[SOLVED] Overwriting free space or overwriting single files restored by photorec
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Ok, I ran photorec once again without deleting the large file (and filling up the previously reserved disk space) and it discovered only a few text files which were possibly created and deleted since dd stopped. Interesting, though, is the fact, that after deleting the large file, some files were recovered again (not nearly as much as recovered before). Although mostly small text files were spotted, this shouldn't happen, should it? Can photorec restore overwritten bits sometimes? Maybe running dd if=/dev/zero of=largefile some more times will do the trick? I'll try it out.
Don't wait forever for the hexdump command to finish if it doesn't show anything other than those lines for a while it's fine
Quote:
Originally Posted by fcrok
Maybe there is a tool which checks whether an inode refers to a given part of the partition or not? This could make my dd command safe.
An inode always refers to somewhere on the same partition (strictly, its multiple block pointers refer to somewhere on the same partition). You can't have file systems covering multiple partitions.
If you want the exact block address within the partition, I guess that is what photorec is telling you: but you have no guarantee that another process won't write another file there after you have deleted it, because the OS thinks the space is free.
Quote:
Originally Posted by fcrok
No, I restored the files to a different parition and selected "unallocated space only" every time.
Now I don't understand. Are the files fully deleted or simply moved to another partition? If the files exist elsewhere on the drive, maybe photorec is scanning that as well?
Now I don't understand. Are the files fully deleted or simply moved to another partition? If the files exist elsewhere on the drive, maybe photorec is scanning that as well?
The files were deleted using rm. After photorec discovered such a deleted file, it copies the contents to a new file on another partition (I restore files form sda3 and store the recovered files on sdb1)
Quote:
Originally Posted by SecretCode
Definitely not! If they were recovered, they were not originally overwritten.
Then it is very strange that photorec recovered sooo much files, because I'm definitely sure that every unallocated bit was zeroed. And it is impossible that every file was created and deleted after if removed the large file.
One thing has occurred to me: if a block containing some of a deleted text file is then allocated to another file, which doesn't write over all of it, the text data won't be cleaned by this technique. To illustrate what I mean ...
Time 1: sensitive.txt is a 4KB file taking one 4KB block at location 1000000
Time 2: sensitive.txt is deleted. That disk block is marked free but still contains the text data
Time 3: arbitrary.tmp, a 1 byte file, is allocated to the same location. That disk block is not free, and now contains 1 (or 2 including a NUL?) bytes of the new file but still contains 4094 bytes of your text
Time 4: you run the dd largefile command. Block 1000000 isn't touched because it's not free.
Time 5: arbitrary.tmp is freed but your text data is still on the disk.
Time 6: you delete 'largefile' (or not, makes no difference)
Time 7: you run photorec and it finds that text data, with a couple of garbage characters at the front.
shred (run before deleting the file) I think would address this by overwriting the bytes in the disk block before deleting the file.
... And another thing: ext4 is a journalling file system. I have no idea what the implication of this is (how much written data is copied where), but man shred warns that it may not work on journalling file systems.
Hey thank you, your last post seems logical. But for the main problem being solved by disabling reserved blocks, I am pleased now It just seemed strange that my first approach didn't work.
So once again thank you for your help and I'll use the button
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.