DOS: disaster or security? (disk operating systems)
The CPA & the Computer (November is Computer Month)
by I. Craig McKay
Beware! Under the standard format with DOS 5.0, the data is not removed from the disk. It can be recovered by anyone who might obtain the disk.
Computer security has been a topic of great concern to accountants since the introduction of computers into the business world. Great strides have been made with respect to mainframe security during the last two decades. However, the tremendous proliferation of microcomputers has amplified concerns about the security of these machines.
The ability to protect data and programs and the capacity for disaster recovery have improved remarkably. Entire courses (and even certification programs) deal with these topics. Unfortunately, a major problem with respect to microcomputer data security has surfaced. In our minds, this problem is easily corrected with a little bit of information and the initiation of proper microcomputer security procedures.
The concepts discussed here are common knowledge to anyone with a background in computer programming. Most popular microcomputer applications are completely pre-written, requiring no programming modification by users. As a result, there are now millions of users who have little or no background in programming concepts. Consequently, techniques accepted as standard operating procedure on a mainframe are not used as widely on microcomputers. This is especially true with the most widely used operating system (DOS) currently on IBM and compatible machines.
Consider a situation where a CPA firm is working on an audit engagement for a small client. Having a need to use additional disks on the audit, the accountants use some of the disks they carry with them. These disks had been formatted in the office at an earlier time. They have asked the client to copy specific data onto the disks so the accountants may perform additional analyses on the data.
Unknown to the accountants, the disks were not brand new. Instead, they had other clients' data on them, before they were reformatted. In fact, some of that data remains on the disks! With little effort this data can be recovered and viewed by the client the auditors are currently working with.
There are other situations perhaps more likely and less threatening where disks are circulated in an organization with data that may be of a confidential nature.
Several utility programs now exist that can assist in recovering deleted files. They are too numerous to list all of them, but two of the more prominent are Norton Utilities (Symantec Corporation) and PC Tools (Central Point Software). Both programs have utilities that were designed to help recover files that were accidentally deleted. They can also recover files that were intentionally deleted and not meant to be recovered.
All mainframe programmers learn very early in their training that to erase something completely from storage, the pertinent data area needs to be overwritten, usually with blanks or spaces. Sadly, when IBM microcomputers came into existence, the programming for deleting or erasing files did not use this method. Instead, a delete or erase command in DOS simply replaces the first byte of the file name in the root directory with the lowercase Greek character sigma (E5 in hexadecimal code). This indicates to DOS that the file has been erased. DOS then zeros all the FAT (File Allocation Table) entries for that file so the data clusters previously allocated now appear to DOS as free space. (It should be noted here that DOS handles the "delete" and "erase" commands in the same way.)
Even more important than these specialized utilities packages is the recent proliferation of similar utilities with many of the more common operating systems and applications software. This increase in such utilities gives a greater number of users access to undelete utilities, therefore increasing the risk of unauthorized access to sensitive documents. This would include, but not be limited to, the new version of the microcomputer operating system, DOS 5.0, as well as many word processors and other applications packages. Until the release of DOS 5.0 in mid 1991, you normally needed to purchase a separate utility to recover deleted files, or to unformat a disk.
Basically, these recovery programs allow replacement of the missing byte of information in the file name with a new character to make the file name complete in the root directory. This character may be, but does not have to be, the same character as it was before.
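As an added illustration (not part of the article), the following Python simulation reproduces the delete and undelete mechanics just described on a toy FAT12-style volume held in memory: deleting marks the directory entry with E5h and zeroes the FAT chain while leaving the data clusters untouched, undeleting puts the first name character back and re-chains the clusters, and a mainframe-style wipe overwrites the clusters with spaces before deleting. The directory entry offsets follow the real DOS layout; the cluster size, cluster count, file names and sample contents are constructed for the example.

```python
import struct

DIR_ENTRY_SIZE = 32
CLUSTER_SIZE = 16        # real clusters are 512 bytes or more
DELETED_MARK = 0xE5      # byte DOS writes over the first name character
FAT_EOC = 0xFFF          # end-of-chain marker in a 12-bit FAT


def _pad_name(name):
    """'PAYROLL.WK1' -> the 11-byte space-padded 8.3 name stored on disk."""
    base, _, ext = name.upper().partition(".")
    return base.ljust(8)[:8].encode() + ext.ljust(3)[:3].encode()


class ToyVolume:
    def __init__(self, n_clusters=8, n_entries=4):
        self.fat = [0] * n_clusters            # 0 means "free cluster"
        self.fat[0] = self.fat[1] = FAT_EOC    # clusters 0 and 1 are reserved
        self.root = bytearray(DIR_ENTRY_SIZE * n_entries)
        self.data = bytearray(CLUSTER_SIZE * n_clusters)

    def _lookup(self, name, deleted=False):
        """Offset of name's live entry (raises if absent); deleted=True finds its E5h entry (None if absent)."""
        padded = _pad_name(name)
        want = DELETED_MARK if deleted else padded[0]
        for off in range(0, len(self.root), DIR_ENTRY_SIZE):
            e = self.root[off:off + 11]
            if e[0] == want and e[1:] == padded[1:]:
                return off
        if deleted:
            return None
        raise FileNotFoundError(name)

    def _chain(self, off):
        c, clusters = struct.unpack_from("<H", self.root, off + 26)[0], []
        while c != FAT_EOC:                     # follow the FAT to end-of-chain
            clusters.append(c)
            c = self.fat[c]
        return clusters

    def write_file(self, name, payload):
        n = max(1, -(-len(payload) // CLUSTER_SIZE))
        free = [c for c in range(2, len(self.fat)) if self.fat[c] == 0]
        off = next((o for o in range(0, len(self.root), DIR_ENTRY_SIZE)
                    if self.root[o] in (0, DELETED_MARK)), None)   # free or reusable slot
        if len(free) < n or off is None:
            raise OSError("disk or directory full")
        chain = free[:n]                        # first free clusters, as DOS does
        for i, c in enumerate(chain):
            self.fat[c] = chain[i + 1] if i + 1 < n else FAT_EOC
            chunk = payload[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            self.data[c * CLUSTER_SIZE:c * CLUSTER_SIZE + len(chunk)] = chunk
        self.root[off:off + DIR_ENTRY_SIZE] = bytes(DIR_ENTRY_SIZE)
        self.root[off:off + 11] = _pad_name(name)
        struct.pack_into("<HI", self.root, off + 26, chain[0], len(payload))

    def read_file(self, name):
        off = self._lookup(name)
        raw = b"".join(self.data[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE]
                       for c in self._chain(off))
        return raw[:struct.unpack_from("<I", self.root, off + 28)[0]]

    def delete_file(self, name):
        """DEL/ERASE: mark the entry E5h and zero its FAT chain; data untouched."""
        off = self._lookup(name)
        for c in self._chain(off):
            self.fat[c] = 0
        self.root[off] = DELETED_MARK

    def undelete_file(self, name):
        """UNDELETE: restore the first name byte and re-chain, assuming contiguous, unreused clusters."""
        off = self._lookup(name, deleted=True)
        if off is None:
            return False
        first, size = struct.unpack_from("<HI", self.root, off + 26)
        n = max(1, -(-size // CLUSTER_SIZE))
        chain = list(range(first, first + n))
        if chain[-1] >= len(self.fat) or any(self.fat[c] != 0 for c in chain):
            return False                        # clusters reused: unsafe to recover
        for i, c in enumerate(chain):
            self.fat[c] = chain[i + 1] if i + 1 < n else FAT_EOC
        self.root[off] = _pad_name(name)[0]
        return True

    def wipe_and_delete(self, name, fill=b" "):
        # Mainframe-style erase: overwrite the clusters first, then delete.
        for c in self._chain(self._lookup(name)):
            self.data[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE] = fill * CLUSTER_SIZE
        self.delete_file(name)


def demo():
    vol = ToyVolume()
    secret = b"CLIENT A PAYROLL TOTAL 123,456.78"   # constructed sample data
    vol.write_file("PAYROLL.WK1", secret)
    vol.write_file("NOTES.TXT", b"audit notes, draft 1")
    vol.delete_file("PAYROLL.WK1")
    still_on_disk = secret in bytes(vol.data)      # delete left the bytes in place
    recovered = vol.undelete_file("PAYROLL.WK1") and vol.read_file("PAYROLL.WK1") == secret
    vol.wipe_and_delete("NOTES.TXT")
    vol.undelete_file("NOTES.TXT")                 # entry comes back, content does not
    return {"still_on_disk": still_on_disk, "recovered": recovered,
            "after_wipe": vol.read_file("NOTES.TXT")}
```

Calling demo() reports that the deleted file's bytes were still in the data area, that undeleting brought it back intact, and that a wiped-then-undeleted file reads back as nothing but spaces. undelete_file refuses to rebuild a chain whose clusters have since been reused, which is also the main reason real recovery utilities fail once new files have been written.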
The same process is available if a directory is removed. DOS treats subdirectories the same as files, when it is trying to locate them.
What concerns are there if you do not use DOS but rather use only Lotus 1-2-3 or some similar program? Lotus 1-2-3 and most other new applications packages (spreadsheets, word processing, and database to name but a few) use DOS to delete or erase their files, creating the same problem. Recovery is as simple as described above.
An additional concern is now raised with the introduction of DOS 5.0. This upgraded version of DOS contains a number of utilities licensed from Central Point Software, the makers of PC Tools. These include the "Mirror," "Undelete," and "Unformat" utilities, which have compounded the security issues greatly.
Until recently, reformatting the disk was the simplest method for handling these concerns. This would make sure the disk was truly wiped clear of all data. However, with the introduction of DOS 5.0, this becomes a questionable approach at best, and perhaps even exacerbates the problem.
The simplest method to prevent such a problem is to never reuse disks, simply trash them once used. Although this would probably please the company officers in charge of security, it leaves much to be desired. With the massive emphasis on cost control in these economically tight times, this would be an unacceptable approach in most companies.
What then can be done to counter this very real and dangerous concern (for the company's financial health--and perhaps existence)?
We have simplified our explanation to ease the understanding of the problems. However, the facts are explained to help in understanding why some methods will be more secure than others.
Basics of Microcomputer Disks and Disk Operating Systems
Before we go any further we will describe the physical and logical characteristics of microcomputer disks. This is so you know what is happening when you format your disk or delete files.
Information is stored on a disk in physical locations called sectors. However, as there can be hundreds of thousands of these sectors on a disk (for instance, 288,000 on a 144 megabyte (MB) hard disk), DOS groups them together into clusters. This way DOS can keep track of all sectors without using a great amount of memory to do so. The number of sectors per cluster varies with the type of disk being used.
Every disk, whether fixed or floppy, contains two main areas: the system area and the data area. The system area enables the operating system to find files and directories in the data area.
The system area on a floppy disk consists of three sections: 1) the boot record, 2) the file allocation table (FAT), and 3) the root directory.
Boot Record: The boot record always occupies the first sector of a floppy disk and enables the operating system of the host computer to identify the disk. This is because the boot record contains a list of the key logical and physical characteristics about the disk. These include the type of disk, bytes per sector, sectors per cluster, number of sectors, etc.
Also, the boot record consists of a short machine language program that starts the process of loading DOS into memory.
FAT Table: The file allocation table is a form of directory because it keeps track of all the clusters in the data area of the disk. It assigns a status to each cluster which indicates to DOS one of three things: 1) that the cluster space is free, 2) that the cluster is bad (i.e. can't be used by DOS, often because of a physical defect on the disk), or 3) that the cluster space is already in use.
Root Directory: This is the main directory. When you use the "DIR" command at the "A:>" or the "C:>" prompt, you will get a list of all the subdirectories and files that are in the root directory. Information stored in the directory includes the file names (including any extensions), file sizes, and dates and times. The dates and times indicate when each file was last saved, which can mean the file might have been changed on that date. Also, DOS places a hidden entry (meaning it cannot be seen by the standard DOS "DIR" command) in the root directory which includes the starting cluster number for each file and subdirectory in the root directory.
DOS requires a very specific order of these three parts of the system to be placed on the floppy disk. First is the boot record, then the FAT table, and third is the root directory.
The data area comprises the largest section of any disk and is the storage area for files and sub-directories. Apart from the root directory, DOS recognizes other directories (or subdirectories) as special types of files, and uses the same way of finding them as it does for files.
Everything stated above for floppy disks is also true for hard disks (or drives), with one difference. Until version 3.2 of PC DOS and version 3.3 of MS-DOS, the largest disk size that DOS could handle was 32MB. The solution around this limit was to partition the hard drive into multiple logical drives so that no partition or section would be greater than 32MB. On a hard disk that is partitioned, DOS places the partition table in the first sector of the hard drive. This will usually be on hard drives larger than 32MB. Although later versions of DOS do not have this limitation, there are still millions of machines that have partitioned hard drives. After the partition table, the other three parts of the system will follow.
As previously mentioned, this system information enables DOS to find files in the data area of the disk. If any of these are missing, and you try to access the disk, you will get one or more of a number of possible error messages. Two of the more common messages are:
* "Non-system disk or disk error replace and press any key when ready"; and
* "Bad or missing command interpreter."
The message you receive will depend on the error that has occurred. Different versions of DOS may also give you differently worded messages.
Every disk must be physically formatted before it can accept any data for storage. During a physical, or low-level format, a number of items of data are written to the disk including sector addresses. A physical format destroys all data on a disk including the system area. Generally, hard disks come physically formatted from the factory and only require logical formatting before use.
A logical format resets all information in the system area so that the disk is ready for new data. This involves the operating system resetting the system area of a disk, including the boot record, the FAT table, and the root directory. The existing data area is not overwritten. However, the system or bookkeeping information has been reset so that DOS doesn't know where any of the old data files are.
All versions of DOS prior to 5.0 used to perform a physical and logical format on a floppy disk every time the format command was used. However, DOS 5.0's format command now only performs a logical format. The user can specifically instruct DOS 5.0 to perform both types of format, using a special switch on the format command: "format a: /u," which instructs the operating system to perform an unconditional format on the disk in "A:" drive. This involves writing over all bytes on the entire disk (physical format), and resetting the system area (logical format).
Through version 4.1, DOS did a format that made recovery of data on a floppy disk impossible. This was because it did a physical format first, and then automatically followed with a logical format. This results in both the FAT table and the root directory being filled with zeros, and every byte in the data area being filled with the value F6 (hexadecimal).
This process of logically formatting the disk without a physical format is also called a "safe" format. That is fine, as long as your intent is to recover data lost to a format command. However, it also means that people who should not have access to the data may be able to recover it.
This data can be viewed by using the "view/edit" utility on PC Tools (version 7), and the "disk editor" utility on Norton Utilities 6.01. Since DOS 5.0 is now using utilities licensed from the developers of PC Tools, you can also unformat just using DOS. To do this, use the DOS 5.0 "UNFORMAT" command.
Just as there are some utility programs capable of recovering deleted files, there are some capable of extracting data from formatted disks. Again, two of the most widely used are Norton Utilities and PC Tools. Their format commands save the system information contained in the boot record, FAT table, and root directory into a separate, hidden file which cannot be erased by the standard DOS delete command.
Norton Utilities uses an IMAGE.DAT file and PC Tools uses a MIRROR.DAT file to store the vital system information. Norton Utilities (version 6.01) uses an "UNFORMAT" command to recover disks that have been accidentally or intentionally formatted. When "UNFORMAT" is used, it first looks for an IMAGE.DAT file. This file is created when a disk is formatted using Norton's "SAFORMAT" command, or when the "IMAGE" command is invoked. UNFORMAT also works without the IMAGE.DAT file and can reconstruct a disk based on the data files it finds. However in these circumstances full recovery is unlikely.
Another feature of Norton's UNFORMAT is that it can work with MIRROR files created by PC Tools or DOS 5.0. These files contain the same vital information as IMAGE.DAT and are therefore just as valuable. The PC Tools (version 7.01) "UNFORMAT" command works in the same way.
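As an added illustration (not part of the article, and not the code of DOS, Norton Utilities or PC Tools), this Python model shows the difference between the three operations discussed above on a toy disk held in memory: a safe (logical) format that saves the system area to a mirror record and then resets it, an UNFORMAT that restores the system area from that record, and an unconditional format that also overwrites the whole data area with F6h. The carve_ascii method plays the role of a sector viewer and shows what stays readable in each case. The disk geometry, file names and contents are constructed; the mirror record stands in for MIRROR.DAT or IMAGE.DAT.

```python
import struct

SECTOR = 32                 # tiny sectors keep the example small
SYSTEM_SECTORS = 3          # boot record, FAT, root directory
DATA_SECTORS = 8
FORMAT_FILL = 0xF6          # byte DOS writes across a freshly formatted data area
ROOT_OFFSET = 2 * SECTOR    # third system sector holds the root directory
ENTRY = struct.Struct("<8sBB")   # name, first data sector, length in bytes


class ToyDisk:
    def __init__(self):
        self.system = bytearray(SECTOR * SYSTEM_SECTORS)
        self.data = bytearray(SECTOR * DATA_SECTORS)
        self.mirror = None          # stands in for MIRROR.DAT / IMAGE.DAT

    def entries(self):
        """(name, first sector, length) for every root directory entry."""
        out = []
        for off in range(ROOT_OFFSET, len(self.system) - ENTRY.size + 1, ENTRY.size):
            name, start, length = ENTRY.unpack_from(self.system, off)
            if name[0] == 0:        # empty slot ends the listing
                break
            out.append((name.rstrip(b"\0"), start, length))
        return out

    def write(self, name, payload):
        entries = self.entries()
        start = max((s + -(-l // SECTOR) for _, s, l in entries), default=0)
        if start + -(-len(payload) // SECTOR) > DATA_SECTORS:
            raise OSError("disk full")
        self.data[start * SECTOR:start * SECTOR + len(payload)] = payload
        ENTRY.pack_into(self.system, ROOT_OFFSET + len(entries) * ENTRY.size,
                        name.encode(), start, len(payload))

    def read(self, name):
        for n, start, length in self.entries():
            if n == name.encode():
                return bytes(self.data[start * SECTOR:start * SECTOR + length])
        raise FileNotFoundError(name)

    def safe_format(self):
        """Logical ("safe") format: snapshot the system area, then reset it.
        The data area is not touched."""
        self.mirror = bytes(self.system)
        self.system[:] = bytes(len(self.system))

    def unconditional_format(self):
        """FORMAT /U: reset the system area and overwrite every data byte with F6h."""
        self.system[:] = bytes(len(self.system))
        self.data[:] = bytes([FORMAT_FILL]) * len(self.data)

    def unformat(self):
        """UNFORMAT with a mirror record available: put the saved system area back."""
        if self.mirror is None:
            return False
        self.system[:] = self.mirror
        return True

    def carve_ascii(self, min_len=6):
        """Printable runs in the data area, directory or no directory: the view
        a sector editor gives of a safely formatted disk."""
        runs, cur = [], bytearray()
        for b in self.data + b"\0":             # sentinel flushes the last run
            if 32 <= b < 127:
                cur.append(b)
                continue
            if len(cur) >= min_len:
                runs.append(bytes(cur))
            cur = bytearray()
        return runs


def demo():
    secret = b"CLIENT B: TAX LIABILITY 98,765"   # constructed sample content
    d = ToyDisk()
    d.write("TAX", secret)
    d.safe_format()
    listing_gone = d.entries() == []            # DIR shows nothing...
    carved = d.carve_ascii()                    # ...but the bytes are still there
    restored = d.unformat() and d.read("TAX") == secret
    d.unconditional_format()
    carved_after = d.carve_ascii()
    d.unformat()    # the earlier mirror record brings the bookkeeping back, not the content
    return {"listing_gone": listing_gone, "carved": carved, "restored": restored,
            "carved_after": carved_after, "after_u": d.read("TAX")}
```

demo() shows the two halves of the argument: after a safe format the directory is empty yet the client's text is still carvable from the data area and UNFORMAT brings the file back whole, whereas after an unconditional format nothing readable remains and even a restored directory entry points at nothing but F6h bytes.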
One way to solve this problem is to follow the standard procedure for mainframe computers. This is to fill the area previously occupied by the file with blanks or some other characters. There are a number of professional utilities that will do this easily. "WIPEINFO" from Norton Utilities is an example of this type of utility.
Do not be lulled into complacency by false security in blanking files using the operating software. From experience we can assure you that most applications packages handle information the same way as DOS does. Although DOS may no longer be able to get to the data, that data is still very much there. Many professional utilities packages will allow recovery of the data. Usually, these will require a deeper knowledge of microcomputer techniques.
The accompanying flowchart has been designed to assist you in deciding what procedure would work best for your situation.
Still another method would be to get a degaussing machine which physically removes all magnetically recorded data from the disks. If there are large numbers of disks that need to be cleared, this can become a cost effective method.
A simple but effective way to be sure all disks are formatted unconditionally would be to make a small batch file. This file would be called "format.bat" and have only one line in it. That one line would call a renamed copy of format.com. To begin, rename format.com to xformat.com (or some similar name). The one-line batch file would then contain "xformat A:/u", assuming your formatting normally takes place in drive A.
In order to safeguard company and client data, proper microcomputer security procedures need to be initiated. Since the new version of DOS has changed the way formatting disks is handled, we recommend that you unconditionally format (using the "/u" switch on the DOS 5.0 FORMAT command) all disks when the data is no longer needed. However, there are times when this cannot be done.
An example of this is if the data you want to eliminate is on your hard drive. Admittedly, an unconditional format on the hard drive would adequately remove the data. Just the same, this is likely to make you the least popular person in the office. Few people will appreciate having to lose all their work because the hard disk was formatted.
We have discussed alternative methods of providing for better security when removing old data from disks. The particular method used will depend on the circumstances. Each organization will have varying needs.
If these simple instructions are followed, a major security concern with respect to your microcomputer systems will be removed.
The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.