Eraser can't erase traces even with 7 pass and 1 pass

Altair1572

New Member
I am very disappointed to note you that eraser cant wipe free space even after performing DOD 5220 7 pass and 1 pass psuedorandom.

Recovery softwares, Tuneup Undelete and File Scavenger found a deleted file in my drive even after running more than two "Free space erasing" using above said 1 pass and 7 pass.

This is the screenshot for Tuneup Undelete after running above 7 pass and 1 pass.



This is what i did from start:

You can see from the screenshot that i deleted some months ago a 2gb avi video file through shift+delete method from D:/ drive.

i installed Eraser to "Wipe Free Space" on D:/ and i ran it two times first by DOD 5220 7pass and then by pseudorandom 1 pass. Both passes had some common system access errors and i had to manually delete the big random name folder from each pass task.

The test that i did using DOD 5220 7 pass, i think, failed because my drive has no more space when the process has reached some 96% completion. It is shown 0 bytes free of 128 gb of D:/. My free space was 36.5 gb. So i deleted the random named folder in D:/ drive to get 36.5 gb back. Now i am not sure the whole task failed or not, after seeing the random named folder even the task failed at 96% because of no more disk space left. Is this enough or i have to run it 100% to achieve success from free space erasing?.

Then i searched *.avi on recovery soft 'tuneup undelete' as shown in above screenshot and found the the above mentioned 2 gb video file.

I dont know Why the video file is showing after 7 pass and 1 pass free space wiping?.

Also to mention that i ran Gutmann and NSA 7 pass in "Drive Wiper" of CCleaner on c:/, d:/, e:/, f:/ before trying Eraser and saw the tasks disappeared at some 11%. After some 11% i saw the same main drive wiper window to start those tests. i think it failed.

Note:- When searching *.avi through Tuneup Undelete, I noticed some hidden folders - that i cant see by no means in Windows Explorer-, named MFT ..... in c:/, d:/, e:/, f:/ drives( may be created from CCleaner tasks) and a random named folder in drives that ran Eraser. This is the screenshot of those hidden folders.





Please tell me how i can delete the above shown hidden MFT ..... folders(may be CCleaner created)(in c:/, d:/, e:/, f:/) and random named folders(in drives that ran Eraser) that i cant see by no means in Windows Explorer. These folders are still present in drives. They are hidden to hell in Explorer.

Can someone help me on the above doubts ...?..please :(

I am using Eraser 6.08.2273, Windows 7 SP1 32bit, Intel Core 2 Quad, 2gb ddr2.
Hard disk is Barracuda 500gb, in partitions C: 80GB, D: 128GB, E: 128GB, F:128GB.

Forgot to say I ran Eraser only on D:/ and E:/

Thanks in advance... :?
 

DavidHB

Active Member
It is a common misconception that the erasing method makes a difference in cases such as this. If something won't erase with one pass, it won't erase with 35.

Let's deal with the Explorer issue first. What you see will depend on your viewing settings (accessible in Control Panel). To see everything, you need to have both hidden file viewing and protected system file viewing enabled. Also, Explorer never shows deleted files and folders, but an undeleter obviously will do so, if it can identify them.

Thought I would really like to see all the files you found, I think that what your undeleter found was Eraser's erasing activity. Free space erase works by writing randomly named files with random content until the drive is full, then deleting (obviously, not erasing) those files. Smart undeleters (such as Recuva) normally have an option to detect and ignore such files. Likewise, when Eraser has cleared the free space, it also overwrites the empty entries in the Master File Table, and I believe that is what one of your screenshots is showing.

The situation is complicated by the fact that the erase failed; where erasing is concerned, 96% completion is of course 0% completion in terms of security. You dealt with the failure correctly. The failures are annoying, because they are somewhat unpredictable; different Windows installations vary in the point at which they will stop Eraser because disk space is getting low. I also suspect that disk fragmentation may have something to do with the issue. Indeed, the .avi file you mention may have been what triggered the failure.

Joel has done some further work on the problem, and using one of the development (beta standard) builds may help. These are available from the Eraser Downloads page; I am currently using build 2284 on Windows 7 x64.

