On Fri, Mar 5, 2021 at 7:41 AM John Foust via cctalk <cctalk@classiccmp.org> wrote:
> After thinking about disk imaging tools like Greaseweazle,
> I started thinking about tools that would grab and examine the unused
> portions of disks.

I've used this to recover a couple of Univation utilities from a disk that
they had been deleted from... It's quite useful... It was a FAT filesystem,
and the files were small and contiguous so it was easy...

Warner

> It's obviously file-system dependent. At one level we know of
> "undelete" tools that could piece together recently deleted files
> and restore them intact by using abandoned bits of block table info.
> Of course some simple file systems can't even permit that.
>
> But very few systems would bother to zero out the released blocks
> of erased or rewritten files and then blocks are left full of
> old data. Text source code would be easy to spot.
>
> I have vague memories of bits of Amiga OS source code being unintentionally
> released in unused blocks on OS binary disks that were sent out for
> mass duplication and distribution.
>
> This situation makes me hesitant to release disk images from the past.
> It's one thing to do it with disks that were mine and to take responsibility
> for my risk; it's another to release disks once owned and used by others.
> Do the unused sectors contain their love letters from 1983?
>
> Or if I want to release disk images that contain known personal files,
> how will I image, then remove specific files, then zero unused blocks
> if I don't want to alter the original media?
>
> Obviously in some situations the relevant files can be pulled and
> redistributed in a new filesystem like a Zip.
>
> The situation only gets worse with distributing larger images of
> entire hard disks. Or with Windows, "quick format" doesn't zero blocks.
>
> In another case I encountered while digging through files on an old
> RSTS backup tape, we had a program that logged usage data to a file
> and for speed purposes it would preallocate a large file (as opposed
> to extending the file, which was slower) and then write block records
> to it. RSTS reused blocks without zeroing. In the unused blocks
> of an extant file I found an email I'd sent in '82 as well as bits
> from other users of the same timesharing system.
>
> Certainly the archivists out there have considered these questions.
> How are they solved?
>
> Are there notable tools that focus on the files that aren't there?
>
> I don't mean modern forensic carving tools... but some concepts would
> be similar.
>
> - John
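
The quoted question about zeroing unused blocks without altering the original media, worked as an added example that is not part of the original thread: it reads a FAT12 image, finds clusters the FAT marks free that still hold data, and zeroes them in a copy only. It assumes a FAT12 floppy image with a standard BIOS parameter block; the function names are hypothetical and the sample image is constructed.

```python
import struct

def fat12_entry(fat: bytes, n: int) -> int:
    """Return the 12-bit FAT entry for cluster n (two entries share three bytes)."""
    off = n + n // 2
    pair = fat[off] | (fat[off + 1] << 8)
    return pair >> 4 if n & 1 else pair & 0x0FFF

def scrub_free_clusters(image: bytes):
    """Zero clusters the FAT marks free, in a copy; return (copy, clusters that held data)."""
    # BIOS parameter block fields at offset 11 of the boot sector.
    bps, spc, reserved, nfats, root_ents, total, _media, spf = struct.unpack_from(
        "<HBHBHHBH", image, 11)
    if not bps or not spc:
        raise ValueError("no usable BIOS parameter block")
    root_sectors = (root_ents * 32 + bps - 1) // bps
    data_start = reserved + nfats * spf + root_sectors   # first data sector
    clusters = (total - data_start) // spc
    if not 0 < clusters < 4085:
        raise ValueError("not a FAT12 volume; this sketch handles FAT12 only")
    fat = image[reserved * bps:(reserved + spf) * bps]   # first FAT copy
    out, residue = bytearray(image), []
    for n in range(2, clusters + 2):                     # cluster numbering starts at 2
        if fat12_entry(fat, n) != 0:
            continue                                     # allocated, bad or reserved
        start = (data_start + (n - 2) * spc) * bps
        end = start + spc * bps
        if any(out[start:end]):                          # free, yet not empty
            residue.append(n)
            out[start:end] = bytes(end - start)
    return bytes(out), residue

def make_sample_image() -> bytes:
    """Constructed 8-sector FAT12 image: cluster 2 is a live file, cluster 3 holds residue."""
    img = bytearray(8 * 512)
    struct.pack_into("<HBHBHHBH", img, 11, 512, 1, 1, 1, 16, 8, 0xF0, 1)
    img[512:518] = bytes.fromhex("f0ffffff0f00")         # cluster 2 = EOF, cluster 3 = free
    live, old = b"live data", b"old letter from 1983"
    img[1536:1536 + len(live)] = live                    # sector 3 = cluster 2
    img[2048:2048 + len(old)] = old                      # sector 4 = cluster 3
    return bytes(img)

if __name__ == "__main__":
    clean, found = scrub_free_clusters(make_sample_image())
    print("free clusters that held old data:", found)
```

This pass leaves deleted directory entries and the slack after the end of each live file's last cluster untouched; those need their own handling before an image is released.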