
dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
reply to jansson_mark

Re: Hold on a second...lets clarify!

said by jansson_mark:

1) The quote clearly says, that Eraser does not wipe the file names from MFT in FAT.
That's sort of weird, given that FAT doesn't use the word 'MFT' for its structures, it uses 'File Allocation Table' for the storage allocation mechanism. In FAT, the name of a file lives in its parent directory, and nowhere else - right? So there is nothing like the MFT anyway.


spy1
Welcome to Amerika
Premium
join:2002-06-24
Charlotte, NC

1 edit

1 recommendation

reply to jansson_mark
 
Seems to me that Eraser says quite specifically that it does erase the Master File Table records (see screenshot) - this from the Eraser "Help Topics":

"What Does It Do: When Erasing Unused Disk Space

But what is it that Eraser does to clear unused space on your disk? And where this unused space can be found?

If you have not disabled the option to erase cluster tip area (generally, there is no reason why you should disable this option unless the drive uses FAT file system and is compressed; see Overwriting Properly), Eraser will start by clearing this unused space from each file on the selected drive.

When a file is loaded in memory by some application or by the operating system (or opened without file sharing), its cluster tip area cannot be overwritten and you will receive an error because of this. To reduce the amount of locked files into a minimum, you should close as many applications as possible before erasing unused disk space and even then the files locked by the operating system cannot be accessed.

After taking care of the cluster tips, it is time to overwrite the free space on the drive. If your drive is equipped with a file system that supports quota and the space available to you is limited (i.e. the space available to you is smaller than the free space on the drive), you cannot erase unused space on that drive and should ask the administrator to do it instead.

To overwrite the free space, Eraser creates a temporary directory, which it fills with files (these are deleted after the erasing is finished). Multiple files are used because it is faster than creating one huge file. Data will be written until there is no more space available on the drive. This procedure may take a long time if the free area is large and it may slow down your computer substantially; especially if the paging file (swap) is located on the selected drive. This is another reason why you should close all applications before erasing unused space.

If you are running Windows NT or 2000 and the file system on the drive is NTFS, Eraser will next overwrite the free space on the Master File Table (MFT). The reason why this is done is that on NTFS file system, clusters are not necessarily allocated for files smaller than the size of a MFT record, but the file is stored completely in the MFT (the file is then said to be resident). If you have insecurely deleted such a small file, the free space on the MFT still may contain the file body and therefore, it must be erased as well. Windows 9x does not support NTFS file system so this step will be skipped.

Finally, the names of all previously deleted (or erased) files will be overwritten. On FAT{12,16,32} partitions this is done by going through all directory entries and overwriting deleted file entries. On NTFS partitions (Windows NT and 2000 only), Eraser creates maximum length files until the unused entries in the Master File Table are overwritten."

In addition to erasing unused disk space, you can also set the paging (swap) file to be overwritten on Windows NT and 2000. Using the General Preferences window you can enable this Windows NT security feature that overwrites all unused portions of the paging file when shutting down."

I've never found anything recoverable in the outputs of programs like Recuva, FileRecovery, Restoration, etc. BUT none of those programs is telling me in a clearly understandable manner whether the file names of the files that've been deleted in the MFT have been over-written or not.

Eraser, Clean Disk Security, etc. ALL come up with a list of files that couldn't be erased due to having been locked by the operating system at the time of the run - are the previously deleted files' filenames there? Only God (and perhaps M$ ) knows.

That's my entire point - if we had a piece of software that would - IN PLAIN ENGLISH - produce ALL the file names to be found in any given computers' NTFS MFT, then we could simply run it, then go through our regular erasing routine (whatever that might be) and then run that software AGAIN to see if the NAMES of those files are still there in the MFT.

I really can't believe that this is SO hard to understand -OR that the reason it would be so useful is so hard to understand.

If nothing else, it would let everyone know (a) what file names ARE in any given MFT and (b) if someone's "erasing" program IS actually doing what it claims to be doing in relation to the MFT information.

In the meantime, I've spent more-than-enough time talking about this - NOR am I the ONLY one interested in such a piece of software, as indicated by several other peoples' posts.

I'm just going to kick back and see if anyone who can program such a piece of software is interested (hope springs eternal, etc., etc.). Later, guys. Pete

*Added screenshot of CDS doing its thing on the MFT - bye now!
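The before-and-after check requested in the post above, as an added example that is not part of the original thread or of any tool named in it: a minimal Python parser that lists the `$FILE_NAME` entries of every FILE record in a raw copy of `$MFT` and reports which records are not marked in use. It assumes 1024-byte records, reads only resident `$FILE_NAME` attributes, and uses hypothetical function names; the sample records are constructed.

```python
import struct

RECORD_SIZE = 1024  # assumed; the real record size is given in the volume boot sector
ATTR_FILE_NAME, ATTR_END, FLAG_IN_USE = 0x30, 0xFFFFFFFF, 0x0001

def apply_fixups(rec):
    """Undo NTFS sector fixups: restore the last 2 bytes of each 512-byte sector."""
    rec = bytearray(rec)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    for i in range(1, usa_count):
        end, src = i * 512, usa_off + 2 * i
        if end > len(rec) or src + 2 > len(rec):
            break                                   # malformed header, stop
        rec[end - 2:end] = rec[src:src + 2]
    return bytes(rec)

def parse_record(rec):
    """Return (in_use, [names]) for one FILE record, or None without a FILE signature."""
    if rec[:4] != b"FILE":
        return None
    rec = apply_fixups(rec)
    off, flags = struct.unpack_from("<HH", rec, 20)   # first attribute offset, record flags
    names = []
    while off + 24 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen < 24 or off + alen > len(rec):
            break
        if atype == ATTR_FILE_NAME and rec[off + 8] == 0:   # resident attribute
            clen, coff = struct.unpack_from("<IH", rec, off + 16)
            body = rec[off + coff:off + coff + clen]
            if len(body) >= 66:                     # name length (in characters) is at byte 64
                names.append(body[66:66 + 2 * body[64]].decode("utf-16-le", "replace"))
        off += alen
    return bool(flags & FLAG_IN_USE), names

def list_mft(mft):
    """Yield (record number, in_use, names) for every FILE record in a raw $MFT copy."""
    for n in range(len(mft) // RECORD_SIZE):
        parsed = parse_record(mft[n * RECORD_SIZE:(n + 1) * RECORD_SIZE])
        if parsed:
            yield (n, *parsed)

def deleted_names(mft):
    """Names still readable in records that are not marked in use."""
    return [name for _, in_use, names in list_mft(mft) if not in_use for name in names]

def make_record(name, in_use):
    """Build a constructed sample FILE record with one $FILE_NAME attribute (timestamps zeroed)."""
    raw = name.encode("utf-16-le")
    body = bytes(64) + bytes([len(raw) // 2, 1]) + raw + bytes(-(66 + len(raw)) % 8)
    attr = struct.pack("<IIBBHHHIHBB", ATTR_FILE_NAME, 24 + len(body), 0, 0, 0, 0, 0,
                       66 + len(raw), 24, 0, 0) + body
    rec = bytearray(RECORD_SIZE)
    struct.pack_into("<4sHH8xHHHH24xH", rec, 0, b"FILE", 48, 3, 1, 1, 56, int(in_use), 1)
    rec[56:60 + len(attr)] = attr + struct.pack("<I", ATTR_END)
    for i, end in enumerate((512, 1024), 1):        # save sector tails, then stamp the USN
        rec[48 + 2 * i:50 + 2 * i], rec[end - 2:end] = rec[end - 2:end], b"\x01\x00"
    return bytes(rec)

SAMPLE_MFT = make_record("notes.txt", True) + make_record("Top Secret Info.txt", False) + bytes(1024)
```

Run `deleted_names` on a raw `$MFT` copy taken before the wipe and again on one taken after it; any name present in both results was not overwritten.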


Sentinel
Premium
join:2001-02-07
Florida
kudos:1
reply to dave

Re: Removing names of deleted files from MFT

said by dave:

said by fatness:

Nice topic shift, from wanting to clean leftover MFT entries, to personal behavior.
I didn't bring up the subject of 'privacy' in this thread, I was merely responding to it. But the only reason for worrying about names in deleted MFT records is the desire to make them irretrievable by disk scavenging.

It's no more unusual or suspicious or wrong to want to clean old entries from the MFT than it is to clear your internet cache.
That's simply incorrect on a technical basis. Leftover files in the internet cache may conceivably have some impact on performance and/or correctness. The fact that the former name is still visible in a 'free' MFT entry has no effect in either of those dimensions. This is not a question of deleting unused garbage that takes up space; the space is taken up regardless of whether the old name is visible or it isn't.

In short, if you want to do this, I think either you must be worried about 3rd-party recovery of the names, or you must be wrongly informed about the operation of the file system.

BTW, in order to even see this stuff, you need to access the disk below the level of the file system.
dave,
Thanks for that answer.
Also with regards to fatness' comments ... far be it from me to speak for fatness but ... what I think he meant had nothing to do with performance but I think he was just saying that from a security perspective it is no different for someone to want to get rid of this stuff than any other stuff.


Sentinel
Premium
join:2001-02-07
Florida
kudos:1

1 edit
reply to spy1

Re: Hold on a second...lets clarify!

spy1,
If you don't mind ... what version of Eraser is that you are running in the above screen shots?


spy1
Welcome to Amerika
Premium
join:2002-06-24
Charlotte, NC

1 recommendation

It's Eraser v.5.84

Jrb2
Premium
join:2001-08-31
kudos:3
Hi Pete,

The latest version of Eraser is 5.86
See:
»[Free] Eraser Latest Version Eraser 5.86

(I don't have Eraser)

This surely is an interesting topic.
Although I don't have much time to participate in this thread, I have been asking myself whether some other tools (not yet mentioned here) might do the job.

- WinHex has already been mentioned. Will it do the job?

»www.winhex.com/cgi-bin/discus/sh···/12.html

»www.x-ways.net/winhex/allfeatures.html

quote:
Wiping unused space and slack space
...either to close security leaks, to securely destroy previously existing classified files that have been deleted in the traditional way only, or to minimize the size of your disk backups (like WinHex backups or Norton Ghost backups), since initialized space can be compressed 99%. On NTFS drives, WinHex will even offer to wipe all currently unused $Mft (Master File Table) file records, as they may still contain names and fragments of files previously stored in them. File slack can be found in the unused end of the last cluster allocated to a file, which usually contains traces of previously existing files. Slack space - like everything else - is processed by WinHex very fast. Also see X-Ways Security.

- Ace Utilities. Will it do the job?

»www.acelogix.com/aceutils.html

From the Helpfile :

quote:
Free space wipe settings

Free disk space and (MFT records)
As deletion is not secure enough, anyone can recover almost any file you have ever deleted. To ensure your files are deleted completely from your system, you should wipe the free space of your hard disk. Use this option to securely wipe the free space in your hard disk.

Cluster tip area
Selecting this option will erase the cluster tip areas of all the files, excluding the protected Windows system files.

Directory entries
The file system records the names and attributes of files to a special area called 'directory entries' for FAT and MFT for NTFS. When a file is deleted the corresponding directory entry is modified by the file system which makes it invisible to the Windows user. Unfortunately, most of the information would still exist and the name/attributes can be restored using 'any' recovery utility.

Checking this option will wipe off such entries from your Windows file system records.

- XPT / E3 from Radsoft. Will it do the job?

»www.radsoft.net/products/xpt.html

- TuneUp Utilities. Will it do the job?

»www.tune-up.com/

- FileVac / IEClean / NSClean. Will it do the job?

These programs are discontinued since Comodore acquired PSC.


spy1
Welcome to Amerika
Premium
join:2002-06-24
Charlotte, NC

1 edit

1 recommendation

Wow - Is this a can of worms, or what? lol! Jan, my friend, your post should provide me with absolutely HOURS of enjoyment.

Also found this from the link that OZO posted earlier - sounds bizarre enough to work - but how to CHECK? *I STILL need a program that I can understand to check before and AFTER the wipe! If you'll excuse me, I have to go out and howl at the moon now.

»www.myplanetsoft.com/free/wipehelp.php#mft Pete

astirusty
Premium
join:2000-12-23
Henderson, NV
reply to OZO

Re: Removing names of deleted files from MFT

said by OZO:

If file is deleted the name of the file and its data still reside in the HD. The only change is - it's now marked as available for next allocation. So cells with deleted file names may be allocated next time you created a new file (and therefore be overwritten with new info) or may sit here for a long long while (or until you format the disk).
Instead of trying to use disk cleaning tools to wipe the MFT cells; would it be possible to use the OS to overwrite the old file names in the cells marked available for allocation by creating tens-of-thousands** of new files with say a simple program that created sequentially numbered named files?

** If so: Would the number of new files needed be proportional to the number of files you have just deleted for security purposes?
--
Do yourself a favor, just say no to anything Windows.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
Yeah, you should be able to create 'enough' new names. I expect they have to be big-enough names (overwriting 'Top Secret Info' with 'Foo' may result in 'Foo Secret Info' on the actual disk).

The question 'how many' is more difficult, you need to know the file system's slot reuse algorithm for that. If, for example, it uses lowest-free-slot first, then the number of names you need is equal to the number of free slots with numbers less than the highest-numbered file you deleted.

astirusty
Premium
join:2000-12-23
Henderson, NV
said by dave:

The question 'how many' is more difficult,
Looks like information at the link posted by spy1 would give you the number to create.
Method i.) The exact data can be found at: Disk Defragmenter / Analyze / View Report (screenshot). For example, after you use this windows tool you may get:

* MFT record count = 84 686 (that is used and unused, let us call it MFTTotal)
* Percent MFT in use = 94 (that is used in %, let us call it MFTUsed%)

Then count1 = ((100 - 94) * 84 686) / 100 = 5081 files.

That is MFTUnused = (100 - MFTUsed%) * MFTTotal / 100
The difference being instead of just trying to clobber the cells of the files you just deleted, you clobber every cell that is not currently active. Would take longer, but then it is more thorough.
--
Do yourself a favor, just say no to anything Windows.

OZO
Premium
join:2003-01-17
kudos:2
There are some reasons why I'm reluctant to use this program:
1) utility should do necessary calculations inside, at the real time while it's running. My calculations based on a third party utility will be obsolete (at the time I run 'wipe') and inaccurate (it's based on %%, while it should use precise numbers of files and free space in MFT). Not to mention that I do not want to make any calculations by myself that may result in my mistakes for such important action as writing into MFT.
2) there is potential side effect of miscalculation or dynamic change of number of allocated files at the time I run utility and it is - MFT may grow in size.
Bottom line 'wipe' is not a utility that I'd like to run on a regular basis. I may run it only for a debugging or investigation purposes, but that's not the point here.
--
Keep it simple, it'll become complex by itself...


fatness
subtle
Premium,ex-mod 01-13
join:2000-11-17
fishing
kudos:14

2 recommendations

reply to Sentinel
said by Sentinel:

Also with regards to fatness' comments ... far be it from me to speak for fatness but ... what I think he meant had nothing to do with performance but I think he was just saying that from a security perspective it is no different for someone to want to get rid of this stuff than any other stuff.
Yes, that's correct. I don't think degree of technical difficulty sheds any light on the motives of the person wanting to perform the task.

It's easy to clear your Temporary Internet Files. Many people do it.
It's a bit harder to see and clear index.dat files. Yet some people do it.
It's harder yet to clear old file names from MFT records. Some people want to do it.

To me, the argument that "it's difficult to access, so your motives are suspect" makes as much sense as impugning the motives of someone asking for advice replacing the hardest part to reach in an automobile engine. Nobody bought that OS with the idea that part of it was owned by police investigators and divorce lawyers, and off-limits to the person who bought the OS.
--
Sure, that'll work..

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

1 edit
said by fatness:

Yes, that's correct. I don't think degree of technical difficulty sheds any light on the motives of the person wanting to perform the task.
The only point where I correlated 'difficulty' and 'motive' was in a sentence like 'it's hard for me to see why you want to do this'.

--

This to me has the flavour of one of those interminable questions that show up in the Microsoft help forum, from people who anxiously run all sorts of "maintenance" programs that are entirely unnecessary; the "defrag every day" crowd. I'd ask someone there why they felt it was necessary to do this stuff, and I'm asking someone here why they feel it is necessary to erase the names from MFT entries.

dantz

join:2005-05-09
Honolulu, HI
reply to OZO
I suggest storing your data on a separate partition in order to simplify the process of cleaning that partition's MFT the next time you feel it to be necessary. Whole drive encryption and/or data encryption wouldn't hurt either. And by the way, a TrueCrypt container has a fully encrypted MFT (or FAT if formatted as FAT32).


KachiWachi

join:2004-02-12
Bucks Co, PA
I just found a great program for viewing (and editing) the MFT.

Unfortunately, it is no longer available.

»www.omnixray.com/disk_utilities.html

»www.omnixray.com/disk_utilities_···ecovery/

Thanks.


L_L_L

@bigpond.net.au
reply to OZO
Hmm
Interesting thread here.
Very interesting
As to the 'omnixray' links I see one Spy1 has posted in their forums.

From Spy1:
"Dave, look - I want my computer squeaky-clean at all times.
Useless, in-accurate or out-of-date information anywhere on my computer is junk - pure-and-simple. I want it all gone, all of the time (there are a lot of us "clean" fanatics out there, in case you hadn't noticed)."

Is there further update on your trials with the previously mentioned tools Pete ??
Thx


spy1
Welcome to Amerika
Premium
join:2002-06-24
Charlotte, NC
I emailed the author of OmniXRay to see what was up.

As far as your other question goes, I ran Restoration's wipe (both phases) and let it go at that.

I still have no idea whether the old file names in the MFT are gone or not. Pete


Caution

@verizon.net
reply to OZO


OmniXRay: regarding: got this message:

This product is no longer available.

We regret to inform you that the developer of this software passed away earlier this year.

Consequently with his passing there will be no future updates or revisions.

To our customers we will continue to provide whatever support we can until the close of the year (12/ 2007).

* I am not able to verify *



Caution

@verizon.net
reply to OZO
This program "looks" a little like "OmniXRay".....there is a Demo. At $69 there better be a demo....you guys are on your own with this one...AT YOUR OWN RISK !!
_________________

Runtime's DiskExplorer for NTFS 1.00

" This sophisticated disk editor enables you to investigate your NTFS drive and conduct your own data recovery, using the following features:
Navigate through your NTFS drive by jumping to the partition table, boot record, Master file table or the root directory.
Choose between views as hex, text, index allocation, MFT, boot record, partition table.
Inspect the file entry details, NT attributes etc., search your drive for text, partition tables, boot records, MFT entries, index buffers.
View files, save files or whole directories from anywhere on the drive.
Identify the file a certain cluster belongs to, create a virtual volume when the boot record is lost or corrupt.
Edit your drive by using the direct read/write mode (not recommended) or the virtual write mode. "

»www.freedownloadscenter.com/Util···TFS.html



KachiWachi

join:2004-02-12
Bucks Co, PA
What I liked about the Omnixray program is that it can be run from DOS...which is what I'm looking to do at the moment.

I e-mailed the "author" myself to see if copies are still available in an unsupported form.