Does Eraser totally defeat RMF?

[spy1]

I ask because I've just become interested in this subject after seeing what a program like yours can recover after running all my "normal" clean-up type programs (CleanCache, CCleaner, SBS&D and Index.dat Suite). Also please note that both NTRegOpt and SysInternals "PageDefrag" were run prior to using your recovery tool, plus, Windows is set to clear the pagefile at shut-down/re-start).

I could illustrate what I mean with screenshots, if you wish - suffice it to say that numerous files that had supposedly been "over-written" (multiple times, at that) using the four programs mentioned above were all alive, well (supposedly recoverable), and easily identifiable as having been on the computer after running a tool such as your program (which would kind of shoot any kind of "deniability" - not to mention your credibility - down in flames were one to claim not to ever have had said files on one's computer to start with).

Running Eraser, OTOH, certainly seemed to - at the very least - "erase" the individual file names (replacing them with all zeroes) - but due to articles such as this:
http://www.forensics-intl.com/def11.html
and this:
http://www.pcguide.com/ref/hdd/file/ntfs/archMFT-c.html ,

I really have to wonder if there is any way to truly "erase" all vestiges of any file you have or d/l onto your computer (to a certainty of every single trace of it being "gone" or "un-recoverable" by any means) - especially when you get into all that geeky-sounding stuff about non-resident attributes; additional MFT records; extents that lie outside the MFT; MFT "slack"; file slack; RAM slack, etc., etc, etc.

So, my question to you is what the thread title was - Does Eraser totally defeat your file recovery program if Eraser is set to over-write

(a) Free Disk Space (and Master File Table Records)

(b) Cluster Tip Area

(c) Directory Entries

- or not?

Referenced programs:

Eraser Version 5.7 - http://www.heidi.ie/eraser/

CleanCache v3.2 - http://www.buttuglysoftware.com/

CCleaner v.1.28.277 - http://www.ccleaner.com/

SBS&D v.1.4 - http://www.spybot******/en/index.html

NTREGOPT v.1.1j - http://www.larshederer.homepage.t-online.de/erunt/

PageDefrag v.2.20 - http://www.sysinternals.com/Utilities/PageDefrag.html

[GDH]

Cleaning a drive of unwanted data is quite a complicated task because Windows has many places where it keeps records of user activity (registry, file slack, MRU lists, swap file, dump file, etc, etc).

There are a wide number of tools available, some better than others. When evaluating these products I always suggest that you run Recover My Files (www.recovermyfiles.com) afterwards to see what comes back. However, having said this, Recover My Files is a data recovery tool and is not necessarily concerned about checking for such things a left over file names in run lists. The only true way to determine how well the program works its to use Computer Forensics software to do a thorough review of what information is left.

Personally, I use Secure Clean, from www.wipemyfiles.com.

Its much easier to wipe an entire drive, as this is the simpler process of writing 0's from begining to end. A program to do this is Wipe Drive from www.wipemyfiles.com.

[spy1]

Okay, then perhaps you can answer a specific question:

After running RMF subsequent to running Eraser, why do the results say that the "Recovery" possibilities are "Very Good" when all the file names found are all zeroes, and all the file sizes are listed as zero?

If everything truly is all zeroes, how does it get recovered? Do the number of erasing passes made make a difference? (I only ran one pass with Eraser).

What am I missing there?

[GDH]

Hi,

I have not used Eraser and it is not one of our products so I dont know much about it.

The file and folder names are held within a table at the start of the disk called the MFT (Master File Table). In order to totally wipe the file names it is necessary for a wiping program to scan throught the MFT, find all the deleted files and erase the MFT record for each file.

The erasing program also must then go out to the data area of the disk and erase the actual data.

It sounds like the program you are using has not erased the MFT records properly. It probably has erased the file data, so it is likely that the onlything you would get back is the name of the file but when it is recovered it would be empty.

[spy1]

Quote:

Originally Posted by GDH

The file and folder names are held within a table at the start of the disk called the MFT (Master File Table). In order to totally wipe the file names it is necessary for a wiping program to scan throught the MFT, find all the deleted files and erase the MFT record for each file.

Okay, so your program (SecureClean) - it goes through the MFT, finds all the deleted files and erases the MFT record for each file - un-equivocally? Erases it with how many passes? It's not simply "deleting" the info, right?

Quote:

Originally Posted by GDH

The erasing program also must then go out to the data area of the disk and erase the actual data.

That sounds a little backwards from the way I'm doing it here - I "erase" all the disk-data first (by using the clean-up programs previously mentioned except Eraser), then when I run Eraser, it knows that everything previously "erased" by the other programs is now available free-space to be erased by it during the free-space wipe, thus clearly delineating which MFT record entries should be erased.

Quote:

Originally Posted by GDH

It sounds like the program you are using has not erased the MFT records properly. It probably has erased the file data, so it is likely that the only thing you would get back is the name of the file but when it is recovered it would be empty.

Isn't what my screenshot's showing the MFT record? Or was that registry - or simply disk - info? That may be where I'm getting confused. How can I tell? (The two named files in that screenshot were only there because I forgot to shut FireFox down when I ran the scan - that hadn't been previously "erased" by any of the programs involved, IOW).

Thank you for answering my questions, BTW - I find this kind of stuff pretty fascinating, now that my eyes have been opened to it. Pete

*Did we forget about the "why does RMF mark the zeroed-out files as having a "Very Good" chance for "Recovery"?" question?

[GDH]

The "rating" for Recover My Files is a measure of whether the file you are trying to recover has been overwritten with other data. Only one file can occupy a storage cluster at any one time.

If a file is partly overwritten it is corrupted and may or may not open depending on what parts and how much of the file has been overwritten and destroyed. If a file is totally overwritten by other data then it is lost for good.

When Recover My Files looks at an MFT record for a deleted file, the MFT record tells Recover My Files in what clusters the file data resides. Recover My Files then checks all the other MFT records for active files to see if the clusters used by the deleted file are also used by an active file. If the answer is yes, then the deleted file has been overwritten. It is possible to work out how much of the file has been overwritten, which is how the rating scale is determined (eg. overwritten means that all the clusters used by the deleted file are now used by an active file and thus it can no longer be recovered.)

[spy1]

That's about what I thought - parts of those records are still there, then.

Okay, the other thing I've been wondering about is something I can't link you to (because I've forgotten where I read it) about the fact that the MFT doesn't get destroyed even in a complete low-level hard-drive format?

Is that correct, or myth?

And - how much data do the BIOS and the printer memory retain? Pete

[GDH]

A low level format will destroy everything on the drive. However, its not exactly a straight forward exercise, which is why there is a market for programs like WipeDrive, www.wipemydrive.com.

There is a lot of information on the web availalbe about low level format for different types of drive, eg:

http://www.seagate.com/support/kb/di...lfmt_what.html

I dont think there is a anyting of relevance in the BIOS.

It is possible with some printers to get the last printed documents out of the buffer.