character of the filename with a valid character allows you to retrieve the file if it hasn't been overwritten after deletion.

Procedures for destroying data on a hard drive platter have changed over the years, and I suspect each government defines what it feels is adequate. I know that at the time I was involved in destroying hard disks containing classified data, the process you defined was known to the US Government and was not deemed adequate. For whatever reason, we had to physical damage each platter in a way that made it totally unusable and the data irrecoverable. I don't know today's approved process.

Procedures for destroying data on a hard drive platter have changed over the years, and I suspect each government defines what it feels is adequate.

When I was working in the Aust DoD we followed the same rules as the US DoD and that was to use 2 types of drive clearance based on the highest classification of material that might have been on the drive.

1. Writing Over the drive as earlier described was used for drives where the data on the drive could only be in the categories below Secret and Highly Protected - which is the equivalent of Secret for data that was of a National Security type, eg. personnel data type stuff.

2. Write Over and Disc Destruction (which I also mentioned) was for all data at or over Secret and Highly Protected. The Write Over was done before it left the facility because the destruction was done elsewhere and the policy was easier to write as do the Write Over to all drives first.

Guys, the FAT (File Allocation Table) disk structure has been well and truly superseded on hard disks by the MFT (Master File Table).

Although the process name was used as the title of the original process, and more recent processes use different names, such as that used in Unix and Linux and the latest versions of MS Windows, the process known as File Allocation Table is still the same process working in the same basic way.

How they work is significantly different.

The basics I set out are the same, just like the basics of driving a manual 10 speed truck are the same basics as driving an automatic 4 cylinder car. Sure the gear lever system work in a different way, but the basics of selecting gears to change the drive shaft speed from the crankshaft are the same.

Every operating system has some sort of File Allocation Table where it lists the files and the memory storage locations of the actual files (as I previously stated). When you choose to delete a file it erases the entry, and not the actual file. The file itself is wiped only when it gets overwritten by having something else written to that space.. - The basics are the same, regardless of what you call and regardless of the oeprating system being used.

There is nothing in NTFS that resembles the FAT in FAT based systems.

I suggest you go back and do some studying of computer systems.

The main File Allocation Table Systems in use for the lats 30 years have been named FAT 16, FAT 32, NTFS, EXT2, and EXT3 - there are also some others. They all work on the same basic File Allocation Table process of having a Table which works much like Table of Contents for a book. Space is set aside at the start of the drive for that table and it lists the file name then the storage location the file is stored in, judge like I described in the first post. You are having issues because the process is known as a File Allocation Table and you're mixing it up with the system known as FAT16 and FAT32 - which are simple names for the early Windows version. With NTFS they used the exact same layout and gave it a new name, that's all - the main difference between the three is the amount of space set aside and used for each entry in them. The way they all operate is the same as I said at the start.

Like a lot of things with computers, the process methodology stays the same, but the names for it change just so they can make it seem different. Directory or Folder - two names for the same process and procedure.

typo edit

The one aspect of your presentation that I question is your repeated statement about the file entry being deleted.

If that were true, then the Undelete Programs would not be able to undelete a file. Since they can recover a deleted file, the entry has to be still present.

The OS doesn't delete the file's FAT entry when you delete the file. The OS modifies the entry's name using an illegal file character, so the file will not appear in a listing of a HD's files. The entry remains in the FAT for a period of time before it is dropped. I am not aware of the factors causing it to be dropped. The Undelete Programs do their thing by showing the user a listing of all the FAT entries, and providing the user the ability to change the illegal filename character back to a legal character. The file name will then be displayed in the directory listing of the HD's files. Of course there is the concern that a portion of the file was overwritten while the file was "deleted", but that is a different issue.

The one aspect of your presentation that I question is your repeated statement about the file entry being deleted.