Because of the way the NTFS file system works, it is normal, after a free space erase, to find recoverable deleted files on the target drive. What is important is that no file you have explicitly erased should be recoverable.With free space erasing, the situation is more complex, because of the presence of (particularly) shadow copies and the paging file. Ideally, before running a free space erase, you should delete all unwanted restore points (if the system is working, I keep only the most recent), clear the paging file and defragment the drive. That should both reduce the number of recoverable items and (hopefully) make the crashes on free space erase less likely.

David
 

Altair1572

New Member
Ya, David i am not a computer rookie. I have been using my system with both hidden files and system protected files shown for a long time.
I started using Eraser after defragmenting all drives.
I think you didnt understand. sorry for the mess.

Lets see this... I now 3 pass erased the free disk space on my E:\ drive successfully with only the common system volume information error.
Eraser automatically deleted the random named folder created by it to complete the task successfully.
I saw from E:\ that no random named folder is there after the task completed.

Now i opened below Tuneup Undelete to search for recoverable file on E:\. I am surprised to see Undelete searching the below shown random named folder (that we cant see in E:\) and it is taking good time to search in this random named folder.

This is that hidden folder in screenshot.



WE CANT SEE THIS FOLDER BY ANY MEANS (WITH HIDDEN FILES AND SYSTEM PROTECTED FILES VIEW ENABLED).

Why Eraser has left this hidden folder (we cant see) in drive even after completing the erasure of the random named folder (that we can see) successfully??.

If Eraser could delete this hidden folder too, the recovery softwares like Undelete and Recuva shouldnt have to take much time to search in this random named folder

Did you understand?. I am not talking of the random named folder created and deleted by Eraser when it is undergoing Free space wipe.

I am again saying this is the random named folder that we cant see in explorer with hidden file and system file view enabled.

Please come up with a way to get rid of this hidden folder. I think all Eraser users have this hidden random named folder after successfully completing Free space wipe(not the random named folder created by Eraser that we can see).

Also can you tell me how to clear the paging file?. Does other drives except C:\ have pagefile?..

Anyway thanks for responding David and i only want to see Eraser simple, best, error and bugproofy...
 

DavidHB

Active Member
The folder is not hidden; it's just deleted. Explorer (obviously) doesn't show deleted files, while undeleters (equally obviously) do show them.

You can't get rid of the folder, and there wouldn't be much point in doing so if you could. All it contains is files containing (by default; you can change it) random nonsense. At the end of a successful free space erase, all the free space on the drive is filled with the residue of the deleted Eraser files; that is how it has cleared the free space. If you run another free space Erase, the random data will just be replaced with other random data. And the space is of course free for use when needed.

Unless I have completely misunderstood you, you are worrying about a non-problem in this regard. Perhaps you think that the free space on a drive should be empty, but it never is. From the moment that it is low level formatted by the manufacturer, a drive is full of data; that data is not meaningful, but it exists.

To clear the page file, you have to change a Registry setting; details are here. Some tweaking programs will change this setting for you.

David
 

Altair1572

New Member
The folder is not hidden; it's just deleted. Explorer (obviously) doesn't show deleted files, while undeleters (equally obviously) do show them.

You can't get rid of the folder, and there wouldn't be much point in doing so if you could. All it contains is files containing (by default; you can change it) random nonsense. At the end of a successful free space erase, all the free space on the drive is filled with the residue of the deleted Eraser files; that is how it has cleared the free space. If you run another free space Erase, the random data will just be replaced with other random data. And the space is of course free for use when needed.
Oh..that is disappointing. Before using Eraser or before Eraser created this hidden random named folder in drive, it was very quick for any recovery softs like Recuva or Tuneup Undelete to search for a particular extension. But after Eraser created this folder these recovery softs are taking a long time to search in this hidden random named folder. If this folder was not there, Recuva or Undelete will complete the search quickly. Now it is taking much time to search only in this hidden folder.

Problem is Recuva or Undelete shows no other hidden folder that i or windows deleted ago, only this particular Eraser created random named folder it is showing and taking time to search in this hidden folder. There are also other folders hidden that are deleted naturally by shift+delete, why recuva or undelete is not showing them or not searching big time in those naturally deleted folders unlike this Eraser created folder. Will this hidden folder remain there until formatted or free space wiped by other programs like File shredder or CCleaner.
Do you know anything about File shredder or CCleaner making this type of hidden folders after free space wiping?. Or is this hidden folder only a gift of Eraser?.
Can Eraser team find any other way in future versions to clear this?. Also please try to give in future the folders created by Eraser a nice name like Recycle bin or Trash or Junk, than this ugly random name..My mind doesnot like seeing this name.. :lol:

Also can you advice me how to wipe free disk space by CCleaner. 2 days ago i ran 7 pass on all drives using its Drive Wiper. But it is quitting or showing its start window after 12%. Is this normal?. But i am seeing a hidden "MFT 17452" folder in drives it ran. Is it failed or completed?. After this i ran Eraser.

To clear the page file, you have to change a Registry setting; details are here. Some tweaking programs will change this setting for you.
Why Eraser is touching pagefile if it is not deleted?. It should only check the job of deleted files.
It should skip it saying system protected file.


Can i ask you is it safe to touch my page file in C:\?. Because it is about 3.41 GB.
What are we doing/changing in this page file when we clear it?.
Will i lose or gain something by clearing this file?. I have set virtual memory with initial size 3500 and final, 5000 on C:\.
 

DavidHB

Active Member
Taking your first point, Recuva has an option to 'show securely overwritten files'. If this option is disabled (which, in my opinion, it should be, and is the default), those files do not show up in Recuva.

In my experience, doing a deep scan, which always takes a couple of hours in Recuva (and presumably other undeleters as well) is something one only needs to do occasionally; the normal scan (which takes at most a couple of minutes per drive on my machines) seems to identify most if not all of what is even notionally recoverable. If you are prepared to do lengthy scans, a search with a sector editor such as HxD can be more easily targeted on files you may be particularly concerned about, and looks at the whole disk surface, not just the free space.

Eraser has used the same method of erasing free space since it was first released more than a decade ago; indeed, there is no other method that I can think of. What may well be causing your problem is the failure of the free space erase mentioned in your first post. Essentially, during the free space erase, Eraser first clears the cluster tips (if that option is set), then erases the free space as previously described, and then clears the unused entries in the MFT (which are quite large and may contain the whole of a small file). If the free space erase fails, the MFT entries are not cleared. Your undeleters may be picking up those entries and looking for the associated files. I know that Joel was at one time changing the sequence, and putting the clearance of MFT entries before the free space erasing; in that case, after an erasing failure, there would still be no usable MFT entries to access.

To take other points, the default pseudorandom data is not the only erasing data you can use. You can use your own data pattern or even a nominated set of files as the erasing data (but such files would of course present themselves to Recuva as recoverable); these options are clearly explained in the Eraser manual. You could, if you were so minded, produce a set of files in a folder all named in a less 'ugly' way to act as the erasing files. Leaving aside the aesthetics, the advantage of the pseudorandom data is that it makes the erased area look encrypted, and as such is a deterrent to an attacker.

I don't think I can comment about the failure of CCleaner, which has its own forum. I'd guess that it works in much the same way as Eraser and my well have the same issues with Windows. One thing it does do is erase the MFT entries first. I would also say that, if you are getting failures on a particular drive with both programs, it makes sense to run a another disk check and defragment the drive before trying again. Also, it is always a good idea to disconnect the machine from the internet and disable your security program while running any free space erase; the security program will try to scan all the files you access (including the erasing files) during the erase, and that slows things down. The 2GB of RAM you have is not all that much for your processor and Windows 7; you might see a significant difference if you were able to upgrade to 4GB.

Finally, Eraser does not touch the page file, which is of necessity protected by Windows. You can clear it as previously described, but it is of the size I would expect, given the amount of memory you have. With 2GB of RAM, I would expect the page file to be in extensive use.

David
 

Altair1572

New Member
What may well be causing your problem is the failure of the free space erase mentioned in your first post. Essentially, during the free space erase, Eraser first clears the cluster tips (if that option is set), then erases the free space as previously described, and then clears the unused entries in the MFT (which are quite large and may contain the whole of a small file). If the free space erase fails, the MFT entries are not cleared. Your undeleters may be picking up those entries and looking for the associated files. I know that Joel was at one time changing the sequence, and putting the clearance of MFT entries before the free space erasing; in that case, after an erasing failure, there would still be no usable MFT entries to access.
Ya David, it failed once when i used Eraser for the first time with 7 pass and drive filled at some 94% with no more space for Eraser to complete the operation. But after when i used pseudorandom it completed successfully with Eraser automatically deleting the random named folder created by it. So the previous MFT entries should also be cleard. Those MFT entries are still remaining on all drives after completing successful "Wipe Free Space". Why they are remaining there if the task completed successfully?.

