So you think your Hard drive is CLEAN


  1. Posts : 5,941
    Linux CENTOS 7 / various Windows OS'es and servers
       #1


    Hi all
    Whilst not W7 specific per se this is really important if you think you've found a Virus and are just using the "Infection Processes" supplied by your AV software.

    Even a FORMAT of a hard disk doesn't erase or make old data inaccessible.

    Read this
    BBC NEWS | Wales | Missile data found on hard drives

    This effectively means a Virus could conceivably "resurrect" itself or "be resurrected" again after being "Cleansed"
    (a sub virus ?? could look for the "deleted nasties" and re-activate them).

    The normal "Delete" function in an OS just deletes the directory area but doesn't actually delete the DATA itself. This is only deleted or "Overwritten" when the OS decides to re-use that specific area of a disk - which for large TB drives these days could be a long long time into the future.

    Most FREE AV software doesn't actually go into the sectors of the infected areas and retrieve the actual physical disk addresses to delete the data. You need to actually make some BIOS calls to "Physically address disk sectors" for data re-writing etc.

    Intercepting BIOS calls will show if your AV software works intelligently or whether it just does basic first level "Windows Deletes".

    Now Windows itself, if its security is working properly, shouldn't allow programs to make BIOS calls directly -- should be done via the API -- so you've got another potential problem here -- your AV program will be blocked by Windows itself from effectively cleansing the disk by directly calling the BIOS. So if the Virus has attacked the Windows API for Disk I/O you are up that proverbial street without the proverbial.


    Until new data is physically re-written in the same actual disk addresses then the old data is actually "recoverable".

    I've used a data recovery program like this to recover some pictures I had accidentally deleted after a photo shoot. I had actually even re-formatted the disk but was able to recover the pics.

    Whilst "Binning" the disk is not a practical solution for most users you CAN protect against this type of scenario by using utilities which do a "Secure Erase".

    These work by writing Binary Zeros on every data area of the disk maybe several times (in "Paranoid level"). They can also clear the MBR.

    These still aren't 100% effective but for all practicable purposes where you don't have access to military grade equipment they will be MORE than sufficient to cleanse your disk.

    Here's a decent FREE one from the University of San Diego.

    CMRR - Secure Erase

    Cheers
    jimbo
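
A toy model of the delete / format / zero-fill behaviour described in the post above, added here as an illustration and not part of the original post. The volume layout (one directory sector, 16-byte entries) is an assumption made for the example; only the 0xE5 "deleted" marker is borrowed from FAT.

```python
# Added illustration: a toy in-memory volume, not a real filesystem driver.
SECTOR = 512
DIR_ENTRIES = 4    # directory table lives in sector 0 (assumed layout)
ENTRY = 16         # 11-byte name, 1-byte first sector, 4-byte length
DELETED = 0xE5     # FAT flags a deleted entry by overwriting its first name byte
JPEG = b"\xff\xd8\xff"

def make_volume(sectors=8):
    return bytearray(SECTOR * sectors)

def write_file(vol, slot, name, first_sector, data):
    off = slot * ENTRY
    vol[off:off + 11] = name.encode().ljust(11)
    vol[off + 11] = first_sector
    vol[off + 12:off + 16] = len(data).to_bytes(4, "little")
    start = first_sector * SECTOR
    vol[start:start + len(data)] = data

def listing(vol):
    """What the OS shows: only directory entries not marked empty or deleted."""
    names = []
    for slot in range(DIR_ENTRIES):
        entry = vol[slot * ENTRY:(slot + 1) * ENTRY]
        if entry[0] not in (0x00, DELETED):
            names.append(bytes(entry[:11]).decode().strip())
    return names

def os_delete(vol, slot):
    vol[slot * ENTRY] = DELETED      # only the directory entry changes

def quick_format(vol):
    vol[0:SECTOR] = bytes(SECTOR)    # fresh empty directory, data area untouched

def carve(vol, magic=JPEG):
    """What a recovery tool sees: raw data sectors starting with a known signature."""
    return [s for s in range(1, len(vol) // SECTOR)
            if vol[s * SECTOR:s * SECTOR + len(magic)] == magic]

def zero_fill(vol):
    vol[:] = bytes(len(vol))         # overwrite every sector, directory included

def demo():
    vol = make_volume()
    write_file(vol, 0, "PHOTO.JPG", 3, JPEG + b"\xe0constructed sample photo bytes")
    os_delete(vol, 0)
    after_delete = (listing(vol), carve(vol))
    quick_format(vol)
    after_format = carve(vol)
    zero_fill(vol)
    return after_delete, after_format, carve(vol)
```

After the delete the listing is empty but the signature scan still finds the photo in sector 3; the same holds after the quick format, and only the zero fill leaves nothing to find.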


  2. Posts : 179
    windows7 7100 x64
       #2

    I use DBAN before installing an OS; that way I know I get a good clean install, nothing left on disc at all.


  3. Posts : 5,747
    7600.20510 x86
       #3

    I run without the usage of the trash bin, so when I delete something accidentally which is very rare though, I fire up R-Studio to recover it. Never fails if done immediately, without giving Windows the chance to overwrite.

    A few weeks ago, I was not my normal self having a good ol' time lol and decided to install one of the 7 builds on my downstairs pc. I accidentally chose the wrong partition, temporarily lost all data on it. Used R-Studio to recover like 30 gigs of mp3s the next day. Went perfectly.

    Forensics, if important enough, can recover past an overwrite, which is why there are government standards for erasing, Gutmann 35 pass etc...


  4. Posts : 4,925
    Windows 7 Professional 64-bit
       #4

    You need a utility that can do zero formatting.


  5. Posts : 913
    Windows 7 x64 Professional
       #5

    Very very interesting...

    Question: System Mechanic comes with its incinerator function... how do you rate that?...


  6. OEM
    Posts : 617
    OS3.5
       #6

    I use Drive Erase Pro. Comes with an application that gets installed for files and drives, and a boot disk.

    1. File Shredder. Instead of deleting a file, use this and it will delete then write over the space the file occupied on the disk with a predetermined write sequence or just zeros and up to 10 passes.

    2. Drive Erase: Just as the name implies, this will write over an entire drive/disk with different choices of write sequences. It has about 10 different standards or a custom write type and can choose how many times to write over the drive/disk. Usually I'll use the US Defense standard on the first pass, then on the second pass just have it write all zeros.

    A 500gig external usb hd takes about 11 hours for 2 passes. For some reason my internal sataII drives take forever when connected to the mob sata ports. It's quicker to connect the sata drives to a sata/ide to usb adapter and run it that way.

    It wasn't free, ...think it was about $30. Worth it though and is used quite a bit.
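
A minimal overwrite-then-delete routine in the spirit of the file shredder described in the post above, added here as an example; it is not Drive Erase Pro's code or its write sequences. The function names and the default two-pass pattern (0xFF, then zeros) are assumptions.

```python
import os

CHUNK = 1 << 20  # 1 MiB writes, so large files need not fit in memory

def overwrite_pass(f, size, value):
    """Overwrite the first `size` bytes of open file `f` with the byte `value`."""
    block = bytes([value]) * CHUNK
    f.seek(0)
    left = size
    while left > 0:
        left -= f.write(block[:min(left, CHUNK)])
    os.fsync(f.fileno())   # force this pass out before the next one starts

def holds_only(f, size, value):
    """Read the file back and confirm every byte equals `value`."""
    f.seek(0)
    left = size
    while left > 0:
        chunk = f.read(min(left, CHUNK))
        if not chunk or chunk.count(value) != len(chunk):
            return False
        left -= len(chunk)
    return True

def shred(path, passes=(0xFF, 0x00)):
    """Overwrite `path` in place once per value in `passes`, verify, then delete.

    Returns True when the read-back after the final pass matched; the file is
    left in place on a mismatch so the wipe can be retried.
    Limits: the read-back checks the file's logical contents only. SSD wear
    levelling and journaling or copy-on-write filesystems can keep older
    copies of the blocks elsewhere, which is what whole-drive erase addresses.
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for value in passes:
            overwrite_pass(f, size, value)
        ok = holds_only(f, size, passes[-1])
    if ok:
        os.remove(path)
    return ok
```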


 
