After 35 pass i'm still able to recover my file!

binolandia

New Member
Hi all, i'm testing eraser for deleting all traces from my pc.
After run a 35 pass (gutmann) task i'm still able to recover a lot of files . The product that i use to recover is WinHex (XWay Forensic).

Have you any suggest to deny WinHex to recover my files??
Thank's
 

Overwriter

Active Member
When you say “recover a lot of files” are these actually your files or the ones Eraser uses to overwrite your free space ?

Also you will be very well protected by simply using a single pseudorandom pass rather than the “over the top” gutmann method. Much quicker too ! :)
 

binolandia

New Member
recover a lot of files mean recover my personal confidentialy file: *.doc or *.pdf etc..
The goal of my test is :

- delete all trace from my disk (With Winhex file are recovered and name of files seem to be the cluster position but file is readble and editable)
example: file organization.doc is recovered as 4215.doc Content of file is the same before wyping

- after wyping if you analyze my disk you must not find cluster marked as wyped (actually eraser do it)
 

Overwriter

Active Member
I am amazed by this.

What OS do you have and what version of Eraser ?

Are you certain you are refreshing the drive view in winhex after the wipe.

Are you certain the file you are finding is not in your recycle bin ?

Can you perform this test please ?

Make a new word document called “This is an Eraser test”.

Write 100 or so lines (copy and paste) “Eraser Test Text” in the document.

Save it.

Right click it and Erase it.

Try to find it with winhex whilst making sure you take a new snapshot of the drive.

Let me know what happens.

Thanks.
 

binolandia

New Member
eraser version is 5.86.1 installed on Windows XP Professionale SP3

I create 10 new word document with different content and filename and then use your step by step guide fo erase. Take a new snapshot...and i'm still able to recover 2 document (full document readable), 8 was unrecoverable.
 

Overwriter

Active Member
Hi

Thank you for coming back.

By coincidence I have exactly the same set up as you (I even use WinHex) and I am unable to reproduce the error.

All I can think of is that you may have a damaged Hard Drive. Could you possibly perform the same test on a floppy disk and see if you are able to recover anything ?

Also could you initialise the free space and MFT with WinHex on your Hard Drive and fill it with zero’s. This will give you a clean start with which to test Eraser.

Do you use any type of automatic backup programs ?

Thanks.
 

binolandia

New Member
Hi overwriter,
i'm doing my test on 3 different notebook, i think it's not possible that they have damaged HD!

I will test floppy asap


"Also could you initialise the free space and MFT with WinHex on your Hard Drive and fill it with zero’s. This will give you a clean start with which to test Eraser."
Inizitialiazion of MFT was made with 3 pass: first two with pseudorandom data and last with zero

Thank's again
 

Overwriter

Active Member
Hi binolandia

Wow, ok so you are using 3 laptops all with XP SP3 on and Eraser V5.86.1.

You are making some word documents, right clicking and erasing them. Then you are able to recover these documents with WinHex.

I am stuck, I have tested this on 2 base units here today both with XP SP3 on and I am not able to recover anything.

Could you please try and use an older version of Eraser on at least one laptop to see if this is a recently introduced bug please ?

Many people have tested Eraser and no one has found a fault such as the one you are reporting now. This must be a recently introduced one.

Just to save you time the multiple overwrites are not necessary for this test, a single pass will do until we find out why you are having problems.
 

binolandia

New Member
My test are very important, we need to delete sensitive data from several notebook og my company. (al notebook are same version of O.S, service pack, etc)
I have tried the most famous erasing software as r-wipe, stellar wipe, and eraser, but in all case Winhex is able to recover some data.

maybe that i'm not using the right procedure to erase..
Step by step :
take notebook and install eraser. Notebook have only one partition (C:)
Install eraser, and then create a task to delete unused space data with multiple pass (DOD, Gutmann)
Open Winhex. take a new snapshot, then run File recovery by type
Choose as type Microsoft Office Document (doc,xls,ppt,etc)
Choose were put recovered files then start process and wait ...
All recovered files go to the output folder, and i can open it

Today i will test an earlier version of eraser as you suggest, thank'again overwriter
 

Overwriter

Active Member
I have tried the most famous erasing software as r-wipe, stellar wipe, and eraser, but in all case Winhex is able to recover some data.
I am wondering if all these other eraser type programs are failing your tests that there must be some sort of backup program running or something.

You do not need to make a task in Eraser to wipe the free space or overwrite a file. You can simply right click the drive letter in windows explorer and select Erase Unused Space.

In the settings of Eraser have you the following set.

Open Eraser.

Edit / Preferences / Erasing

Cluster Tip Area (should be ticked).

Alternate Data Stream (should be ticked)

In the unused disk space tab.

Free Disk Space (and Master File Table Records) (should be ticked)

Cluster Tip Area (should be ticked)

Directory Entries (should be ticked)


As I said before while you are testing a single pseudorandom pass will be enough to see if things have worked and it is much quicker than the other methods.

