It is but common that System Managers, Information Technology Management Asset Owners, DBAs, CISOs, etc; face with the threat of losing data available in the IT Assets due to various reasons. The Strategies to maintain RPO and RTO in the Management Plan as part of BCMS is again the charter of these Managers/Owners. (Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are two of the fundamental concepts in Business Continuity Management System (BCMS)). These Managers/Owners perform extra-digital activities do undertake ‘Damage Control’ when encountered with Non-Standard Risks. One such threat is the reduction of Files and Folders to ZERO KB (or 0 Bit/Byte Files).
What do ‘zero bytes’ mean?
“Zero bytes“ simply refer to ‘no space and data left‘. If a hard disk shows ‘0 bytes’, it means that the hard drive has become RAW and has zero space to store more data. Further, at the same time, if a File earlier was of some size more than ‘0’, and now has become ‘0 KB’, this tantamount to an infection or corruption. When one right-clicks the Hard Drive/Storage and opens the ‘Properties’, it shows you that there are ‘0 bytes’ of used space, free space, and capacity. One cannot write and add data in the internal or external hard drive inspite of the storage medium showing ‘0 Kb’. Sometimes, you might receive an error message reading “Access Denied Error“. This is but a form of corruption that has taken place on a healthy Storage Medium. Similarly, a file cannot exist as ‘0’ KB; this occurs when an external execution is operated on it (or the cluster/sector on which it was associated has been infected). [There is no concept of a 0 kb file, as there are attributes and metadata that is associated and they cannot disappear or go missing in thin air.]
The ‘Principles of Component’ theory; does not allow a scenario in which a file with some data or a folder with few files changing to a “ZERO KB” file or folder, without it being manipulated upon. This manipulation or corruption on files/folders/storage is possible due to three dependencies: (a) the file itself being operated upon, (b) the pointer to the file and the medium on which the file/data resides is operated upon, (c) the Storage Medium is operated upon (or the File System is operated upon).
The Logical Inference
Hence, what could this form of behaviour be? Coming back to the file turning into a “zero kb” file; we can intuit two Logical Inferences:
Firstly; If a file is created and the same is provided a name (let’s say a MS Word (.docx) document), then a few sentences are typed in the body and then the sentences are deleted, further we save and exit. We find on ‘right click’ of the file, in the ‘properties’; that the file has some size and is never a ZERO KB (BIT) file. This is because a file will draw a few attributes from the Application/OS and, also associate a few Meta Data as also the attributes (like ‘Name of the File’, Extension, etc) and then build a consolidated space model and project it as the space occupied on the medium (even if the body text is Zero).
Secondly; It can also be inferred that those files on a storage medium, which were of a certain file size abinitio once, cannot turns to a ‘Zero KB’ file, as this does not vacate any space on the medium/storage device (Hard Disk). This then has no logic of a file turning literally ‘Zero KB’ of size.
Historical Details
The creation of a ‘ZERO KB’ file, may have been done by many of us at the ‘Programming School’ when the “ustaad” would have throws at us challenge, as part of the upskilling classroom activity. There are many ways that one can manually create a ‘zero-byte’ file: for example, saving empty content in a text editor, using utilities provided by operating systems, or programming to create it. On Unix-like systems, the shell command “$ touch filename” results in a ‘zero-byte’ file filename. This is apart from the process in which a program creates a file but aborts or is interrupted prematurely while writing to it.
However, there are scripts and codes that can perform operations on Files and Folders (Data) that were abinitio of a certain size; then operated upon to show ‘Zero kb’. Well, these are act of Malicious intent.
The concept is very simple, while creating a ‘zero kb‘ file; the “write” is nothing but cached in memory and this is only flushed to disk at a later time (page cache), a program that does not flush its ‘writes‘ to disk or terminate normally may result in a ‘zero-byte’ file. When the ‘zero-byte’ file is made, file system does not record the file’s content on storage, but only updates its index table.
Now the explanation to reduction of a ‘Sized‘ file to ‘Zero KB‘ file: A file is but binary ‘Zeros and Ones‘ held in an array sharded internally to a storage media. Further, the pointer to these sharded ‘zeros and ones‘ is connected by address pointers from segments/sectors which is the related ‘first bits and the last bits‘ in the series. Subsequently, the index table holding the address to the first cluster/sector/segment, that then connects the pointers. If at any stage, one can disturb the pointer to the index, and corrupt the addresses to each of the sharded details– the aim is achieved. (This is possible by a malicious action using codes).