The file itself isn't deleted when you tell it to delete, the entry in the table is deleted from the table, or if you send it to the Trash Bin it's moved to the Trash Bin record. The actual file is still sitting on the drive until something else is written into the space it's sitting on. The recovery system works by checking the drive itself and reinstating the entry. Leave it too long and the file can't be recovered due to part of it being overwritten.

Think of it like a word processor Table of Contents where you use three levels of chapter headings in the document, set the ToC to look for three levels and it lists them all, set it for two levels and all the third level headings vanish from the table, but they're still in the document - same sort of effect. No entry in the table, but it's there in the document.

recovery system works by checking the drive itself and reinstating the entry

We all agree that the file is still on the HD if it hasn't been overwritten.

My issue is the file entry in the FAT. It sounds as if you are saying it is deleted (i.e. gone forever, which is what deleted means) and I am saying that is not true.

Please explain to me how the recovery system can reinstate the entry if it no longer exists. Since the FAT is the structure that holds all file entry information, the recovery program has to go to the FAT to find the file's entry which is the first step in reinstating the file.

No entry - no recovery.

Entry still present (not deleted) - recovery possible.

Please explain to me how the recovery system can reinstate the entry if it no longer exists.

There are two main ways the data of the file is stored on the drive:

1. The data is stored in contiguous locations - not common with many of today's systems.

2. The data is stored in a number of file locations and part of the data stored as the last info in the first storage location is the information on where to find the next lot of data, and so on until the very last lot has the end of file info.

In both cases the first storage location is noted in the allocation table.

When you run a recovery program it examines the drive storage location for what is in it, and does a full catalogue of what it finds, then compares it with the allocation table and tells you what extras it found and if you want them reinstated.

............

As it was explained in the college tech class on hard drives and data storage I did those years ago, think of all the storage locations on the drive like a large wall of pigeon hole boxes, each with it's on ID for the box. The allocation table is like a clipboard sitting on the table in front of it that has the list of files and the box address of the first data for the file.

For the sake of this example think of 26 rows of 100 boxes with each row being a letter and the numbers being 00 to 99 and the storage foes from A00 to A99 then B00 to B99 etc. Assume the file in question needs 40 boxes.

If the data is stored in one contiguous set of boxes the first box has a sign on it saying the name of the file and a note that the file is stored from there to the last box listed. So the table says it starts at A35, and when you get to A35 there's a note saying the file is from A35 to A75 andA75 has an End of File note.

In the second set up the same file and location listing sends you to A35, and in A35 is a note saying go to A36 next, that has a note saying go to A37, etc. Then you get to A41 and it says go to B15, and each box goes on until you get to the last box which has a note saying End of File.

..........

that's the basics of the process. The recovery program examines each location and notes what's there. Think of it like doing an inventory stocktake where you open every box and count what's in it while noting what's there.

The allocation table is like a clipboard sitting on the table in front of it that has the list of files and the box address of the first data for the file.

I agree with what you said EB - the allocation table has the list of files that correlates to the assigned and unassigned portions of the HD disk space. The files in the list that are associated with deleted files (unassigned disk space) are still in the list and they contain the start address of the files that were deleted.

So, why do you keep insisting that the files associated with the deleted files have been deleted from the Allocation Table's list of files?

So, why do you keep insisting that the files associated with the deleted files have been deleted from the Allocation Table's list of files?

The actual data files aren't touched by the delete command, but the list entry is removed from the list. I keep saying that because that's what happens. Tell the system to delete the file Whatza and it's list entry is removed at the same time as the memory units allocated to it are listed as being available. Thus it no longer shows in the list while the data is still in the boxes.

There is no allocation table reserved sector space with NTFS.