How did the test with the floppy drive go ?
 

binolandia

New Member
Again here...i think you hate me :)


test with floppy was unsucessfull:
i'have create 5 .doc and then copy to floppy.
I open the file to make some changes.
I delete all files on floppy
Run Erase Unusued Disk Space (7 pass)
At the end of the process use winhex to recover file by type (doc)
Found 1 doc of 5

If today i have no IT emergency will make test with earlier version of eraser
bye
 

Overwriter

Active Member
Hi binolandia

I am not doubting what you are finding but I am unable to replicate your results. I have tested hard drives and floppy disks but I am unable to recover anything.

Instead of performing multiple wipes can you just use the single pass pseudorandom pass as that is what I use. This way we can see if it is the wipe method at fault.
 

Overwriter

Active Member
Hi binolandia

Was there ever a conclusion to this ?
 

binolandia

New Member
For each notebook we perform 3 task

1° Unusues Disk Space - Local Hard Drive - 35 pass Guttmann
2° Unusues Disk Space - Local Hard Drive - 7 pass DOD
3° Unusues Disk Space - Local Hard Drive - 1 pass wih all zero (custom)

Sorry for the delay

Bye
 

Overwriter

Active Member
Hi binolandia

Thank you for coming back !! After 2 weeks I thought we had lost you !

I simply cannot explain what is happening for you. Do you have anything that could be making backups automatically ? Do you have windows restore running ?

I see you are still using multiple overwrites while testing, there really is no need and you could save yourself a lot of time by using the single pass. This will be more than enough to defeat a hex editor under normal circumstances.

As far as I am aware you are the only person able to do recover things after an Eraser pass. I think it best if I ask Joel to look at this thread and see if he can come up with anything.

Please keep checking back binolandia, Joel is currently working hard on V6 and is very busy but I think he needs to see this thread.
 

Joel

Active Member
A few things may be helpful:
  • File system: what file system are the notebooks running on?
  • Compression: Is NTFS compression enabled?
  • Encryption: Is the drive "encrypted" using NTFS encryption?
Eraser cannot handle NTFS transparent compression and encryption, because the filters interfere with the data written to disk. Are you using any of the above?

Joel
 

Overwriter

Active Member
Oops, I think I have just experienced an epic “fail” ! :oops:



I completely forgot about the compression and encryption thing. Stupid really as I remember another thread on here with the same problem. Sorry. :roll:

Well done Joel, what took you minutes to solve has had me puzzled for days !
 

binolandia

New Member
hi overwriter,joel
file system is ntfs but compression or encryption is not enabled

i don't know whi i'm able to recover file after multiple pass.
notebook tested was different acer travelmate with ide or sata HD.

I have not checked if windows restore was running...sorry.

By the way i'm satisfied by multiple pass, is more difficult to recover file !
thank again for your time and your support
 

Joel

Active Member
binolandia said:
eraser version is 5.86.1 installed on Windows XP Professionale SP3

I create 10 new word document with different content and filename and then use your step by step guide fo erase. Take a new snapshot...and i'm still able to recover 2 document (full document readable), 8 was unrecoverable.
One thing about that approach is that Word leaves temp files (AutoRecovery, shortcuts, what have you) all over the disk. You may have the same file in two places, even after deleting the source. That is potentially where one duplicate came from.

binolandia said:
Again here...i think you hate me :)


test with floppy was unsucessfull:
i'have create 5 .doc and then copy to floppy.
I open the file to make some changes.
I delete all files on floppy
Run Erase Unusued Disk Space (7 pass)
At the end of the process use winhex to recover file by type (doc)
Found 1 doc of 5

If today i have no IT emergency will make test with earlier version of eraser
bye
Floppy drives exclude the possibility of NTFS compression, yes, I forgot about it. Then there's also the Word/Excel/PowerPoint temporary file in the same folder, it's hidden from view, but I've never checked out what those do. How big are your sample documents?

Joel
 

Overwriter

Active Member
Hi

Hey come on, nobody found the doggy picture funny ??? :shock:

binolandia said:
By the way i'm satisfied by multiple pass, is more difficult to recover file !
Yes I understand your idea in principle but just while you are testing with software recovery programs it would speed things up for you to just perform a single pass. A single pass has the same effect on software recovery tools as a multiple pass does.

Multiple passes are really a protection against very expensive and unlikely microscopic attacks on old hardware. A single pass will defeat all software based recovery programs.

Could you please test something else for us. Instead of making test Word.docs that create temporary files could you please make notepad tests in the same way, thanks.


@Joel I do not wish to add confusion to this thread but I have pretty much the same configuration as binolandia and I have tested in the same way and not been able to reproduce the same results.

Even though Word.docs do create temporary files ( as long as the word.doc is closed ) a full free space wipe should remove all traces surely ? I understand NTFS can store small files in unusual places as in the MFT but a full pass with Eraser should handle that unless binolandia has disabled that feature.

However on a positive note to this thread, it appears I didn’t suffer a major “fail” after all !!! :lol:
 
Top