
Golden G. Richard III, Ph.D.
March 18, 2005
DIGITAL FORENSICS NOTE: formatting
I've decided to start a mini-column on interesting issues in digital forensics. Many of the issues may be common knowledge to advanced digital forensics investigators or researchers, but I've had enough discussions recently to understand that some of these issues aren't universally understood. For non-forensics readers, think of this as a privacy column.
Formatting a partition lays out an appropriate filesystem on the partition--all of the bookkeeping structures that enable the operating system to track allocated and free blocks, the allocation of blocks to specific files, and metadata associated with files, such as names, access/creation/modification dates, file permissions, etc.
A particularly interesting issue for computer users and digital forensics gurus alike is that in general, formatting destroys much of the bookkeeping information, but does not destroy most data blocks.
There's a common misconception about the difference between quick formatting and formatting under Windows operating systems. Quick formatting does just what the name implies--it quickly initializes a file system, leaving much of the partition untouched. The misconception is that because a "regular" format takes so much longer, the data blocks on the partition must be getting scrubbed. In fact, the delay is a check for bad sectors on the partition, and this test is non-destructive--each sector is read to verify that it can be read properly, and nothing is written to it. Thus "regular" formatting does not destroy most of the data blocks, and file carving can retrieve a lot of information from a formatted partition.
Linux? Same story. Creation of an ext2/3 filesystem (without the -c option, which checks for bad blocks) is fast and leaves most data on the partition intact. Adding a check for bad blocks to the mkfs operation still leaves most data intact.
Using Linux to create a FATx filesystem? Same story.
The punchline is that most data survives format operations. That's great news for accidental format operations--I recently recovered a large quantity of email for a (large!) company, where a re-format had wiped out Outlook email several months before the problem was turned over to me. In the meantime, the computer had been used heavily.
The news isn't so good for people *trying* to erase data blocks. In that case, /dev/zero is your friend.
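A toy model of the point made above, added here as an illustration and not code from the original post: the partition image, the directory-table layout, the sector size and the JPEG-like sample file are all constructed for the example. "Formatting" rewrites only the bookkeeping sector, so signature-based carving still finds the file; only an overwrite of every sector (what dd from /dev/zero does) removes it.

```python
import re

SECTOR = 512
META_SECTORS = 1  # constructed layout: sector 0 is the directory table
HEADER, FOOTER = b"\xff\xd8\xff", b"\xff\xd9"  # real JPEG start/end markers
# Constructed sample file with JPEG-style header and footer around a body.
SAMPLE_FILE = HEADER + b"photo-of-the-evidence" * 8 + FOOTER


def make_image(n_sectors=16):
    """Build a blank partition image with every sector zeroed."""
    return bytearray(SECTOR * n_sectors)


def write_file(img, name, data, first_sector):
    """Copy data into data blocks and record name:sector:length in sector 0."""
    start = first_sector * SECTOR
    img[start:start + len(data)] = data
    entry = f"{name}:{first_sector}:{len(data)};".encode()
    end = img[:SECTOR].find(b"\x00")  # append after existing entries
    img[end:end + len(entry)] = entry


def quick_format(img):
    """Quick format: reinitialise the bookkeeping region only."""
    img[:META_SECTORS * SECTOR] = bytes(META_SECTORS * SECTOR)


def full_format(img):
    """'Regular' format: quick format plus a read-only bad-sector scan."""
    quick_format(img)
    for s in range(len(img) // SECTOR):
        bytes(img[s * SECTOR:(s + 1) * SECTOR])  # read check; nothing written


def zero_fill(img):
    """Overwrite every sector, data blocks included (the /dev/zero case)."""
    img[:] = bytes(len(img))


def directory_entries(img):
    """Files the filesystem's own bookkeeping still knows about."""
    return [bytes(e) for e in img[:SECTOR].split(b";") if b":" in e]


def carve(img):
    """File carving: ignore the directory and scan raw blocks for signatures."""
    pattern = re.escape(HEADER) + b".*?" + re.escape(FOOTER)
    return [m.group(0) for m in re.finditer(pattern, bytes(img), re.DOTALL)]


def survives(operation):
    """Write the sample file, apply operation, report directory count and carved files."""
    img = make_image()
    write_file(img, "photo.jpg", SAMPLE_FILE, first_sector=2)
    operation(img)
    return len(directory_entries(img)), carve(img)
```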
Posted by Golden at March 18, 2005 3:19 PM