Saturday, July 18, 2009

FAT file system

When a file is deleted on a FAT file system, its directory entry remains stored on the disk, slightly renamed in a way that marks the entry as available for reuse by newly created files. Most of its name, its time stamp, file length and, most importantly, location on the disk remain unchanged in the directory entry. The list of disk clusters occupied by the file is erased from the File Allocation Table, however, marking those sectors as available for use by other files created or modified thereafter.

When an undeletion operation is attempted, the following conditions must be met for a successful recovery of the file:

  • The entry of the deleted file must still exist in the directory, meaning that it must not yet be overwritten by a new file (or folder) that has been created in the same directory. Whether this is the case can fairly easily be detected by checking whether the remaining name of the file to be undeleted is still present in the directory.
  • The sectors formerly used by the deleted file must not be overwritten yet by other files. This can fairly well be verified by checking that the sectors are not marked as used in the File Allocation Table. However, if, in the meantime, a new file had been written to, using those sectors, and then deleted again, freeing those sectors again, this cannot be detected automatically by the undeletion program. In this case an undeletion operation, even if appearing successful, might fail because the recovered file contains different data.
  • The file must not have been fragmented, meaning that the sectors its data occupied on the disk must have all been in one uninterrupted sequence. Whether this was the case may or may not be detectable by the undeletion program, depending on the arrangement of other files on the disk.

The chances of recovering deleted files are higher on FAT16 than on FAT32 drives; files are usually less fragmented on FAT16 because of its large cluster size support (1024 bytes, 2 KB, 4 KB, 8 KB, 16 KB, 32 KB, and 64 KB, the last supported only in Windows NT) as compared to FAT32 (4 KB, 8 KB, 16 KB only).

If the undeletion program cannot detect clear signs that the above requirements are not met, it will restore the directory entry as being in use and mark all consecutive sectors (clusters), beginning with the one recorded in the old directory entry, as used in the File Allocation Table. It is then up to the user to open the recovered file and to verify that it contains the complete data of the formerly deleted file.
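The checks and the restore step described above, as an added example that is not part of the original post. It assumes the standard 32-byte FAT directory entry layout and the 0xE5 deleted-entry marker; the entry, the FAT contents and the function names are constructed for illustration.

```python
import struct

# 32-byte FAT directory entry: name, ext, attr, 8 unused bytes, cluster-high,
# write time, write date, first cluster (low word), file size.
DIRENT = struct.Struct("<8s3sB8xHHHHI")
DELETED = 0xE5               # first name byte of a deleted entry
FREE, EOC = 0x0000, 0xFFFF   # FAT16 values: free cluster, end of chain


def parse_entry(raw):
    name, ext, _attr, _hi, _time, _date, start, size = DIRENT.unpack(raw)
    deleted = name[0] == DELETED
    return {
        "deleted": deleted,
        # the first character is lost on deletion; the rest of the name survives
        "name": (name[1:] if deleted else name).decode("ascii").rstrip(),
        "ext": ext.decode("ascii").rstrip(),
        "start": start,
        "size": size,
    }


def check_undelete(entry, fat, cluster_size):
    """Return (clusters, problem); problem is None when recovery may proceed."""
    if not entry["deleted"]:
        return [], "entry is not marked deleted"
    count = -(-entry["size"] // cluster_size)          # ceiling division
    clusters = list(range(entry["start"], entry["start"] + count))
    if clusters and (clusters[0] < 2 or clusters[-1] >= len(fat)):
        return [], "cluster run falls outside the FAT"
    busy = [c for c in clusters if fat[c] != FREE]
    if busy:
        return [], f"clusters {busy} are allocated to another file"
    # Not detectable here: clusters reused and freed again, or a fragmented file.
    return clusters, None


def undelete(raw, fat, first_char, cluster_size):
    clusters, problem = check_undelete(parse_entry(raw), fat, cluster_size)
    if problem:
        raise ValueError(problem)
    for cur, nxt in zip(clusters, clusters[1:] + [EOC]):
        fat[cur] = nxt                                  # consecutive chain
    return first_char.encode("ascii") + raw[1:]


def sample_entry():   # constructed: deleted REPORT.TXT, 5000 bytes, cluster 5
    return DIRENT.pack(b"\xe5EPORT  ", b"TXT", 0x20, 0, 0, 0, 5, 5000)


def sample_fat():     # constructed: clusters 2-4 hold another file, 5-15 free
    return [0xFFF8, 0xFFFF, 3, 4, EOC] + [FREE] * 11


if __name__ == "__main__":
    fat = sample_fat()
    restored = undelete(sample_entry(), fat, "R", cluster_size=2048)
    print(parse_entry(restored), fat[5:8])
```

The user supplies the lost first character of the name, and the recovered content still has to be checked by hand because reuse-then-free and fragmentation leave no trace in the FAT.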

If the data of the recovered file is not correct, parts of the file may still be stored in other sectors of the disk. Recovery of those is not possible by automatic processes but only by manual examination of each (unused) block of the disk. This usually must be done by specialists who have very good knowledge of both the disk structure and the data being sought.

Norton UNERASE was an important component in Norton Utilities version 1.0 in 1981. Microsoft included a similar UNDELETE program in the final version of MS-DOS, but applied the Recycle Bin approach instead in later operating systems using FAT.

Thursday, July 16, 2009


Recovery software


Data recovery cannot always be done on a running system. As a result, a boot disk, Live CD, Live USB, or any other type of Live Distro containing a minimal operating system and a set of repair tools is used instead.

List of live CDs

This is a list of live CDs. A live CD or live DVD is a CD or DVD containing a bootable computer operating system. Live CDs are unique in that they have the ability to run a complete, modern operating system on a computer lacking mutable secondary storage, such as a hard disk drive.

Rescue and Repair Live CDs



  • Damn Small Linux – very light and small with JWM and fluxbox, installable Live CD
  • DemoLinux (versions 2 and 3) – one of the very first Live CDs
  • Dreamlinux – installable Live CD to hard drives or flash media
  • Finnix – a small system administration Live CD. A PowerPC version is available.
  • Freeduc-cd – an educational live CD using Xfce realized with the help of UNESCO
  • gnuLinEx – includes GNOME
  • GNUstep – works on i386, AMD64, UltraSPARC, and PowerPC
  • grml – installable Live CD for sysadmins and text tool users
  • Kanotix – installable Live CD
  • Knoppix – the "original" Debian-based Live CD
  • MEPIS – installable Live CD
  • sidux[4] – based on Debian unstable (Sid), installable Live CD, DVD
  • Tuquito – created in Argentina
  • ULAnux/ULAnix – created in Mérida, Venezuela, and available on CD/DVD and USB forms


These are based at least partially on Ubuntu, which is based on Debian:

Monday, July 13, 2009

Data erasure

Data erasure is a method of software-based overwriting that completely destroys all electronic data residing on a hard drive or other digital media. Permanent data erasure goes beyond basic file deletion commands, which only remove direct pointers to data disk sectors and make data recovery possible with common software tools. Unlike degaussing and physical destruction, which render the disk unusable, data erasure removes all information while leaving the disk operable, preserving assets and the environment.

Software-based overwriting uses a software application to write patterns of meaningless data onto each of a hard drive's sectors. There are key differentiators between data erasure and other overwriting methods, which can leave data intact and raise the risk of data breach or spill, identity theft and failure to achieve regulatory compliance. Data erasure also provides multiple overwrites so that it supports recognized government and industry standards. It provides verification of data removal, which is necessary for meeting certain standards.

To protect data on lost or stolen media, some data erasure applications remotely destroy data if the password is incorrectly entered. Data erasure tools can also target specific data on a disk for routine erasure, providing a hacking protection method that is less time-consuming than encryption.


Information technology (IT) assets commonly hold large volumes of confidential data. Social security numbers, credit card numbers, bank details, medical history and classified information are often stored on computer hard drives or servers and can inadvertently or intentionally make their way onto other media such as printer, USB, flash, Zip, Jaz, and REV drives.

Data breach

Increased storage of sensitive data, combined with rapid technological change and the shorter lifespan of IT assets, has driven the need for permanent data erasure of electronic devices as they are retired or refurbished. Also, compromised networks and laptop theft and loss, as well as that of other portable media, are increasingly common sources of data breaches. If data erasure does not occur when a disk is retired or lost, an organization or user faces the possibility that data will be stolen and compromised, leading to identity theft, loss of corporate reputation, threats to regulatory compliance and financial impacts. Companies have spent nearly $5 million on average to recover when corporate data was lost or stolen.

Regulatory compliance

Strict industry standards and government regulations are in place that force organizations to mitigate the risk of unauthorized exposure of confidential corporate and government data. These regulations include HIPAA (Health Insurance Portability and Accountability Act); FACTA (The Fair and Accurate Credit Transactions Act of 2003); GLB (Gramm-Leach Bliley); Sarbanes-Oxley Act (SOx); and Payment Card Industry Data Security Standards (PCI DSS). Failure to comply can result in fines and damage to company reputation, as well as civil and criminal liability.

Preserving assets and the environment

Data erasure offers an alternative to physical destruction and degaussing for secure removal of all disk data. Physical destruction and degaussing destroy the digital media, requiring its disposal and contributing to electronic waste while negatively impacting the carbon footprint of individuals and companies.[2] Data erasure allows secure disposal of obsolete equipment and preserves the potential to refurbish a computer for future use, protecting viable IT assets.


Software-based data erasure uses a special application to write a combination of 1's and 0's onto each hard drive sector. The level of security depends on the number of times the entire hard drive is written over.

Full disk overwriting

There are many overwriting programs, but data erasure offers complete security by destroying data on all areas of a hard drive. Disk overwriting programs that cannot access the entire hard drive, including hidden/locked areas like the host protected area (HPA), device configuration overlay (DCO), and remapped sectors, perform an incomplete erasure, leaving some of the data intact. By accessing the entire hard drive, data erasure eliminates the risk of data remanence.

Data erasure also bypasses the BIOS and OS. Overwriting programs that operate through the BIOS and OS will not always perform a complete erasure due to altered or corrupted BIOS data and may report back a complete and successful erasure even if they do not access the entire hard disk, leaving data accessible.

Hardware support

Data erasure can be deployed over a network to target multiple PCs rather than having to erase each one sequentially. In contrast with DOS-based overwriting programs that may not detect all network hardware, Linux-based data erasure software supports high-end server and storage area network (SAN) environments with hardware support for Serial ATA, Serial Attached SCSI (SAS) and Fiber Channel disks and remapped sectors. It operates directly with sector sizes such as 520, 524, and 528, removing the need to first reformat back to 512 sector size.


Many government and industry standards exist for software-based overwriting that removes data. A key factor in meeting these standards is the number of times the data is overwritten. Also, some standards require a method to verify that all data has been removed from the entire hard drive and to view the overwrite pattern. Complete data erasure should account for hidden areas, typically DCO, HPA and remapped sectors.

The 1995 edition of the National Industrial Security Program Operating Manual (DoD 5220.22-M) permitted the use of overwriting techniques to sanitize some types of media by writing all addressable locations with a character, its complement, and then a random character. This provision was removed in a 2001 change to the manual and was never permitted for Top Secret media, but it is still listed as a technique by many offerors of data erasure software.

Data erasure software should provide the user with a validation certificate indicating that the overwriting procedure was completed properly. Data erasure software should also comply with requirements to erase hidden areas, provide a defects log list, and list bad sectors that could not be overwritten.
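A three-pass overwrite (a character, its complement, then random data) with read-back verification after each pass, as an added example that is not part of the original post. The device is a constructed in-memory stand-in and all names are illustrative; a file-level overwrite like this does not reach the HPA, DCO or remapped sectors mentioned above.

```python
import hashlib
import io
import os

BLOCK = 4096
SIZE = 3 * BLOCK   # constructed device size


def _write_pass(dev, size, make_block):
    """Write one pass over [0, size) and return the SHA-256 of the data sent."""
    sent = hashlib.sha256()
    dev.seek(0)
    remaining = size
    while remaining:
        chunk = make_block(min(BLOCK, remaining))
        dev.write(chunk)
        sent.update(chunk)
        remaining -= len(chunk)
    dev.flush()   # on a real disk, also fsync and bypass the page cache
    return sent.hexdigest()


def _read_digest(dev, size):
    """Read [0, size) back from the device and return its SHA-256."""
    seen = hashlib.sha256()
    dev.seek(0)
    remaining = size
    while remaining:
        chunk = dev.read(min(BLOCK, remaining))
        if not chunk:
            break
        seen.update(chunk)
        remaining -= len(chunk)
    return seen.hexdigest()


def erase(dev, size, char=0x55):
    """Run the three passes; each report row says whether read-back matched."""
    passes = [
        ("character", lambda n: bytes([char]) * n),
        ("complement", lambda n: bytes([char ^ 0xFF]) * n),
        ("random", os.urandom),
    ]
    report = []
    for name, make_block in passes:
        sent = _write_pass(dev, size, make_block)
        report.append({"pass": name, "verified": sent == _read_digest(dev, size)})
    return report


class StuckDevice(io.BytesIO):
    """Constructed stand-in for a disk whose first block cannot be rewritten."""

    def write(self, data):
        if self.tell() == 0:
            self.seek(len(data))      # report success but keep the old contents
            return len(data)
        return super().write(data)


def sample_device(cls=io.BytesIO):
    # constructed contents: a recognisable string followed by zeros
    return cls(b"SECRET-PAYROLL".ljust(SIZE, b"\x00"))


if __name__ == "__main__":
    print(erase(sample_device(), SIZE))
    print(erase(sample_device(StuckDevice), SIZE))
```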

| Overwriting Standard | Date | Overwriting Rounds | Pattern | Notes |
| --- | --- | --- | --- | --- |
| NIST SP-800-88 [1] | 2006 | 1 | Unspecified | |
| NSA/CSS Policy Manual 9-12 [2] | 2006 | not approved | | Degauss or destroy |
| U.S. National Industrial Security Program Operating Manual (DoD 5220.22-M) [3] | 2006 | | | not specified |
| U.S. DoD Unclassified Computer Hard Drive Disposition [4] | 2001 | 3 | A character, its complement, another pattern | |
| U.S. Navy Staff Office Publication NAVSO P-5239-26 [5] | 1993 | 3 | A character, its complement, random | Verification is mandatory |
| U.S. Air Force System Security Instruction 5020 [6] | 1996 | 4 | All 0's, all 1's, any character | Verification is mandatory |
| British HMG Infosec Standard 5, Baseline Standard | | 1 | All 0's | Verification is optional |
| British HMG Infosec Standard 5, Enhanced Standard | | 3 | All 0's, all 1's, random | Verification is mandatory |
| Communications Security Establishment Canada ITSG-06 [7] | 2006 | 3 | All 1's or 0's, its complement, a pseudo-random pattern | For unclassified media |
| German Federal Office for Information Security [8] | 2004 | 2-3 | Non-uniform pattern, its complement | |
| Australian Government ICT Security Manual [9] | 2008 | 1 | Unspecified | Degauss or destroy Top Secret media |
| New Zealand Government Communications Security Bureau NZSIT 402 [10] | 2008 | 1 | Unspecified | For data up to Confidential |
| Peter Gutmann's Algorithm | 1996 | Up to 35 | | Originally intended for MFM and RLL disks, which are now obsolete |
| Bruce Schneier's Algorithm [3] | 1996 | 7 | All 1's, all 0's, pseudo-random sequence five times | |

Data can sometimes be recovered from a broken hard drive. However, if the platters on a hard drive are damaged, such as by drilling a hole through the drive (and the platters inside), then data can only be recovered by bit-by-bit analysis of each platter with advanced forensic technology. Seagate is the only company in the world to have credibly claimed such technology, although some governments may also be able to do this.

Number of overwrites needed

Data on floppy disks can sometimes be recovered by forensic analysis even after the disks have been overwritten once with zeros (or random zeros and ones). This is not the case with modern hard drives. The bits on modern drives are so small that deviation of tracks between writes cannot be discerned by any means.

According to the 2006 NIST Special Publication 800-88 (p. 7): "Studies have shown that most of today’s media can be effectively cleared by one overwrite" and "for ATA disk drives manufactured after 2001 (over 15 GB) the terms clearing and purging have converged."[4]

According to the Center for Magnetic Recording Research, "Secure erase does a single on-track erasure of the data on the disk drive. The U.S. National Security Agency published an Information Assurance Approval of single pass overwrite, after technical testing at CMRR showed that multiple on-track overwrite passes gave no additional erasure."[5] "Secure erase" is a utility built into modern ATA hard drives that overwrites all data on a disk, including remapped (error) sectors.

Further analysis by Wright et al. seems to also indicate that one overwrite is all that is generally required.

Friday, July 10, 2009

Data carving

Data carving is a data recovery technique that allows data with no file system allocation information to be extracted by identifying the sectors and clusters belonging to the file. Data carving usually searches through raw sectors looking for specific desired file signatures. The fact that there is no allocation information means that the investigator must specify a block size of data to carve out upon finding a matching file signature, or the carving software must infer it from other information on the media. The beginning of the file must still be present, and there is (depending on how common the file signature is) a risk of many false hits. Data carving, also known as file carving, has traditionally required that the files recovered be located in sequential sectors (rather than fragmented), as there is no allocation information to point to fragmented file portions. Recent developments in file carving algorithms have led to tools that can recover files that are fragmented into multiple pieces. Carving tends to be a time- and resource-intensive operation.
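A minimal signature carver for contiguous files, as an added example that is not part of the original post. It uses the JPEG start and end markers as the file signature, checks only sector-aligned offsets to cut down false hits, and falls back to an investigator-chosen maximum size when no end marker is found; the disk image and the function names are constructed for illustration.

```python
SECTOR = 512
JPEG_HEADER = b"\xff\xd8\xff"   # JPEG start-of-image marker plus next marker byte
JPEG_FOOTER = b"\xff\xd9"       # JPEG end-of-image marker


def carve(image, header=JPEG_HEADER, footer=JPEG_FOOTER, max_size=4096):
    """Return a list of {"offset", "data", "complete"} for each sector-aligned hit."""
    hits = []
    offset = 0
    while offset < len(image):
        if not image.startswith(header, offset):
            offset += SECTOR
            continue
        window = image[offset:offset + max_size]
        end = window.find(footer, len(header))
        complete = end != -1
        # Without a footer, carve the fixed block size chosen by the investigator.
        # The first footer found may itself be a false hit (embedded thumbnails).
        data = window[:end + len(footer)] if complete else window
        hits.append({"offset": offset, "data": data, "complete": complete})
        if complete:
            # Resume at the first sector boundary after the carved file.
            offset = -(-(offset + len(data)) // SECTOR) * SECTOR
        else:
            offset += SECTOR
    return hits


def sample_image():
    """Constructed 8-sector image with no file system structures at all."""
    img = bytearray(8 * SECTOR)
    jpeg = JPEG_HEADER + b"\x11" * 694 + JPEG_FOOTER
    start = 2 * SECTOR
    img[start:start + len(jpeg)] = jpeg                  # intact, contiguous file
    false_hit = 5 * SECTOR + 100
    img[false_hit:false_hit + 3] = JPEG_HEADER           # unaligned false hit
    tail = 6 * SECTOR
    img[tail:tail + 3] = JPEG_HEADER                     # header with no footer
    return bytes(img)


if __name__ == "__main__":
    for hit in carve(sample_image()):
        print(hit["offset"], len(hit["data"]), hit["complete"])
```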

Thursday, July 9, 2009




CHKDSK (short for Checkdisk) is a command on computers running DOS, OS/2 and Microsoft Windows operating systems that displays the file system integrity status of hard disks and floppy disks and can fix logical file system errors. It is similar to the fsck command in Unix.

On computers running NT-based versions of Windows, CHKDSK can also check the disk surface for physical errors or bad sectors, a task previously done by SCANDISK. This version of CHKDSK can also handle some physical errors and recover data that is still readable.

Windows NT-based CHKDSK

CHKDSK can be run from the Windows Shell, the Windows Command Prompt or the Windows Recovery Console. One option for CHKDSK is the command-line /R parameter, which allows the program to repair damage it finds on the hard drive.

Conducting a CHKDSK can take some time, especially if using the /R parameter, and the results are often not visible, for various reasons. The results of a CHKDSK conducted on restart using Windows 2000 or later operating systems are written to the Application Log, with a "Source" name of Wininit or Winlogon and can be viewed with the Event Viewer.

The standard version of CHKDSK supports the following switches:

  filename   FAT only. Specifies the file or set of files to check for fragmentation. Wildcard characters (* and ?) are allowed.
  path       FAT only. Specifies the location of a file or set of files within the folder structure of the volume.
  size       NTFS only. Changes the log file size to the specified number of kilobytes. Must be used with the /l switch.
  volume     FAT and NTFS (NTFS support is unofficially supported but works normally). Specifies the drive letter (followed by a colon), mount point, or volume name.
  /c         NTFS only. Skips checking of cycles within the folder structure.
  /f         Fixes errors on the volume. The volume must be locked. If Chkdsk cannot lock the volume, it offers to check it the next time the computer starts.
  /i         NTFS only. Performs a less vigorous check of index entries.
  /l         NTFS only. Displays current size of the log file.
  /p         Checks disk even if it is not flagged as "dirty".
  /r         Locates bad sectors and recovers readable information (implies /f and /p). If Chkdsk cannot lock the volume, it offers to check it the next time the computer starts.
  /v         On FAT: Displays the full path and name of every file on the volume. On NTFS: Displays cleanup messages, if any.
  /x         NTFS only. Forces the volume to dismount first, if necessary. All opened handles to the volume are then invalid (implies /f).
  /?         Displays this list of Chkdsk switches.

When running CHKDSK from the Recovery Console the options are different. The /p switch is not read-only as in the standard version but corrects errors:[1]

/p Fixes errors on the volume. Same as the /f option in standard CHKDSK.
/r Locates bad sectors and recovers readable information (implies /f and /p). Takes much longer to run than /p by itself.

A typical result:

Checking file system on C:
The type of the file system is NTFS.

A disk check has been scheduled.
Windows will now check the disk.
Cleaning up minor inconsistencies on the drive.
Cleaning up 318 unused index entries from index $SII of file 0x9.
Cleaning up 318 unused index entries from index $SDH of file 0x9.
Cleaning up 318 unused security descriptors.
CHKDSK is verifying file data (stage 4 of 5)...
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
Free space verification is complete.

14996645 KB total disk space.
10187752 KB in 88054 files.
30784 KB in 5774 indexes.
0 KB in bad sectors.
164341 KB in use by the system.
65536 KB occupied by the log file.
4613768 KB available on disk.

4096 bytes in each allocation unit.
3749161 total allocation units on disk.
1153442 allocation units available on disk.

Vista result (App Event Log):

Checking file system on C:
The type of the file system is NTFS.

A disk check has been scheduled.
Windows will now check the disk.
79232 file records processed.
332 large file records processed.
0 bad file records processed.
2 EA records processed.
44 reparse records processed.
105198 index entries processed.
0 unindexed files processed.
79232 security descriptors processed.
Cleaning up 1 unused index entries from index $SII of file 0x9.
Cleaning up 1 unused index entries from index $SDH of file 0x9.
Cleaning up 1 unused security descriptors.
12984 data files processed.
CHKDSK is verifying Usn Journal...
35789792 USN bytes processed.
Usn Journal verification completed.
Windows has checked the file system and found no problems.

78175231 KB total disk space.
12902428 KB in 54029 files.
36068 KB in 12985 indexes.
0 KB in bad sectors.
187407 KB in use by the system.
65536 KB occupied by the log file.
65049328 KB available on disk.

4096 bytes in each allocation unit.
19543807 total allocation units on disk.
16262332 allocation units available on disk.

Known issues
Sometimes the check scheduled for reboot by invoking CHKDSK with the /f or /r option still fails, giving the error "Cannot open volume for direct access" on startup, because an application (anti-virus, anti-spyware, firewall, and the like) locks the partition before CHKDSK can access it. This has been improved in Windows XP Service Pack 2, but still happens occasionally. One fix is to set the /SAFEBOOT option in the boot.ini tab after running msconfig.[2] This puts the system in a minimal/low-resolution mode.


The MS-DOS 5 bug

The version of CHKDSK (and Undelete) supplied with MS-DOS 5.0 has a bug which can corrupt data. This applies to CHKDSK.EXE and UNDELETE.EXE with a date of 04/09/91. If the file allocation table of a disk uses 256 sectors, running CHKDSK /F can cause data loss and running UNDELETE can cause unpredictable results. This normally affects disks with a capacity of approximately a multiple of 128 MB. This bug was fixed in MS-DOS 5.0a. A Microsoft Knowledge Base article[3] gives more details on this.