How to remove a filename from the FAT??

ramsejp asked:
I want to remove all traces of a filename from the FAT.  When I delete it regularly the file's first letter is just replaced with a '?'.  I want to be sure no trace is left.  Right now I write like 50,000 files and delete them to overwrite the filename.  This is ok but I'd like to be able to do it faster.  If you know what the minimum number of files I have to write to do it under FAT16, FAT32 and NTFS, that would help also.  

Thanks,
Jason

Commented:
Just a thought that I haven't tried:

Rename the file first, then delete it.

If the rename changed the same sector, then you've essentially erased the name.  If you rename it as a single character, then the delete will erase that character.

Author

Commented:
renaming the file doesn't work because the fs treats it as though you deleted a file then created a new one.  So, the original filename is still there with the '?' in front.

That's why I write a ton of files to the fat so it will overwrite the filenames that no longer exist on the drive.

Commented:
Jason,

What does the entry name in the catalog matter?  The contents of the file are the important thing to protect.

I need to know more about how this file is used by your application.

Some suggestions (depending on answers to the above):
* use a memory-mapped file
* use a small disk partition and format it.
* use a RAM disk
* use an illegal file name
* partially defrag the disk

Author

Commented:
the file is already there.  i have no control over the original file.  I want to remove all traces of the file, which include filename.  Example why the filename matters:

FBI comes to your house.  You erase your bomb making instructions on the machine but the filename stays in the FAT as "?ow To Make A Bomb.txt".  Is this important??

This is an extreme example but what about porn filenames, "?oung girls.jpg", that your wife finds after you've told her you weren't looking at porn?

It matters.  All i need to do is completely remove all evidence of a filename given the complete filename and path.  I don't care if it's written over or whatever as long as it's gone.

Commented:
LOL--"what about porn filenames...that your wife finds after you've told her you weren't looking at porn?"

If that's the state of your marriage, and she's that technically skilled, you're in trouble anyway! ;)  P.S. watch out for website monitors and hidden video tape machines in your walls!

--
Of course, I understand the reason behind the question, and there are manual solutions such as Norton DiskEdit, but I'm not sure which API to use, if any, and whether it depends on which O/S you use.  E.G. Win95/98/ME may require a different solution from WinNT/2K.

Since this one goes directly to the hardware, I suggest looking for a solution in the various drivers.



Commented:
This is pretty simple and is basically what Norton does. Do the following:
1. Open the file for Binary, Write access.
2. Write a null string of length equal to the length of the file.
3. Close the file
4. Delete it

Something like:

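Sub WipeClean(ByVal FileName As String)
    Dim Buffer As String
    Dim Handle As Integer

    Handle = FreeFile
    Open FileName For Binary Access Write As Handle
    ' Build a buffer of null characters as long as the file
    Buffer = String$(LOF(Handle), 0)
    ' Overwrite the contents from the start of the file
    Put #Handle, , Buffer
    Close Handle
    ' Delete the overwritten file
    Kill FileName
End Sub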

Call it as follows:
WipeClean "d:\temp\Test.txt"

Anthony

Commented:
To clarify #2 should read:

Write a string of length equal to the length of the file composed of null characters (Chr$(0)) or some other character.

Anthony

Commented:
That's good for the file contents, but to clear the filename, you'd have to open the disk sector File Allocation Table "file" and locate that file and remove it.  I think that the Norton tools do this at low-level and bypass Windows (at least they used to years ago.)

well zapping a file is pretty easy
zapping its name completely from the fat is something else
if i remember well there was an interrupt under good old dos to directly write disk sectors and that was used to change a filename in the fat
i doubt if it can be done under windows, unless maybe if you make a program that runs in the kernel, but if that can be done with vb i have no idea
what comes to my mind is:
there are a limited number of files that can live in the root of a disk
so if you place your sensitive files in the root
then if you want to overwrite their names just kill all these files, write files to the root until the root is full, now these filenames will be overwritten, then again kill all these files, the result will be these sensitive filenames will have disappeared
if you want to make sure the contents of these files will be gone also you will first have to overwrite that contents with rubbish, or better yet with innocent content

Commented:
The limit in the root used to be 255 files (Win 3.1), but that may have changed with newer versions of DOS/Windows.

And for all other folders (directories) the size was unlimited (actually limited by disk space.)

--
It seems that maybe you need to start looking into the source--how does this file get on your system, and can you possibly prevent it from showing up there?

Commented:
ramsejp

renaming a file DOES NOT create a new copy of the file, so you can rename it from JenaJameson.jpg to j, and even if there is an entry in the FS that says ?enaJameson.jpg , that will not point to your file anymore, that space is occupied by "j" now, so if you first rename the file and then overwrite with a zero length string, or wipe it entirely doing what aikimark or acperkins told you.


if you overwrite with a zero byte string or just create the file (open "j" for output as 1) and then just (CLOSE) the file the data will still remain somewhere in your hard drive, but will not be recoverable by those handy utilities (norton unerase etc etc etc), you would have to do it manually sector by sector identifying which one belongs to your file. (imagine this in a hex editor on a large disk like the one you use for your porn) would be really difficult, but if you want to be sure, then just wipe it as they told you already, and after wiping it rename it, (the only thing that will remain probably will be the file name, but not the data)

Commented:
It would seem quicker to just rename the file 50000 times rather than write the file.

I guess it seems a little late to ask if you've tried the Kill VB statement and the DeleteFile API...but have you?

What about sending the file to the recycle bin and then deleting the file from there with the shell APIs?

Author

Commented:
arana:

I just tested this again on an Me machine.  I created a .txt file called "dog" with dog written to it.  Then I renamed the file "cat" and changed all the dogs to cats and deleted it.  I then ran my undelete utility and it listed both "dog" and "cat".  I undeleted "dog" and it contained all cats.  So it must create a new filename that points to the same location as the old filename, keeping the old filename in the FAT.

Is there a way to just rename a file in VB?

Anyone know some code that will list out the fat?
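An added example, not part of the original thread: on FAT volumes a filename is stored in a 32-byte directory entry, and deletion only replaces the first name byte with the marker 0xE5, which is why undelete tools can still list the rest of the name and the start cluster. The sketch below scans a constructed directory sector modelled on the dog/cat test above; the sample entries, the helper names and the restriction to short 8.3 entries (long-name fragments are skipped) are assumptions of the example.

```python
import struct

ENTRY_SIZE = 32
DELETED, END_OF_DIR, ATTR_LFN = 0xE5, 0x00, 0x0F


def make_entry(name, ext, cluster, size, deleted=False):
    """Build one constructed 8.3 directory entry (sample data, not from a disk)."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:11] = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    raw[11] = 0x20                                   # archive attribute
    struct.pack_into("<HI", raw, 26, cluster, size)  # start cluster, file size
    if deleted:
        raw[0] = DELETED                             # deletion changes only this byte
    return bytes(raw)


def scan_directory(data):
    """Return a dict for every 8.3 entry in a raw directory region, live or deleted."""
    found = []
    for off in range(0, len(data) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = data[off:off + ENTRY_SIZE]
        if raw[0] == END_OF_DIR:
            break                                    # nothing was ever used past here
        if raw[11] & 0x3F == ATTR_LFN:
            continue                                 # long-name fragment, out of scope
        deleted = raw[0] == DELETED
        first = "?" if deleted else chr(raw[0])      # first character is lost on delete
        name = (first + raw[1:8].decode("ascii", "replace")).rstrip()
        ext = raw[8:11].decode("ascii", "replace").rstrip()
        cluster, size = struct.unpack_from("<HI", raw, 26)
        found.append({"name": f"{name}.{ext}" if ext else name,
                      "deleted": deleted, "cluster": cluster, "size": size})
    return found


def residual_names(data):
    """Names of deleted entries still readable in the directory region."""
    return [e["name"] for e in scan_directory(data) if e["deleted"]]


# Constructed sample: two deleted entries sharing a start cluster, one live file.
SAMPLE_DIR = b"".join([
    make_entry("DOG", "TXT", 5, 4, deleted=True),
    make_entry("CAT", "TXT", 5, 4, deleted=True),
    make_entry("README", "TXT", 9, 120),
]) + bytes(ENTRY_SIZE)

if __name__ == "__main__":
    for entry in scan_directory(SAMPLE_DIR):
        print(entry)
    print("residual deleted names:", residual_names(SAMPLE_DIR))
```

An empty result from residual_names over a directory region is the check that no deleted short-name entries remain there.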

Commented:
Rename in VB:

Name "oldname" As "newname"

Listing the FAT?  Don't know.

Author

Commented:
I used the Name function above to change the name to a random string 100 times, then I deleted the file.  The original name still showed up in the undelete program.  I guess it doesn't really matter how many times you rename it since the actual location of the filename only gets renamed once.  And, it's not even getting overwritten, just 'removed' from the table.  I guess I need a way to find the physical location of the filename so I can overwrite that area...

Getting rid of the data isn't a problem, it's the name.  So far, the only way I've been able to do it involves creating a ton of files that eventually fill up the table, I guess, obscuring the name.  Only problem is this can take forever.

Any more ideas?

Commented:
Although I've seen references to a Defrag API, there doesn't appear to be reliable documentation on its use or warnings.

In any event, you would need to put a volume lock on the partition in order to fiddle with FAT.  That will cause considerable concurrency and performance problems.

You would do well to look into some of the commercial file wipe products and see if you can live with them (shelling out to them or have them start automatically).

Of course, some versions of Windows have their own Defrag utility.  However, your problem becomes one of starting them with the correct parameters (in addition to the concurrency and performance problems mentioned earlier).

OK the following will tell you how many files can at the most still be written to your disk:
Private Declare Function GetDiskFreeSpace Lib "kernel32" Alias "GetDiskFreeSpaceA" (ByVal lpRootPathName As String, lpSectorsPerCluster As Long, lpBytesPerSector As Long, lpNumberOfFreeClusters As Long, lpTotalNumberOfClusters As Long) As Long

Private Sub Command1_Click()
    Dim NumberOfFiles As Double
    Dim NumberOfBytes As Double
    HowMuch NumberOfFiles, NumberOfBytes
    Print NumberOfFiles; " Files for a total of "; NumberOfBytes; " Bytes"
End Sub

Private Sub HowMuch(NumberOfFiles As Double, NumberOfBytes As Double)
    Dim a As Long
    Dim SectorsPerCluster As Long
    Dim BytesPerSector As Long
    Dim NumberOfFreeClusters As Long
    Dim TotalNumberOfClusters As Long

    a = GetDiskFreeSpace("C:\", SectorsPerCluster, BytesPerSector, NumberOfFreeClusters, TotalNumberOfClusters)
    NumberOfFiles = CDbl(NumberOfFreeClusters)
    NumberOfBytes = CDbl(SectorsPerCluster) * BytesPerSector * NumberOfFreeClusters
End Sub

so if you write that many files (they may be empty) and then kill the porn file,write 1 more file, the name will be overwritten
however there is a way to do it in much less writes:
write 1 file that is as long as the free diskspace
then kill the porn file and write 1 more file
however the maximum length of a file depends on your os
say your os only permits 2 Gig files you will have to write (freediskspace/NumberOfBytes) files of 2 Gig before killing the porn file and write 1 more file

sorry correction
(freediskspace/NumberOfBytes)
should be:
(NumberOfBytes/2 Gig)
oh yes
dont write gigabytes of data just move the filepointer as follows:

Private Type Filetype
    something As String * 1024
End Type
Dim TheFile As Filetype

Private Sub Command1_Click()
    Open "c:\test.tst" For Random As #1 Len = Len(TheFile)
        Put #1, 10000, TheFile
    Close #1
End Sub

that will at once write 10 Meg to the file
(10000 * 1024)

Commented:
take a look at this utility
(not sure if you NEED to do it by VB specifically)

this one overwrites your filenames:

http://www.east-tec.com/eraser/compare.htm


write at least 8 patterns to the file

patterns:  (all zeroes, all 1's, alternated, random) etc.

00,ff,aa,55,random
\--------v--------/
    RANDOM order
to ensure it won't be recovered

it would be interesting to find a way to OVERWRITE the filename by VB code, i'll keep tunning...! :)
arana
>>it would be interesting to find a way to OVERWRITE the filename by VB code, i'll keep tunning...! :)
read the 3 previous comments

Commented:
i was talking WITHOUT filling the directory, something more elegant.

erasing the file and then filling the directory will also work, then you will have to delete all your fake files.


may be something more direct

Author

Commented:
pierrecampe:

that's what I was doing already but without the knowledge of how many I needed to write.  thanks for the info, i'll try that and let you know how it goes.  if anyone finds, as arana puts it, "something more elegant" please let me know.  the file creating method can take a while.

jason

Commented:
Again, I have to question the source of this file.  Maybe there's a different way to approach the problem that will prevent the file from ever being placed on your drive with the undesired name...or is it other people's drives that you're trying to fix?

Author

Commented:
right, it's not just limited to my drive.  family, friends, at the office, etc.

Commented:
And is this something that is recurring so you have to do it over and over?

1) If someone else is generating this file, do you really care if it's erased (unless you're trying to hide a virus that you placed on their system!)  It's not that I'm accusing, but if you're that concerned about hiding a trail of something, then it's usually tied in with unethical practices or something that you're terribly ashamed of (and that you shouldn't be doing on others' machines.)

2) If you create this file (through some other process, like viewing a website) why can't you use a different method to create the file so it starts with a different name?

3) If the file starts out there, then this is possibly a one-time fix, and the method you're using now will suffice.

Being that you're obviously concerned with secrecy over this, I don't know that we can really help anymore than this.

Author

Commented:
all i need is a way to remove all traces of the filename using vb or even some other language as long as i can hook it into vb, quicker than the way i do it now.  that's it.  there is NO way to affect the way the file is put on the hd or prevent it from being put on the hd.  Ever gone to a site you thought was innocent enough but it actually took you somewhere else or popped up a background window of something you didn't want to see?  if so, that site could have easily set a cookie on your machine and called it whatever it wanted to call it and fill it with whatever text info it wanted to fill it with.  this is just one example.  i NEED to be able to remove the filename without taking 30 minutes to do it.


Commented:
why VB?

There are several commercial wipe and internet cleanup utilities available.

Author

Commented:
please, i know i can buy it.  i don't want to buy it.  i want to know how to write it.  vb because that's what i'm already writing it in and already have some other parts of the utility written in vb.

Commented:
The FAT differs between 12-bit "floppy" FAT, 16-bit FAT and 32-bit FAT32. You can track down all clusters allocated to a particular file by following what is called a cluster chain. You should find yourself a good media editor for editing raw data: http://www.whitehatinc.com/techassist/byteback/

Commented:
Don't think VB is going to cut it

Commented:
I'm sure it can be done in VB, but Visual Basic makes some things very easy and other things ridiculously difficult, for example editing raw data. There are plenty of samples that show how to read the FAT, but none I've seen in VB; most are for UNIX, Linux and OS/2.
here is a sample showing how to decode a 12 bit FAT.
msdos's debug can display the FAT.
F0 FF FF FF 4F 00 05 60-00 07 80 00 09 A0 00 0B
 C0 00 0D E0 00 0F 00 01-11 20 01 13 40 01 15 60

A decoded form of entries 2 through 9 is shown here:
Entry: 2 3 4 5 6 7 8 9 ...
Value: <FFF> <004> <005> <006> <007> <008> <009> <00A> ...


You can track down all clusters allocated to a particular file by following what is called a cluster chain. Let's follow the cluster chain starting with cluster 3. Here is how we find its matching entry in the FAT, using three steps:

1. Divide the cluster number by 2, resulting in an integer quotient. Add the same cluster number to this quotient, producing the offset of the cluster's entry in the FAT. Using cluster 3 as a sample, this results in Int(3 /2) + 3 = 4, so we look at offset 4 in the FAT.

2. The 16-bit word at offset 4 contains 004Fh (0000 0000 0100 1111). We need to examine this entry to determine the next cluster number allocated to the file.

3. If the current cluster number is even, keep the lowest 12 bits of the 16-bit word. If the current cluster number is odd, keep the highest 12 bits of the 16-bit word. For example, our cluster number (3) is odd, so we keep the highest 12 bits (0000 0000 0100), and this indicates that cluster 4 is the next cluster.

Please have a look here
http://www.nuvisionmiami.com/books/asm/workbook/DecodingFAT12.htm
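The three decoding steps above, as an added Python example that is not part of the original post: it decodes the 32-byte FAT12 dump quoted in the post and follows the cluster chain from cluster 3. It goes slightly beyond the post by also stopping on end-of-chain, bad-cluster, free and reserved values, on loops, and when the chain runs past the end of the dump; the function names are chosen for the example.

```python
# The 32 bytes of FAT12 data quoted in the post above.
FAT_DUMP = bytes.fromhex(
    "F0 FF FF FF 4F 00 05 60 00 07 80 00 09 A0 00 0B"
    "C0 00 0D E0 00 0F 00 01 11 20 01 13 40 01 15 60"
)

BAD_CLUSTER = 0xFF7      # marks a cluster that must not be used
END_OF_CHAIN = 0xFF8     # 0xFF8..0xFFF all mean "last cluster of the file"
RESERVED_MIN = 0xFF0     # 0xFF0..0xFF6 are reserved values


def fat12_entry(fat, cluster):
    """Return the 12-bit FAT entry for a cluster number."""
    offset = cluster // 2 + cluster            # step 1: Int(n / 2) + n
    if offset + 2 > len(fat):
        raise IndexError(f"entry {cluster} lies outside the FAT data")
    word = int.from_bytes(fat[offset:offset + 2], "little")   # step 2
    # step 3: odd clusters use the high 12 bits, even clusters the low 12 bits
    return word >> 4 if cluster & 1 else word & 0x0FFF


def follow_chain(fat, start):
    """Walk a cluster chain; return (clusters, reason the walk stopped)."""
    chain, seen, cluster = [], set(), start
    while True:
        if cluster in seen:
            return chain, "loop"               # corrupt FAT: chain revisits a cluster
        seen.add(cluster)
        chain.append(cluster)
        try:
            nxt = fat12_entry(fat, cluster)
        except IndexError:
            return chain, "truncated"          # dump ends before the chain does
        if nxt >= END_OF_CHAIN:
            return chain, "end-of-chain"
        if nxt == BAD_CLUSTER:
            return chain, "bad-cluster"
        if nxt >= RESERVED_MIN:
            return chain, "reserved"
        if nxt < 2:
            return chain, "free"               # 0 = unallocated, 1 is not a valid link
        cluster = nxt


if __name__ == "__main__":
    print([f"{fat12_entry(FAT_DUMP, n):03X}" for n in range(2, 10)])
    print(follow_chain(FAT_DUMP, 3))
```

Because the quoted dump is only 32 bytes long, the walk from cluster 3 ends with "truncated" at cluster 21 rather than reaching an end-of-chain marker.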




Commented:
One last idea from me on this question...
1. Overwrite the contents of the files, at least three times, with garbage/random characters.
2. Delete the file.
3. Launch the defragger utility.  If possible, tell the utility to only defrag the FAT, not the actual files on the drive.

==========================================
ramsejp,

Are you still participating in this discussion?
Has your wife/mom/government removed your browsing privileges or your PC? (for lack of an answer to this question)

Since this question is getting stale, please consult with Community Support about what to do with this question's status.

Commented:
Hi ramsejp,
It appears that you have forgotten this question. I will ask Community Support to close it unless you finalize it within 7 days. I will ask a Community Support Moderator to:

    Refund points and save as a 0-pt PAQ.
    *** nobody answered the question.  I think the  solution will involve turning off Undelete monitoring before renaming.

ramsejp, Please DO NOT accept this comment as an answer.
EXPERTS: Post a comment if you are certain that an expert deserves credit.  Explain why.
==========
DanRollins -- EE database cleanup volunteer

Commented:
I think there IS a solution.  PC Magic allows you to hide directories.  There is also a version that encrypts the contents of the hidden directory.  Applied to the problem stated by ramsejp, one could hide the temporary internet files directory or the nefarious_deeds directory.  PC Magic makes the directory visible only when you've entered the correct password.

You might need to encrypt the nefarious_deeds files with a different algorithm and password in order to feel completely safe.

Note that a judge can order you to unhide or decrypt files.  Failure to comply will land you in jail on a contempt of court charge.  Depending on what you are storing on your PC, you might not be covered by the fifth amendment to the constitution (if you are a US citizen).  

Also, the NSA can usually decrypt most encrypted files that are protected by commercially available software.  If your nefarious_deeds pertain to national security threats, then forget about it.  We wouldn't help you do something like this anyway.

Commented:
The issue here is very simple:  How can a person remove the remnant of the FILENAME from a DIRECTORY after that file is DELETED (all discussion of the FAT is totally irrelevant).  There are plenty of completely legitimate reasons to need to do this (e.g., to protect business secrets; to erase traces of a file that contains your credit card number or passwords; to erase the filename of a picture of your dog so that a hacker can never know the name of your dog, which is your password to your account on your bank's website...)  There is no need to bring NSA and court orders and kiddy porn into the discussion.

What amazes me about this question is that nearly every expert came in with how to obliterate the file contents, and ramsejp had to explain over and over again that it's all about obliterating the fileNAME.

-- Dan

Commented:
Dan, again I agree with your decision, but ramsejp was also very elusive about the source of the file and why it needed to be erased.  We offered many alternate ideas which could have been viable in some circumstances.  You'll notice that the very first comment was in the right vein, but was rejected by ramsejp.  After that, much of the conversation went toward removing traces of the file contents rather than the file name, as you pointed out.

Dan
consider the following:
i have given a complete and correct answer to the question
the method i explained is the ONLY way it is possible in pure VB to totally erase any remnant of the filename of a deleted file
also consider what ramsejp wrote:
************************
pierrecampe:
that's what I was doing already but without the knowledge of how many I needed to write.  thanks for the info, i'll try that and let you know how it goes
************************
but ramsejp never did let me know, did he/she ?
so i think moving the question to the paq with 0 point is reasonable
but restituting the points i don't find reasonable
however whatever you decide to do with it, is ok by me
greetings
Pierre

Commented:
Dan,

I'd recommend splitting the points amongst the experts who gave their time.  Non-participation of the question asker doesn't absolve them from spending their points.

Commented:
Thanks for the input.  
aikimark,
I can buy that.  Will you mind going through the posts here to identify the experts who addressed the actual problem (and not the erasing file content side issue) and listing them?  I'll then recommend a split between these experts.

- Dan

Commented:
maybe this guy is an Evidence Eliminator developer (i read somewhere this is written in VB)

should try to see how EE works,
"file was already there"
"the fbi comes..."
"the porn site that..."

all those sound like some commercial cleanup program!

just a comment.
(still want to know if there is an easier way, maybe renaming the file N times would be faster than creating N files)

Commented:
also pierrecampe suggested creating a HUGE file and then kill the target and create a new file, i don't think that would work, since filling the HD with data even if you have only one file still lets you create a LOT of directory entries (0 byte files).


it is interesting still.

Author

Commented:
It's me!  Sorry about not responding.  The way I ended up doing it was the same way I began the thread doing it.  Basically writing a lot of files and then deleting them to push the original filename off the table.  I think based on everything, pierrecampe is most deserving since that is, apparently, the best way to remove a filename using VB.

Jason

arana
yes you're right, the way to do it is: write as many zero length files as there are free clusters, then kill the offending file and write 1 file more
and that is what i said at first, but then i got carried away on the topic and forgot what it was about in the first place, sorry my fault