A rose by any other name will still prick your thumb with its thorns. Call it a File Allocation Table or a Master File Table, it matters not, it still does the same job. When you format a drive with NTFS the amount of usable space is reduced due to it setting aside the space it uses for the Allocation Table which they call a Journal - same job, same basic process, different name because it has a few extras, that's all.

https://en.wikipedia.org/wiki/NTFS#Master_File_Table

Quote

In NTFS, all file, directory and metafile data—file name, creation date, access permissions (by the use of access control lists), and size—are stored as metadata in the Master File Table (MFT). This abstract approach allowed easy addition of file system features during Windows NT's development—an example is the addition of fields for indexing used by the Active Directory software. This also enables fast file search software such as Everything to locate named local files and folders included in the MFT very quickly, without requiring any other index.

End Quote

NTFS makes two copies of the table with one stored in a Mirror file.

Ergo, NTFS has a File Allocation Table which it calls a Master File Table.

An MFT is not the same thing as a FAT, regardless of how often the end result of its use is perceived to be the same as a FAT.

They both work in the same way, they do the same function, and sue the same processes. They just give them different names, is all. MFT has a few extra bells, but it still has the same core function working in the same basic way.

I can see this is a religious issue for you EB, so I will not try any further to bend your zeal.

Funny, I thought that was your attitude, so I gave up trying to tell you the truth, since you kept ignoring the facts.

A rose by any other name will still prick your thumb with its thorns. Call it a File Allocation Table or a Master File Table, it matters not, it still does the same job. When you format a drive with NTFS the amount of usable space is reduced due to it setting aside the space it uses for the Allocation Table which they call a Journal - same job, same basic process, different name because it has a few extras, that's all.

...

NTFS makes two copies of the table with one stored in a Mirror file.

Ergo, NTFS has a File Allocation Table which it calls a Master File Table.

The NTFS file does not operate the same way, nor does it present the same challenges. However, it still allocates (but doesn't clear) existing space, allowing 'deleted data' to remain indefinitely, potentially allowing it to be recovered later. But it is still harder to recover than it was under the older Windows system. In short, the danger is reduced, but surely not eliminated.

Don't forget about the trash can. When something's deleted, it goes in there.

The File Allocation Table entry is what is placed in the Trash Can, not the actual file or data.

The File Allocation Table entry is what is placed in the Trash Can, not the actual file or data.

It doesn't go "in" the trash can, rather that's how the trash can is created (i.e. it "is" the trash can).

But, putting stuff in the trash and emptying it doesn't do anything to remove it from the computer.

It doesn't go "in" the trash can, rather that's how the trash can is created

There's a file in the computer that's known as the Trash Can when you send a file to the trash can the data from the File Allocation Table is moved from the normal File Allocation Table list and placed in the Trash Can list. When you tell the system to clear the Trash Can it simply clears the Trash Can list. The actual data for the file on the drive isn't touched or affected in any way. However, it will be overwritten the next time the computer wants to use that space.

Files can be recovered by some software after the file allocation list is gone as long as the actual data hasn't been overwritten yet. The system recovers the files by using software to check what is in each storage location and comparing that to the File Allocation Table and then listing what it finds that's not in the File Allocation Table.

How about using some kind of magnetic fields. Could that possibly work to erase a hard drive's data completely?

a very strong EMP or magnetic field will totally scramble everything on a drive and render it totally useless, and is one way of erasing data. But it takes a strong field to do it.

a very strong EMP or magnetic field will totally scramble everything on a drive and render it totally useless, and is one way of erasing data. But it takes a strong field to do it.

Again, not complete--especially in the case of the old 'hard' drives with disk platters. Often, images get 'burned into the disk' even where there's new 'data' on those physical locations. The magnetic field only erases the current data, not the old data etched into the disk's surface.

And again, it's no longer an issue with the advent of solid state disks.

Often, images get 'burned into the disk' even where there's new 'data' on those physical locations.

As I explained in an early response, the data in the actual memory track is wiped and replaced, but what you're referring to is where an echo copy is stored in the space between the tracks that isn't replaced because the head doesn't pass directly over it.

If he's saving to a removable drive and even has Word write the auto-backups to that removable drive, is any of the data written to the computer's main hard drive? Like in a tmp file.

