1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Want to do a text string search of free space on a disk

Discussion in 'All Other Software' started by Alex Ethridge, Jan 8, 2008.

Thread Status:
Not open for further replies.
Advertisement
  1. Alex Ethridge

    Alex Ethridge Thread Starter

    Joined:
    Apr 10, 2000
    Messages:
    9,038
    Does anyone know of a program that will do a text string search of the free space on a hard disk?
     
  2. lotuseclat79

    lotuseclat79

    Joined:
    Sep 12, 2003
    Messages:
    20,583
    Hi Alex,

    I do not know of any such program. Most text string search programs only operate on files that can be opened in file systems. Free space is usually reserved in a pool within the file system as a set of inodes. As such, when a file is deleted, it's contents remain, but the data is still there on the disk - is that the free space you are talking about?

    If that is the case, then it seems to me, you should immediately shut down your system, and boot up a Live CD (Linux would be suitable), and then run a file recovery program which could potentially place the recovered files into another partition so as not to disturb the existing state of the file system being probed for deleted files to be recoverd or at least put into one new place on the same file system if another partition is not feasible.

    Sounds like a forensic task, so there may be forensic toolkits out there with the capability to do this in some way.

    Other than that, you might have a look at the Windows Sysinternals complement of tools to see if they have a tool that can do this task. I know that they have a tool that can wipe the deleted file space that has been freed up.

    -- Tom
     
  3. Alex Ethridge

    Alex Ethridge Thread Starter

    Joined:
    Apr 10, 2000
    Messages:
    9,038
    Yes.
    Exactly but, there are no tools I can find under $4000 or so, give ot take $500. Maybe something in Linux; but, I know nothing about Linux
    I won't say I've thoroughly examined everything there is; but, I cannot find anything that searches free space.
     
  4. Frank4d

    Frank4d Retired Trusted Advisor

    Joined:
    Sep 10, 2006
    Messages:
    9,126
  5. lotuseclat79

    lotuseclat79

    Joined:
    Sep 12, 2003
    Messages:
    20,583
    Hi Alex,

    Here are some free forensic resources:
    FoundStone at: http://www.foundstone.com offers Free Forensic Tools with a Forensic Toolkit. Try Resources then Free Tools link. Looks like foundstone was bought up by McAfee, so I don't know if it is still available (it is now a division of McAfee). Here is the new link to the free tools. I don't know if any of the tools do what you want, however.

    Note: since Windows NTFS file system is of a different design than that of a Linux or Unix, it would probably need Windows oriented forensic tools to interface with the NTFS file system whereas the Linux/Unix oriented tools for those file systems:

    I do know of a Windows forensic toolkit, but it is only for memory images, not disk.

    I know from looking at the webpage that you can try before you buy for free as long as you need: WinHex: http://www.x-ways.net/winhex/index-m.html I would certainly try it!

    Also, here's more info I have that you can explore to see if it will help in your quest:
    * Browse the protected storage area

    Protected Storage Explorer: http://www.forensicideas.com

    http://www.forensicideas.com/downloads/PSESetup.zip (50KB)

    * Protected Storage Code Project article

    http://www.codeproject.com/tools/PSExplorer.asp

    * Download Freeware Utility

    http://www.codeproject.com/tools/PSExplorer/PSESetup.zip (1149 KB)

    If you discover what works, please let us know in this thread. It sounds like it would be a very useful tool to have and run on a regular basis.

    I still think that a competent file recovery program redirected to another partition would be a great way to do this kind of program. It would save the files already deleted but still existing for later search in an area that would not disturb your current free space.

    On the other hand, a useful program would be one that outputs a map of the free allocated areas on a disk, and a complementary program would be one that takes the output of that program and performs the scans that you desire. A third complementary program would be one that wipes any hits detected by the second program as an alternative action if so desired.

    -- Tom
     
  6. lotuseclat79

    lotuseclat79

    Joined:
    Sep 12, 2003
    Messages:
    20,583
    Found The Sleuth Kit which may contain some tools of interest to you.

    -- Tom
     
  7. DaveBurnett

    DaveBurnett Account Closed

    Joined:
    Nov 11, 2002
    Messages:
    12,970
  8. Alex Ethridge

    Alex Ethridge Thread Starter

    Joined:
    Apr 10, 2000
    Messages:
    9,038
    FYI Disk Investigator does not search free space. I've run several tests and found it does not.

    I created six files with a certain unique text string in them. I deleted three of them and then did a search for the string. Disk Investigator found only the files that had not been deleted.
     
  9. Alex Ethridge

    Alex Ethridge Thread Starter

    Joined:
    Apr 10, 2000
    Messages:
    9,038
    Frank4d,
    I have an e-mail in to Acronis inquiring whether their disk editor will do an automated search of the disk's free space. Thanks for the link.

    lotuseclat79,
    I downloaded SleuthKit several days ago and I can't mke much of it. So far, nothing jumps out at me. I have too much to learn about file systems and the associated storage methods before I can understand what all that stuff does. SleuthKit's main page has prodded me to do that.

    I haven't had a chance to check out your other links; but, I get back and let you know what I find.
     
  10. lotuseclat79

    lotuseclat79

    Joined:
    Sep 12, 2003
    Messages:
    20,583
    Hi Alex,

    If you really want to dig into file system design, you can download this pdf document on the BFS, the BeOS FS, Practical File System Design. It is free to download, and is also a book from Morgan Kaufmann in SF, CA circa 1999, but now out of print.

    Also, from the author, you can download his file system construction kit and experiment with changing the C code that manipulates free and used disk blocks here. In a uniz/linux environment use gunzip <file> and then tar -xf <file> to uncompress and then extract the files from the tar ball, i.e. fs-kit-0.4.tgz download file.

    I like that you brought up this thread/topic as it looks like a tool gap the more I think about it. The Win SysInternals folks now at M$ do have a tool to wipe free space, i.e. recently deleted file space.

    -- Tom
     
  11. DaveBurnett

    DaveBurnett Account Closed

    Joined:
    Nov 11, 2002
    Messages:
    12,970
    Now that IS curious because it does for me.
     
  12. Alex Ethridge

    Alex Ethridge Thread Starter

    Joined:
    Apr 10, 2000
    Messages:
    9,038
    I'll recheck my settings and run the test again.

    Thanks for the persistence.
     
  13. DaveBurnett

    DaveBurnett Account Closed

    Joined:
    Nov 11, 2002
    Messages:
    12,970
    Mine was Fat32
     
  14. Alex Ethridge

    Alex Ethridge Thread Starter

    Joined:
    Apr 10, 2000
    Messages:
    9,038
    Mine is FAT32 also. I reran the test and it worked as you said.

    I don't know what I did wrong the first time; but, it worked this time. I have one possible theory why: The first time I did it, I created the files and saved them, I deleted the files immediately and ran the search immediately. This time (the time it worked), I restarted the computer and then ran the search.

    Maybe disk cacheing had something to do with it; I don't know.
     
  15. Alex Ethridge

    Alex Ethridge Thread Starter

    Joined:
    Apr 10, 2000
    Messages:
    9,038
    It will be interesting to find out if Disk Investigator will search the free slack space in a used cluster.
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/669465

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice