Alternate data stream still intact

cameron715

New Member
Here is what I did, in a nutshell. I went to the command line and typed this:
Note: I was doing this on a flash drive formatted in NTFS.
E:\>echo this is a test > test.txt

Then I hid some text in an alternate data stream of that file:

E:\>echo top secret info > test.txt:secret.txt

So after I did this I used a program called HxD (a drive hexadecimal forensic tool) and found my secret text on the disk. I then used Eraser on the file test.txt. Then I tried looking to make sure the alternate data stream was destroyed too, but it wasn't: test.txt was destroyed, but the text "top secret info" was still intact. When Eraser was developed, were Alternate Data Streams (ADS) taken into account?

More info on Alternate Data Streams can be found here:
http://www.irongeek.com/i.php?page=security/altds
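As an added illustration (not part of the original post or of Eraser), the PowerShell session below reproduces the poster's setup and then shows how to inventory the named streams on an NTFS volume, so you know what a file wiper has to cover before you rely on it. The E:\ root and the test.txt / secret.txt names are the poster's; the Find-AlternateStreams function name is an assumption. It needs PowerShell 3.0 or later on Windows.

```powershell
# Added example, not from the thread: find NTFS alternate data streams before wiping.
# Requires PowerShell 3.0+ on Windows; $Root is an assumption, adjust to your drive.
param([string]$Root = 'E:\')

# Reproduce the poster's files (constructed sample data) on an NTFS volume.
$file = Join-Path $Root 'test.txt'
Set-Content -Path $file -Value 'this is a test'
Set-Content -Path $file -Stream 'secret.txt' -Value 'top secret info'

# 1. A normal directory listing reports only the unnamed ':$DATA' stream's size.
Get-Item -Path $file | Select-Object Name, Length

# 2. Ask for every stream: the hidden one appears with its own length.
Get-Item -Path $file -Stream * | Select-Object FileName, Stream, Length

# 3. Audit a whole tree for files that carry a named stream (anything but ':$DATA').
#    Zone.Identifier is a common, legitimate one on downloaded files.
function Find-AlternateStreams {
    param([string]$Path)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' }
        } |
        Select-Object FileName, Stream, Length
}
Find-AlternateStreams -Path $Root

# 4. Read the named stream, then drop it before the file itself is wiped.
Get-Content -Path $file -Stream 'secret.txt'
Remove-Item -Path $file -Stream 'secret.txt'
Get-Item -Path $file -Stream * | Select-Object Stream, Length   # only ':$DATA' should remain
```

Note that Remove-Item -Stream is an ordinary delete, not an overwrite: the stream's clusters are released, but their contents stay on the medium until something overwrites them (and, as the later replies in this thread explain, on a flash drive even an overwrite may land elsewhere). The point of the inventory is to know the stream exists at all, since it is invisible in a normal listing.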
 

DavidHB

Active Member
The issue is very probably that you were using a flash drive. Erasing individual files does not work on flash drives, because the wear levelling mechanism (which is inaccessible to the user) relocates the erasing data away from the sector housing the target file. Erasing free space does work, however, because that fills up the whole drive.

Please try your experiment on an ordinary hard disk.

David
 

Joel

Active Member
Yes, Eraser deals with ADSes; however, on NTFS lots of metadata is kept about files, how they are modified, etc. This is especially so with small files; they get scattered all over the MFT, etc. Also, there are shadow copies which may have been made. These all contribute to the overall (lack of) effectiveness for Eraser.
 

DavidHB

Active Member
Joel said:
These all contribute to the overall (lack of) effectiveness for Eraser.
I think Joel is doing himself down here ... :)

For me, Eraser is an essential tool, but, as often discussed in these forums, it should be regarded as only part of good security practice. Much of that is about organising the system sensibly in the first place, including (in this particular case) recognising the limitations of solid state storage when it comes to secure erasing.

David
 

AwesomeMachine

New Member
I just read a report describing the effectiveness of the top 16 drive cleansing tools on solid state storage devices. I'll upload it if I'm given an ftp link or something. The results were pathetic. The best performing tool allowed recovery of 10% of the test data (100 MB out of 1.0 GB). Clearly, flash drive controllers create a situation in which flash-memory-based drives cannot be released from secure custody without prior physical destruction.
 

DavidHB

Active Member
Without knowing how the tests were conducted, it would be wise to reserve judgement. For a flash drive, and using Eraser, my test would be to do a quick format and then a free space erase, and then run, say, Recuva on the drive.

David
 

Joel

Active Member
Flash drives indeed pose a problem. For that matter, most modern drives share the same problem albeit to a smaller extent.

Flash drives have a few features which magnetic disks "do not": over-provisioning (to compensate for reduced reliability) and wear levelling (as memory cells have a limited number of read/write cycles). Both work against erasure, as data can be locked in areas the controller deems faulty, and writes to the same location from the OS's point of view may result in a write to a separate physical location.

Magnetic disks are not free from this. For a while now, drive manufacturers have over-provisioned drives (though not to the extent of flash memory) and used firmware remapping (to counter bad sectors).
 

ForensicsGuy

New Member
AwesomeMachine said:
I just read a report describing the effectiveness of the top 16 drive cleansing tools on solid state storage devices. I'll upload it if I'm given an ftp link or something. The results were pathetic. The best performing tool allowed recovery of 10% of the test data (100 MB out of 1.0 GB). Clearly, flash drive controllers create a situation in which flash-memory-based drives cannot be released from secure custody without prior physical destruction.
Let's put this all in perspective...

The only 100% safe way to ensure data cannot be recovered is complete physical destruction of the media. However, in security, as in other areas of life, a 100% solution is not always required. Overwriting an entire hard drive with a single pass of random data is sufficient to stop all but the most motivated and well financed attackers. Encrypting the entire drive or partition is also an effective countermeasure, especially if followed by an overwrite when the drive is no longer required.

Erasing files is always difficult. There are multiple issues: alternate streams, shadow copies, journals, swap files, etc. If you create a file, erase it, and immediately subject the system to forensic analysis, it is very difficult to ensure that absolutely every trace of the data is gone. However, over time, the use of solid erasure techniques results in far less residual information than would otherwise be present.

So if there is stuff on your hard drive that would ruin your life if someone else got hold of it, get out your electric drill, punch a few holes through the platters, and take a sledge hammer to the remains. If you need to keep people out of your stuff, use whole hard drive encryption. And if you want to improve your privacy in the long term, use software to overwrite files instead of just deleting them.
 