He'd be required to disable the 'autosave' and 'recover' features on software like WORD, since they aren't secure and leave easily traceable information. Thus, if WORD crashes, he'd have to recreate EVERYTHING by hand (and memory).

I watched for replies to this question with interest because I have had various PCs fail on me - fail in the sense that they will no longer even start to boot up so special programs couldn't work.

depending on what is actually wrong, the drives may work on another system - I've recovered data from dead systems for many people in the past.

When I replace my PC, I pull the hard disk out of my old unit and install it in either an open slot of the new PC or in an external HD case, which I connect to the PC. After the new PC boots, and if the old HD isn't defective, I can retrieve its data or use any special program that may be on the old HD.

Of course if the only thing you want to do is keep someone from accessing the disk's data (i.e., not classified data) all you really have to do is put it on a hard surface and hit it with a sledge hammer a few times. Caving in the case will damage the interior mechanisms. Hit it a couple of more times and you will deform the platters. Simple, easy, and you can work your frustrations off at the same time.

Beat it with a sledge, douse it in gasoline, set it on fire, and throw it in a blast furnace. ;)

If that doesn't work, then a small nuclear device should do the job! 'D

but why is all this necessary?

It is a revenge story. The MC plans to use computers and the Internet do something unorthodox and potentially illegal to those he feels harmed him. His goal is to do the same thing to them that they did to him (the title is Sauce for the Gander and it should be ready for posting close to the time that my Time Scope 2 posting ends).

The MC expects to be sued by his targets and is setting up a defense team. To fully understand the MC's actions and motivations the lawyer wants him to prepare an electronic journal. The MC will present his actions in court as a public service, but his real motivation is revenge. The targets are wealthy and powerful and they will accuse him of illegal activities (true if his real motivation can be proved); so there is a possibility that his computer would be seized by court order and analyzed. The lawyer wants to make sure there is nothing that might be incriminating on the MC's computer.

needed

Good idea. I had him hiding from the bad guys in libraries for a week or two, so I'll have him or the lawyer think of the library computers or something like that. A minor rewrite should do it.

Unless the MC named the thing "legally sensitive document" instead of some innocuous and oft used filename, does it really matter if it's listed?

Yes, because there is software that can check all the files on a system for text of particular words. Law Enforcement uses such software to examine computers, and would thus find the data.

Yes, I'm aware of that. But that is checking the files content. The FAT/NTFS does not contain the content, thus unless the file name is incriminating, why the concern?

Ask the OP about what's the issue with their story. In the story i wrote where the fellow took precautions he was working with documents he'd been informed the CIA was after and he'd noticed people tracking him and searching his place, so he didn't want them to know he'd received the documents they were chasing. I suspect a similar issue for the character in the story the OP is writing.

C4.

A bit of overkill compared to a sledgehammer, but very effective.

If I really, really was unsure, I'd just pop-open the hard drive and destroy it

Thanks. Good idea, but impractical for my MC's situation.

The MC is starting a business and due to the nature of the business, he expects to be sued. So he sought legal counsel to prepare for that eventuality and to provide guidance to minimize his exposure. The lawyer needs the background of what motivated him to setup the business and how he plans to conduct business, so requested an electronic journal. Producing the initial journal might leave traces on the MC's computer, and the timing would probably result in them being non-recoverable. I had the idea of having the lawyer request updates and that would create an ongoing problem. Destroying the HD every month isn't feasible.

I was also involved in the intelligence community; but from what you described a month or so ago, we worked in very different areas. I don't talk about my USAF role, but my civilian role was predominantly training military intelligence personnel to operate and maintain the new technology my company created for the US military and alphabet agencies. My efforts also included writing O&M manuals for the intelligence gathering equipment. Most definitely not a Bond type role; more of an office job.

Still, as to the problem

Thanks, but as I said I got the solution from an earlier post and it looks like it is working okay.