Programming Forums
Mar 16th, 2005, 1:53 AM   #1
linebacker
deleting files like evidence eliminator

hi all
can someone help me with a question regarding deleting files. if i open a file say using fopen("myfile","w"); this will delete the contents of the file but can the contents be retrieved. there is an application called evidence eliminator which when deleting files writes over the file several times to stop the contents from being retrieved. is there really a need for this. i thought when you open a file for writing the contents of the file is destroyed and cannot be retrieved.
thanks

Mar 16th, 2005, 3:20 AM   #2
Berto
When you delete something you don't actually physically delete it, just the pointer to that memory location is changed, so until that memory location has something written over it, the information is still retrievable, because it is still there.

Mar 16th, 2005, 9:32 AM   #3
Dizzutch
if you use fopen("myfile", "w") you get the pointer to the beginning of that file returned, now depending on your FileSystem the bytes are all contiguous, and you could write your own file eraser, that goes over every byte in the file, and write /dev/null, or /dev/zero to it or something like that.
Dizz

Mar 16th, 2005, 9:50 AM   #4
Ooble
Sounds easy enough: find the file size, open it, write that many NULL bytes to it, and close it. Repeat for good measure. And finally, delete it.

Mar 16th, 2005, 10:20 AM   #5
Dizzutch
right, but if you're on windows you might have a problem, cuz NTFS and FAT FileSystems get fragmented, so you might write over some stuff you don't want to write over.

Mar 16th, 2005, 10:22 AM   #6
Pizentios
Another reason to switch to linux :-)

Mar 16th, 2005, 10:25 AM   #7
Dizzutch
exactly.. so on windows, you'll have to make an array of all the addresses of the file, cuz the way the FS works is that it has the address, and then a pointer to the next address, so you'd need to grab all those, and then go through and delete them.

Mar 19th, 2005, 4:42 PM   #8
kurifu
Actually most file securing software gets information about exactly where on the disk to find the files and overwrite the file data with different data, sometimes they do it many times to weaken previous magnetic resonance which can remain on the disk.... you can just open the file, overwrite the entire contents (file needs to be at least the same length) and repeat the process a few times then call delete on the file, but a professional program would also rename the file a few times as well, this helps to make the filename unrecoverable too.... actually this type of thing is seemingly really easy to do...

If you wanted to get really advanced you would find a way of completely removing the file pointer in the file table by safely overwriting it such that others can not even begin to speculate as to where on the disk the file could have been... this is much more complex though and you could damage your file system if you do it incorrectly.
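
An added example (not written by any poster in this thread) of the overwrite, rename and delete sequence from posts #4 and #8, using the bit patterns listed in post #9. It assumes a POSIX system; `overwrite_file`, `wipe_file` and the neutral file name passed in are names chosen here.

```c
/* Added example, not code from the thread. Assumes POSIX (stat, fileno, fsync). */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* One pass: write `size` bytes of `pattern` from offset 0, then push to the device. */
static int overwrite_pass(FILE *fp, long size, unsigned char pattern)
{
    unsigned char buf[4096];
    memset(buf, pattern, sizeof buf);
    if (fseek(fp, 0L, SEEK_SET) != 0) return -1;
    for (long left = size; left > 0; ) {
        size_t n = left < (long)sizeof buf ? (size_t)left : sizeof buf;
        if (fwrite(buf, 1, n, fp) != n) return -1;
        left -= (long)n;
    }
    /* fflush empties the stdio buffer; fsync asks the OS to commit it to disk. */
    return (fflush(fp) == 0 && fsync(fileno(fp)) == 0) ? 0 : -1;
}

/* Overwrite a file in place; it keeps its name and length. Returns 0 or -1. */
int overwrite_file(const char *path)
{
    /* 10101010, 01010101, 11001100, 00110011, then zero bytes. */
    static const unsigned char passes[] = { 0xAA, 0x55, 0xCC, 0x33, 0x00 };
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    /* "r+b" updates the existing file. "w" would truncate it to length 0
       first: the file system releases the old blocks, and later writes are
       not guaranteed to land on them. */
    FILE *fp = fopen(path, "r+b");
    if (fp == NULL) return -1;
    int rc = 0;
    for (size_t i = 0; rc == 0 && i < sizeof passes; i++)
        rc = overwrite_pass(fp, (long)st.st_size, passes[i]);
    if (fclose(fp) != 0) rc = -1;
    return rc;
}

/* Overwrite, rename to a neutral name, then delete. Returns 0 or -1. */
int wipe_file(const char *path, const char *neutral_name)
{
    if (overwrite_file(path) != 0) return -1;
    if (rename(path, neutral_name) != 0) return -1;
    return remove(neutral_name) == 0 ? 0 : -1;
}
```

Overwriting in place only reaches the original sectors where the file system and the device write updates to the same location; journaling or copy-on-write file systems and flash storage with wear levelling may keep the old data elsewhere.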

Mar 21st, 2005, 1:16 AM   #9
Ramlag
If you use your hard disk a lot I believe that once the file is deleted eventually you'll overwrite the location of any info that's there anyway.

I also believe that when you get people like forensics who try to recover information from a hard disk they check for anomalies at the byte level reading either a 1 or a 0 etc... if you really wanna clear a hard disk completely you need to like someone else said overwrite all the individual bytes as 1's or 0's ... a few times... like.

First time... = 1 0 1 0 1 0 1 0
Second time = 0 1 0 1 0 1 0 1
Third time... = 1 1 0 0 1 1 0 0
Fourth time = 0 0 1 1 0 0 1 1

Etc, or throw in a few random ones... even this way it's still recoverable if not done enough times, but expect them to spend a LOT of cash trying to recover it. Still the best way is always the magnet ... followed by a sledge hammer followed by some sort of home made napalm if you are that worried.

You could however if you are using windows run defrag a few times to group stuff together, find the addresses of the "empty" spaces and fill those full of 1's and 0's (careful with the windows swap file if you do that, a 100% full hard disk is quite annoying).

Apr 2nd, 2005, 3:16 AM   #10
linebacker
first off thanks to everyone for their input i didn't expect so many replies.

now the nitty gritty. when you say write over the file many times do you mean once the file has been deleted find the location on the drive then write over the sectors where the file is stored? i thought that if i open the file with fopen the contents is destroyed anyway.