Look this. I have got something. That hidden random named folder i told about has today changed to a "MFT 46" entry in E:\. I noticed some other MFT entries that has folders named "C:\MFT 499\SoftwareDistribution" and "E:\MFT 46\Graphics". I had successfully completed free space wiping on E:\. But those MFT entries are still there. I had run disk defragmenter and disc check on all drives before seeing this "MFT 46" and "SoftwareDistribution" and "Graphics" and this is it....







I yesterday did a pseudorandom on F:/. It completed successfully with no errors. But those hidden random named folder is present in it.
Can you install Tuneup Undelete and try the above?. You should see "MFT" or "hidden random named folder" entries in Tuneup Undelete on drives you did "Free space wipe".

Also i found too much time taking for searching or recovery softs to search in Eraser "wiped" drives even if the drive has only less data. But no problem with drives that didnt use Eraser. Do you know it?.

I have now a fear of hard disk failing. Hours ago i ran Tuneup Disk Doctor for checking errors. I opted for thorough scan. I found it is taking huge time to process Eraser used drives. I only used Eraser's free space wipe on d:\, e:\ and f:\ drives. So for scanning these drives it takes long, but no problem in scanning C:\, in which i dont use Eraser's free space wipe. It is quick. I think in future Eraser will address this.

Also, it is always a good idea to disconnect the machine from the internet and disable your security program while running any free space erase; the security program will try to scan all the files you access (including the erasing files) during the erase, and that slows things down. The 2GB of RAM you have is not all that much for your processor and Windows 7; you might see a significant difference if you were able to upgrade to 4GB.

Finally, Eraser does not touch the page file, which is of necessity protected by Windows. You can clear it as previously described, but it is of the size I would expect, given the amount of memory you have. With 2GB of RAM, I would expect the page file to be in extensive use.
Well, thanks for the info. Why you are saying to clear the page file?. I dont understand it. How clearing the page file is related to Eraser?. If i dont clear pagefile or when Eraser dont touches it, whats the problem?.
 

DavidHB

Active Member
I do not wish to be discourteous, but I owe it to other forum users to make it clear that, in my considered opinion, you are worrying about a complete non-problem. I do not need to install your undeleter, because its behaviour is very similar to others I have used.

It is important to recognise that 'erasing' is actually something of a misnomer (though it is the term in general use). 'Erasing' normally implies that something is removed, leaving an empty space. That is not what happens with disk erasing, where one thing (which may be confidential or sensitive) is replaced by another (which typically has no meaning at all, and so presents no security concern). The replacement item remains in place, and is recoverable, though recovering it would serve no useful purpose. This applies both to the erasing files/folders and the MFT entries to which you refer. In other words, what you are seeing indicates that, at least in respect of the items you mention, Eraser has done its job.

If, after running Eraser, you have reason to believe that files you know you deleted are still recoverable, we want to know about it. Otherwise, there is no need for concern.

I mention the page file precisely because Eraser cannot touch it. Nevertheless, it potentially contains sensitive data, and a coherent security policy should take account of this. The same applies, probably with even more force, to Restore Points containing shadow copies of deleted files. Eraser is much less useful on its own than as part of a systematic security routine, which will probably require the use of several different utilities. I use CCleaner alongside Eraser, and I also clear the page file from time to time.

David
 

Altair1572

New Member
i wanted to show you about the MFT entries that are not deleted after successfully completing free space wipe. Here in forum i read from you i think that those MFT entries are deleted by Eraser at end of free space wipe. But when i came to see the MFT entries not deleted(via Tuneup Undelete) i doubted that Eraser had done its job or not?. That is i am asking you from the first post.

Also somewhere in this forum you or joel said about adding "MFT clearing or deleting" at the start of task rather than at the end of task.

This is what you said above..

