Sent Items Logging
snowman
December 22nd, 2002, 08:49 PM
As requested by LowWaterMark in this thread:
http://www.wilderssecurity.com/showthread.php?t=5507;start=0
a new topic is being started.
*** ********* ********* ***
Most here at the forum are aware that the index.dat file keeps a hidden record. Following the steps outlined in the above listed post I did a quick search and it does appear that this "Sent Items" folder does the same thing to a large extent. A complete listing of every program on my OS plus every third party program plus un-installed programs was listed in this Sent Items folder. Also listed were many URLs; many do appear to possibly be related to program update features but not sure as yet.
This appears to be related to Outlook Express, the e-mail client, but feel free to correct this assumption. But why would so much OS information be logged in the Sent Items folder?? One of the programmers here may be able to advise on that question.
If the index.dat file is cleaned for reasons of privacy, should not the Sent Items folder also be cleaned? After all, what third party programs a person installs on his/her own computer is no one's business. There is also a legal issue of such information being used as evidence. Entrapment at its best. For a law abiding person that may not seem an issue......nevertheless it violates a person's privacy.
This is being posted for whatever comments, pro/con, may be forthcoming. I won't post my personal thoughts/opinion.
Regards
Snowman
snowman
December 22nd, 2002, 08:59 PM
Note: A person selling his/her computer will send this information on with the computer.....a wipe did not remove it.
snowman
December 22nd, 2002, 09:21 PM
according to M$:
http://support.microsoft.com/default.aspx?scid=KB;en-us;q198854
well guess what..that does not work...at least not in my case....save items sent has always been un-checked by me...but I got the listings anyway. Don't seem to be much interest in this topic so won't waste my time with further posting
link fixed by FanJ
FanJ
December 22nd, 2002, 09:30 PM
Hi Snowman,
I only just saw that you started this new thread.
As I have just posted in the other thread, I seem not to have any of those things you are talking about in that folder "sent items.dbx".
FanJ
December 22nd, 2002, 09:34 PM
Quoting snowman:
> Don't seem to be much interest in this topic so won't waste my time with further posting
Hi Snowman,
I AM interested !!!
I just don't understand why you have those things there and I did not!
snowman
December 22nd, 2002, 09:36 PM
Jan..yes, just replied to your other post....please excuse me....this is very disturbing.....nothing should be in my Sent Items folder.......security is set right according to M$ yet my entire OS is in there......third party programs..unknown URLs.....
this sure upsets me
snowman
snowman
December 22nd, 2002, 09:42 PM
Jan
the only way I can answer your question properly is to say that my entire C drive is listed in the Sent Items folder......
snowman
going to shut down and try to find an answer
snowman
December 22nd, 2002, 10:59 PM
JAN
GOOD NEWS! PROBLEM RESOLVED!! my friend you perhaps unknowingly provided the answer to this problem.....and I very sincerely thank you. In the Sent Items folder was every program that I use.....and seeing them listed there blew my cork......rarely does anything get me as emotional as this did......
The contents of the Sent Items folder is now deleted.
Seems M$ failed to provide proper instructions.....normal for M$. Seeing what your settings were, Jan, I just duplicated them...and it worked!! It appears that it's not enough to just check Delete sent items.....to actually enable the feature, "Delete news messages "X" days after being downloaded" must also be checked..........then the delete in Maintenance works. Sure hope our friend Butthead reads this...I owe him/her one for advising........and also grateful to you Jan.........
to some this may not have appeared as an issue.....well..and I shudder to even think about what could happen if the computer was given away with these still not deleted......
Being a person who never uses e-mail I never knew of this issue....never even gave it a thought....would never have given it a thought....whew!....I wonder how many other people don't know of this?
Will always wonder how it was that the contents of the entire C drive got listed in that folder...........and where did those unknown URLs come from.......
IMO this is a definite security issue....just my HO
Have a wonderful Christmas friend Jan......I would not let the season pass without coming to the forum to wish you all the greatest joy of the season
Sincerely
Snowman
Vietnam Vet
December 23rd, 2002, 12:16 AM
Hi snowman,
I just got real interested in this topic. In my sent items file there is some stuff related to this forum, dated from 10/10/02 to 10/20/02. The outbox file contains some firewall logs. The inbox file has some of my programs listed with version numbers and locations. There is a file called Pop3uidl.dbx containing something related to a post over at Becky's. I would be most interested to know why any of this stuff would be at these locations. And even more interested in how to get it out of there. Went back and checked the boxes related to the newsgroups also and then hit every delete or remove button in sight. No effect.
Thanks in advance for any advice.
luv2bsecure
December 23rd, 2002, 02:07 AM
Hey Snowy!
I think there's a LOT of interest here. With a name like Snowman you - of all people - should remember the hustle and bustle of the holidays has more than a few away from the board. :D
Good to see you posting.
Happiest of holidays to you!!
John
Luv2BSecure
luv2bsecure
December 23rd, 2002, 02:12 AM
Oh! One thing about Outlook Express - don't ever just "delete" from the delete bin. Most of us have tracks eraser/wiping utilities of some kind (or probably should if you don't) - and most allow you to make plug-ins or make "custom wiping" paths.
Always delete email you don't want to the delete folder in Outlook Express... and then WIPE the delete folder with your eraser. It re-creates itself upon reboot.
John
Luv2BSecure
Vietnam Vet
December 23rd, 2002, 02:52 AM
Hello Jooske,
Opened the files with Notepad. A lot of the stuff in there is unintelligible this way, but can see enough to get my attention. Earlier when I checked the deleted items.dbx everything was encrypted. Just before coming back here, checked e-mail, deleted without opening anything, then deleted from the deleted items folder as well, went to options and deleted from there as well. Rechecked the .dbx and not only were the e-mails there, but could read them as well.
luv2bsecure, concerning what you said about wiping the delete folder. Could the delete folder be dragged to a shredder (like in Spybot S&D, for example) and then recreate itself at boot, or am I heading down the wrong path here? If this is what you mean, how about the inbox and outbox, etc. that I mentioned before?
Primrose
December 23rd, 2002, 04:30 AM
The .dbx files are Microsoft Outlook Express folders and inboxes.
If you are using Outlook Express 5 you can find the files by doing a Windows 'Find' for *.dbx files. For OE4 try *.mbx
This link may clear up some mysteries for you.
http://content.techweb.com/winmag/fixes/2001/05.htm
By Dave Methvin
Updated February 9, 2001
(Saving Outlook Express Stuff and creating a backup for your mail so you never lose it again.)
Subject: Outlook Express!!
Losing mail can ruin your Day:
Mail, Love It -- Hate It Isn't It Great. So why is so little attention paid to good email backup? Most mail programs give you no help with the task. How do they expect you to recover your email after a crash, or move your mail to a new system? This week I'll give you some tips on how to prevent or recover from an email disaster in Outlook Express, the most-used email client on the Internet.
Emergency Data Recovery
Although .DBX files aren't plain text files, they do have the full text of your messages inside them. You can open them in WordPad in a pinch and extract important pieces of text. That's useful if the file becomes corrupted and OE can't read it. For example, OE may crash when you try to read a message in the folder or show that a folder is empty, even though the corresponding .DBX file is very big. In that case, rename the .DBX file to a .TXT extension and open it with WordPad. Then copy out whatever important text you can, and recreate a new folder in OE.
Also....
OLEXP: HotMail Messages Disappear in Outlook Express Folders (Q253474)
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q253474
OL2000: Differences Between Outlook and Outlook Express (Q257824)
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q257824
OL2000: Outlook Does Not Receive MSN E-mail Messages (Q268732)
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q268732
Read your MSN Internet Access e-mail on MSN Explorer
----------------------------------------------------
This program is based on MSN Hotmail, which is a Web-based e-mail service. When you upgrade to MSN Explorer, your e-mail Inbox will be converted from POP3 e-mail to Web-based e-mail automatically. This means all of your new e-mail will come to you in MSN Explorer and not in Outlook Express. If you need to see your old e-mail, you will be able to see it in Outlook Express.
Important details about your e-mail and newsgroups:
- You will not lose any e-mail.
- Your e-mail address will not change.
- You will receive all your new e-mail in MSN Explorer instead of Outlook Express.
- Your old e-mail will remain in Outlook Express.
- Your address book will be copied to MSN Explorer. It will also remain in Outlook Express.
- You can access your newsgroups through Outlook Express.
Uninstalling MSN Explorer and reinstalling a prior version of MSN Internet Access will not switch your e-mail account back to your previous program.
One big benefit of the MSN Explorer e-mail system is that it allows you to access your e-mail from any computer around the world with an Internet connection! You must be connected to the Internet to get your e-mail.
Because Web-based e-mail does not require Outlook Express, some e-mail features have changed. For example, your address book is now web-based so you can access information on your contacts from any computer.
If you have any more questions on email you will find the answer at these two links.
Microsoft Knowledge Base Dealing with OE and email
http://home.attbi.com/~jimpickering/
Inside Outlook Express
http://www.tomsterdam.com/insideOE/faqs/index.htm
Ghost
December 23rd, 2002, 07:21 AM
Which is why I asked javacool to come up with a program that would "blast" all sent and received dbx folders a long time ago (hey, he's been busy, what can I say? ).
http://www.wilderssecurity.com/showthread.php?t=4278
Douglas
December 23rd, 2002, 08:24 AM
Well now I'm interested. I have never once used Outlook Express since reformatting my drive a few months ago. I have no Sent.dbx file, but in my Inbox.dbx, there were many listings, mainly dealing with this forum (as was the case with Vietnam_Vet).
What is M$ doing? I don't touch a program, yet it tracks me!
Anybody got a Red Hat for sale? ;)
Douglas
Primrose
December 23rd, 2002, 08:26 AM
I never had the pleasure of using any of the Microsoft email client programs ;) or their MSN Messenger all these years. It is bloatware and there are too many other alternatives out there to do the same job.
Douglas
December 23rd, 2002, 09:03 AM
Hi Primrose,
But as I said in my previous post, I have never once touched OE, yet it has logged me.
Douglas
JacK
December 23rd, 2002, 09:47 AM
Hello,
After deleting posts in OE, it's still possible to read ALL *.dbx files with DBXtract as just the path to the msgs is suppressed.
Info and d/l : http://www.oehelp.com/DBXtract/Default.aspx
The same tool exists for *.pst files (Outlook)
Go to OE>Maintenance and press "Compact" after deleting.
Then you will not be able to read them any longer.
Rgds,
JacK
snowman
December 23rd, 2002, 09:53 AM
A very good morning to all....wishing everyone the best of days.
Like just about everyone else I do not use Outlook Express....nor any other e-mail client...and was obviously upset to see such tracking.........there may be a very simple explanation..if so I would be most interested in hearing it.
But one thing I won't do is trust M$ on this issue...the instructions given by M$ were totally incorrect.
Vet and Doug........were you guys able to delete the contents of the folder or the folder..as yet? It took me a few moments to do so but finally deleted the contents.....
I noticed that there is also an option to have the choice of where to store such information.....to another folder.....I will mess around with that tonight perhaps.
Like Lov2B my first thought was to erase the folder then let the OS re-make a new folder......but was not sure if the OS would do so.........and also wanted to make certain that in the future such information would not be logged again without a quick way of deleting it........also as John suggests.........erasing is highly suggested.....I sure did so.
I noticed that after deletion there remained some brief programming inside the Sent Items folder.....wondering about that.
This was not something that sat well with me...so much stored information under any circumstances can not be considered tolerable...imho.........in my Sent Items folder was a copy of an e-mail sent to me......good golly Ms Molly.....
will drop back later......best to all
snowman
FanJ
December 23rd, 2002, 09:58 AM
I made a mistake, sorry !
I have the Dutch version of Windows and OE.
So I should not have looked at "sent items.dbx" but at its Dutch version "verzonden items.dbx".
FanJ
December 23rd, 2002, 10:04 AM
Quoting JacK:
> Hello,
> After deleting posts in OE, it's still possible to read ALL *.dbx files with DBXtract as just the path to the msgs is suppressed.
> Info and d/l : http://www.oehelp.com/DBXtract/Default.aspx
> The same tool exists for *.pst files (Outlook)
> Go to OE>Maintenance and press "Compact" after deleting.
> Then you will not be able to read them any longer.
> Rgds,
> JacK

Yep about that "compact"; I also posted that at the other thread (closed in the meanwhile).
Copy from the Helpfile of Express Assist (a program to make backups of your OE):
Before making a backup file, please compact all of the mail folders [[From the Outlook Express menu, select File\Folders\Compact all folders]].
Compacting the folders removes the mail messages which have been deleted or moved. Prior to this, they are merely marked as "to be deleted". If you create a backup without compacting, it will take more time and space. In addition, when you restore you may be surprised to see messages that you thought had been deleted.
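A defender-side check for the point JacK and the Express Assist help text make above: a deleted message is only marked as deleted and stays readable in the .dbx file until the folder is compacted. This is an added example, not a tool from the thread or from Outlook Express; it does not parse the .dbx structure but scans the raw bytes for printable runs, header lines and URLs (the way a recovery tool or `strings` would), so the two constructed sample blobs stand in for a real folder file before and after Compact.

```python
"""Audit a mailbox file for residual plaintext (added example, not from the thread).

Outlook Express keeps each folder in a .dbx file. Deleting a message only
marks it as deleted; its text remains in the file until File > Folders >
Compact all folders is run. This scan treats the file as an opaque blob,
pulls out printable runs and reports mail header lines and URLs, so a
folder can be checked before and after compacting.
"""
import re
from pathlib import Path

MIN_RUN = 8  # shortest printable run worth looking at (assumed threshold)
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e\r\n\t]{%d,}" % MIN_RUN)
HEADER = re.compile(r"^(From|To|Subject|Date|Received):\s*(.+)$", re.I | re.M)
URL = re.compile(r"https?://[^\s\"'<>]+")


def printable_runs(data: bytes):
    """Yield runs of printable ASCII from an arbitrary binary blob."""
    for m in PRINTABLE_RUN.finditer(data):
        yield m.group(0).decode("ascii", "replace")


def audit(data: bytes) -> dict:
    """Return the header lines and URLs still readable in the raw bytes."""
    headers, urls = [], set()
    for run in printable_runs(data):
        headers.extend(f"{k}: {v.strip()}" for k, v in HEADER.findall(run))
        urls.update(URL.findall(run))
    return {"headers": headers, "urls": sorted(urls)}


def audit_file(path) -> dict:
    """Convenience wrapper: audit a real file such as 'Sent Items.dbx'."""
    return audit(Path(path).read_bytes())


# Constructed sample: binary filler around one message, as a folder with a
# deleted-but-not-compacted message would look to a byte-level scan.
_MESSAGE = (
    b"From: alice@example.invalid\r\n"
    b"To: bob@example.invalid\r\n"
    b"Subject: quarterly numbers\r\n\r\n"
    b"See http://intranet.example.invalid/q4.xls\r\n"
)
SAMPLE_NOT_COMPACTED = b"\x00\x01\xfe\xcf" * 16 + _MESSAGE + b"\x00" * 32
# After Compact the message segment is gone; only filler remains.
SAMPLE_COMPACTED = b"\x00\x01\xfe\xcf" * 16 + b"\x00" * 32

if __name__ == "__main__":
    for name, blob in (("before compact", SAMPLE_NOT_COMPACTED),
                       ("after compact", SAMPLE_COMPACTED)):
        result = audit(blob)
        print(f"{name}: {len(result['headers'])} header lines, "
              f"{len(result['urls'])} URLs still readable")
```

Run it against a copy of a real folder file with `audit_file(path)` before and after Compact; a non-empty result after compacting means the folder still needs attention.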
snowman
December 23rd, 2002, 10:24 AM
Following Jan's settings is how I deleted the contents of that folder. and yes...I also did a "compact"....sorry I forgot to mention that earlier..........
snowman
December 23rd, 2002, 10:43 AM
By the way....I also cleaned System Restore.....otherwise it would replace those deleted entries if a restore was done.
javacool
December 23rd, 2002, 11:48 AM
Quoting Ghost:
> Which is why I asked javacool to come up with a program that would "blast" all sent and received dbx folders a long time ago (hey, he's been busy, what can I say?).
> http://www.wilderssecurity.com/showthread.php?t=4278
I am actively looking into it. :)
Just name the features you would want (including file names and locations you would want to have the option of cleaning), and I'll see what I can do. (I am quite busy, but I'll work on it around other projects.)
Best regards,
-Javacool
JacK
December 23rd, 2002, 11:50 AM
Quoting FanJ:
> Yep about that "compact"; I also posted that at the other thread (closed in the meanwhile).
Hi Fanj ;)
So sorry, as the thread was closed, I did not look at it.
Best regards,
Douglas
December 23rd, 2002, 12:00 PM
Could someone please explain to me the REASON for this logging/tracking.
I go nowhere on the web that I would want to hide from my mother-in-law, yet this reminds me of the telescreens in 1984. Every move I make is logged, behind my back, on my own computer (until people like our guest poster discover it). I can't seem to justify it.
Does anyone else have a different view? I need to be calmed down! ;)
Douglas
Vietnam Vet
December 23rd, 2002, 01:49 PM
Updating my experience with this issue, I did a little experimenting with these files. Using the shredder tool in Spybot S&D, I destroyed every file in that folder (11 files in my case). Checking with Explorer, the folder was empty. Reopened OE 6.0 which automatically recreated all files except the pop3.log and smtp.log. Checked my mail and this recreated pop3.log. Sent myself an e-mail and the smtp.log was also recreated. All the previous info in these files was of course gone. I would think that simply deleting these files would have the same effect, without the obvious security feature of wiping them for those who have that need. Using Win98SE, IE6.0SP1 here, your mileage may vary. Question for the more knowledgeable, is this method acceptable? No ill effects that I can see, but I am not so gullible to think just because I can't see it, it is not there.
Question #2, why is that kind of stuff in the folders to begin with (firewall logs, etc.), and is the information being transmitted every time I give OE permission to access the net? Using Zone Alarm free, so it either has permission or it doesn't. No middle ground. Again, thanks for any guidance.
Vietnam Vet
December 23rd, 2002, 02:12 PM
Thinking more about this, if someone who was not using outlook express, received one of those emails with some kind of nasty aboard, and they went to the folder in question here, they could then read the email, even though they deleted without opening it in their application of choice.
Would this put them at risk of letting the critter out, or just the opposite, be a safe way of looking at an email you were a little suspicious of? ???
Primrose
December 23rd, 2002, 02:26 PM
Quoting Douglas:
> Hi Primrose,
> But as I said in my previous post, I have never once touched OE, yet it has logged me.
> Douglas
Hi Douglas,
Since I do not use the OE, every time I have installed any version of the Microsoft OS I have then uninstalled the OE.
If you do not use it as your email client..you too can uninstall it also.. therefore, I do not have any .dbx or other compacted file for my email, much less any backup email files, and this is also something everyone can change if they do use OE.
John
snowman
December 23rd, 2002, 02:31 PM
Vet
appreciated that you shared the info....there are nine folders in my case.......am getting ready to wipe them all.
.......once again...until you mention these folders I never thought to check them....when I did..behold stored information!! This really gets me po'ed!!!!!!
snowman with attitude
Douglas
December 23rd, 2002, 02:33 PM
Hi again Primrose,
> If you do not use it as your email client..you too can uninstall it also..
Which is exactly what I'm going to do. Thanks for the reminder.
Douglas
snowman
December 23rd, 2002, 03:01 PM
Just did a secure wipe of those 9 folders....shut-down and re-started...the folders did not return.....which is fine by me............no noticed changes in os....all working properly as much as I can tell.
going to give this subject a whole lot of thought......I do not use e-mail.....no reason for anything to be in the in or out folders...........no reason for so many unknown URLs....all traced to source now...........everything hand copied before secure delete..........
snowman with an attitude
snowman
December 23rd, 2002, 03:57 PM
NOTE:
looking over some of the information that has been copied I noticed that the only website information logged was that of a website where I had used a stored cookie....has anyone else noticed this??
snowman
snowman
December 23rd, 2002, 04:18 PM
NOTE
LOL..a few moments ago using a security program I disabled Outlook Express/msimn and much to my surprise four (4) un-installed programs on my desktop....their icons became the Outlook Express icon.....gee, now I just have to ask myself....will these un-installed programs somehow use Outlook Express once they are installed...lol
snowman
December 23rd, 2002, 04:56 PM
CORRECTION:::::::::
The information logged about the website WAS NOT that of a website where a stored cookie was used......it was that of a website where a program had been downloaded from.
..........want to keep all info as correct as possible.
Well everyone this has been a most interesting topic.......enjoyed the time sharing with all of you......there isn't anything else I can contribute so no point in my posting further comments. Joyous Christmas to one and All........
Snowman Chilled Out
FanJ
December 23rd, 2002, 06:00 PM
Quoting snowman:
> NOTE
> LOL..a few moments ago using a security program I disabled Outlook Express/msimn and much to my surprise four (4) un-installed programs on my desktop....their icons became the Outlook Express icon.....gee, now I just have to ask myself....will these un-installed programs somehow use Outlook Express once they are installed...lol
Hi Snowman,
Maybe a corrupted Icon-cache? I'm of course not sure about this in your case, but these things can happen.
You could try the free RefreshEm to try to repair the icon-cache.
You can find RefreshEm here:
http://camtech2000.com/Pages/Useful.html
snowman
December 23rd, 2002, 06:23 PM
Jan....thanks....however this was done on purpose......a few of the security tools I have can really cause chain reactions.......always for the good.
I just shut down the program and re-booted....all back to normal..........what the program did was reveal that the programs would use outlook express....updates maybe.
regards
snowman
luv2bsecure
December 23rd, 2002, 11:21 PM
Vet asked the question if simply deleting is enough. As Jack pointed out, a delete is not enough. Let's say you have a message in the sent folder.....you hit "delete" (yes you want to do this - get it in the delete folder.) BUT, from here, no - it is not secure to just empty the delete bin. All of that email is still on your hard drive and any software recovery program can pull that right back up. What I said and what snowy did is to erase the delete folder. Wipe it. This leaves nothing of your emails to pull up with a recovery program. Make sure it is DOD compliant 7-pass or Gutmann so that it is totally secure from even forensics.
I guess I'm being too all encompassing here. You may not need a wipe. If you DO wipe, you may only need a one pass wipe. As I have said many times - and this is important..... When it comes to privacy and securing your computer, do you want to hide your files from your children? The kid sister? If that is all you need to do, simply deleting I suppose would be fine. But, if you have security needs that go beyond that -- securely erase. Wipe. Beyond the simple, I protect as if a three-letter agency were going to impound my computer tomorrow and find all kinds of writings that these days they could call, "aiding the enemy," -- or whatever.
For me - and most people - (if you're using OE)......
1. Send all sensitive mail to delete folder.
2. Run a wipe of the Delete folder. (And yes, it does recreate itself upon reboot.)
3. Remember the routine and use it!
Yes, you could drag the Delete folder from its deep path into a shredder. Most people I know just have a custom wash configuration or a self-made plug-in to use with their Internet Wiper (like Window Washer or Tracks Eraser Pro - my personal favorite - but I actually use both). Every time it's run - it wipes that delete folder, along with everything else.
BTW, I can't get anything from my .dbx files in plain text that are threatening in any way. I have never heard of this problem at all, so I don't know what to say. I'm reading the posts carefully though. It sounds very odd.
Happy Holidays To All!!
John
Luv2BSecure
snowman
December 25th, 2002, 12:36 AM
I don't usually make a comment as this one....
Folks may I truly suggest that you heed the advice of Lov2B......the man knows what he is talking about....and if you hesitate to use encryption.....consider the ease of use...there is nothing to it........and if you think that you will never need it.......ok fine...but it's best to have it and know how to use it should the need arise........and John is the guy to see in that area
respectfully
snowman
Vietnam Vet
December 25th, 2002, 01:16 AM
Hi,
All of the following done offline.
Investigating further, destroyed all files in the folder again, rebooted, and as snowman noted, files are not recreated.
Opened OE: cleanup.log, inbox.dbx, offline.dbx, folders.dbx recreated. The inbox.dbx may create at this time because I have OE set to open that folder at start of the program.
Clicking on the other folders (outbox, etc.), recreates their corresponding .dbx file.
Closed OE: pop3uidl.dbx created.
The two log files(pop3.log, smtp.log) are created as stated in my earlier post.
Now, that is the way these files are recreated on my computer. Why they are not recreated at bootup, I do not know. The above scenario can be done at will.
"Vet asked the question if simply deleting is enough. As Jack pointed out, a delete is not enough. Let's say you have a message in the sent folder.....you hit "delete" (yes you want to do this - get it in the delete folder.) BUT, from here, no - it is not secure to just empty the delete bin. All of that email is still on your hard drive and any software recovery program can pull that right back up. What I said and what snowy did is to erase the delete folder. Wipe it. This leaves nothing of your emails to pull up with a recovery program. Make sure it is DOD compliant 7-pass or Gutmann so that it is totally secure from even forensics."
Sorry if I am not making myself clear, but that is not what I am asking at all. I understand what you are saying, Luv2BSecure, about the security involved. What I really wanted to know was if the method of using the shredder to destroy these files was acceptable, and I gather that it is. By the way, don't know if you use Spybot or not, but the number of passes is adjustable (actually used 10). Whether or not it meets the standards you mentioned, I can't say, but it does what I need.
"I guess I'm being too all encompassing here. You may not need a wipe. If you DO wipe, you may only need a one pass wipe. As I have said many times - and this is important..... When it comes to privacy and securing your computer, do you want to hide your files from your children? The kid sister? If that is all you need to do, simply deleting I suppose would be fine. But, if you have security needs that go beyond that -- securely erase. Wipe. Beyond the simple, I protect as if a three-letter agency were going to impound my computer tomorrow and find all kinds of writings that these days they could call, "aiding the enemy," -- or whatever."
No one uses this computer but me. I rarely use email. Other than notices of replies to posts, about the only email I get is Earthlink's monthly newsletter, which I do not read, just never unsubscribed. I get absolutely zero spam. If one of those three letter agencies you referred to, confiscates this computer, the result would be death by boredom. Will leave it up to everyone who reads this as to whether that is a good thing or bad.
"BTW, I can't get anything from my .dbx files in plain text that are threatening in any way. I have never heard of this problem at all, so I don't know what to say. I'm reading the posts carefully though. It sounds very odd."
E-mail is not the problem I am concerned with at all. It is all the other stuff that keeps mysteriously appearing in those files, and the files of a couple other posters(snowy and Douglas). Is Microsoft(or something else) tracking me, or possibly some problem with my computer? Since I am not the only one having this problem, I don't have a definite answer to that.
This is an example of what I am talking about. Went online to the Symantec home page and a Microsoft tech bulletin search, nowhere else.
From deleted items.dbx:
From inbox.dbx:
The info from deleted items.dbx appears to be old data (possibly scripting?) from the spywareinfo web site page. Note, I did not visit that site. The info from inbox.dbx is apparently current info from the Microsoft page, which I did visit. I don't see why any of that stuff should be in either file. OE was not running while online.
OK, if anyone can explain this or offer a course of action, I would be most grateful. That is about as clear as I know how to make this. I can clean the files, no problem. Question is, how is this getting in the files and is it going out to wherever when OE accesses the internet? I don't know that I would consider any of the examples given as threatening, but it is a clear cut invasion of my privacy if this kind of thing is being sent to someone.
Must apologise for the length of the post, but this has me annoyed to say the least.
On a happier note, wishing everyone a happy and safe holiday season, and many more to come.
luv2bsecure
December 25th, 2002, 04:08 AM
{QUOTE-> Sorry if I am not making myself clear, but that is not what I am asking at all. I understand what you are saying, Luv2BSecure, about the security involved. What I really wanted to know was if the method of using the shredder to destroy these files was acceptable, and I gather that it is. By the way, don't know if you use Spybot or not, but the number of passes is adjustable (actually used 10). Whether or not it meets the standards you mentioned, I can't say, but it does what I need.
<-QUOTE}
{QUOTE-> OK, if anyone can explain this or offer a course of action, I would be most grateful. That is about as clear as I know how to make this. I can clean the files, no problem. Question is, how is this getting in the files and is it going out to where ever when OE accesses the internet? <-QUOTE}
I am sorry Vietnam_Vet.......I thought by the questions and comments above that you were interested in the emails, and asking about dragging them to the shredder I took as a security question you were not sure about. I know I answered to the best of my ability. Snowy had some nice things to say, that was kind of him and I appreciate his nice words, but I will tell you --- I am lost on your last question above. As I said, I have not heard of this, never have seen it before and this is all new to me. Because it's not in my OE files doesn't mean a thing. Apparently something is not quite right here. With your description, snowman's description, it sounds very strange indeed. That's why in my last post I said, {QUOTE-> "I have never heard of this problem at all, so I don't know what to say. I'm reading the posts carefully though. It sounds very odd." <-QUOTE}
I think we may be expecting too much though if we expect to have answers to this mystery here and now from anyone on this board. After all, snow just opened this thread on the 22nd and today is the 25th (Christmas Day :) ).
But knowing the people on this board, and my own curiosity, there are more than a few people trying to figure this out. One thing is clear, if you have cleaned tracks - it has left some things and they are showing up in strange places. You didn't go to Mike's Spyware site that day but obviously you did at some point and some tracks are (oddly) in OE .dbx files. The "yaBB" references are all to the forum software used here and at Mike's spywareinfo.com site as well.
BTW.... In your first post you said the system-made .dbx folders (inbox, sent, draft, delete) were recreated on boot. In your last post, did I understand you to say it did not recreate "delete" when you rebooted? I agree it's all more than interesting - it's very disturbing in fact. I'm right there with snowy on the anger - and the privacy intrusions it could cause. But, right now it's Christmas and it will take some time for everyone to get down to it and try to figure out what's going on.
Again, I'm sorry if I was confused by you asking about the shredding, etc and thinking you were asking if the method would work. Sometimes when a thread takes off like this one, it's hard to keep track, but I honestly thought I answered your questions except for having the answer to the big question which we may not have for awhile.
Happiest of holidays! I'm up late listening for Santa sightings on the radio.
John
Luv2BSecure
Douglas
December 25th, 2002, 08:59 AM
Vietnam_Vet said
{QUOTE-> I can clean the files, no problem. Question is, how is this getting in the files and is it going out to where ever when OE accesses the internet? <-QUOTE}
That's exactly my question and problem!
L2BS said
{QUOTE-> But knowing the people on this board, and my own curiosity, there are more than a few people trying to figure this out. <-QUOTE}
So forget Christmas dinner! ;D We're counting on you all!
Douglas
snowman
December 25th, 2002, 11:10 AM
Good Morning to all..and to all a MERRY CHRISTMAS DAY!
Well so as we don't go off in different directions....seems we all agree that be it e-mail or the Folders/Files......they should be SECURELY DELETED........in case of the VET he used the SHREDDER in Spybot.....I understand Vet that you are asking how secure is the Shredder's over-writing.....to answer that the type of over-writing being used would need to be known...such as DOD....or what ?
As Luv2B noted it's the Christmas holiday and responses may be slow in coming.......only reason I am here today is due to deep snow outside........
In the mean time I am still testing....right now I see this exploit as something of a KEYLOGGER type.....and VERY DANGEROUS!!!! FE: I did some business in Zurich this past Friday.....and removed the program used Monday late night.......well highly private account information was retained in one of the folders we are discussing....yikes!! Did a wipe using Gutmann
We all seem to agree that deleting the folders/files is not the real issue. The issue is HOW IS THE INFORMATION BEING LOGGED IN THOSE FOLDERS?????
So far I found...
(1) one e-mail that was sent to me
(2) information on a previously used ISP
(3) A listing of the COMPLETE contents of my C drive both M$ and non-M$ programs listed therein
(4) The programming code of a couple of websites
(5) information related to several programs un-installed..BUT NOT ALL programs that have been uninstalled
(6) Certain url's.....
My question....is outlook express BEING EXPLOITED.....or is this a problem caused by outlook express....
snowman
December 25th, 2002, 11:24 AM
So as no one takes offense by the use of the word "EXPLOITED" let me clearly say here and now that no accusations are being made. The word "exploited" is used in the context of there being a possible security issue in either outlook express or the WINDOWS os
snowman
December 25th, 2002, 12:00 PM
because several people are having this issue.....each with their own settings, security programs and os's......the only two things I notice we have in common is that Outlook Express is installed and the Windows os is being used
No particular website.....no particular program is being logged..........the only commonality being the above listed.
uninstalling outlook express may not be the answer...that's yet unknown....the information being logged may just find its way elsewhere on the os......
shortly I will be shutting down from the internet and boxing the computer.....in a couple or so days......bout all I can say is that I sure hope you folks find an answer to all this..........somehow I think the answer is going to be a simple one....hopefully anyway..
JacK
December 25th, 2002, 12:46 PM
Hi snowman,
Some possible explanations :
a spy software to secretly spy on and monitor computer activity, which would use OE to send info to whoever installed
this progy and not a built-in SMTP server; some are really difficult to detect ?
VNC server, PCAnywhere or some progy of the kind installed
on your computer, and a client could have used your machine to post some mails ?
A backdoor which might have been eradicated a while ago ?
OT : if you never use OE, you could make a rule in your FW preventing msimn.exe IN and OUT to stay protected ?
Is the phenomenon reproducible ?
If yes, could you use a sniffer ?
Just my 5 pences, I never heard about something of the kind before.
Rgds,
snowman
December 25th, 2002, 04:29 PM
JACK
thanks much for taking some of your time to reply........upon first seeing the exploit my thoughts were the same as yours......have since ruled much of that out.......different people involved.....different os's......we would all have had to unknowingly installed or been exploited by a particular snake program........odds are very high against that.
yes..reproduced at will.......no outbound traffic........
the rest of this post is just in general info.......perhaps pieced together may be useful.
my earliest logging was the e-mail....Nov. 2, 2002...it was received......not answered. The logging could have been going on longer.....I never checked.......my last reformat was just prior to November............
java and ActiveX never allowed with the exception of windows update applet and a couple of extremely secure business java applets..........outlook express blocked by firewall always..........
numerous security programs set to prevent .exe and forced install........numerous scripts prevented.....no cookies allowed........registry cleaned after each install of new program and after un-install of any program.....os constantly checked, monitored for keyloggers....trojans..viruses.......internet scan....download scan..os scan....constantly......all programs updated.....no known snakes in os........all new programs scanned for trojans/virus before install..........numerous other security measures in place..........
after wipe of folders in question......new folders contain information......not of a personal nature but of the os........most in programming code......C/C++ (is that right lol)
one thing continues to bother me for some reason....in outlook express....tab: Connection:.......Internet Connection Sharing.....* outlook express shares your internet connection settings with internet explorer*** and this has me wondering if IE is involved......just wondering.......did check settings in IE...very secure.
JACK.....a couple of the url's that were logged have me highly on alert...in fact my security has been lowered deliberately to see if any attempts are made on the os...
No I have never heard of this before either.......but strongly advise everyone to pay attention....this ain't santa coming down the chimney.....it's a major privacy exploit.....
to what extent the exploit can be used is best left to the experts to decide.........it bothers me that the Sent Folder was loaded with information........hopefully it never left the os.......no passwords are kept...can't connect. You can bet I would never use a credit card or send e-mail.......
this may not be popular to hear..but this makes many security programs absolutely useless....no not virus and trojan scanners.........but many other types of programs useless........cleaning of the index.dat won't clean these folders FE....wiping the os won't help either....these folders need to be manually removed.
also......after deleting the folders I left them deleted for several hours.....then re-made them..instantly the folders contained logged information.
snowman
December 25th, 2002, 04:36 PM
Presently the INBOX folder contains instructions on how to use outlook express and numerous listings about the os.
JacK
December 25th, 2002, 05:17 PM
Hi Snowman,
Did you try to set your stored *.dbx (x:\Documents and Settings\user\Application Data\Identities\{xxx-yyy-zzz-aaa-bbb} in WinXP for instance) on another partition in a new file
and see if it's still reproducible ?
Really weird, indeed.
Rgds,
snowman
December 25th, 2002, 06:35 PM
JACK
no I have not done that as yet....decided to wait and see what reveals itself in those files........
the files are in my control.....it's the logging that isn't.....what's causing the logging...........questions many ..
so far the newly created files just logged the os date...its not going outbound........
spent the past two days going through the registry....looks clean.....ran scans for every known trojan/virus/keylogger/snake.......clean....but you can bet this hound will keep tracking........
wondering why everyone is not experiencing this???
oh..re-checked settings in outlook...IE..os....looks ok....
can only suggest others get involved.....work as a team.
snowman
December 25th, 2002, 06:45 PM
*Of Special Note*
Nothing new has been logged in the newly created files over the past seven hours.
this I find very strange.....if a snake was in my os it would log constantly.........
snowman
December 25th, 2002, 07:05 PM
NOTE
Blocked all the urls formerly logged....then updated every program on the computer...all updates worked fine....therefore, the urls ARE NOT TO UPDATERS..
snowman
December 25th, 2002, 07:40 PM
JACK
just a quick THANK YOU for hanging in there with me today.......would have been kinda lonesome here all by myself LOL
Now will leave this to "others".......since I won't be on the net much longer it's no real issue in my case.....but did find it rather "odd" that this exploit does exist.
Hope you had a very merry Christmas......
best regards
snowman
J at H
December 25th, 2002, 07:52 PM
I was a bit short of time over the last few days to keep up with this thread fully, sorry!
But somehow I keep on thinking that IEClean can do a good job here.
snowman
December 25th, 2002, 08:19 PM
just found this info......I have not tried any of this as yet
http://www.mdcc.edu/ctd/train/sentfolder.htm
J at H
December 25th, 2002, 08:21 PM
I don't have the IEClean Helpfile here (where I am now at the moment), so some link and quote:
http://www.nsclean.com/iedetail.html
IEClean allows you to remove all traces of your newsgroup activities when using either "Internet Mail and News" or "Outlook Express" news reader. By default it only wipes out recordings of the actual messages in the newsgroups you've visited and read messages in (yes, the complete text is stored by MSIE - imagine the wasted disk space). You can also configure IEClean to wipe out several ancillary pieces of newsgroup records if you wish to clean out the subscriptions.
IEClean allows you to clean Internet Mail and News or Outlook Express' trash folder of mail you've trashed. You can also have IEClean remove other email folders if you wish by using the "PRIVACY tab" settings to identify other folders you want cleaned up in addition to the default emptying of just the trash folder. You may also clean up to 10 additional folders anywhere in your system. This can be helpful if you use an external mail/news program, and wish to clean it along with your browser files.
JacK
December 25th, 2002, 09:21 PM
{QUOTE-> quoting snowman:
just found this info......I have not tried any of this as yet
http://www.mdcc.edu/ctd/train/sentfolder.htm
<-QUOTE}
Hi Snowman,
The link is related to Outlook and not OE, isn't it ?
Best regards,
snowman
December 25th, 2002, 10:04 PM
JACK
oops...had not noticed that......going through the registry for two days has my eyes seeing triple LOL
ok my friend...I think we may be getting somewhere.....please see if you can follow me on this...
I opened outlook express.....went to VIEW TAB.....then CLICKED ON FOLDERS........thereupon a window opened showing all the folders......clicked on each folder etc......each SHOWING EMPTY.........ahah!!!
went back to the other aforementioned PATH.......and behold..THE FOLDERS WERE NOT EMPTY!!!!!
so..outlook express says the folders are empty but in fact they are NOT ACTUALLY EMPTY..........thanks M$
Furthermore...the information in the folders regarding my os may be......repeat MAY BE....scans I had done on the computer..FE: defrag....virus scan etc........possible you think??
I have no "guess" about the websites and why they are showing in the folders......perhaps they scanned the computer...?? all guesses welcome LOL
I have no guess on why the urls were in the folders...all guesses welcome......
still can not understand why this is happening to just certain people and not everyone...my version of outlook express is the newest...fully patched...thanks M$
Yes Jack IECLEAN may be the tool for this job.....I've never used it though........but heard its really good.......
So...this is NOT AN EXPLOIT in the true sense of the word........but yet privacy wise it does reveal much too much...so in that sense...it's a security hole...imo
whew...it's been a very long day......haven't eaten yet..it's on the stove now............but at least some light showing on this subject............and now.....is IECLEAN the Only solution or are there others.............
Jack I truly appreciated your help..time and interest......I needed to know what was happening before doing business tomorrow........and now it seems that the information does not leave the computer.......friend I'll sleep tonight without nightmares lol...........
warm regards
snowman
Vietnam Vet
December 26th, 2002, 03:56 AM
Luv2BSecure,
I think I may have done it to you again. Let me clear the air here before we go any further.
The comment about me being annoyed was in no way, shape, or form aimed at you(or anyone else for that matter). I was talking about this issue. I have nothing but the utmost respect for you. I do not post much, so most people probably do not have a feel for who I am, but I have seen your posts many times and I know you know what you are talking about. I am very glad that you have taken an interest in this topic and have tried to help. I take nothing you say lightly, believe me. So if it sounded even slightly that way, please accept my sincere apologies. It was not meant that way.
"I think we may be expecting too much though if we expect to have answers to this mystery here and now from anyone on this board. After all, snow just opened this thread on the 22nd and today is the 25th (Christmas Day )."
Agreed 100%, with apologies to the snowman for leaving him here stranded by himself today. I was enjoying Christmas with the family and have not had a chance to drop by all day.
"But knowing the people on this board, and my own curiosity, there are more than a few people trying to figure this out. One thing is clear, if you have cleaned tracks - it has left some things and they are showing up in strange places. You didn't go to Mike's Spyware site that day but obviously you did at some point and some tracks are (oddly) in OE .dbx files. The "yaBB" references are all to the forum software used here and at Mike's spywareinfo.com site as well."
This has me extremely confused. A lot of the info that shows up in these files is not "new". It appears that something keeps track of just about everything that happens on this computer and weird bits and pieces are showing up in these particular files. At one point, I even found the host file list used by Spyblocker in one of those files. My gut feeling is that this is not a malicious thing at all, but instead, some kind of screwy windows thing. The problem is I do not KNOW that.
"BTW.... In your first post you said the system-made .dbx folders (inbox, sent, draft,delete) were recreated on boot. In your last post, did I understand you to say it did not recreate "delete" when you rebooted? I agree it's all more than interesting - it's very disturbing in fact."
I went back and reread my posts and I cannot find where I said that. I did say that they were recreated after restarting OE in one post. In fact, they do not exist even as I type this, having made a point of not opening OE. System has been rebooted multiple times, since destroying the files.
"Again, I'm sorry if I was confused by you asking about the shredding, etc and thinking you were asking if the method would work. Sometimes when a thread takes off like this one, it's hard to keep track, but I honestly thought I answered your questions except for having the answer to the big question which we may not have for awhile."
Absolutely no reason to apologise, as I hope I made clear at the beginning of this reply. Somewhere on one of the forums that I frequent, I read something about the common use of the English language keeping the U.S., Great Britain, and Australia forever apart. An appropriate comment, perhaps. ::)
Enjoy what is left of the holiday season, everyone, and be safe.
Vietnam Vet
December 26th, 2002, 04:13 AM
Snowman, wanted to extend my apologies to you for leaving you out in the snow by yourself today, and to also say that I appreciate all the research and testing you have been doing trying to get to the bottom of this issue.
Enjoy the holiday season, it is far more important to remember what this time of the year is really about and take the time to reflect on that. Best Wishes and Good Luck.
snowman
December 26th, 2002, 12:57 PM
VET
no apology needed my friend.....on Christmas Day people should be with their families......it just happened I was snowbound.....otherwise I would have been long gone too. LOL
Vet...the research continues......its said elsewhere NOT TO DELETE THE FOLDERS forever.......not sure on that......comments welcome.
what I finally did...was re-create the folders....opened each folder and either did a delete or cut of the contents..........that was several hours ago and as yet there has not been any new information added to any of the folders although I expect there will eventually be something in there. UN-CHECK KEEP A COPY IN SENT FOLDER in outlook express........
there appears to be a couple of possible work-arounds that may be easier...........but as JACK suggests IECLEAN may be something to seriously look at.
yes definitely this is a privacy thing in that a clear record is kept..........and it does appear to be a windows issue.
it can be kept within control manually......and yes Luv2B gave good advice on doing a secure wipe.....otherwise all the deleted information could be recovered fairly easily
man my eyes burn...lol.......overslept.....sour attitude LOL
need a long hot shower.........
snowman
snowman
December 26th, 2002, 01:31 PM
QUESTION:
there appears to be the option to have outlook express save the contents of these folders in another folder of the user's choice.........
just as a matter of enlightenment........is it possible to create one folder say on the desktop or elsewhere that could quickly be encrypted or deleted and have that stored information sent to that folder...............it would be nice to be aware of every possible option in this matter. by doing it this way a person could secure delete the contents.......without going through the other steps previously mentioned in this thread......it would also be quicker to securely delete.....instead of wiping the entire un-used c drive..........
snowman
December 26th, 2002, 02:10 PM
* so far....running puter extensively no new info logged**
A couple of thoughts:
a couple or so years ago a young lady came up with a way to clean the index.dat files on a winME each time it booted without the user having to do anything....once the file was created in my computer...........would it be possible to do this in this case.......but for all os's ?
my concern here is that it's natural for me to forget.....heck I did not even know those files existed......and if someone came up with something devoted strictly to this issue that worked auto.........problem resolved!
consider for a moment...if IECLEAN can clean these folders........I don't know that it can....but if it can......then M$ could have plugged this during production.....as to why that was not done.......your guess is as good as mine.
when stored records are kept in a manner such as this that's bad news..........anyone can just open those folders and gain access to very private information...perhaps not in the case of everyone but if just one person loses such information it could be awful.......imo this is worse than any keylogger out there......any joe/jane can gain access.....can this be done over the internet.......by scanning those folders...........anyone care to guess how many people don't use a firewall.........
this truly bothers me.....cleaning these files AFTER THE FACT won't help if those folders are full during a scan.........
I keep checking the folders and mine are empty.....so maybe this will work for me..........others won't be so fortunate.............
snowman
December 26th, 2002, 07:55 PM
Was discussing this topic with a group earlier......and may just let this thing do its thing..........computer hard drives can be used in court as evidence.......might be interesting to see what these folders log.
turning the table around a little here.......track the trackers
Vietnam Vet
December 26th, 2002, 09:19 PM
Hi snowman,
Tried creating a folder in a different location and that was not a problem. Outlook Express creates its little bundle of .dbx files there without a complaint and also happily continues to put all the extra info in them, as well. Trashed them once more, then dumped the folder I created. Open OE and it recreates my folder for me (helpful little S.O.B.), and continues to keep track of my life (very helpful little S.O.B.).
From my experience, the info in these .dbx's is randomly scattered through each of them without being in a precise chronological order of events. These files seem to pull this info out of some kind of log on my computer at random. If I destroy them, and then recreate them immediately, the info generated in them may be something totally different. For example, I could read my post to L2BS from early this morning in one file and when it had been recreated seconds later, the info had parts of the Spyblocker host file in it. Maybe this is logical if there is a malicious reason for this, as I guess someone could easily put this stuff together once they had received it. Would just quit using OE altogether but I don't know that it has been established that OE is even at fault here. The info gets in the files, irregardless of whether OE is granted permission to access the internet. For now, those .dbx files will not be allowed to exist on this computer pending further testing as I am really not worried about email capabilities on a regular basis.
Will keep checking as different ideas pop into my head or suggestions are posted. Thanks everyone.
LowWaterMark
December 26th, 2002, 11:50 PM
I, like some others in this thread, looked through all my OE dbx files, in the same relative folder location on my c: drive, and found nothing unexpected within them. Yes, the files existed, one file for each OE folder, and yes, they did contain the text of the messages that are actually in the corresponding OE folder, but, they did not contain any extra system information, website pages, URLs, or anything similar.
Said by Snowman: {QUOTE-> ok my friend...I think we may be getting somewhere.....please see if you can follow me on this...
I opened outlook express.....went to VIEW TAB.....then CLICKED ON FOLDERS........thereupon a window opened showing all the folders......clicked on each folder etc......each SHOWING EMPTY.........ahah!!!
went back to the other aforementioned PATH.......and behold..THE FOLDERS WERE NOT EMPTY!!!!!
so..outlook express says the folders are empty but in fact they are NOT ACTUALLY EMPTY..........thanks M$ <-QUOTE}
Said by VIETNAM_VET: {QUOTE-> From my experience, the info in these .dbx's is randomly scattered through each of them without being in a precise chronological order of events. These files seem to pull this info out of some kind of log on my computer at random. If I destroy them, and then recreate them immediately, the info generated in them may be something totally different. For example, I could read my post to L2BS from early this morning in one file and when it had been recreated seconds later, the info had parts of the Spyblocker host file in it. <-QUOTE}
These two observations of OE's behavior have one thing in common. The dbx files are recreated by OE, and they end up containing an odd assortment of bits and pieces of various information from your system. The idea that the data varied, and that it was "bits and pieces" of valid information, or even sometimes some very old information from around the system, made me wonder...
So, I wanted to see if I could force this behavior myself... I decided to create a few extra OE folders to see what happens when new dbx files get created. In OE, I selected "New Folder..." from the file menu. Once created, I moved a single 1KB text email message into each new folder, then went to Windows Explorer and took a look at the new dbx files that OE made to contain these messages. They were "pre-extended" to a size of 139KB even though only a 1KB message was placed in them.
I looked through these dbx files and in addition to the text of the 1KB email messages, there was some random text in them. The nature of the text made me think that what was happening here was that OE was using a file access routine that forced the creation of a minimum sized dbx file (139KB on my XP system) for any new OE folder generated. And, that the "extra" data contained within these files was nothing more than whatever was on the disk drive at the location where the data blocks were pieced together to build the new file.
This sounds just like the same mechanism you'd use to do disk drive data scavenging (pre-extending a new disk file to a large size, without the benefit of setting any initial values (i.e. either space or zero-chr filling) in the data blocks). By not clearing the existing data or giving the data blocks any initial value, you end up with what looks like random data from previously deleted (but not wiped) files from the disk. In many cases, this could be the contents of the most recently used and de-allocated temporary files.
Said by Snowman: {QUOTE-> what I finally did...was re-create the folders....opened each folder and either did a delete or cut of the contents..........that was several hours ago an as yet there has not been any new information asdded to any of the folders although I expect there will eventually be something in there. UN_CHECK KEEP A COPY IN SENT FOLDER in outlook express........ <-QUOTE}
Said by VIETNAM_VET: {QUOTE-> From my experience, the info in these .dbx's is randomly scattered through each of them without being in a precise chronological order of events. These files seem to pull this info out of some kind of log on my computer at random. If I destroy them, and then recreate them immediately, the info generated in them may be something totally different. <-QUOTE}
Well, if these files were created to a minimum size by OE, and contained just whatever was on the disk at that time and location, then if you edited the files and manually blanked out all the contents, then I could see how this could leave you clean from then on. The files still exist, so they don't get recreated or extended again. Well, at least until you actually write data into these OE folders by placing a valid email message into them, which might cause OE to further extend these files, picking up more random bits and pieces of deleted data blocks.
What do you think? Might this be what’s happening here?
LowWaterMark
snowman
December 27th, 2002, 12:36 AM
LWM
John...yes. It's very possible that it goes just as you stated......personally I think you are right on point here.
(oh by the way, thanks for jumping in on this)
Still some things I don't quite understand......first, I agree with you in that a lot of the bits appear to be "left-overs".....but I can't reproduce that...tried to all day....but this may be due to the way I now have outlook ex set.....
in my case it was not "bits" but "complete" .....and for the life of me can't see where those url's came from..........that one e-mail was harmless in context.....yet privacy wise I see this as a major issue....
my serious question is could these folders be scanned over the internet....and the contents revealed to the scanner...........this is not likely to happen to someone like you or I.........and yet all those people out there who don't use firewalls.....ouch! could those same folders be used to hide a BOT if a scanner was able to download one.....
when the holidays are over most likely I will box-up the ye ole computer again....but it really bothers me leaving this matter "open"..........and I most sincerely hope that persons like yourself will find a solution
in closing...after you cleared those folders did you go back to outlook ex and do a "compact" then re-check the folders again.....if so were they still empty???
luv2bsecure
December 27th, 2002, 12:45 AM
All I can say is - wow, wow and wow.
I cannot believe the time and effort that has gone into this! That is GREAT!! And to think it's been done over the Christmas holiday. I've hardly had a chance to turn around for several days, and it's like Sherlock Holmes has made a visit to the board!
First, to VET, thank you for your post. I wasn't personally offended in any way - so it wasn't really necessary, but it was appreciated nevertheless. I know this must be terribly frustrating.
Second, to snowy, somehow again it was appropriate for snowman to be doing all of this research over Christmas. Just by your name alone! I was stunned to return to the board and see what all you have done in the way of trying to figure this out. Have you slept? Have you stopped to eat? Talk about getting down to business! Good job!! I don't like this talk about you boxing up the puter though. Not at all -- you have too much to offer here. This thread is the perfect example!
The only thing I was thinking about the problem with the .dbx files as far as moving them to an encrypted portion of the disk - or something similar - is that if there is still some anxiety that the information found within these files (unwanted info) is being sent out via smtp when the program is being used legitimately - that wouldn't help much. However, reading all the info I have to agree that this is more than likely a Windows quirk and nothing malicious involved.
LowWaterMark, as usual, had some interesting thoughts and maybe worth doing some experimenting with. However, the thing that really baffles me is that I securely wipe the Deleted Items .dbx file (when I use OE), it is recreated, and I have no problems at all. So, I wonder about that as far as LWM's possible theory. However, different OS could come into play here possibly. One thing is for sure: it's a mystery. And a second thing is a given: SNOWY NEEDS SOME SLEEP.
John
Luv2BSecure&Snowy'sPostsToo&Don'tWantToSeeHimPackThePuter
snowman
December 27th, 2002, 01:09 AM
Lov2B
John..my dear friend I warmly thank you for all.......actually I enjoyed myself...slept well but maybe not enough.....ate a little of this and that....lol and was doing research into business matters at the same time....had a ball.....
as for boxing the puter..its for the best....truly I enjoy helping others in however small way I can.....and yet my lack of computer knowledge leaves me dangling like a kite in a storm...........there is so very little I can offer that it may be harmful when meant to be good.......
now is a time when the security community needs to pull together.......many depend on people like yourself and LowWaterMark....they lurk..they read..they learn..from folks like you guys....this world belongs to those like yourself who really have something to offer.......my compliments....and from those you have not yet met...thank you.....you were there for them...
warm regards
snowman
eyespy
December 27th, 2002, 01:52 AM
Quoting snowman:
".....and yet my lack of computer knowledge leaves me dangling like a kite in a storm...........there is so very little I can offer that it may be harmful when meant to be good......."
Snowman,
I strongly disagree !
You sniff out issues better than an Ant Eater on an Ant hill ! ;D
Keep that 'Puter out for a while yet, so you don't have to shovel any snow !!
As for those "sent items" files....I have Incredimail on my PC and those 'Sent items" files are found under the heading..."sent items.imm" and "sent items.imh" in the Incredimail directory !!
Regards,
bill ;)
snowman
December 27th, 2002, 02:41 AM
EyeSpy....LOL...very nice of you....appreciated...much!
at the risk of the mods deleting this link...please read....
http://eyeonsecurity.org/advisories/Incredimail
snowman
December 27th, 2002, 02:44 AM
big OOPS.....guess I do need sleep..I didn't see this:
*Vendor Status: Informed on 08 May 2001, issues a fix on 17th May 2001*
Vietnam Vet
December 27th, 2002, 03:57 AM
Hello,
"I looked through these dbx files and in addition to the text of the 1KB email messages, there was some random text in them. The nature of the text made me think that what was happening here was that OE was using a file access routine that forced the creation of a minimum sized dbx file (139KB on my XP system) for any new OE folder generated. And, that the "extra" data contained within these files was nothing more than whatever was on the disk drive at the location where the data blocks were pieced together to build the new file."
Based on my experience with this, I would have no trouble at all in accepting this as the explanation for this rather strange (on the surface) behaviour. On my 98SE machine, I believe the file size was 137KB if memory serves.
"However, reading all the info I have to agree that this is more than likely a Windows quirk and nothing malicious involved."
This is my gut feeling for this issue, but I do not possess the knowledge or experience of people such as you or LowWaterMark and must by necessity ask for your help in figuring out what is going on.
"as for boxing the puter..its for the best....truely I enjoy helping others in however small way I can.....an yet my lack of computer knowledge leaves me dangling like a kite in a storm...........there is so very little I can offer that it may be harmful when ment to be good......."
I am going to agree with eyespy here. I think you underestimate your ability to help people. And it is obvious from posts all over this forum, how well you are liked. If for health reasons or simply peace of mind, you feel the need to get away every now and then, then by all means do so. But do not forget that you are missed by many.
And the following is from Spybot's helpfile concerning the shredder:
The first 5 shreds are using pre-defined bit pattern that should make even hardware recovery impossible. Any further pass will use a random bit pattern that is changing every few Bytes.
Please notice: one pass is not enough to shred a file, as the heads of your hard disk won't hit the same track 100.00% of the time. There are small differences of a few µm that will allow pros to reconstruct even overwritten data. That is why multiple shreds are necessary, and why different patterns should be used.
Warning: This tool is designed to remove files so they can not be recovered again! If you use it, be aware of that!
Disclaimer: I tried my best to finally shred every file given to this tool. But I can't guarantee that files will be unrecoverably extinguished.
Just a FYI only.
LowWaterMark
December 27th, 2002, 04:43 PM
Quote: "However, different OS could come into play here possibly."
Yes, the different OS's and OE versions could be making a big difference in the behaviors we are all seeing, and so could the different file systems, FAT## versus NTFS. There could be both subtle and significant differences in how the "empty" space in these dbx files gets "filled" from freely available disk blocks.
Other factors probably come into play as well. Such as, what other programs are running on people's systems? How much data do they store in true "temporary" files, and when do they release these back as free disk blocks? What about the disk's cluster size (the minimum addressable amount of space on the disk) and any space allocation algorithms related to minimizing file fragmentation? I don't know...
This is certainly interesting. :D
snowman
December 27th, 2002, 05:15 PM
Well here is a twister.......folders were empty all yesterday........went to outlook express....did a "compact"...delete etc........AND A SECOND SET OF FOLDERS APPEARED NEXT TO THE OTHER FOLDERS!! and the second set of folders....which were named the same as the other folders except for this (1) below each folder...WERE FULL OF INFORMATION.......mostly code...os related....again instruction on outlook express........
Prior to doing the "compact" I had cleaned the index dat..MRU's Cache.....defragged....and wiped all un-used space on c drive 7 times with DOD
I am convinced just about that this issue is with Windows and not outlook express....that info is being stored somewhere in the os.........eyespy does not use outlook express.......don't know if he has outlook ex on his os...but he says the same folders appear on his machine.....
yes this is indeed interesting.....and seemingly no known way of preventing the storage of the collected info. I did eliminate a couple of things....downloaded a program but nothing was logged either from the website or the program..........also, I do not use cookies so thats not a part of this picture.......never use activeX......java only for applets and in a sandbox
the implications of what could possibly result because of this exploit...innocent as it may be..is enormous. This throws computer privacy back to the dark ages. Its already been shown that private accounts can be logged.....what about credit cards...other accounts..etc....good golly MS Molly.......
Krusty
December 27th, 2002, 05:32 PM
Snowman
You really appear to be an expert at finding new problems.... ;D good, very good, that I like much indeed. three stars for you friend 'cos you can not be applauded ***
friendliest yours -Ari
snowman
December 27th, 2002, 05:58 PM
Krusty
heya my friend...hope you had a great Christmas...
LOL....problems seem to find me LOL
snowman
December 27th, 2002, 07:20 PM
Experts Needed on this question:
It seems that outlook express has what's known as a "STORE ROOT"......this can be changed in the registry so that the Mail and News files can be stored in another directory or partition..........
......is this related to this exploit
snowman
December 27th, 2002, 07:22 PM
in the beginning of this thread Jack mentioned something to this effect.
JacK
December 27th, 2002, 08:18 PM
Quoting snowman:
"Experts Needed on this question:
It seems that outlook express has what's known as a "STORE ROOT"......this can be changed in the registry so that the Mail and News files can be stored in another directory or partition..........
......is this related to this exploit"
Hi snowman,
Create a new folder on any partition then in OE :
Tools\Options\Maintenance and give the path to the new storage folder.
A solution, if you don't use OE very often, would be to put the mail storage folder with the different *.dbx on a ramdisk. Whenever you reboot a fresh storage folder will be recreated and nothing left on the disk.
I use a ramdisk for my TEMP, TMP and Internet Temp File :
impossible after reboot to retrieve anything.
Don't forget to save the needed mails on your HDD before shutdown.
Cheers,
snowman
December 27th, 2002, 10:07 PM
Jack...thank you very much......if I may impose.....if this was set to plain c:/ would that do the trick.....your suggestion seems excellent......
snowman
snowman
December 27th, 2002, 11:04 PM
JACK
did a quick search for a decent freeware ramdisk for win98........never found one..........going to ignorantly try one not specific to my os......reformat here I come LOL
JacK
December 28th, 2002, 06:49 AM
Quoting snowman:
"JACK
did a quick search for a decent freeware ramdisk for win98........never found one..........going to ignorantly try one not specific to my os......reformat here I come LOL"
Hi Snowman,
Here you are :
http://tinylink.com/?y2RyLYv7Zx
For WinNT/2K/XP (Free)
As you are running an older OS, let me know, I'll find another one, which I used to run a few years ago.
You may use this method to create RAMdisks on Win98 :
(limited to 32 MB)
http://www3.sympatico.ca/rhwatson/dos7/v-ramdrive-sys.html
Rgds,
snowman
December 28th, 2002, 10:04 AM
JACK
Thank you.......my os is win98/winME......the ramdisk would only be used for the folders aforementioned
soon as I get a few pots of coffee down I'll further read the info you so kindly linked......I bookmarked it.......getting myself in a totally new area here so going slow......
yours is the only logical answer that seems to fit the issue at hand. oh,, don't know if this is a biggie or not but thought to mention that my swapfile in use is much greater than un-used physical memory......is it correct to say that this would not be an issue with using a ramdisk since the swapfile is not going to be an intended part of the ramdisk
snowman
JacK
December 28th, 2002, 12:06 PM
Quoting snowman:
"is it correct to say that this would not be an issue with using a ramdisk since the swapfile is not going to be an intended part of the ramdisk
snowman"
Hi snowman,
Yes, it is :)
If you have a lot of RAM, you may also use a fixed swap (for instance 512 MB min and max) on a RAMdisk with AR Soft RAM Disk on an NT OS (tick "emulate a local Hard Disk" in Properties, General, in order to put the pagefile.sys on the RAMdisk).
There are no freeware solutions for Win98SE but Cenatek offers this possibility (shareware)
Cheers,
snowman
December 28th, 2002, 12:42 PM
Jack....most grateful for the extra time you shared with me on this...thanks .........
since this is an area where this feeble minded snowman has never ventured to before it may take some time for the ice cube of a brain to thaw and comprehend.......been a long long peaceful time since I messed with msdos....and even then I had no idea what I was doing LOL......oh my this is going to be very interesting
best
snowman...on the verge of a locked-up os
thank you compaq...for the restore disks
luv2bsecure
December 28th, 2002, 05:48 PM
Snowy and others "fighting" this monster...I posted under Jack in another thread about the RamDisk being a great solution here - also I posted about a friend who uses a USB thumbdrive, flashdisk, whatever and has all his stuff point to his thumbdrive. After browsing, he pulls it out and zaps it with his demagnetizer/Degausser he got from eBay for $10. He also has one that his encryption proggy runs off of and there's no tracks of an encryption program anywhere on the drive. These things are getting cheaper by the day too. I mention them as an alternative if you have OS issues, etc with a RamDisk.
John
Luv2BSecure
Primrose
December 28th, 2002, 10:54 PM
This background info may help...
Ram Disk (privacy/speed)
Clear your Temporary Internet and Cookie directories with the flick of a switch
You probably clear your cookies and temporary internet files once in a while. Some clear it more often than others (for obvious reasons...;-). But if you've read our "Secure File Deletion" tutorial then you'll know that deleting files DOES NOT remove them from disk and it's quite easy to recover them. Then there is the persistent index.dat file that refuses to leave without a fight. - Are you paranoid? (hopefully you're not) but if you are or simply want to clear these "caches" of data with the flick of your reset button then the answer is RAM DISK!
Ram Disks are exactly as the name suggests. Using Ram Disk software you are able to assign part of your physical memory to act as a "drive" on your computer. You can then use this drive as any other drive on your system but the difference is the data is cleared no matter what upon a reboot (since all data on the RAM chip is lost). So you can see that the best things to store on a Ram Disk are your Temporary Internet files and Cookies. Every bit of persistent data will "vanish" without a trace when you want it to. There is also the added bonus of reduced disk activity and possibly enhanced performance.
You need to have plenty of memory to "mount" a Ram Disk. Remember every bit of RAM is important for the well being of your system and the bigger your Ram Disk the less memory that is available for your system. Get a decent RAM monitor and see how much free physical memory you have left during your normal day to day use of your computer. Then think how much space you'll require on your RAM DISK. It may be that you need a new stick of RAM for everything to work smoothly.
First let's find some RAM DISK software!
Microsoft [sample] RAM DISK driver (with source code!) for Win2k
I don't really recommend this unless you are a tweaker/developer. In its current form there is a maximum disk size of 32MB and unfortunately the new disk identifies itself as a "Ram Disk" -not- "hard disk" hence some apps may "freak" out. Also you have to change registry entries to configure it. (I'm wondering why I'm even listing it here!)
AR RAM Disk for NT/2000/XP
This freeware software lets you create a RAM DISK and it can emulate it as a hard drive. For most people their physical memory will be the limiting factor for the maximum disk size. Configuring is achieved by launching the dialog settings box from within "Control Panel" - very easy to use. Remember a restart is required for any settings to take effect
Ramdisk9x / RamDiskNT
Whilst not free this software provides the richest feature set. There are lots of settings to optimize your Ram Disk including disk images. If you chose this software please read the documentation thoroughly as the various options are VERY powerful. Also it supports both the NT/2000/XP AND Win9x architecture.
For most who use NT/2000/XP I believe AR RAM disk will do the trick. Don't do anything silly like assigning large amounts of RAM for your disk as your system may suffer a royal stuff up. I also recommend more than 128MB of memory, preferably 256MB or more. Setting it up is pretty easy and you'll end up with a NEW drive with your choice of drive letter. (T:\ is a good one, it reminds you that its temporary). If you want more than just a simple Ram Disk then RamDisk9x/NT is the way to go.
Using your RAM DISK!
After you install the Ram Disk software and got a new drive working it's time to move the caches over to it.
IE CACHE
First lets set your IE Cache to be stored on your new RAM Disk. Create a folder on your new RAM DISK where you want your Temporary Internet Files to be stored. Creating directories on your new disk is the same as on a normal hard disk.
Now click Start -> Settings -> Control Panel -> "Internet Options", click "Settings" and then "Move Folder". Browse to the folder you just created on your RAM DISK, move the disk space slider to a new value that is less than your RAM Disk and then hit OK at all the prompts. Internet Explorer will recreate this folder upon every reboot.
Moving Cookies Dir
Moving your cookie directory to your RAM Disk is a little harder. You'll have to edit these two keys in the registry so be careful.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\History
Change the key values from the current cookie location to your new RAM DISK. A reboot is required for this change to take effect. You'll know if you've done it right as you'll be able to delete the "old" cookie location without Windows complaining.
You can move anything "temporary" onto your Ram Disk. All data will be lost permanently upon a reboot or system shut down. I recommend not moving your Windows "temp" directory to your Ram Disk because some software store data in there which may be required after a reboot. That's an incorrect way to use the temp directory but unfortunately many software titles do so.
A ~30MB Ram Disk should be fine for the tasks mentioned above, although if you have less than 128MB then it may actually be too big and will deny the system of valuable memory. If you have a lot of RAM such as 768MB or 1024MB you could make a massive 500MB RAM Disk. This will boost performance if you have to extract large amounts of data before installing it (there is virtually no "write/read" time on a RAM DISK). If you are a developer of software that creates lots of temporary files at compile time then again this "large" RAM Disk method is good. Most Ram Disk software creates drives with FAT16 as the file system hence the "disk" size is ~2GB (though I doubt most have this much to dedicate to a disk). Ram Disks work well in the NT/2000/XP environment as they have far superior memory management compared with the Win9x/ME product line.
As a final note never store important data on your Ram Disk as a system crash may mean a reboot and a reboot means loss of all data on the Ram Disk.
http://www.comsec.2ya.com/
snowman
December 28th, 2002, 11:59 PM
MAJOR PROBLEM MAJOR PROBLEM
Ramdisk is totally useless as a solution to this exploit.
furthermore, due to the enormous amount of information collected and stored by the exploit RAMDISK IS ABSOLUTELY USELESS AS A PRIVACY TOOL
I was prepared to accept the use of ramdisk as a solution......until doing more experimenting. all of which anyone can re-produce.
ok,,,,the folders are sent to ramdisk......but someone gains access to the computer and changes the setting in outlook express to have the folders again be sent to outlook express............the newly created folders in outlook express WILL BE FULL NO MATTER HOW MANY TIMES THEY WERE TRASHED BY RAMDISK.....!!!!!
to experiment I sent the folder to c:\windows\temp then wiped the folders using DOD........closed the window and immediately re-opened a new window...the folders were re-created FULL OF INFORMATION
my thought was to send the folders to the temp internet folder and have its contents deleted when the browser closed.........pretty much the same as ramdisk in part.....the folder would be in the index dat file and could be cleaned then C wiped......the point is that the folders would have been deleted......but no good...even wiping those folders wont prevent the collection and storage of information that could very easily be obtained by simply changing the setting
snowman
December 29th, 2002, 12:08 AM
Oh yes we do have a very major issue here....its the collection and storage of information that is the real issue...not the folders or where the folders are kept.
several times in this thread I said that many privacy tools were useless because of this exploit........and the more I experiment the more truth to that statement un-folds
a person can send those folders to MARS...but just let someone change the setting...and have the folders be sent back again to outlook express or anywhere on C drive...and the folders are re-created full of information.....this time there was an e-mail from M$ in one folder.....fully intact after previously deleting with DOD........
please prove this to be incorrect....I honestly want this to be a mistake by me.....but its not
snowman
December 29th, 2002, 12:13 AM
To save time: before someone says: "No, the information would be sent to ramdisk"""""
sorry...NO THE INFORMATION IS NOT SENT TO RAMDISK
in fact,, the information is stored in the os...then sent to the folders........no matter where the folders reside...the information remains stored in the os
luv2bsecure
December 29th, 2002, 12:27 AM
If what you are saying is true, snowy....and I have no doubt if you have run this a few times - then you are correct in saying the answer to this is still elusive.
One thing I'm not sure I caught on to - are you saying that when you deleted the folders from Temp or wherever - Ram Disk, other paths than normal --- that the usual system .dbx files were recreated in the normal "Application Data" location? Also, the email from/to Microsoft (I can't remember) when did you receive/write that? Was it AFTER the folders had been deleted - or - are you saying that the newly recreated .dbx files had OLD information in them?
Of all the messages related to this, I would have to say this bothers me the most.
Could you get a screen capture - not a paste - of what this looks like when opened in notepad?
John
Luv2BSecure
snowman
December 29th, 2002, 12:36 AM
John
the folders were re-created in C:\windows\temp....which was correct as that was the path
Did try to copy "some" of the info to post here but it wont copy......my system does not have a screen capture installed at the moment....un-installed numerous programs prior to "boxing" it a few weeks ago......but it would present another problem if I took a screen shot......a great deal of personal info would be shown publicly....accounts etc......
Yes John I fully tested this both using the temp file and the internet temp file.........would not matter
"OLD" information re-appeared......but strangely the "date" was "NEW"..........same info though
snowman
December 29th, 2002, 12:49 AM
**having a difficult time staying connect..please excuse the numerous posts.****
JOHN
Specifically.....NOT ALL of the Old information was re-created..........oddly the info that I manually just plain deleted by delete or edit....as mentioned in one of my earlier posts.....most of that is not being re-created....just bits of it....but with a new date stamp......
John this is getting way over my head so please you and everyone feel free to throw out any suggestions..
also......I am again looking at the "STORE ROOT" in the registry........it can be changed.........but here I need help/advice........if changed to c:/mail where would that send it...........this tweak is what I am about to try....and there is no one worse than me about backing up the registry LOL
call it a feeling but I think the answer if there is one is with the Store Root....
snowman
December 29th, 2002, 01:00 AM
From: "Microsoft Outlook Express Team" <oe5@microsoft.com>
To: (clip clip clip clip )
Subject: Welcome to Outlook Express 5
Date: Sat, 28 Dec 2002 22:55:30 -0500
MIME-Version: 1.0
Content-Type: text/html;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
***************************************
John
this is the M$ e-mail that keeps being re-created.....had to clip my name and ip out to post.........also, not able to copy by normal copy................and please remember this e-mail has been wiped no less than 10 times/7 wipes each time
snowman
December 29th, 2002, 01:35 AM
WHAT HAPPENS IF:
"Identity" was deleted from the registry
and/or
There was no Path in "Store Root"
************
by deleting Identity would outlook express still be able to send mail......but without the person's name....after all isn't that what setting up an account in outlook ex is..creating an identity?? pop 3 should still work...no loss of connection either.......well?
Store root: if there was no Path., just where in heck could all the collected info be stored (in Folders) nowhere!!
it may still be in the os somewhere but not accessible......and even if a new identity was set up.....would it automatically have info..........
snowman
December 29th, 2002, 01:43 AM
just found the above e-mail from M$ IN THE REGISTRY
that's why it wont wipe/delete....but what's this url to M$...why is that also in the registry as part of this e-mail...am I supposed to trust M$....M$ just revealed that it has my ISP's name...my e-mail account......and full steam ahead to spam me........or profile
snowman
December 29th, 2002, 01:49 AM
Its late., and I am tired.....maybe I was way off base in that last post..........the M$ url could be generated when the account was established......as part of outlook exp......someone else will have to tackle that......
Good Night
Snowman
luv2bsecure
December 29th, 2002, 01:59 AM
Goodnight, buddy. I must tell you that again -- you have worked hard! You NEED some sleep!!!
Thanks for your hard work - and you think you aren't needed. Whew! What are we going to do with you?
John
Primrose
December 29th, 2002, 07:23 AM
NO matter how you cut it or try to work with any type of OS or machine language..you will still come down to the fact that recoverability has always been the major goal of any design..building in to it as much redundancy as possible to maintain the structure..the goal has always been to prevent failure and the software industry has struggled with that for many years. Any system is only as secure as its weakest link.
So it still comes back to this type of information.
( I have since lost the site that contained this write up but I am sure someone can find it again to read all of it)
__________________________
Secure File Deletion
You may or may not know that when you delete a file (and empty the recycle/trash bin or similar storage area) the actual file doesn’t get deleted. It remains on the disk good as gold. This applies to magnetic storage such as floppy disks and the common hard disk.
Let’s take the Windows operating system as an example since most the world uses it. Most of this however also applies to Linux and Mac.
When you delete a file what actually happens is that the OS removes the reference to the file from the File Allocation Table (FAT). This reference had the details such as where on the disk the file was. So when the Operating System doesn’t see this it marks that area of the disk as “free space”, but we now know that only the reference is removed, the data physically remains on the disk. Even though the data remains on the disk the OS believes it’s not there, thus the file remains on the disk until another file is created over it, and even after that it might be possible to recover data by studying the magnetic fields on the platter surface.
Recovering Deleted File
Since we know that when a file is removed the data still remains, it’s perfectly logical that software utilities exist to un-delete this data back to life. (How else do the Feds do it?)
Recovery tools do not read the actual file system. They read the contents of the actual disk, thus it can list the “deleted” files and offer an undelete option.
Files are stored in clusters on the disk. Say/assume each cluster was 8192b in size and you wanted to recover a 14KB file. First the file is stored on two clusters (note, that a file is stored on 1 cluster or more. One cluster cannot hold two files). The recovery tool will simply extract the data in the clusters and actually save it, thus the operating system can see it again.
Now you can understand why deleting a personal file, or clearing your Internet Cache doesn’t mean it’s gone for ever. This document doesn’t go deep into data recovery. The aim is to make the data non-recoverable.
Securely Deleting Files
There are several software tools that will “securely” delete your files. Let’s examine them to see how they work. Rather than deleting your file normally you use a secure deletion tool to do the job. What it actually does is remove the reference to the file (as Windows does). Then the tool inspects the clusters on which the data exists and overwrites them with random data which is determined by complex mathematical algorithms. One “pass” means overwriting the clusters once and will render most commercial recovery tools useless. However, even one pass is considered weak, as agencies such as the FBI or CIA (who have the money) can probably recover most of the data. 7 passes is what’s considered “military” grade. As the number of passes increases, the chance of actually recovering the file with today’s technology decreases at close to an exponential rate.
Most tools allow you to delete files using them, and also “wipe” free space – that is, overwriting clusters that were marked as free space. The more passes you select the longer it takes for the task to complete.
Also note that most of the off-the-shelf tools require strict rules to operate. Basically the data you want to recover has to be “perfectly” there on the disk (even though it’s not referenced). Take that 14KB deleted file mentioned earlier and remember how we assumed it was stored on two clusters. Say that you saved another file, and it was saved on one of those clusters. Suddenly for most off-the-shelf tools that file can no longer be recovered, although law enforcement agencies can still recover parts of the file and inspect it for vital evidence.
Your best chance of recovering a file is when it hasn't been deleted via a secure deletion tool and when you use a recovery tool just after the file was deleted normally. The longer you wait the higher the chance that the operating system has placed a new file over the area you want recovered.
Formatting the hard disk simply re-creates the file system; again the old data remains on the disk (but the OS can't see it). Some recovery tools can dig into "old" deleted partitions and recover the files that used to be in them.
Links
------
Eraser - A freeware secure file deletion tool, also wipes free space and has inbuilt scheduler. (Windows)
Drive Rescue - A freeware application to recover files that were "normally" deleted. Recovers files, and files within deleted partitions. (Deleted partitions can be "viewed" and the files within them recovered.)
Using the above tools you can really understand this concept. Delete a file using Windows, then use Drive Rescue to recover it. Delete a file using Eraser and all you will see is garbled data when you try recovering it using the recovery tool.
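A constructed illustration of the model the write-up describes, added here and not taken from the quoted article or from Eraser or Drive Rescue: a toy disk with a FAT-like table where a normal delete only drops the reference, a raw cluster scan (the recovery tool's view) still finds the data, and a free-space wipe or a multi-pass secure delete is what actually removes it. The 8192-byte cluster, the 14 KB file, its contents and the file names are all assumed values.

```python
import secrets

CLUSTER = 8192  # cluster size assumed here, matching the write-up's example

class ToyDisk:  # constructed model: raw clusters + a FAT-like table, not a real FS
    def __init__(self, clusters):
        self.data = bytearray(CLUSTER * clusters)
        self.table = {}                    # name -> (cluster indexes, length)
        self.free = list(range(clusters))  # clusters the table calls "free"

    def write(self, name, payload):
        needed = -(-len(payload) // CLUSTER)   # ceil: a 14 KB file needs 2
        used = [self.free.pop(0) for _ in range(needed)]
        for i, c in enumerate(used):
            chunk = payload[i * CLUSTER:(i + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.table[name] = (used, len(payload))

    def delete(self, name):  # normal delete: drop the reference, clusters untouched
        used, _ = self.table.pop(name)
        self.free.extend(used)

    def _overwrite(self, clusters, passes):  # one "pass" = one random fill
        for _ in range(passes):
            for c in clusters:
                self.data[c * CLUSTER:(c + 1) * CLUSTER] = secrets.token_bytes(CLUSTER)

    def secure_delete(self, name, passes=7):  # overwrite first, then drop reference
        self._overwrite(self.table[name][0], passes)
        self.delete(name)

    def wipe_free_space(self, passes=1):  # overwrite clusters marked free
        self._overwrite(self.free, passes)

    def carve(self, marker):  # recovery-tool view: ignore the table, scan raw disk
        pos = self.data.find(marker)
        return None if pos < 0 else pos // CLUSTER  # cluster index or None

def demo():
    """Cluster where a raw scan finds the file after a normal delete, a free-space wipe, and a 7-pass secure delete."""
    marker = b"PRIVATE-LETTER-"                         # constructed content
    letter = marker + b"x" * (14 * 1024 - len(marker))  # exactly 14 KB
    disk = ToyDisk(clusters=8)
    disk.write("letter.txt", letter)
    disk.delete("letter.txt")
    after_delete = disk.carve(marker)   # reference gone, data still in cluster 0
    disk.wipe_free_space()
    after_wipe = disk.carve(marker)     # None: free clusters overwritten
    disk.write("letter2.txt", letter)
    disk.secure_delete("letter2.txt", passes=7)
    return after_delete, after_wipe, disk.carve(marker)
```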
JacK
December 29th, 2002, 07:25 AM
{QUOTE-> quoting: snowman link=board=21;threadid=5669;start=90#38310 date=1041141623]
From: "Microsoft Outlook Express Team" <oe5@microsoft.com>
To: (clip clip clip clip )
Subject: Welcome to Outlook Express 5
Date: Sat, 28 Dec 2002 22:55:30 -0500
MIME-Version: 1.0
Content-Type: text/html;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
<-QUOTE}
Hi Snowman,
This one will always be recreated; it's part of the install, like when you install a FAX proggy: after installing you get a welcome FAX message which was never sent. Rebuilding the *.dbx and this "mail", never received from outside, comes back. Even computers without any connection get this "mail".
Windows must keep some info about your accounts in the registry, otherwise you would not be able to send any mail.
That's where an NT system is more secure: only users with rights on determined folders should access these data.
Cheers,
snowman
December 29th, 2002, 02:13 PM
Primrose
very nice reply.....appreciated. In my case all deletes are actually wiped....never less than 7 times with DOD.......everyday the used space on C drive wiped...often several times each day....never less than one wipe....each weekend wiped with Gutmann.............before each wipe everything cleared..index dat etc..cache..
certainly agree with you on the need for secure wipe.......and with your comments about the nature of software/computers..............
JACK
appreciate the info.......soon as I wake up a little more I will change that Store Root.....
being a person who never uses e-mail I am in a position to play with the settings a bit......loss of sending e-mail won't bother me............if needed will use a web mail.......mostly just curious to see what happens...........will not delete Identity.......just change the Store Root
STATUS: at the moment no "old" info is being re-created other than that "welcome e-mail" which as Jack points out is "normal"...........
info only related to the C drive/os is created "new"....I believe this is only because of.....as Primrose pointed out... a secure "wipe" has been done..numerous times.......otherwise old info would appear.
one thought to share..........it's been clearly shown throughout this topic that the "exploit" in question collects private information and stores it............as yet no clear solution has been found.............it's also been shown that if someone can access the computer...change the settings.......any information not securely wiped can be recovered without the use of third party tools...(info in those folders)
Here is a situation where a PERSONAL commitment to security comes into play.........a commitment to SECURELY WIPE in particular........several posters have already given great suggestions on that subject......and are more expert than I..........they are best to offer comments
DESKTOP SECURITY: preventing access to the computer.
This is a topic all to itself.....yet obviously some desktop security is needed..........and not some toy of a program that any K grader can bypass.....imo desktop security will be co