Alternate data stream still intact

General discussion about data forensics.



Postby cameron715 » Sun Mar 27, 2011 12:06 am

Here is what I did in a nutshell. I went to the command line and typed this:
Note: I was doing this on a flash drive formatted as NTFS.
E:\>echo this is a test > test.txt

Then I hid some text in an alternate data stream of that file:

E:\>echo top secret info > test.txt:secret.txt

So after I did this I used a program called HxD (a drive hexadecimal forensic tool) and found my secret text on the disk. I then used Eraser on the file test.txt. Then I tried looking to make sure the alternate data stream was destroyed too, but it wasn't: test.txt was destroyed, but the text "top secret info" was still intact. When developing Eraser, were Alternate Data Streams (ADS) taken into account?

More info on Alternate Data Streams can be found here:
http://www.irongeek.com/i.php?page=security/altds
cameron715
 
Posts: 1
Joined: Sat Mar 26, 2011 11:13 pm
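The experiment above can be reproduced and checked from PowerShell rather than by eyeballing the disk in a hex editor. The script below is an added example, not code from the original post or from the Eraser project. It assumes an NTFS volume is mounted at E: (the drive letter is a placeholder) and that the FileSystem provider's -Stream parameter is available (PowerShell 3 or later); it creates the same file and hidden stream as the post, lists every stream the file carries, overwrites the hidden stream with random bytes before removing it, and confirms that only the unnamed stream is left. Whether an in-place overwrite actually reaches the old physical sectors on a flash drive is exactly the wear-levelling caveat raised later in the thread, so this demonstrates the logical-level check, not a guarantee about the media.

```powershell
# Added example: create, enumerate, overwrite and remove an NTFS alternate
# data stream. Not part of the original post or of Eraser.
# Assumption: E: is an NTFS volume (placeholder drive letter).
$path = 'E:\test.txt'

# 1. Create the unnamed (main) stream and a hidden named stream,
#    matching the two echo commands in the post.
Set-Content -Path $path -Value 'this is a test'
Set-Content -Path $path -Stream 'secret.txt' -Value 'top secret info'

# 2. Enumerate every stream on the file. Explorer and a plain `dir`
#    report only the unnamed ':$DATA' stream, so a file that appears to
#    be a few bytes long can carry arbitrary hidden data in named streams.
Get-Item -Path $path -Stream * | Select-Object Stream, Length

# 3. Read the hidden stream back to confirm the data is really there.
Get-Content -Path $path -Stream 'secret.txt'

# 4. Overwrite the named stream in place with random bytes of the same
#    length before unlinking it. Remove-Item -Stream alone only drops the
#    stream's attribute from the MFT record; the clusters (or, for a tiny
#    stream, the resident bytes inside the MFT record) keep the old
#    content until something reuses them.
$len  = (Get-Item -Path $path -Stream 'secret.txt').Length
$junk = New-Object byte[] $len
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($junk)
if ($PSVersionTable.PSVersion.Major -ge 6) {
    Set-Content -Path $path -Stream 'secret.txt' -Value $junk -AsByteStream
} else {
    Set-Content -Path $path -Stream 'secret.txt' -Value $junk -Encoding Byte
}
Remove-Item -Path $path -Stream 'secret.txt'

# 5. Verify: the only stream left should be the unnamed ':$DATA' stream.
Get-Item -Path $path -Stream * | Select-Object Stream, Length
```

The enumeration in step 2 is the part worth keeping in a toolkit: running `Get-Item -Stream *` over a directory tree (for example, `Get-ChildItem -Recurse | Get-Item -Stream * | Where-Object Stream -ne ':$DATA'`) lists every file that carries a named stream, which is the first thing to check before trusting that a secure-delete tool covered everything. Step 4 is a logical-level overwrite only: as the later replies explain, the drive controller decides where the new bytes physically land.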

Re: Alternate data stream still intact

Postby DavidHB » Sun Mar 27, 2011 10:40 am

The issue is very probably that you were using a flash drive. Erasing individual files does not work on flash drives, because the wear levelling mechanism (which is inaccessible to the user) relocates the erasing data away from the sector housing the target file. Erasing free space does work, however, because that fills up the whole drive.

Please try your experiment on an ordinary hard disk.

David
I am not an Eraser programmer, but a long-time user; my views may not be the same as those of the Eraser programming team.
Before posting, please read the top 4 topics in the Eraser FAQ, which already provide many of the answers users need.
DavidHB
Eraser Wizard
 
Posts: 2166
Joined: Sat Jan 23, 2010 8:10 pm
Location: Isle of Wight, UK

Re: Alternate data stream still intact

Postby Joel » Mon Mar 28, 2011 11:31 am

Yes, Eraser deals with ADSes; however, on NTFS lots of metadata is kept about files, how they are modified, etc. This is especially so with small files: they get scattered all over the MFT, etc. Also, there are shadow copies which may have been made. These all contribute to the overall (lack of) effectiveness for Eraser.
Be sure to read the FAQ before posting. If you found this application useful, please contribute to Eraser's development.

I develop Eraser but I am not an employee of Heidi Computers Ltd. My views do not represent those of Heidi Computers Ltd.
Don't PM or Email me questions: they won't be answered any faster than on the forum and knowledge won't be accessible by all.
Joel
Eraser DevTeam
 
Posts: 3688
Joined: Sat Aug 19, 2006 12:16 am
Location: Singapore

Re: Alternate data stream still intact

Postby DavidHB » Mon Mar 28, 2011 12:35 pm

Joel wrote:These all contribute to the overall (lack of) effectiveness for Eraser.

I think Joel is doing himself down here ... :)

For me, Eraser is an essential tool, but, as often discussed in these forums, it should be regarded as only part of good security practice. Much of that is about organising the system sensibly in the first place, including (in this particular case) recognising the limitations of solid state storage when it comes to secure erasing.

David

Re: Alternate data stream still intact

Postby AwesomeMachine » Mon Jun 27, 2011 7:06 am

I just read a report describing the effectiveness of the top 16 drive cleansing tools on solid state storage devices. I'll upload it if I'm given an ftp link or something. The results were pathetic. The best performing tool allowed recovery of 10% of the test data (100 MB out of 1.0 GB). Clearly, flash drive controllers create a situation in which flash-memory-based drives cannot be released from secure custody without prior physical destruction.
AwesomeMachine
 
Posts: 1
Joined: Mon Jun 27, 2011 4:56 am

Re: Alternate data stream still intact

Postby DavidHB » Mon Jun 27, 2011 10:18 am

Without knowing how the tests were conducted, it would be wise to reserve judgement. For a flash drive, and using Eraser, my test would be to do a quick format and then a free space erase, and then run, say, Recuva on the drive.

David

Re: Alternate data stream still intact

Postby Joel » Tue Aug 30, 2011 11:45 am

Flash drives indeed pose a problem. For that matter, most modern drives share the same problem albeit to a smaller extent.

Flash drives have a few features which magnetic disks "do not": over provisioning (to compensate for reduced reliability) and wear levelling (as memory cells have a limited number of read/write cycles). Both work against erasure: data can be locked in areas the controller deems faulty, and writes to the same location from the OS's point of view may result in a write to a separate physical location.

Magnetic disks are not free from this. Drive manufacturers have for a while now over provisioned drives (though not to the extent of flash memory) and used firmware remapping (to counter bad sectors).

Re: Alternate data stream still intact

Postby ForensicsGuy » Wed Aug 31, 2011 1:47 pm

AwesomeMachine wrote:I just read a report describing the effectiveness of the top 16 drive cleansing tools on solid state storage devices. I'll upload it if I'm given an ftp link or something. The results were pathetic. The best performing tool allowed recovery of 10% of the test data (100 MB out of 1.0 GB). Clearly, flash drive controllers create a situation in which flash-memory-based drives cannot be released from secure custody without prior physical destruction.

Let's put this all in perspective...

The only 100% safe way to ensure data cannot be recovered is complete physical destruction of the media. However, in security, as in other areas of life, a 100% solution is not always required. Overwriting an entire hard drive with a single pass of random data is sufficient to stop all but the most motivated and well financed attackers. Encrypting the entire drive or partition is also an effective countermeasure, especially if followed by an overwrite when the drive is no longer required.

Erasing files is always difficult. There are multiple issues: alternate streams, shadow copies, journals, swap files, etc. If you create a file, erase it, and immediately subject the system to forensic analysis, it is very difficult to ensure that absolutely every trace of the data is gone. However, over time, the use of solid erasure techniques results in far less residual information than would otherwise be present.

So if there is stuff on your hard drive that would ruin your life if someone else got hold of it, get out your electric drill, punch a few holes through the platters, and take a sledge hammer to the remains. If you need to keep people out of your stuff, use whole hard drive encryption. And if you want to improve your privacy in the long term, use software to overwrite files instead of just deleting them.
ForensicsGuy
 
Posts: 4
Joined: Mon Aug 22, 2011 1:27 pm

