From: Martijn Lina (martijnmedialab.lostboys.nl)
Date: Thu Oct 04 2001 - 06:22:56 CDT

    Once upon a 04-10-2001, Sheldon Hearn hit keys in the following order:
    >
    > > first of all, be sure that absolutely nothing is writing to the disk
    > > anymore. the inodes that have been freed last, will be the first to be
    > > used again.
    >
    > Are you sure about that?

    pretty sure. Wietse Venema said that in a Dr. Dobb's journal:

            For all intents and purposes, when you delete a file with
            "rm" it is gone. Once you "rm" a file, the system totally
            forgets which blocks scattered around the disk were part
            of your file. Even worse, the blocks from the file you
            just deleted are going to be the first ones taken and
            scribbled upon when the system needs more disk space.

    http://www.ddj.com/articles/2000/0012/0012h/0012h.htm

    i think it's because of better performance. if the system has no info about
    which inodes are free to write to, it would have to look on the disc which one
    can be used. if inodes are deleted, the system would benefit from keeping
    references of those unallocated inodes in memory, so it wouldn't have to look
    on the disc. saves time...

    some other links to similar articles can be found here:

    http://www.fish.com/forensics/

    just when i was in search of that article, i found tctutils, an extension to
    Wietse's tct which might be useful:

    http://www.cerias.purdue.edu/homes/carrier/forensics/

    martijn
