FileSlackSpace v1.0
The objective of this tool is to zero out file slackspace.
What is file slackspace?
Slackspace is the unoccupied space on a disk. Files are organized into sectors
that make up a cluster, where each sector has a set size in bytes and data
from a file is distributed contiguously until the sector is full. Once the
sector is full, the data moves on to the next one. Most of the time the file
size is not an exact multiple of a sector, thus leaving empty space.
Why is it important to deal with slackspace?
Deleting a file is an often misunderstood concept. The data is not usually
deleted at all, but rather marked as free space for another file to write
over. This results in lingering data that the user thinks he or she deleted.
The data can then be retrieved by unauthorized users. This tool can eliminate
the risks of lingering data by writing meaningless data to a file's slackspace.
This tool was written in C++ using Microsoft Visual Studio 2012 on Windows 8.
How to Use:
Upon installation, run the application through the command prompt as an administrator.
Make sure you navigate to the tool's directory. To run the tool, simply type in
removeSlack.exe followed by one of the menu options below.
Options:
-f [ --fileclean ] arg Choose a file to clean its slack space
-d [ --driveclean ] arg Choose a drive to clean all of its files
-h [ --help ] Displays help message with options
For example, you can type in "removeSlack.exe -h" or "removeSlack.exe
--help" (without the quotes) in order to get the option menu to pop up.
When using fileclean or driveclean you must enter a valid directory
after the flag. For example "removeSlack.exe -d "C:\Users\Public\Documents""
(without the outside quotes).
Warnings:
-Sometimes files under 1KB might fail because they are usually written in
the MFT (Master File Table).
-Might not work on FAT32
-File names or folders with spaces will crash the program (using quotes
for the argument fixes this)
Example use:
Below is an example where removeSlack is on the desktop and you want to use
it to clean the file(s) in a desktop folder called 'Test'.
C:\Users\Public\Desktop> removeSlack.exe -d "C:\Users\Public\Desktop\Test"
Current functions:
strChange()
This function takes in an input string and converts it into a wstring.
fileCreate()
This is the core function that does all the workload such as creating file
handles, getting disk and file information.
allDirFiles()
This function uses a Boost function to iterate through all files in
a folder and calls fileCreate for each individual file.
ClearSlack()
This function saves the current state of the file and then begins to resize
the target file. After resizing the file to take up the full amount of space
on the disk, it will use the old state of the file to trim all the data written.
It will repeat this process a few times to make sure the old slackspace data is
written over.
main()
Main function that uses boost parsing from the command line in order to
parse arguments according to given flags.
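The save, extend, overwrite and trim sequence described under ClearSlack(), as an added portable C++17 sketch that is not the tool's own code: overwriteSlack and slackBytes are hypothetical names, and the cluster size is passed in as an assumed value (on Windows it can be read with GetDiskFreeSpaceW). Whether the appended bytes reuse the file's last cluster depends on the file system.

```cpp
#include <cstdint>
#include <filesystem>
#include <fstream>
#include <stdexcept>
#include <string>
#include <vector>

namespace fs = std::filesystem;

// Bytes between the end of the file's data and the end of its last cluster.
// An empty file or an exact multiple of the cluster size has no slack.
std::uintmax_t slackBytes(std::uintmax_t fileSize, std::uintmax_t clusterSize) {
    if (clusterSize == 0) return 0;
    return (clusterSize - fileSize % clusterSize) % clusterSize;
}

// Hypothetical helper, not the tool's ClearSlack(): grow the file to the
// cluster boundary with zeros, flush, then trim it back to the saved size.
// Returns the number of slack bytes overwritten in each pass.
std::uintmax_t overwriteSlack(const fs::path& file, std::uintmax_t clusterSize,
                              int passes = 3) {
    const std::uintmax_t original = fs::file_size(file);  // saved state
    const std::uintmax_t slack = slackBytes(original, clusterSize);
    if (slack == 0) return 0;
    const std::vector<char> zeros(static_cast<std::size_t>(slack), 0);
    for (int i = 0; i < passes; ++i) {
        {
            std::ofstream out(file, std::ios::binary | std::ios::app);
            out.write(zeros.data(), static_cast<std::streamsize>(zeros.size()));
            out.flush();
            if (!out) throw std::runtime_error("write failed: " + file.string());
        }  // stream closed before the file is resized
        fs::resize_file(file, original);  // trim back; file data is untouched
    }
    return slack;
}

int main() {
    // Constructed sample: a 1000-byte file and an assumed 4096-byte cluster.
    const fs::path sample = fs::temp_directory_path() / "slack_demo_constructed.bin";
    { std::ofstream f(sample, std::ios::binary); f << std::string(1000, 'A'); }
    const auto wiped = overwriteSlack(sample, 4096);
    const bool ok = wiped == 3096 && fs::file_size(sample) == 1000;
    fs::remove(sample);
    return ok ? 0 : 1;
}
```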
To Do:
1. Implement compatibility with FAT32 file system.
2. Add options to display file data or disk data.
Resources:
The following link and PDF have a great deal of information on how files are organized
on disk.
http://www.wd-3.com/archive/luserland.htm
http://grayscale-research.org/new/pdfs/NTFS%20forensics.pdf
Contact information:
(name)Diego Urquiza
(email)Diego_Urquiza@Mcafee.com