OT: Computer question!



Mcostello
02-16-2005, 11:57 PM
I know that this is machinery related as I use a computer in my shop. Question is: "Can anything stay resident on my hard drive after a full format with original install disk?" Spyware seems to have followed me home after a reinstall. Running every kind of protection possible.

.RC.
02-17-2005, 01:44 AM
I have always been told to format twice as some programs are persistent...Even better is to run one of those programs that after a format they write 0's and 1's all over the hard drive so that any info on it after a format cannot be recovered...

Thrud
02-17-2005, 02:10 AM
Fdisk the drive, then install the software.

Before you do that you can try Webroot's "Spy Sweeper" free for 30 days - it is an excellent program worth buying.

You can also install from Microsoft's "Microsoft AntiSpyware Beta 1" downloadable from their site (MicrosoftAntiSpywareInstall.exe is the 6.22Mb file), also install SpywareBlaster, Ad-Aware Personal SE, and Spybot - Search & Destroy. After installing them make sure you upgrade them and immunize your system before you scan. Between these five you should be able to squash them all. Be warned though that Spy Sweeper should be run first and left resident - it catches lots of sneaky maneuvers when you install crap off the internet or visit websites.

I use all five of these myself and I have a clean system - I have Norton SystemWorks and Internet Securities running as well and I can tell you first hand Norton catches very little, but they are also worth considering. We run the XP firewall and Norton's on each computer, the server as well - our hardware firewall shuts itself off if attacked (Happens every day now).

These are the only ones I know of that do not come with their own selection of trojan horses and spyware that get installed along with "so called anti spyware" - there are lots of pricks out there that will charge you for their garbage, and their garbage is half the problem. Download Managers also have lots of bad spyware - FlashGet installs about 120 of them, Free Download Manager installs at least 1 Trojan Horse - Net Transport & ReGet Deluxe don't seem to have any, but ReGet is always asking you to buy it even if you are just trying it out - a Real PITA. The other Download managers that FlashGot (A Firefox plugin) supports are also Adware/Spyware laden - I have not tried "Internet Accelerator" though as I refuse to pay for it until I know it is good software.

Pay careful attention to Spy Sweeper when you install programs or go to internet sites - an Alert will pop up immediately telling you something is fishy - often a program is trying to initialise itself in the MSconfig files (your start up files for XP) - Spy Sweeper allows you to permit this or delete the program on the spot.

Pay close attention to what you are doing and do weekly updates and sweeps with these 5 programs and you should be "crapware" free.

Laptop users are in their own right the most pathetic group of retards with computers - they never learn and never listen and are repeat customers for crapware removal by Keeners (no, I don't mean IT professionals - techie/hackers aka "Keeners")

[This message has been edited by Thrud (edited 02-17-2005).]

oldironhead
02-17-2005, 09:47 AM
Data can remain at least partially intact on a hard disk even after formatting or even after the partition has been deleted. It may take forensic software to get at it but it is still there. The only way to remove the data with certainty, short of destroying the disk, is to use a good disk or file wiping software like Evidence Eliminator.

Victor

topct
02-17-2005, 10:07 AM
I wonder if anything remains on this,
http://img.photobucket.com/albums/v78/topct/Laptop.jpg

3 Phase Lightbulb
02-17-2005, 12:40 PM
If you format your hard disk, then YES, the data is gone and not recoverable. The magnetic field from the head(s) do span slightly wider than the actual cylinder width so you can sometimes read data outside of the normal head but if you're still using the original head and original alignment, then as far as your computer is concerned, the data is gone.

If you want to read data on a hard disk that has been formatted, then you'll need to physically open up your hard disk, and replace the heads with special multi-channel heads that have a wider width and are much more sensitive. You'll also need a special drive controller that is custom made for doing this.

This does not work on newer drives because the head tolerances are getting to the point where there is literally zero overlap in between cylinders.

-3Ph

Evan
02-17-2005, 01:39 PM
Doing a regular full format does NOT erase or reformat the MBR (Master Boot Record). It is possible for problems to occur that affect the MBR. Some old viruses use the MBR to hide in. If you really want to fully erase the hard disc then go get the appropriate manufacturer's utility for your make of drive and do a zero fill of the entire drive. I have seen situations where this was the only way to correct a problem with the drive.

As far as spyware goes a plain old format and re-install does the trick. The challenge then is to prevent re-infestation.

topct
02-17-2005, 02:39 PM
Well after trying all the free stuff out there to try and keep this computer working I've had no luck with it. I am definitely not very good with these things. I didn't even know how to cut and paste before I got onto this board. So I probably didn't use the stuff in the right way, I don't know. Very confusing stuff. I was getting that damn 'AboutBlank' thing. It is or was everywhere.

Anyway, not getting anywhere with anything, I decided to try Firefox and its e-mail program.

I am not running any, I mean zero, spyware, popup blocker, nothing. Just plain old 98se. So far so good. I do see a bar that says something about a popup once in a while, but that is as far as it goes. No damage.

I have also installed it on a neighbor's computer, whose kid was goofing it up once a week [porno sites] at first, then it was going haywire everyday. It was getting really old reinstalling everything from scratch. Again since having him just use Firefox no problems.

Are we just lucky or what? I'm sold on it so far. It does say that all my e-mails are spam, so what? I just ignore that and read my mail.

After reading Thrud's message (five pieces of software **** to keep his computer clean?) I like this way much better.

If I'm fooling myself, so be it, so far so good. I don't keep anything on this machine that matters anyway. My $.02



------------------
Gene

jkilroy
02-17-2005, 03:02 PM
Just download one of the many available delete utilities that will overwrite the same data area with 1's and 0's over and over until you feel comfortable.

If you are still worried you could just get a magnet and THAT will erase it pretty darn well. If that's not enough, do what we do at work, physically destroy the hard drive. Remove the platters and *polish* them with a 4" grinder on both sides, or put a smoke wrench to it.

------------------
James Kilroy

3 Phase Lightbulb
02-17-2005, 03:07 PM
You can still get pop-up Ads and other annoying HTML artifacts from any web browser depending on how sketchy your Internet service provider is.

A couple years ago I was writing an embedded web browser for a custom system and I was testing it using my standard Mediaone Broadband internet service.

I discovered something that at first, I couldn't believe. My internet service provider was actually watching outgoing HTTP /GET requests and occasionally "inserted" advertising into the HTML responses. I knew this because I was writing the HTML parser to parse my own fixed HTML files that I had been serving up on my own Web server that I was hosting from a private hosting company.

Mediaone was sticking in their own banner ads and pop-up windows by occasionally modifying HTML /GET responses..

I started to investigate this further and I tried to figure out under what conditions they were inserting their own advertising. It turns out that if I ever requested a URL that came from a website that was contracted with Mediaone for advertising, then I would "trigger" Mediaone's advertising system.

I sent some nasty email to Mediaone regarding this and they claimed a "computer malfunction" was causing this to occur and surprisingly it immediately stopped occurring. About 1 year later, I moved to a new house and I got Mediaone cable service again.. Sure enough, I was getting "modified" HTML from my own canned HTML server.. I sent another email to Mediaone and again their response was a computer problem was causing it and it immediately stopped occurring.

Well, to this day, I don't know how many other people have internet service providers that are inserting advertising into HTML get responses, but I keep a close eye on my service just waiting to catch them do it again.

Read your internet providers service agreement VERY carefully.

-3Ph


[This message has been edited by 3 Phase Lightbulb (edited 02-17-2005).]
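
Added example, not part of the original post: one way to run the check the post describes, comparing a fixed page you host yourself with what arrives over the connection and listing what was inserted along the way. The page contents and the ads.example.invalid host are constructed samples, and the function names are hypothetical; in practice `received` would be the body fetched over the link under test.

```python
import difflib
import hashlib
import re

# Constructed sample: the fixed page exactly as stored on your own server.
CANNED = (
    "<html><head><title>parser test 1</title></head>"
    "<body><h1>Fixed page</h1><p>static text</p></body></html>"
)

# Constructed sample: the same page as it might arrive after an in-path rewrite.
RECEIVED = (
    "<html><head><title>parser test 1</title>"
    '<script src="http://ads.example.invalid/pop.js"></script></head>'
    "<body><h1>Fixed page</h1><p>static text</p>"
    '<iframe src="http://ads.example.invalid/banner"></iframe></body></html>'
)

# A tag, a run of text, or a stray '<' that never closes.
_TOKEN = re.compile(r"<[^>]*>|[^<]+|<")


def tokenize(html):
    """Split markup into tags and text runs so the diff aligns on elements."""
    return _TOKEN.findall(html)


def inserted_spans(expected, received):
    """Return the pieces of `received` that do not come from `expected`."""
    a, b = tokenize(expected), tokenize(received)
    matcher = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    spans = []
    for op, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if op in ("insert", "replace"):
            spans.append("".join(b[j1:j2]))
    return spans


def check_response(expected, received):
    """Hash both bodies; when they differ, list what was added in transit."""
    exp = hashlib.sha256(expected.encode("utf-8")).hexdigest()
    got = hashlib.sha256(received.encode("utf-8")).hexdigest()
    intact = exp == got
    return {
        "intact": intact,
        "expected_sha256": exp,
        "received_sha256": got,
        "inserted": [] if intact else inserted_spans(expected, received),
    }


if __name__ == "__main__":
    result = check_response(CANNED, RECEIVED)
    print("intact:", result["intact"])
    for span in result["inserted"]:
        print("inserted:", span)
```

Serving the test page over HTTPS removes the opportunity for this kind of in-path rewrite, since a modified response fails TLS integrity checks.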

.RC.
02-18-2005, 06:52 AM
To format the master boot record..type fdisk/mbr at the dos prompt

Elninio
02-19-2005, 09:35 PM
I just shot my brand new WD hard drive yesterday. I was rearranging the cables and the power cable touched one of the screws coming from the case, it sparked and the computer turned off. When I rebooted, the BIOS failed to recognise the disk, it was even getting power, and I tried some of my older discs. Seems now I'm stuck with a 380 mb disk, so no more CAD till I get my disc back from BC (I live in Ontario). :(

Evan
02-19-2005, 09:47 PM
[quote]To format the master boot record..type fdisk/mbr at the dos prompt[/quote]

Can't do that if you are running XP with NTFS.

3 Phase Lightbulb
02-20-2005, 12:34 AM
[quote]Originally posted by Evan:
[quote]To format the master boot record..type fdisk/mbr at the dos prompt[/quote]

Can't do that if you are running XP with NTFS.[/quote]

The MBR has nothing to do with the Operating system, or any filesystem formats within the partitions. The MBR is the first logical 512 byte sector on the disk containing 4 partition tables with one being marked as bootable. The first 466 bytes are available for 16-bit 8086 code and the next 64 bytes contain (4) partition tables 16 bytes in size. The last two bytes are a 55AA signature.

The MBR has nothing to do with the operating system you're using, or the file format that was chosen within one of the 4 master partition tables, or any extended partition tables.

The boot code within the MBR looks within the 4 partition tables for a bootable partition. If one is found, then the bootsector for that partition table is loaded into memory and jumped into. Each partition has their own boot sector which takes over from there.

I have Windows XP installed on an NTFS partition, Fedora3 installed on an ext3 partition, and Solaris installed on a VFS partition.

-3Ph


[This message has been edited by 3 Phase Lightbulb (edited 02-19-2005).]

Thrud
02-20-2005, 01:46 PM
[quote]Originally posted by 3 Phase Lightbulb:

If you format your hard disk, then YES, the data is gone and not recoverable. The magnetic field from the head(s) do span slightly wider than the actual cylinder width so you can sometimes read data outside of the normal head but if you're still using the original head and original alignment, then as far as your computer is concerned, the data is gone.

-3Ph[/quote]

Sorry bud, but you are DEAD wrong. Data can be recovered in most cases, over 90% of the time by specialists in the field. This includes drives that have been in intense fires! Forensically speaking nearly all data ever written to the drive can be recovered - the extent of which depends on how much money you are willing to spend to do it as extensive reading and writing may require a supercomputer to make sense of the recovered data. Recovery to this extent always takes place in a class 10 clean room. I know of a customer here in Edmonton that paid $30,000(US$) for data recovery off of his laptop drive as the info was not replaceable and vital to his work. A good reason to learn to backup on a regular basis critical data...

The ONLY way to secure data off a hard drive from others is to throw the drive into a hammer mill and turn it to metal fines. This is a requirement for the federal government in Canada - especially in Revenue Canada



[This message has been edited by Thrud (edited 02-20-2005).]

JRouche
02-20-2005, 02:24 PM
[quote]Originally posted by Thrud:
The ONLY way to secure data off a hard drive from others is to throw the drive into a hammer mill and turn it to metal fines.[/quote]


Naw, just take it with you during your next MRI, it will get wiped.

Or a degausser will work.

JRouche

3 Phase Lightbulb
02-20-2005, 03:12 PM
[quote]Originally posted by Thrud:
Sorry bud, but you are DEAD wrong. Data can be recovered in most cases, over 90% of the time by specialists in the field. This includes drives that have been in intense fires! Forensically speaking nearly all data ever written to the drive can be recovered - the extent of which depends on how much money you are willing to spend to do it as extensive reading and writing may require a supercomputer to make sense of the recovered data. Recovery to this extent always takes place in a class 10 clean room. I know of a customer here in Edmonton that paid $30,000(US$) for data recovery off of his laptop drive as the info was not replaceable and vital to his work. A good reason to learn to backup on a regular basis critical data...

The ONLY way to secure data off a hard drive from others is to throw the drive into a hammer mill and turn it to metal fines. This is a requirement for the federal government in Canada - especially in Revenue Canada

[This message has been edited by Thrud (edited 02-20-2005).][/quote]

Actually, I'm DEAD right. You failed to read all of my message, or you just didn't understand what I said. Try again, here is the same message:



[quote]Originally posted by 3 Phase Lightbulb:

If you format your hard disk, then YES, the data is gone and not recoverable. The magnetic field from the head(s) do span slightly wider than the actual cylinder width so you can sometimes read data outside of the normal head but if you're still using the original head and original alignment, then as far as your computer is concerned, the data is gone.

If you want to read data on a hard disk that has been formatted, then you'll need to physically open up your hard disk, and replace the heads with special multi-channel heads that have a wider width and are much more sensitive. You'll also need a special drive controller that is custom made for doing this.

This does not work on newer drives because the head tolerances are getting to the point where there is literally zero overlap in between cylinders.

-3Ph[/quote]




[This message has been edited by 3 Phase Lightbulb (edited 02-20-2005).]

Paul Alciatore
02-20-2005, 04:49 PM
I didn't read all the answers but, hard drives are dirt cheap. You can likely get a larger one than the original for less $s. Use the new drive for the boot disk and reformat the original one for a data backup drive - don't put any programs on it. This will give you great backup in case the main drive fails.

Paul A.

.RC.
02-20-2005, 10:24 PM
[quote]Originally posted by Thrud:
Sorry bud, but you are DEAD wrong. Data can be recovered in most cases, over 90% of the time by specialists in the field.[/quote]

Probably right but then most people do not format drives and if they do they just do a format....If you run one of those programs that write 1's and 0's all over the drive several times the data is virtually irrecoverable....Even the US government recommends one program(not sure which one) with about 10 rewrites of 1's and 0's for sensitive data....

3 Phase Lightbulb
02-21-2005, 12:21 AM
There are 3 levels of data recovery that we provide...

#1: A user deleted a file but the file's data is still intact on the disk. This is a high level delete operation. Most file system implementations keep old file chains/vnodes intact to help avoid disk fragmentation. When the disk physically becomes full, deleted file chains are then used. Basic filesystem knowledge is needed to recover files that have been deleted. In most cases, utilities already exist to do this. This is the most common request at a data recovery center.

#2: A disk drive has stopped working due to a physical failure. The drive's controller has died, or the cylinder stepper motor has died, or the drive has fallen out of alignment, or any other physical problem occurred preventing you from reading/using the drive. Sometimes, you just need to replace the onboard drive controller, and then all of the data is readable again. Sometimes you need to open up the drive and repair/replace the stepper, or a head, or just realign the system. This is also relatively easy to do with the proper equipment and facilities. A class 1000 clean room is sufficient.

#3: The physical drive is intact, but the data has been over-written (Same as a format). Trying to recover data that has been over written is never "90%" as Thrud suggests. In fact, it's never the same technique and varies from device to device. You'll never be able to recover all bits so this technique is only good for recovering self-explaining data like 7-bit ASCII (Not programs, or structured data files). If you have this textual information on a sector:

"I know that this is machinery related as I use a computer in my shop"

If you over write it with 0xFFs, or whatever, you might be able to read latent magnetic fields off to the side of the head's magnetic radius, but you'll probably decode something that looks like this instead:

Original:

"I know that this is machinery related as I use a computer in my shop"

Example of what you might be able to read using special multi-channel wider heads:

"4jk4ow7tratvthishisJmachiFery4re6ated*asPO usrea&co3pute4*ifgm36shdp"


You can fill in the missing bits and figure out what the message is, but it's far from perfect and like I said, it's almost never even attempted. Only the manufacturer can generally provide the tools to do this -- especially with RLL encoding.

If you want to protect your data, use 128-bit encryption, or use a solid-state disk/drive like an IDE/CompactFlash disk.

-3Ph



[This message has been edited by 3 Phase Lightbulb (edited 02-20-2005).]

oldironhead
02-21-2005, 10:14 AM
Formatting or partition deletion WILL NOT WIPE THE DISK SURFACE CLEAN OF ALL PREVIOUS DATA. It simply writes new cluster boundaries, partition boundaries, directory structures, etc. to specific locations on the disk. After a format or partition deletion, any new file system created by a format won't recognize any of the previous data on the disk. MOST OF THE ORIGINAL DATA IS STILL THERE UNLESS IT IS OVERWRITTEN BY THE NEW FILE SYSTEM. Any good forensic software such as Encase can easily find this data.

There are numerous file and/or disk wiping utilities available that can overwrite the entire accessible surface of the disk or selected parts of it. Once this is done, the original data is not recoverable unless the disk is opened in a clean room and the 'margins' of the disk tracks are examined with specialized hardware. This is expensive and results will vary.

To address the original question, it is likely that a format is adequate to rid a computer of any spyware.

lklb
02-21-2005, 10:17 AM
I use eraser on my computers this is freeware (open source) - options include 30 or 32 x writeover of files. I believe this option is DOE spec for hard disk wiping.
Anyway, included with this is a floppy disk image utility called DBAN (Darik's Boot and Nuke) if you are fdisking the drive you might want to try it.
http://www.heidi.ie/eraser/ LK

3 Phase Lightbulb
02-21-2005, 11:46 AM
[quote]Originally posted by oldironhead:
Formatting or partition deletion WILL NOT WIPE THE DISK SURFACE CLEAN OF ALL PREVIOUS DATA. It simply writes new cluster boundaries, partition boundaries, directory structures, etc. to specific locations on the disk. After a format or partition deletion, any new file system created by a format won't recognize any of the previous data on the disk. MOST OF THE ORIGINAL DATA IS STILL THERE UNLESS IT IS OVERWRITTEN BY THE NEW FILE SYSTEM. Any good forensic software such as Encase can easily find this data.[/quote]

There are many, many, many different programs that format disks in many, many, many different ways. To say "Formatting or partition deletion WILL NOT WIPE THE DISK SURFACE CLEAN OF ALL PREVIOUS DATA" would be silly.

Older versions of Microsoft "format" will always destructively test each sector in the new partition unless you use the "/q" - [q]uick format option.

Some format programs format by just laying down a new filesystem structure as you assumed (usually selectable via a switch), some destroy/test each sector within the partition prior to laying down a new filesystem, and some filesystems (not FAT) need each sector to have a unique signature written to all free sectors/blocks so a format on that type of filesystem is always destructive. I must have written over a dozen format utilities myself over the years for different platforms/filesystems and they all could be destructive.

In the days before IDE, all MFM, RLL, and ESDI controllers needed the format program to physically test each sector with a special destructive rolling bit pattern to insure each sector is valid. If the sector turns out to be bad, then the format program adds an entry to a special area on the disk reserved for marking bad sectors. Today, IDE drives do this automatically when a bad sector is found. The firmware that runs on an embedded controller on every IDE drive auto-maps out bad sectors. This is the only reason why you don't need to format every sector on your IDE drive.

-3Ph

Evan
02-21-2005, 12:16 PM
3 Phase,

If you use a boot floppy for Win 98 or ME to fdisk /mbr on a system with a NTFS file system you will render the system unbootable. The MBR contains within the partition information a system ID field. This identifies whether the system is FAT16, FAT32 or NTFS. Using a standard Win 98 or ME boot floppy with the fdisk /mbr command will write this field to FAT32.

Note also that the fdisk /mbr command is an undocumented command and is not officially supported by Microsoft.


[quote]System ID Field

Another element of the partition table is the System ID field. It defines which file system, such as FAT16, FAT32, or NTFS, was used to format the volume and the FT characteristics of the volume. The System ID field also identifies an extended partition, if one is defined. Windows 2000 uses the System ID field to determine which file system device drivers to load during startup. Table 32.3 identifies the values for the System ID field.[/quote]

Here (http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp)

[This message has been edited by Evan (edited 02-21-2005).]

3 Phase Lightbulb
02-21-2005, 12:56 PM
[quote]Originally posted by Evan:
3 Phase,

If you use a boot floppy for Win 98 or ME to fdisk /mbr on a system with a NTFS file system you will render the system unbootable. The MBR contains within the partition information a system ID field. This identifies whether the system is FAT16, FAT32 or NTFS. Using a standard Win 98 or ME boot floppy with the fdisk /mbr command will write this field to FAT32.

Note also that the fdisk /mbr command is an undocumented command and is not officially supported by Microsoft.

Here (http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp)

[This message has been edited by Evan (edited 02-21-2005).][/quote]


The fdisk /mbr command does NOT change the partition table in any way. The original partition table is read from the original MBR, and is re-written to the MBR. Only the boot-strap code and the 55AA signature at the end of the MBR are updated. This is the sequence that "fdisk /mbr" does:

-Read the 512 byte sector at CHS:0/0/1
-Save the 4 master partition tables
-Create a new MBR in memory with new boot-code.
-Copy in the old partition table into the new MBR in memory.
-Write back the 512 byte MBR to CHS:0/0/1

I already know this, but Microsoft also states this

Microsoft: "Fdisk has an undocumented parameter called /mbr that causes it to write the master boot record to the hard disk without altering the partition table information. "

Here:

http://support.microsoft.com/kb/q69013


-3Ph



[This message has been edited by 3 Phase Lightbulb (edited 02-21-2005).]
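
Added example, not code from the thread or from Microsoft's fdisk: the MBR layout and the read, keep-the-table, rewrite sequence discussed in the posts above, as a parser over a 512-byte sector plus a boot-code digest a defender can compare against a known-good baseline. It assumes the standard layout with the partition table at byte offset 446 (446 + 64 + 2 = 512); the sector contents and boot-code bytes are constructed placeholders, and the function names are hypothetical.

```python
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # assumption from the lead-in: standard MBR layout
ENTRY_SIZE = 16
SIGNATURE = b"\x55\xAA"
# status, CHS start (3 bytes), system ID, CHS end (3 bytes), first LBA, sector count
ENTRY_FMT = "<B3sB3sII"
SYSTEM_IDS = {0x05: "extended", 0x06: "FAT16", 0x07: "NTFS/HPFS",
              0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x83: "Linux"}


def make_entry(bootable, system_id, first_lba, sectors):
    """Pack one 16-byte partition entry (CHS fields left as zero)."""
    return struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\x00" * 3,
                       system_id, b"\x00" * 3, first_lba, sectors)


def build_sample_mbr(boot_code):
    """Constructed sector: active NTFS entry, FAT32 entry, two empty slots."""
    table = (make_entry(True, 0x07, 63, 40_000_000)
             + make_entry(False, 0x0C, 40_000_063, 20_000_000))
    table = table.ljust(4 * ENTRY_SIZE, b"\x00")
    return boot_code.ljust(TABLE_OFFSET, b"\x00") + table + SIGNATURE


def parse_mbr(sector):
    """Return the non-empty partition entries of a 512-byte MBR sector."""
    if len(sector) != SECTOR_SIZE or sector[-2:] != SIGNATURE:
        raise ValueError("not a 512-byte sector ending in 55 AA")
    parts = []
    for slot in range(4):
        start = TABLE_OFFSET + slot * ENTRY_SIZE
        status, _chs0, system_id, _chs1, lba, count = struct.unpack(
            ENTRY_FMT, sector[start:start + ENTRY_SIZE])
        if system_id:
            parts.append({"slot": slot, "bootable": status == 0x80,
                          "system_id": system_id,
                          "name": SYSTEM_IDS.get(system_id, "unknown"),
                          "first_lba": lba, "sectors": count})
    return parts


def boot_code_digest(sector):
    """SHA-256 of the boot-code area, for comparison with a saved baseline."""
    return hashlib.sha256(sector[:TABLE_OFFSET]).hexdigest()


def rewrite_boot_code(sector, new_code):
    """The sequence listed in the post, applied to an in-memory sector:
    keep the four table entries, replace the code, restore the signature."""
    parse_mbr(sector)                       # validates size and signature
    if len(new_code) > TABLE_OFFSET:
        raise ValueError("boot code does not fit before the partition table")
    table = sector[TABLE_OFFSET:TABLE_OFFSET + 4 * ENTRY_SIZE]
    return new_code.ljust(TABLE_OFFSET, b"\x00") + table + SIGNATURE


if __name__ == "__main__":
    before = build_sample_mbr(b"CONSTRUCTED-BOOT-CODE-A")
    after = rewrite_boot_code(before, b"CONSTRUCTED-BOOT-CODE-B")
    for p in parse_mbr(after):
        print(p["slot"], hex(p["system_id"]), p["name"],
              "bootable" if p["bootable"] else "")
    print("table unchanged:", parse_mbr(before) == parse_mbr(after))
    print("boot code changed:",
          boot_code_digest(before) != boot_code_digest(after))
```

A digest that differs from the baseline taken right after a clean install is the cue to inspect the boot sector, which is where the MBR-resident viruses mentioned earlier in the thread would show up.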

.RC.
02-22-2005, 01:44 AM
So the question remains if you do a fdisk /mbr on a NTFS formatted drive and do a format will the system boot up when you put the XP cd in the drive???????

Interestingly I have my HDD partitioned into 3 drives two running NTFS and 1 Fat32....I have had no problems with this arrangement running XP....

Evan
02-22-2005, 02:06 AM
Sure, if the system is set to boot from CD it will do so. A few notes though. You can't do a repair install of XP from a previous service pack level to a later one such as a Service Pack 1 CD to a machine that has been updated to Service Pack 2. It will just screw the system beyond repair. Also, if you want to use FAT32 the formatter included on the XP install CD isn't able to format more than 38 gigs in FAT 32. Don't ask me why, only Microsoft knows. If you want to use a FAT32 volume of greater than 38 gigs then you need to use a Win 98 or Win ME boot disk to format the drive. You might ask why would you want to use FAT32? Well, it can be accessed from a Win 98 boot disk if everything turns to poo. This isn't as important if you have a Knoppix boot CD handy.

Also there are some file and folder depth and total objects limitations in FAT32 that NTFS deals with much better. This isn't usually a problem for most users. However, in XP there have been and may still be some serious problems with NTFS which is the default file system for an XP install. The original XP had at least five bugs that could result in total loss of the file system on the next boot with no chance of recovery. Those have been patched but I have zero confidence that Microsoft has found and fixed all possibilities.

This isn't exactly new, Win 98 has a write behind caching problem that shows up on faster computers that are able to shut down before all disk writes have completed. That also has a patch.

Thrud
02-22-2005, 02:25 AM
3 Phase Lightbulb:
Thank God the days of CompSurfing a Hard Drive are over - that was a real PITA. Don't think I can remember how to even call the ESDI cards anymore to format the drive either - but who cares about old crap with piss poor capacity these days? Just remembered - Debug!

I have to agree with you on what you said, what I meant was even these random write programs are not totally secure and it is possible (but extremely time consuming and expensive) to retrieve latent written over data but rarely at high percentage rates - however spook agencies (NSA, CIA, CSIS, MI5) have equipment and software available to them that the commercial industry does not. This is why complete destruction of the platters is the ONLY secure way of preventing data theft from happening.

I learned a long time ago how to destroy hard drives with a simple program - but this does nothing to the data - it renders the drive useless and in need of recalibration by the OEM, the data is intact. In a case like this you might be inclined to toss the drive, but if you did, I could recover the drive and recover every bit of data off the drive intact using a commercial service or returning it to the OEM for data recovery. This is why my Government hammermills the drives under the scrutiny of a CSIS officer - real data security begins with real paranoia (a good thing).