Coming back to the history of this form of attacks. This problem was earlier reported on Windows System back in year 2011. This has also been observed in Linux Systems. We observe that any file format can turn corrupt or any selective pattern can be turned corrupt by infecting them selectively and reducing them to ‘0 Kb‘ (Zero Kb/Bytes).
Why Files Become 0 Bytes?
There is no other Logical Reason, to the cause of a file or a folder or a Storage Medium becoming ‘0 Bytes’; other than for the fact that the file has been operated upon, thereby resulting in a ‘0 Kb’ File . After deliberation, one is able to attribute Three Postulates to ‘Why a File/Folder/Storage Medium shows Zero Bytes (or 0 KB)’.
Postulate 1: Hard Drive Shows 0 Bytes
Any Storage Medium always run the risk of inherently becoming corrupt by default due to mechanical or digital errors; or explicitly being operated upon to result in corruption by design. Bugs or Codes can also be persistent and act incrementally to perform clandestine actions to slowly reduce the Storage Medium in showing “0 Kb“. This can be through the concept of the ‘Dominos Effect’ action. This act can also be a ‘Shoot to Kill‘, action, instead of slow poisoning process.
Hard drive (Storage Medium) “0-byte” is also obvious primarily because of hard drive (Storage Medium) corruption. Several factors can result in the corruption of the hard drive (Storage Medium). The following are some of those factors:
-
-
- Malicious software infection and virus attack
- Formation of bad sectors on the hard drive
- Unexpected computer system crash
- Interruption when resizing the hard drive partitions
- Improper shutdown or sudden power outage of the PC
- Improper removal of the external hard drive, without safe permission
-
Postulate 2: Selective Files turning to 0-byte
If a Selective set of files in a packeted chunk is corrupted, it shows you zero-length or zero bytes; this is a resultant of external operation on the files. Many factors can result in zero-length files:
-
-
- A Targeted Malicious or Virus Attack
- Improper management of RAID or Fluctuations in Spin Speed while ‘read’ or ‘write’
- The interruption when transferring, downloading and uploading files
- The interruption when creating the program files
- The index table in the file system is corrupted
- Malicious insertion of a Bug or a Virus, or persistent malicious code triggered by an event or time
-
Postulate 3: Files turning to 0-byte
If files in random nature is corrupted, especially in a sharded ecosystem, it will show zero-length or zero bytes of random files. Many factors can result in zero-length files:
-
-
- Malicious insertion of a Bug or a Virus, or persistent malicious code triggered by an event or time
- Formation of bad sectors or the cluster on the complete storage space
- Unexpected computer system crash
- Improper shutdown or sudden power outage of the PC
- Improper removal of the external hard drive, without safe permission
- A Targeted Malicious or Virus Attack
- Improper management of RAID or Fluctuations in Spin Speed while ‘read’ or ‘write’
- The interruption when transferring, downloading, and uploading files
- The pointers/links/indexes in the file system is corrupted
-
Conclusion
In general, System Managers/System Owners/CISOs, do not pay much attention to the size of files or folders, unless there is an encounter while retrieving of the specific file/packet/data/storage. But these stakeholders will be worried when the size of these file/packet/data/storage turn to ‘zero Kb‘. There are recovery methods available through Enterprise solutions, to recover or re-map the file/packet/data/storage. However, it is best to identify the cause, especially for any backdoor/virus/bug/storage defects/program file errors/Program file corruption/Malfunction/etc; before resorting to its management. There is a possibility of an APT being embedded into the Enterprise Network/Data Center; which is causing the files turning corrupt. In such eventualities, one should be able to fix the cause first. Subsequently, restoration of the 0-byte files can be handled. The sensitization action is a dire essential, when this Non-Standard manipulation is noticed with in the Enterprise. Sanitization actions both at Storage and Application/OS level prior to the restoration through Enterprise Solutions or by restoration from DR or DAT or Mirror is also to be undertaken as a practice.