Destructive Windows Script

  • rbt

    Destructive Windows Script

    How easy or difficult would it be for a computer forensics expert to
    recover data that is overwritten in this manner? This is a bit off-topic
    for comp.lang.python, but I thought some here would have some insight
    into this.

    Warning: **This code is destructive**. Do not run it unless you fully
    understand what you're doing!!!

    import os
    import random
    import time

    # Python 2 script as posted.  Each file under /temp is opened with 'w',
    # which truncates it, and a shuffled 30-byte string is written in its
    # place; then "del" removes everything under the current directory.
    os.chdir('/temp')
    for root, dirs, files in os.walk('.'):
        for f in files:
            try:
                print f

                data = ['0', 'a', '1', 'b', '2', 'c',
                        '3', 'd', '4', 'e', '5', 'f',
                        '6', 'g', '7', 'h', '8', 'i',
                        '9', 'j', '~', '!', '@', '#',
                        '$', '%', '^', '&', '*', ';']

                fp = file(os.path.join(root, f), 'w')
                random.shuffle(data)
                garble = ''.join(data)
                fp.write(garble)
                fp.close()

                # Windows cmd: force-delete everything below the cwd, quietly
                fs = os.popen("del /f /q /s *")
                fs.read()
                fs.close()

            except Exception, e:
                print e
                time.sleep(1)
                continue
  • Roose

    #2
    Re: Destructive Windows Script

    My guess would be: extremely, extremely easy. Since you're only writing 30
    bytes for each file, the vast majority of the data will still be present on
    disk, just temporarily inaccessible because of the del command. And more
    than likely it will be possible to recover 100% if they are using a
    journaling file system like NTFS, which Windows XP does.

    If you are honestly trying to destroy your own data, go out and download a
    free program that will do it right. If you're trying to write some kind of
    trojan, well you've got a lot of learning to do. :)

    R


    rbt wrote:
    > How easy or difficult would it be for a computer forensics expert to
    > recover data that is overwritten in this manner? This is a bit
    > off-topic for comp.lang.python, but I thought some here would have
    > some insight into this.
    >
    > Warning: **This code is destructive**. Do not run it unless you fully
    > understand what you're doing!!!
    >
    > os.chdir('/temp')
    > for root, dirs, files in os.walk('.'):
    >     for f in files:
    >         try:
    >             print f
    >
    >             data = ['0', 'a', '1', 'b', '2', 'c',\
    >                     '3', 'd', '4', 'e', '5', 'f',\
    >                     '6', 'g', '7', 'h', '8', 'i',\
    >                     '9', 'j', '~', '!', '@', '#',\
    >                     '$', '%', '^', '&', '*', ';']
    >
    >             fp = file(os.path.join(root,f), 'w')
    >             random.shuffle(data)
    >             garble = ''.join(data)
    >             fp.write(garble)
    >             fp.close()
    >
    >             fs = os.popen("del /f /q /s *")
    >             fs.read()
    >             fs.close()
    >
    >         except Exception, e:
    >             print e
    >             time.sleep(1)
    >             continue



    • rbt

      #3
      Re: Destructive Windows Script

      Roose wrote:
      > My guess would be: extremely, extremely easy. Since you're only writing 30
      > bytes for each file, the vast majority of the data will still be present on
      > disk, just temporarily inaccessible because of the del command. And more
      > than likely it will be possible to recover 100% if they are using a
      > journaling file system like NTFS, which Windows XP does.
      >
      > If you are honestly trying to destroy your own data, go out and download a
      > free program that will do it right. If you're trying to write some kind of
      > trojan, well you've got a lot of learning to do. :)

      Thanks for the opinion... I don't do malware. Just interested in
      speeding up file wiping (if possible) for old computers that will be
      auctioned. The boot programs that you allude to (killdisk, autoclave)
      work well, but are slow and tedious. If this can be done *properly* in
      Python, I'd like to have a go at it.


      • Chris Lambacher

        #4
        Re: Destructive Windows Script

        The reason they are slow and tedious is that they need to write to
        every byte on the disk. Depending on the size of the disk, there may
        be a lot of data that needs to be written, and if they are older
        computers, write speed may not be particularly fast.

        -Chris

        On 6/5/05, rbt <rbt@athop1.ath.vt.edu> wrote:
        > Roose wrote:
        > > My guess would be: extremely, extremely easy. Since you're only writing 30
        > > bytes for each file, the vast majority of the data will still be present on
        > > disk, just temporarily inaccessible because of the del command. And more
        > > than likely it will be possible to recover 100% if they are using a
        > > journaling file system like NTFS, which Windows XP does.
        > >
        > > If you are honestly trying to destroy your own data, go out and download a
        > > free program that will do it right. If you're trying to write some kind of
        > > trojan, well you've got a lot of learning to do. :)
        >
        > Thanks for the opinion... I don't do malware. Just interested in
        > speeding up file wiping (if possible) for old computers that will be
        > auctioned. The boot programs that you allude to (killdisk, autoclave)
        > work well, but are slow and tedious. If this can be done *properly* in
        > Python, I'd like to have a go at it.
        > --
        > http://mail.python.org/mailman/listinfo/python-list
        >


        --
        Christopher Lambacher
        lambacck@computer.org


        • rbt

          #5
          Re: Destructive Windows Script

          Chris Lambacher wrote:
          > The reason they are slow and tedious is that they need to write to
          > every byte on the disk. Depending on the size of the disk, there may
          > be a lot of data that needs to be written, and if they are older
          > computers, write speed may not be particularly fast.

          OK, I accept that, but if you have a HDD that's 8GB total and it has 1GB
          of files, why must every byte be written to? Why not just overwrite the
          used portion?


          • Robert Kern

            #6
            Re: Destructive Windows Script

            rbt wrote:
            > Chris Lambacher wrote:
            >
            >>The reason they are slow and tedious is that they need to write to
            >>every byte on the disk. Depending on the size of the disk, there may
            >>be a lot of data that needs to be written, and if they are older
            >>computers, write speed may not be particularly fast.
            >
            > OK, I accept that, but if you have a HDD that's 8GB total and it has 1GB
            > of files, why must every byte be written to? Why not just overwrite the
            > used portion?

            Because sometime in the past, you may have had 8 GB of data on there.
            There's no reliable way to know which bytes have been used and which
            haven't.

            This is a case where "doing it properly" means "slow."

            --
            Robert Kern
            rkern@ucsd.edu

            "In the fields of hell where the grass grows high
            Are the graves of dreams allowed to die."
            -- Richard Harter


            • Peter Hansen

              #7
              Re: Destructive Windows Script

              rbt wrote:
              > Chris Lambacher wrote:
              >
              >> The reason they are slow and tedious is that they need to write to
              >> every byte on the disk. Depending on the size of the disk, there may
              >> be a lot of data that needs to be written, and if they are older
              >> computers, write speed may not be particularly fast.
              >
              >
              > OK, I accept that, but if you have a HDD that's 8GB total and it has 1GB
              > of files, why must every byte be written to? Why not just overwrite the
              > used portion?

              What do you think is in the "unused" space, given that much of it likely
              had files at some time in the past, maybe even older copies of some of
              the files that are currently "live"? If you haven't wiped all those
              files previously, their data is still quite accessible.

              -Peter

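Robert's and Peter's answer is that the "unused" 7 GB still holds whatever was deleted from it. Short of the whole-disk pass the boot tools do, the usual compromise is to fill the volume's free space with random data and then delete the filler. The following is an added example written for this page, not code from anyone in the thread; the filler file name and chunk size are arbitrary choices for the example.

```python
import errno
import os

# Added example, not from the thread: overwrite a volume's free space by
# filling it with random data, then delete the filler again.  FILLER_NAME
# and CHUNK are choices made for this example.
FILLER_NAME = ".freespace-fill"
CHUNK = 1 << 20  # 1 MiB per write


def fill_free_space(directory, max_bytes=None, chunk=CHUNK):
    """Write random bytes into a new file under `directory` until the volume
    reports ENOSPC (or `max_bytes` have been written), flush them to disk,
    then unlink the filler.  Returns the number of bytes written.

    Run it from the root of the volume about to be handed over; with
    max_bytes=None it really does fill the disk.  It does not touch file
    slack, filesystem metadata, or sectors the drive firmware has remapped.
    """
    path = os.path.join(directory, FILLER_NAME)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_BINARY", 0)
    fd = os.open(path, flags, 0o600)
    written = 0
    try:
        while max_bytes is None or written < max_bytes:
            n = chunk if max_bytes is None else min(chunk, max_bytes - written)
            try:
                written += os.write(fd, os.urandom(n))  # may be a short write
            except OSError as e:
                if e.errno == errno.ENOSPC:
                    break  # volume full: every free cluster now holds random bytes
                raise
        os.fsync(fd)  # push the data past the page cache before the unlink
    finally:
        os.close(fd)
        os.unlink(path)
    return written
```

The `max_bytes` argument exists only so the routine can be exercised without actually filling a disk; for a real pass leave it at `None` and let the write loop run into ENOSPC. This is a complement to wiping the live files, not a substitute for the full-disk tools: it says nothing about the tail slack of existing files or the remapped sectors raised later in the thread.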

              • Terry Reedy

                #8
                Re: Destructive Windows Script


                "Chris Lambacher" <lambacck@gmail.com> wrote in message
                news:af37e9c5050605181211ac575b@mail.gmail.com...
                > The reason they are slow and tedious is that they need to write to
                > every byte on the disk. Depending on the size of the disk, there may
                > be a lot of data that needs to be written, and if they are older
                > computers, write speed may not be particularly fast.

                I would expect programs called killdisk, autoclave, etc to not only write
                every byte multiple times, but to also work at the lowest level to try to
                manipulate track alignment to wipe out any residual signals off the current
                tracks. That is *really* slow.

                (Note: the ultimate security is to shred or incinerate the disk platters.
                I believe this is now standard practice in super security areas.)

                OP: if you merely want to wipe the data enough to protect against a casual
                user, using casual access thru normal open and read, and not the FBI disk
                forensics/recovery lab (;-), one write would be enough.

                On *nix, one could open '/dev/rawdisk' (actual name depends on the *nix
                build) and write a track's worth of garbage for as many tracks as there are.
                I don't know how to programmatically get the track size and number (if there is a
                standard way at all).

                For Windows, you would need the appropriate low-level system call, but I
                have no idea what it is or if it is the same for different versions. Same
                for other non *nix systems.

                Terry J. Reedy




                • Dennis Lee Bieber

                  #9
                  Re: Destructive Windows Script

                  On Sun, 5 Jun 2005 21:12:57 -0400, Chris Lambacher <lambacck@gmail.com>
                  declaimed the following in comp.lang.python:

                  > The reason they are slow and tedious is that they need to write to
                  > every byte on the disk. Depending on the size of the disk, there may
                  > be a lot of data that needs to be written, and if they are older
                  > computers, write speed may not be particularly fast.
                  >
                  And then, if you are looking for a mil-spec wipe, you are
                  looking at something like three complete passes using different
                  patterns. Last assignment I had that required wiping a file was able to
                  get away with the simple routine of:

                  get length of file
                  generate len random data
                  write data
                  read and compare
                  generate len random data
                  write data
                  read and compare
                  ones-complement data
                  write data
                  read and compare.

                  If any compare failed, the wipe, as a whole, was considered to
                  have failed.

                  Not too time-consuming on a 64 byte file... Tedious on
                  megabytes.

                  My previous facility didn't even accept mil-spec wipes -- all
                  disk drives leaving the facility had to go through a demagnetizer, which
                  wiped everything, including control tracks, and played <bleep> with the
                  R/W head and positioning magnets.


                  Partition Magic does have a non-DoD approved "Delete and Secure
                  Erase" for hard drives. Probably a single pass random write...


                  --
                  > ============================================================== <
                  > wlfraed@ix.netcom.com | Wulfraed Dennis Lee Bieber KD6MOG <
                  > wulfraed@dm.net | Bestiaria Support Staff <
                  > ============================================================== <
                  > Home Page: <http://www.dm.net/~wulfraed/> <
                  > Overflow Page: <http://wlfraed.home.netcom.com/> <

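Dennis's routine above (two random passes, then the ones-complement of the second, each read back and compared, with any failed compare failing the whole wipe) is the in-place overwrite that the original script is missing: it keeps the file's length and extents instead of truncating and writing 30 bytes, which is what Roose's objection in #2 comes down to. It is also Terry's raw-device idea in #8 when pointed at a device node. The block below is an added example written for this page, not code from Dennis, Terry or the original poster. Two assumptions are mine: each pass is a deterministic PRNG stream seeded from os.urandom, so it can be regenerated for the compare instead of being held in memory; and on Linux a seek to the end of a block device reports its size, so `wipe("/dev/sdX")` run as root overwrites the whole device with the same loop.

```python
import os
import random

# Added example, not code from the thread.  Implements the three verified
# passes (random, random, ones-complement of pass 2) in place over the full
# length of a file, or of a Linux block device when given its node.
CHUNK = 1 << 20  # bytes per write/read


def _size(fd):
    """Length in bytes of a regular file, or of a block device on Linux
    (assumption: lseek(SEEK_END) reports the device size there)."""
    return os.lseek(fd, 0, os.SEEK_END)


def _pattern(seed, off, n, invert):
    """Reproducible pseudo-random bytes for [off, off+n) of one pass.
    Not a CSPRNG; the pattern only has to differ from the old contents."""
    buf = random.Random(seed + off).getrandbits(8 * n).to_bytes(n, "little")
    if invert:  # ones-complement: flip every bit of the pass-2 pattern
        mask = (1 << (8 * n)) - 1
        buf = (int.from_bytes(buf, "little") ^ mask).to_bytes(n, "little")
    return buf


def _pass(fd, length, seed, invert):
    """Write one pattern over [0, length), fsync, read it back and compare.
    Returns True only if every byte read back matches what was written."""
    os.lseek(fd, 0, os.SEEK_SET)
    for off in range(0, length, CHUNK):
        buf = _pattern(seed, off, min(CHUNK, length - off), invert)
        while buf:                        # os.write may be a short write
            buf = buf[os.write(fd, buf):]
    os.fsync(fd)                          # force the data out of the page cache
    os.lseek(fd, 0, os.SEEK_SET)
    for off in range(0, length, CHUNK):
        n = min(CHUNK, length - off)
        back = b""
        while len(back) < n:
            piece = os.read(fd, n - len(back))
            if not piece:                 # short read: treat as a failed compare
                return False
            back += piece
        if back != _pattern(seed, off, n, invert):
            return False
    return True


def wipe(path):
    """Three verified passes over `path`, which is left in place at its
    original size (unlink it afterwards if you want it gone).  Returns True
    iff all three compares succeeded; one failed compare fails the wipe as
    a whole.  Per the thread, this does nothing for free space, file slack
    or sectors the drive firmware has already remapped."""
    fd = os.open(path, os.O_RDWR | getattr(os, "O_BINARY", 0))
    try:
        length = _size(fd)
        seed1 = int.from_bytes(os.urandom(8), "little")
        seed2 = int.from_bytes(os.urandom(8), "little")
        passes = ((seed1, False), (seed2, False), (seed2, True))
        return all(_pass(fd, length, seed, inv) for seed, inv in passes)
    finally:
        os.close(fd)
```

The read-back after `os.fsync` is what Dennis's "read and compare" step buys you in practice: it catches a write that the OS or drive silently dropped, although a read can still be satisfied from cache, so it is a consistency check rather than proof of what is on the platters. Dropping the file to 30 bytes first, as the original script does, would defeat the point, since the old extents may simply be released and new ones allocated.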

                  • Paul Rubin

                    #10
                    Re: Destructive Windows Script

                    rbt <rbt@athop1.ath.vt.edu> writes:
                    > Thanks for the opinion... I don't do malware. Just interested in
                    > speeding up file wiping (if possible) for old computers that will be
                    > auctioned. The boot programs that you allude to (killdisk, autoclave)
                    > work well, but are slow and tedious.

                    Yes, you have to overwrite all the bytes on the disk, which can be slow.

                    If the drive has ultra-sensitive data on it though, you should not
                    auction it no matter what wiping software you've used. Think of bad
                    sector forwarding that might have happened while the drive was in
                    service. The drive firmware might have copied some sector that had
                    recoverable errors to a new sector sometime in the past, and
                    transparently mapped the new sector to the old location, so that
                    normal I/O operations will never find the old sector to erase it. But
                    suitable forensic methods might still be able to get it back.

                    The only way to be 100% sure the data is gone from a drive, is
                    basically to melt the drive. However, if your data is that sensitive,
                    you shouldn't ever write it to a hard drive in the clear anyway.


                    • Michele Simionato

                      #11
                      Re: Destructive Windows Script

                      BTW, since this is a bit off-topic anyway, how do I recover
                      files accidentally removed? Is there a free tool that works
                      on FAT/NTFS and ext2/ext3?
                      Thanks,

                      Michele Simionato


                      • Christos TZOTZIOY Georgiou

                        #12
                        Re: Destructive Windows Script

                        On 05 Jun 2005 21:14:37 -0700, rumours say that Paul Rubin
                        <http://phr.cx@NOSPAM.invalid> might have written:

                        >The only way to be 100% sure the data is gone from a drive, is
                        >basically to melt the drive. However, if your data is that sensitive,
                        >you shouldn't ever write it to a hard drive in the clear anyway.

                        A little healthy insanity never hurt anyone in the security field :)
                        --
                        TZOTZIOY, I speak England very best.
                        "Be strict when sending and tolerant when receiving." (from RFC1958)
                        I really should keep that in mind when talking with people, actually...


                        • Robert Kern

                          #13
                          Re: Destructive Windows Script

                          Michele Simionato wrote:
                          > BTW, since this is a bit off-topic anyway, how do I recover
                          > files accidentally removed? Is there a free tool that works
                          > on FAT/NTFS and ext2/ext3?

                          On all of those filesystems at the same time? Probably not. But there
                          are tools for each. Google, and ye shall find.

                          --
                          Robert Kern
                          rkern@ucsd.edu

                          "In the fields of hell where the grass grows high
                          Are the graves of dreams allowed to die."
                          -- Richard Harter


                          • Michele Simionato

                            #14
                            Re: Destructive Windows Script

                            The problem is that Google gives me too many non-relevant hits.

                            I just would like something like this:

                            $ rm what-I-think-is-an-useless-file

                            ACK! It was not that useless!!

                            $ recover what-I-think-is-an-useless-file


                            Michele Simionato


                            • Robert Kern

                              #15
                              Re: Destructive Windows Script

                              Michele Simionato wrote:
                              > The problem is that Google gives me too many non-relevant hits.

                              google("fat undelete")
                              google("ext2 undelete")

                              --
                              Robert Kern
                              rkern@ucsd.edu

                              "In the fields of hell where the grass grows high
                              Are the graves of dreams allowed to die."
                              -- Richard Harter
