Did some backups today and filled my external 250 gig. I've had to cut out some of what goes on that drive and in trying to delete these files, the system hung up. Naturally, I didn't like the idea of just turning off the external drive in the middle of writing, but everything was frozen and I didn't have much choice. Sure enough, the drive had problems after this and I couldn't fix them when the computer was already booted. Since this was a USB drive, I wasn't sure it would be mounted when the system first booted so it could be scanned. Luckily, it was and the problem has been taken care of. It's irritating you can't simply tell this operating system to not touch a drive so you can do things like repair utilities.
I went to assist in a court case this morning as a "computer expert". I didn't believe I was qualified to challenge the forensic evidence, but I was sure left with questions as to how what they had qualified as evidence. I don't know many of the details about the case and from what little I do know, I'm not sure I want any more details. The forensic evidence from the computer was from unallocated clusters, where apparently several unlogged conversations from Yahoo IM had been found. This data was not from a swap file and the way it apparently got onto the hard drive was a sort of over-run process. This is the only explanation I can come up with: When files are written to disk, they don't always fill an entire cluster. Operating systems like XP typically format using 4k cluster sizes. When writing data to disk, extra data is needed to pad the remaining bytes in the cluster until the data size is evenly divisible by 4k. This data at the end is basically the result of a buffer overflow, so in theory could read from essentially anywhere in memory. Since operating systems like XP are often doing something that requires writing to disk, this can happen a lot. In practice, however, things are more complicated. At most, the amount of overrun data is 1 byte less than 4k for this scenario. But even if that happened and happened regularly, we're talking 4k of however much memory the system has, say 256 MB. The likelihood of overruns always happening with memory blocks that happen to be next to IM conversation blocks really seems like a long shot. Not only that, it seemed there was a lot of damning evidence pulled out with this method from several dates. And from what I was told, these conversations had happened a long time ago and the data recovered more recently.
While I don't really doubt the authenticity of the data presented, I do question how it was obtained. I've considered doing a test using Yahoo IM on a virtual machine to see how much conversation data is left on disk-- I simply can't believe such a random process could have preserved so much information.
In light of this, I scheduled GPG to wipe free space on my drives regularly and I would encourage anyone who uses IM to do the same. In the age of "heightened security" to "prevent terrorism", it's better not to have the remnants of a humorous subversive conversation possibly sitting around on your hard disk because you never know if you might have to explain it to a jury one day.
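As an added illustration (not part of the original post), the sketch below models a 4k-cluster volume in memory and shows how the unused tail of a file's last cluster can keep text from whatever previously occupied that cluster, and how overwriting that tail removes it. The in-memory volume, the function names and the chat text are all constructed for the example, and it assumes the leftover bytes come from older on-disk data.

```python
import re

CLUSTER = 4096  # 4k cluster size, as mentioned in the post

def slack_bytes(file_size, cluster=CLUSTER):
    """Unused bytes in a file's last cluster (0 .. cluster-1)."""
    return (-file_size) % cluster

def write_file(volume, start_cluster, data):
    """Write data at a cluster boundary; the rest of the last cluster
    is left untouched (assumption: the filesystem does not clear it)."""
    off = start_cluster * CLUSTER
    volume[off:off + len(data)] = data

def slack_region(start_cluster, file_size):
    """(start, end) byte offsets of the slack that follows a file."""
    start = start_cluster * CLUSTER + file_size
    return start, start + slack_bytes(file_size)

def printable_strings(blob, min_len=8):
    """Runs of printable ASCII, like the `strings` tool would report."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]

def wipe(volume, start, end):
    """Overwrite a byte range with zeros."""
    volume[start:end] = bytes(end - start)

def demo():
    volume = bytearray(4 * CLUSTER)  # constructed 16 KiB "disk"
    # Constructed sample text standing in for an old file in cluster 1.
    old = (b"alice: constructed sample chat line\n" * 200)[:CLUSTER]
    write_file(volume, 1, old)
    # The old file is "deleted" and a 100-byte file reuses the cluster.
    new = b"N" * 100
    write_file(volume, 1, new)
    start, end = slack_region(1, len(new))
    before = printable_strings(bytes(volume[start:end]))
    wipe(volume, start, end)
    after = printable_strings(bytes(volume[start:end]))
    return end - start, before, after

if __name__ == "__main__":
    size, before, after = demo()
    print(f"slack: {size} bytes, strings before wipe: {len(before)}, after: {len(after)}")
```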
Pictured is a shot with fairly active lines. It will become part of my Doors gallery when I assemble that.