Essentially, during the free space erase, Eraser first clears the cluster tips (if that option is set), then erases the free space as previously described, and then clears the unused entries in the MFT (which are quite large and may contain the whole of a small file). If the free space erase fails, the MFT entries are not cleared. Your undeleters may be picking up those entries and looking for the associated files. I know that Joel was at one time changing the sequence, and putting the clearance of MFT entries before the free space erasing; in that case, after an erasing failure, there would still be no usable MFT entries to access.
You said the above scenario during failure of free space wipe, but when the task completes successfully and MFT entries are cleared which MFT entries are am i seeing in screenshots, the deleted MFT entries?.

I got some other from your forum..

(1)Upon completion, there's one final phase which is to erase the old MFT/FAT directory entries,
From: viewtopic.php?f=2&t=7869&p=23188&hilit=MFT+entries#p23188

(2)If your drive is at 98% completion, it is clearing the MFT/FAT directories.
From: viewtopic.php?f=2&t=7892&p=23248&hilit=MFT+entries#p23248

(3)Your particular problem is that Eraser only clears the unused MFT entries when it has overwritten the free space.
From: viewtopic.php?f=2&t=8072&p=23654&hilit=MFT+entries#p23654

(4)Free entries in the MFT (or FAT) are only cleared once erasing is complete
From: viewtopic.php?f=2&t=8144&p=24005&hilit=MFT+entries#p24005
Which MFT entries are you referring?. If MFT entries are deleted or cleared by Eraser at finish of task, why those MFT's are showing in screenshots i posted?.

Which MFT entries are deleted by Eraser when it completes free space wipe?, the one i showed you (via Undelete) or ...?????.

Am i seeing the MFT entries that are deleted by Eraser in screenshots or ????....

Anyway the Eraser users are receiving great support from you and joel......keep it up...

You forgot to reply me about this...

Also i found too much time taking for searching or recovery softs to search in Eraser "wiped" drives even if the drive has only less data. But no problem with drives that didnt use Eraser. Do you know it?.

I have now a fear of hard disk failing. Hours ago i ran Tuneup Disk Doctor for checking errors. I opted for thorough scan. I found it is taking huge time to process Eraser used drives. I only used Eraser's free space wipe on d:\, e:\ and f:\ drives. So for scanning these drives it takes long, but no problem in scanning C:\, in which i dont use Eraser's free space wipe. It is quick. I think in future Eraser will address this.
 

DavidHB

Active Member
Thanks for your kind words. However, I'm not sure what more I can do to help.

I have looked again carefully at all your screenshots. I can see nothing in them that indicates that Eraser is not doing its job, which is to make sensitive data unrecoverable. Beyond that, I really do not understand how or why you would expect Eraser (or any other erasing program) to behave differently. You do seem to have a belief that, once a file or folder is erased, there should be, as it were, nothing there. But, as I have repeatedly said, nothing could be further from the reality.

This is also the point I would make about the MFT entries. Eraser overwrites them (with other, dummy, entries); as with the space on the drive, it cannot remove or 'empty' them. What you should see (and, from your screenshots, are seeing) is the entries Eraser has placed there. I cannot say why Tune Up Utilities is choking on these entries, if that is what it is doing.

I didn't respond to your earlier point on Tune Up utilities, because I have no detailed knowledge of it, and so cannot comment on the way it behaves. As other programs I use do not have any problem scanning drives on which Eraser has been used, I have no reason to believe that the issue you describe is associated with Eraser rather than with Tune Up utilities. What Eraser actually writes (which is just data) is no more likely to promote drive failure than any other data. But free space erasing does involve writing a lot of data, and so can stress the drive. If use of Eraser were to hasten the failure of a hard drive (which the authors of Eraser have acknowledged is not impossible, if the drive is already failing), I would expect that failure to come during the erasing process rather than subsequently. And it is most unusual to have 3 drives on the same machine fail at the same time.

David
 

DavidHB

Active Member
@Altair1572

I'm really sorry. I wrote a reply to your last post, but somehow the reply replaced the text of your post rather than appearing separately, and I had to delete it (as it was both wrongly attributed and meaningless). If you wish to repeat your most recent questions, I shall be happy to answer them.

