Sent Items Logging

Discussion in 'privacy problems' started by snowman, Dec 22, 2002.

Thread Status:
Not open for further replies.
  1. *Ari*

    *Ari* Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    Snowman

    You really appear to be an expert at finding new problems.... :D good, very good, that I like much indeed. three stars for you friend 'coz you cannot be applauded ***

    friendliest yours -Ari
     
  2. snowman

    snowman Guest

    Krusty

    heya my friend...hope you had a great Christmas...


    LOL....problems seem to find me LOL
     
  3. snowman

    snowman Guest

    Experts Needed on this question:


    It seems that outlook express has what's known as a "STORE ROOT"......this can be changed in the registry so that the Mail and News files can be stored on another directory or partition..........

    ......is this related to this exploit
     
  4. snowman

    snowman Guest

    in the beginning of this thread Jack mentioned something to this effect.
     
  5. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hi snowman,

    Create a new folder on any partition then in OE :
    Tools\Options\Maintenance and give the path to the new storage folder.

    A solution if you don't use OE very often would be to put the mail storage folder with the different *.dbx on a ramdisk. Whenever you reboot, a fresh storage folder will be recreated and nothing is left on the disk.

    I use a ramdisk for my TEMP, TMP and Internet Temp File :
    impossible after reboot to retrieve anything.

    Don't forget to save the needed mails on your HDD before shutdown.

    Cheers,
     
  6. snowman

    snowman Guest

    Jack...thank you very much......if I may impose.....if this was set to plain c:/ would that do the trick.....your suggestion seems excellent......



    snowman
     
  7. snowman

    snowman Guest

    JACK

    did a quick search for a decent freeware ramdisk for win98........never found one..........going to ignorantly try one not specific to my os......reformat here I come LOL
     
  8. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hi Snowman,

    Here you are :
    http://tinylink.com/?y2RyLYv7Zx

    For WinNT/2K/XP (Free)

    As you are running an older OS, let me know, I'll find another one, which I used to run a few years ago.

    You may use this method to create RAMdisks on Win98 :
    (limited to 32 Mo)

    http://www3.sympatico.ca/rhwatson/dos7/v-ramdrive-sys.html

    Rgds,
     
  9. snowman

    snowman Guest

    JACK

    Thank you.......my os is win98/winME......the ramdisk would only be used for the folders aforementioned

    soon as I get a few pots of coffee down I'll further read the info you so kindly linked......I bookmarked.......getting myself in a totally new area here so going slow......

    yours is the only logical answer that seems to fit the issue at hand. oh, don't know if this is a biggie or not but thought to mention that my swapfile in use is much greater than un-used physical memory......is it correct to say that this would not be an issue with using a ramdisk since the swapfile is not going to be an intended part of the ramdisk


    snowman
     
  10. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hi snowman,

    Yes, it is :)

    If you have a lot of RAM, you may also use a fixed swap (for instance 512 Mo min and max) on a RAMdisk with AR Soft RAM Disk on NT OS. (tick in Properties general "emulate a local Hard Disk" in order to put the pagefile.sys on the Ramdisk)

    There are no freeware solutions for Win98SE but Cenatek offers this possibility (shareware)

    Cheers,
     
  11. snowman

    snowman Guest

    Jack....most grateful for the extra time you shared with me on this...thanks .........
    since this is an area where this feeble minded snowman has never ventured to before it may take some time for the ice cube for a brain to thaw and comprehend.......been a long long peaceful time since I messed with msdos....and even then I had no idea what I was doing LOL......oh my this is going to be very interesting


    best

    snowman...on the verge of a locked-up os

    thank you compaq...for the restore disks
     
  12. luv2bsecure

    luv2bsecure Infrequent Poster

    Joined:
    Feb 9, 2002
    Posts:
    713
    Snowy and others "fighting" this monster...I posted under Jack in another thread about the RamDisk being a great solution here - also I posted about a friend who uses a USB thumbdrive, flashdisk, whatever and has all his stuff point to his thumbdrive. After browsing, he pulls it out and zaps it with his demagnetizer/Degausser he got from eBay for $10. He also has one that his encryption proggy runs off of and there's no tracks of an encryption program anywhere on the drive. These things are getting cheaper by the day too. I mention them as an alternative if you have OS issues, etc with a RamDisk.

    John
    Luv2BSecure
     
  13. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    This background info may help...
    Ram Disk (privacy/speed)


    Clear your Temporary Internet and Cookie directories with the flick of a switch
    You probably clear your cookies and temporary internet files once in a while. Some clear it more often than others (for obvious reasons...;-). But if you've read our "Secure File Deletion" tutorial then you'll know that deleting files DOES NOT remove them from disk and it's quite easy to recover them. Then there is the persistent index.dat file that refuses to leave without a fight. - Are you paranoid? (hopefully you're not) but if you are or simply want to clear these "caches" of data with the flick of your reset button then the answer is RAM DISK!

    Ram Disks are exactly as the name suggests. Using Ram Disk software you are able to assign part of your physical memory to act as a "drive" on your computer. You can then use this drive as any other drive on your system but the difference is the data is cleared no matter what upon a reboot (since all data on the RAM chip is lost). So you can see that the best things to store on a Ram Disk are your Temporary Internet files and Cookies. Every bit of persistent data will "vanish" without a trace when you want it to. There is also the added bonus of reduced disk activity and possibly enhanced performance.

    You need to have plenty of memory to "mount" a Ram Disk. Remember every bit of RAM is important for the well being of your system and the bigger your Ram Disk the less memory that is available for your system. Get a decent RAM monitor and see how much free physical memory you have left during your normal day to day use of your computer. Then think how much space you'll require on your RAM DISK. It may be that you need a new stick of RAM for everything to work smoothly.

    First let's find some RAM DISK software!

    Microsoft [sample] RAM DISK driver (with source code!) for Win2k
    I don't really recommend this unless you are a tweaker/developer. In its current form there is a maximum disk size of 32MB and unfortunately the new disk identifies itself as a "Ram Disk" -not- "hard disk" hence some apps may "freak" out. Also you have to change registry entries to configure it. (I'm wondering why I'm even listing it here!)
    AR RAM Disk for NT/2000/XP
    This freeware software lets you create a RAM DISK and it can emulate it as a hard drive. For most people their physical memory will be the limiting factor for the maximum disk size. Configuring is achieved by launching the dialog settings box from within "Control Panel" - very easy to use. Remember a restart is required for any settings to take effect.
    Ramdisk9x / RamDiskNT
    Whilst not free this software provides the richest feature set. There are lots of settings to optimize your Ram Disk including disk images. If you choose this software please read the documentation thoroughly as the various options are VERY powerful. Also it supports both the NT/2000/XP AND Win9x architecture.
    For most who use NT/2000/XP I believe AR RAM disk will do the trick. Don't do anything silly like assigning large amounts of RAM for your disk as your system may suffer a royal stuff up. I also recommend more than 128MB of memory, preferably 256MB or more. Setting it up is pretty easy and you'll end up with a NEW drive with your choice of drive letter. (T:\ is a good one, it reminds you that its temporary). If you want more than just a simple Ram Disk then RamDisk9x/NT is the way to go.

    Using your RAM DISK!

    After you install the Ram Disk software and got a new drive working it's time to move the caches over to it.

    IE CACHE
    First let's set your IE Cache to be stored on your new RAM Disk. Create a folder on your new RAM DISK where you want your Temporary Internet Files to be stored. Creating directories on your new disk is the same as on a normal hard disk.

    Now click Start -> Settings -> Control Panel -> "Internet Options", click "Settings" and then "Move Folder". Browse to the folder you just created on your RAM DISK, move the disk space slider to a new value that is less than your RAM Disk and then hit OK at all the prompts. Internet Explorer will recreate this folder upon every reboot.

    Moving Cookies Dir
    Moving your cookie directory to your RAM Disk is a little harder. You'll have to edit these two keys in the registry so be careful.

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\History
    Change the key values from the current cookie location to your new RAM DISK. A reboot is required for this change to take effect. You'll know if you've done it right as you'll be able to delete the "old" cookie location without Windows complaining.

    You can move anything "temporary" onto your Ram Disk. All data will be lost permanently upon a reboot or system shut down. I recommend not moving your Windows "temp" directory to your Ram Disk because some software store data in there which may be required after a reboot. That's an incorrect way to use the temp directory but unfortunately many software titles do so.

    A ~30MB Ram Disk should be fine for tasks mentioned above, although if you have less than 128MB then it may actually be too big and will deny the system of valuable memory. If you have a lot of RAM such as 768MB or 1024MB you could make a massive 500MB RAM Disk. This will boost performance if you have to extract large amounts of data before installing it (there is virtually no "write/read" time on a RAM DISK). If you are a developer of software that creates lots of temporary files at compile time then again this "large" RAM Disk method is good. Most Ram Disk software create drives with FAT16 as the file system hence the "disk" size is ~2GB (though I doubt most have this much to dedicate to a disk). Ram Disks work well in the NT/2000/XP environment as they have far superior memory management compared with the Win9x/ ME product line.

    As a final note never store important data on your Ram Disk as a system crash may mean a reboot and a reboot means loss of all data on the Ram Disk.
    http://www.comsec.2ya.com/
     
  14. snowman

    snowman Guest

    MAJOR PROBLEM MAJOR PROBLEM


    Ramdisk is totally useless as a solution to this exploit.
    furthermore, due to the enormous amount of information collected and stored by the exploit RAMDISK IS ABSOLUTELY USELESS AS A PRIVACY TOOL


    I was prepared to accept the use of ramdisk as a solution......until doing more experimenting. all of which anyone can re-produce.
    ok,,,,the folders are sent to ramdisk......but someone gains access to the computer and changes the setting in outlook express to have the folders again be sent to outlook express............the newly created folders in outlook express WILL BE FULL NO MATTER HOW MANY TIMES THEY WERE TRASHED BY RAMDISK.....!!!!!
    to experiment I sent the folder to c:\windows\temp then wiped the folders using DOD........closed the window and immediately re-opened a new window...the folders were re-created FULL OF INFORMATION
    my thought was to send the folders to the temp internet folder and have its contents deleted when the browser closed.........pretty much the same as ramdisk in part.....the folder would be in the index dat file and could be cleaned then C wiped......the point is that the folders would have been deleted......but no good...even wiping those folders won't prevent the collection and storage of information that could very easily be obtained by simply changing the setting
     
  15. snowman

    snowman Guest

    Oh yes we do have a very major issue here....it's the collection and storage of information that is the real issue...not the folders or where the folders are kept.

    several times in this thread I said that many privacy tools were useless because of this exploit........and the more I experiment the more truth to that statement un-folds

    a person can send those folders to MARS...but just let someone change the setting...and have the folders be sent back again to outlook express or anywhere on C drive...and the folders are re-created full of information.....this time there was an e mail from M$ in one folder.....fully intact after previously deleting with DOD........
    please prove this to be in-correct....I honestly want this to be a mistake by me.....but it's not
     
  16. snowman

    snowman Guest

    To save time: before someone says: "No, the information would be sent to ramdisk"

    sorry...NO THE INFORMATION IS NOT SENT TO RAMDISK
    in fact, the information is stored in the os...then sent to the folders........no matter where the folders reside...the information remains stored in the os
     
  17. luv2bsecure

    luv2bsecure Infrequent Poster

    Joined:
    Feb 9, 2002
    Posts:
    713
    If what you are saying is true, snowy....and I have no doubt if you have run this a few times - then you are correct in saying the answer to this is still elusive.

    One thing I'm not sure I caught on to - are you saying that when you deleted the folders from Temp or wherever - Ram Disk, other paths than normal --- that the usual system .dbx files were recreated in the normal "Application Data" location? Also, the email from/to Microsoft (I can't remember) when did you receive/write that? Was it AFTER the folders had been deleted - or - are you saying that the newly recreated .dbx files had OLD information in them?

    Of all the messages related to this, I would have to say this bothers me the most.

    Could you get a screen capture - not a paste - of what this looks like when opened in notepad?

    John
    Luv2BSecure
     
  18. snowman

    snowman Guest

    John

    the folders were re-created in C:\windows\temp....which was correct as that was the path

    Did try to copy "some" of the info to post here but won't copy......my system does not have a screen capture installed at the moment....un-installed numerous programs prior to "boxing" it a few weeks ago......but it would present another problem if I took a screen shot......a great deal of personal info would be shown publicly....accounts etc......

    Yes John I fully tested this both using the temp file and the internet temp file.........would not matter

    "OLD" information re-appeared......but strangely the "date" was "NEW"..........same info though
     
  19. snowman

    snowman Guest

    **having a difficult time staying connected..please excuse the numerous posts.****


    JOHN

    Specifically.....NOT ALL of the Old information was re-created..........oddly the info that I manually just plain deleted by delete or edit....as mentioned in one of my earlier posts.....most of that is not being re-created....just bits of it....but with a new date stamp......

    John this is getting way over my head so please you and everyone feel free to throw out any suggestions..

    also......I am again looking at the "STORE ROOT" in the registry........it can be changed.........but here I need help/advice........if changed to c:/mail where would that send it...........this tweak is what I am about to try....and there is no one worse than me about backing up the registry LOL

    call it a feeling but I think the answer if there is one is with the Store Root....
     
  20. snowman

    snowman Guest

    From: "Microsoft Outlook Express Team" <oe5@microsoft.com>
    To: (clip clip clip clip )
    Subject: Welcome to Outlook Express 5
    Date: Sat, 28 Dec 2002 22:55:30 -0500
    MIME-Version: 1.0
    Content-Type: text/html;
       charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable
    X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400


    ***************************************

    John

    this is the M$ e mail that keeps being re-created.....had to clip my name and ip out to post.........also, not able to copy by normal copy................and please remember this e mail has been wiped no less than 10 times/7 wipes each time
     
  21. snowman

    snowman Guest

    WHAT HAPPENS IF:


    "Identity" was deleted from the registry

    and/or


    There was no Path in "Store Root"

    ************

    by deleting Identity would outlook express still be able to send mail......but without the person's name....after all isn't that what setting up an account in outlook ex is..creating an identity?? pop 3 should still work...no loss of connection either.......well?

    Store root: if there was no Path., just where in heck could all the collected info be stored (in Folders) no where!!
    it may still be in the os somewhere but not accessible......and even a new identity was set up.....would it automatically have info..........
     
  22. snowman

    snowman Guest

    just found the above e mail from M$ IN THE REGISTRY

    that's why it won't wipe/delete....but what's this url to M$...why is that also in the registry as part of this e mail...am I supposed to trust M$....M$ just revealed that it has my isp's name...my e mail account......and full steam ahead to spam me........or profile
     
  23. snowman

    snowman Guest

    Its late., and I am tired.....maybe I was way off base in that last post..........the M$ url could be generated when the account was established......as part of outlook exp......someone else will have to tackle that......


    Good Night

    Snowman
     
  24. luv2bsecure

    luv2bsecure Infrequent Poster

    Joined:
    Feb 9, 2002
    Posts:
    713
    Goodnight, buddy. I must tell you that again -- you have worked hard! You NEED some sleep!!!

    Thanks for your hard work - and you think you aren't needed. Whew! What are we going to do with you?

    John
     
  25. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    NO matter how you cut it or try to work with any type of OS or machine language..you will still come down to the fact that recoverability has always been the major goal of any design..building in to it as much redundancy as possible to maintain the structure..the goal has always been to prevent failure and the software industry has struggled with that for many years. Any system is only as secure as its weakest link.

    So it still comes back to this type of information.

    ( I have since lost the site that contained this write up but I am sure someone can find it again to read all of it)
    __________________________

    Secure File Deletion


    You may or may not know that when you delete a file (and empty the recycle/trash bin or similar storage area) that the actual file doesn’t get deleted. It remains on the disk good as gold. This applies to magnetic storage such as floppy disks and the common hard disk.

    Let’s take the Windows operating system as an example since most the world uses it. Most of this however also applies to Linux and Mac.

    When you delete a file what actually happens is that the OS removes the reference to the file from the File Allocation Table (FAT). This reference had the details such as where on the disk the file was. So when the Operating System doesn’t see this it marks that area of the disk as “free space”, but we now know that only the reference is removed, the data physically remains on the disk. Even though the data remains on the disk the OS believes it’s not there, thus the file remains on the disk until another file is created over it, and even after that it might be possible to recover data by studying the magnetic fields on the platter surface.

    Recovering Deleted File

    Since we know that when a file is removed the data still remains, it’s perfectly logical that software utilities exist to un-delete this data back to life. (How else do the Feds do it?).

    Recovery tools do not read the actual file system. They read the contents of the actual disk, thus it can list the “deleted” files and offer an undelete option.

    Files are stored in clusters on the disk. Say/assume each cluster was 8192b in size and you wanted to recover a 14KB file. First the file is stored on two clusters (note, that a file is stored on 1 cluster or more. One cluster cannot hold two files). The recovery tool will simply extract the data in the clusters and actually save it, thus the operating system can see it again.

    Now you can understand why deleting a personal file, or clearing your Internet Cache doesn’t mean it’s gone for ever. This document doesn’t go deep into data recovery. The aim is to make the data non-recoverable.

    Securely Deleting Files

    There are several software tools that will “securely” delete your files. Let’s examine them to see how they work. Rather than deleting your file normally you use a secure deletion tool to do the job. What it actually does is it removes the reference to the file (as Windows does). Then the tool inspects the clusters on which the data exists and overwrites them with random data which is determined by complex mathematic algorithms. One “pass” means overwriting the clusters once and will render most commercial recovery tools useless. However even one pass is considered weak as agencies such as the FBI or CIA (who have the money) can probably recover most of the data. 7 passes is what’s considered as “military” grade. As the number of passes increases the chance of actually recovering the file with today’s technology decreases close to an exponential rate. Most tools allow you to delete files using it, and also “wipe” free space – that is overwriting clusters that were marked as free space. The more passes you select the longer it takes for the task to complete. Also note that most of the on the shelf tools require strict rules to operate. Basically the data you want to recover has to be “perfectly” there on the disk (even though it’s not referenced). Take that 14KB deleted file mentioned earlier and remember how we assumed it was stored on two clusters. Say that you saved another file, and it was saved on one of those clusters. Suddenly for most on the shelf tools that file can no longer be recovered although law enforcement agencies can still recover parts of the file and inspect it for vital evidence.

    Your best chance of recovering a file is when it hasn't been deleted via a secure deletion tool and when you use a recovery tool just after the file was deleted normally. The longer you wait the higher the chance that the operating system has placed a new file over the area you want recovered.

    Formatting the hard disk simply re-creates the file system, again the old data remains on the disk (but the OS can't see it). Some recovery tools can dig into "old" deleted partitions and recover the files that used to be in them.

    Links
    ------

    Eraser - A freeware secure file deletion tool, also wipes free space and has inbuilt scheduler. (Windows)

    Drive Rescue - A freeware application to recover files that were "normally" deleted. Recovers files, and files within deleted partitions. (Deleted partition can be "viewed" and files within recovered)

    Using the above tools you can really understand this concept. Delete a file using Windows, then use Drive Rescue to recover it. Delete a file using Eraser and all you will see is garbled data when you try recovering it using the recovery tool.
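
Added example, not part of the original thread or of the write-up quoted in the post above: a small Python model of the FAT-style behaviour that write-up describes, using its 8192-byte clusters and 14 KB file. The `ToyFatDisk` class, the file names and the marker string are constructed for illustration and do not model any real file system driver.

```python
import os

CLUSTER_SIZE = 8192  # cluster size assumed in the quoted write-up


class ToyFatDisk:
    """Constructed model of a FAT-style volume: raw clusters plus a file table."""

    def __init__(self, n_clusters=16):
        self.clusters = [bytes(CLUSTER_SIZE) for _ in range(n_clusters)]
        self.table = {}                      # name -> (cluster chain, byte length)
        self.free = list(range(n_clusters))  # clusters the OS considers unused

    def write(self, name, data):
        needed = -(-len(data) // CLUSTER_SIZE)  # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        chain = [self.free.pop(0) for _ in range(needed)]
        for i, cluster in enumerate(chain):
            chunk = data[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            # Simplification: the unused tail of the last cluster is zero-filled.
            self.clusters[cluster] = chunk.ljust(CLUSTER_SIZE, b"\0")
        self.table[name] = (chain, len(data))
        return chain

    def delete(self, name):
        """Normal delete: drop the reference and free the clusters; data stays."""
        chain, _ = self.table.pop(name)
        self.free = sorted(self.free + chain)
        return chain

    def secure_delete(self, name, passes=1):
        """Overwrite each cluster with random bytes, then do the normal delete."""
        chain, _ = self.table[name]
        for _ in range(passes):
            for cluster in chain:
                self.clusters[cluster] = os.urandom(CLUSTER_SIZE)
        return self.delete(name)

    def carve(self, marker):
        """Recovery-tool view: skip the table and scan every raw cluster."""
        return [i for i, raw in enumerate(self.clusters) if marker in raw]


def run_demo():
    marker = b"ACCOUNT=constructed-sample"            # constructed test data
    secret = (marker + b";").ljust(64, b".") * 224    # 224 * 64 bytes = 14 KB

    disk = ToyFatDisk()
    chain = disk.write("inbox.dbx", secret)           # occupies two clusters
    disk.delete("inbox.dbx")
    after_delete = disk.carve(marker)                 # both clusters still readable

    disk.write("new.tmp", b"N" * CLUSTER_SIZE)        # reuses the first freed cluster
    after_reuse = disk.carve(marker)                  # only part of the file survives

    wiped = ToyFatDisk()
    wiped.write("inbox.dbx", secret)
    wiped.secure_delete("inbox.dbx", passes=7)
    after_wipe = wiped.carve(marker)                  # nothing left to carve

    return {"chain": chain, "after_delete": after_delete,
            "after_reuse": after_reuse, "after_wipe": after_wipe,
            "listed": "inbox.dbx" in disk.table}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The model covers only what the write-up describes: reference removal, cluster reuse and overwriting. It says nothing about where a mail client keeps additional copies of a message.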
     