Computer Security Warning Dangers of Zero Length Files

Fig. 1. Zero Lenght Files in Windows 98SE Catch Folder.

Many Personal Computers (PC) users mistakenly believe that when a file delete command is executed, all selected files will be instantly and completely deleted. Unfortunately that is not so. Ever since the earliest days, PC programs suffered from some serious deficiencies. Many of this is inherited from earlier CPM and DOS systems and other past endeavors. Not only this erratic behavior never gotten corrected many unscrupulous entities are taking advantage of this seemingly permanent flaw.

Since the beginning, and by definition, all files under the DOS operating system were marked deleted by a single marker byte written into the table of content. Various technical names were used for that table. In essence, none of the deleted files were ever physically obliterated, and all are still there waiting for their resurrection. The only time undelete was not or only partially possible, when newly created files used up some of the space that was marked free by the file delete byte.

Similar unpleasant happenings are observable in the folders usually referred to as "Catch Folders". Many of these files selected for deletion are not deleted by the web browser, or by many additional programs. Some of these survivor files have some protection attributes, or expiration dates usually set into the future. Many other undeletable programs use this flaw for their protection. Zero length files - Figure 1 - are not deleted by the most operating systems, since by definition - when a file has zero length, there is no file. In theory that is so.

In practice, since many operating systems used a granular storage space with fix resolution, every file ever written was always used up at least one storage unit. The smallest granule, or file unit size, is always the ratio of the maximum disk (partition) size divided by the maximum number of allowable uniquely identifiable storage units. If a user file contained only a single letter "A", it still resulted a file size of whatever the granularity of the operating system and available disk size determined. Into such a file the letter "A" was written, followed by the End Of File (EOF) character. All other following bytes were left as they were previously. On small floppy disks for a similar file, it is possible to use only 256 bytes, but on some hard drives 32 or 64K was (is) still required.

The way zero length files can store damaging information is that first they write the data into a file, then they move the EOF marker to the first character position. Unless there is not much free space available on that drive, the clandestine information happily survives. Even on disk copies, zero length file usually carefully protected and survive, as some time ago they were used as a file copy protection scheme. Even disk defragmenter programs avoid disturbing zero length files and carefully works around them.

Some of these files are used like cookies, others are more malicious, but none of them is used to your benefit. To see what is in these files, you have to change the EOF marker to the end of the granule, and then the file will be readable. One easy way to inspect them is by using some disk utilities, one of which is part of Norton Utilities, others are available as freeware or shareware on-line. Inspect your catch folders often, I do it always before going on-line, and show no mercy to any and all zero length files. Opening mail in a mail client program also result in many zero length files.