David
 

Altair1572

New Member
David, lightning took off my modem and lan card last week. So i was not able to come here until i purchased a new D-link modem and i have only no other option to connect net than to use USB in modem.

Thanks for reply, leave the overwritten stuff you replaced. Lets talk new..

I yesterday free space erased c:\ drive with 1 pass sucessfully. But when i ran Recuva after, i am getting "excellent green" files including index.dat, temporary files that got deleted. But Recuva shows the modified time of these green files similar to the time when eraser ended its operation successfully, not before eraser start(May be they got deleted after eraser finished job).
i selected all those green files and did "secure overwrite". Some said "Not Overwritten - File is resident in the MFT". Then i scanned again c:\ with Recuva and for my surprise there is a big list of "excellent green" files with the "latest modified time". I selected and "securely overwritted" all. A majority of green files that i selected to overwrite said "Not Overwritten - File is resident in the MFT"

What is meant by a deleted file residing in MFT?.

These are the ordered screenshots by 'Excellent to Unrecoverable' after running free space erase.





 

Joel

Active Member
Altair, I think David is currently away so I'll try to answer to the best I can (which admittedly is not as good as David can explain.)

I think there's a misconception that "erasing" the MFT would mean the file is gone forever. Not quite -- deleting a file simply means marking the file as such, the MFT does not have one record less (the MFT cannot shrink without rewriting the whole MFT.) The reason you are seeing so many of such files is that Eraser merely prevents the old information from remaining in the MFT and that it happens to be in a particular configuration that TuneUp trips on (large folder with many files)

Altair1572 said:
What is meant by a deleted file residing in MFT?.
The MFT stores information about files in entries 1kb long. If the file has contents less than 1kb, the data may be stored within the MFT -- a resident file. These files do not occupy a whole cluster on disk and shares its information with other file records in the same cluster.
 

Altair1572

New Member
Joel, welcome to thread.

i selected all those green files and did "secure overwrite". Some said "Not Overwritten - File is resident in the MFT". Then i scanned again c:\ with Recuva and for my surprise there is a big list of "excellent green" files with the "latest modified time". I selected and "securely overwritted" all. A majority of green files that i selected to overwrite said "Not Overwritten - File is resident in the MFT"
You didn't say about why Recuva shows "Not Overwritten - File is resident in the MFT" when i choose "Securely Overwrite" in Recuva for the green files. Why they dont get overwritted in Recuva if they are deleted and are residing in MFT?. When those deleted green files will be erased or overwritten from/in MFT?.
 

Joel

Active Member
That's a limitation of Recuva and you'll have to ask Recuva's developers.
 

Altair1572

New Member
ok, joel, can you tell me why i cant wipe free space using more than single pass pseudorandom?. I can only use single pass. when overwriting free space with any other passes from 2-35, my drives are getting full at some 90%-95% and Eraser fails to complete the process successfully.

Ca we use only single pass for wiping free space?. Why using other passes fills drive early and fails the process?.
 

Joel

Active Member
The drive filling up is expected and is normal. Letting Eraser complete the erasure will allow Eraser to discard those files properly. If Eraser is erroring out, please copy and paste the task log here.

As of now, current sentiments are that on a modern hard drive, one pass is sufficient.
 

Altair1572

New Member
No, i said this. When the Eraser process reaches some 90%, the drive fills completely with only some 800KB left and Eraser stops there telling it couldnt access/write to a folder with random name like E:\ytHm1uelvw5bhes7yh75o in the log. Then eraser leaves the random named folder on disk to let us delete it manually. This tells Eraser failed to complete the wipe.

So no other option than single pass!!.
 

Joel

Active Member
Altair, I think you are doing no one a service by complaining and ignoring advice. I have said logs from the failed erase attempt are needed before any form of diagnosis can be made.
 

Altair1572

New Member
Sorry for the misunderstandings, joel. I said i got this log entry when the process failed because of full disk.

"When the process fails,
Eraser stops, telling it in the log that it couldnt access/write to a folder with random name like E:\ytHm1uelvw5bhes7yh75o. Then eraser leaves the random named folder on disk to let us delete it manually
"

This is the usual Eraser error when it fillouts drive before writing random data fully to drive when we use more than single pass.

Is it correct?..
 
Top