Eraser - Possibly Insecure?

I've did some research and it seems as though the Change Journal doesn't store any file data information (see http://technet.microsoft.com/en-us/library/bb742450.aspx). Furthermore, the MFT Mirror doesn't store all MFT entries, only the first four:
http://technet.microsoft.com/en-us/library/cc781134%28WS.10%29.aspx said:
The $MftMirr is a duplicate image of either the first four records of the $Mft or the first cluster of the $Mft

So I'm stumped.

Joel
 
A few findings:
-Saving a text file with such a small string causes 2 copies to be written to disk; one is in the MFT record (because it's small) and the other is stuck at an arbitrary location, possibly as a cluster tip. EDIT:I'm starting to believe that the other location is actually a directory entry.
-Erasing a file causes the data written to be inserted before the actual data; the original MFT entry is destroyed but the new one contains a combination of both the overwritten data and the original contents

Joel
 
A code change (made to v6) now completely sanitises the MFT resident files as it creates resident files grows them while the disk is full. This removes one of the 3 copies found on disk.
 
Back
Top