Eraser shows errors w/ file erasure, file's gone, though

07SS

New Member
I just did a search and read the rules, and I didn't find anything answering this question.

I just ran Eraser on a folder I had, using the "Files from Folder:" option. It ran, then came back w/ errors about how each file was compressed, sparse or encrypted. I did some research and found out that this happens sometimes for windows XP... So I went back to try and fix the error somehow, and I noticed the folder itself was nowhere to be found. So it's "erased", but not in the sense that I want it to be. How can I:
a. restore this folder so I can properly erase it
or
b. Ensure that they are in fact erased properly?

Thanks in advance
 

DavidHB

Active Member
Without more information (which you may no longer have) about the sequence of events and the error messages you received, I cannot advise on the exact nature of your problem. It is, however worth saying that Eraser does not work on drives that are set (in Windows/NTFS) to be compressed. If you have such a drive, the erasure should not have happened.

Normally, the best way to check a file/folder erasure is to run a good file recovery program (for example, Recuva) on the drive in question, and check what is recoverable. The fact that Explorer no longer sees a file/folder is no indication that it has been permanently erased.

David
 

07SS

New Member
The only error message I got was: (from memory)

The erasure of this file was not complete due to the file being compressed, encrypted or sparse.

I was advised on another forum to erase the free space on my drive, because this will overwrite all the data that I have not permanently erased. I did this, and although a LOT of files/folders showed up that were erased, the one specific folder I want gone did not show up. Thoughts?

Also, as for using Recuva: I don't remember the file names, just the folder name... Will this still work?
 

DavidHB

Active Member
07SS said:
The erasure of this file was not complete due to the file being compressed, encrypted or sparse.
That is a normal error message. Eraser cannot handle these files. However, this only refers to files given one or more of these characteristics by the NTFS file system; files compressed or encrypted by software can be erased normally.

07SS said:
I was advised on another forum to erase the free space on my drive, because this will overwrite all the data that I have not permanently erased. I did this, and although a LOT of files/folders showed up that were erased, the one specific folder I want gone did not show up. Thoughts?
The advice on the other forum was correct but not complete. Erasing free space does not necessarily remove all traces of previously deleted files; as, particularly if the NTFS Shadow Copies feature is enabled, partial or complete copies of deleted files can still reside in space not marked as free. What might have happened in your case was that Eraser found the deleted file entry and saw that it related to files it cannot touch, but erased the file entry in any case. That might or might not mean that the files themselves are recoverable, which is why I advised you to check

07SS said:
Also, as for using Recuva: I don't remember the file names, just the folder name... Will this still work?
Yes, almost certainly. Recuva, like most programs of its type, scans the drive, and gives a list of files it thinks it can recover. Particularly on a system drive, this list is often surprisingly long, but most entries either prove to be non-recoverable files or are of no interest. What you are looking for is files that are, and should not be, recoverable. Recuva has a useful capability to overwrite recoverable files. If the overwriting does not work (e.g. because the file is wholly contained within the MFT entry), running Eraser free space erase again may well finally remove the recoverable file. Indeed while I cannot recommend running this erase every day, doing it several times in succession (if you can spare the time) does seem to be more effective than just running it once.

David
 

07SS

New Member
DavidHB said:
The advice on the other forum was correct but not complete. Erasing free space does not necessarily remove all traces of previously deleted files; as, particularly if the NTFS Shadow Copies feature is enabled, partial or complete copies of deleted files can still reside in space not marked as free. What might have happened in your case was that Eraser found the deleted file entry and saw that it related to files it cannot touch, but erased the file entry in any case. That might or might not mean that the files themselves are recoverable, which is why I advised you to check


David
Is there any reason that the folder I'm looking for would be in these categories (NTFS Shadow Copies) if it was just a general folder with regular files (.txt and .jpg)? Nothing executable or anything, mostly just word docs and some .jpg's.
 

DavidHB

Active Member
The commonest reason is that the drive has been set to be compressed. Also, if files were ever copied from compressed drives, they can retain the compressed status. I've never used NTFS file compression, but have still occasionally found the odd folder or file to be marked as compressed, and have had no idea why. It's less likely, I think, that encrypted or sparse files will turn up seemingly at random, but, where the (undocumented) NTFS file system is concerned, I long ago gave up being surprised.

David
 

07SS

New Member
I use Disk Cleanup and Disk Defragmenter, and one of the options for Disk cleanup is to compress old files. I haven't run this since I "deleted" the folder, so do you think it could still be compressed this way?

Also, I get this error message for multiple areas of the C drive:

Session: Thursday, March 17, 2011 4:49:39 PM
Thursday, March 17, 2011 4:49:39 PM Error C:\ did not have its cluster tips erased because of the following error: The process cannot access the file because it is being used by another process. (Exception from HRESULT: 0x80070020)

How can I fix this?

One more question (haha): what files should I use to replace to allow "plausible deniability"?

And thank for the help so quickly
 

DavidHB

Active Member
07SS said:
I use Disk Cleanup and Disk Defragmenter, and one of the options for Disk cleanup is to compress old files. I haven't run this since I "deleted" the folder, so do you think it could still be compressed this way?
Yes, that is a possibility. These days, any form of disk compression is often not worth the hassle it causes; it's usually better to just get another hard drive ...

07SS said:
Also, I get this error message for multiple areas of the C drive:

Session: Thursday, March 17, 2011 4:49:39 PM
Thursday, March 17, 2011 4:49:39 PM Error C:\ did not have its cluster tips erased because of the following error: The process cannot access the file because it is being used by another process. (Exception from HRESULT: 0x80070020)

How can I fix this?
It all depends what is locking the C: drive root folder. Sometimes just logging out and back in (or rebooting) solves the problem. If it doesn't, rather than spend time looking for the problem, just uncheck the option to have cluster tips erased in the Eraser task entry. That will most likely not create any significant additional security hazard.

07SS said:
One more question (haha): what files should I use to replace to allow "plausible deniability"?
Any set of files you might plausibly edit frequently. What the feature is supposed to do is hide the fact that Eraser has been used at a particular time. Obviously, if Eraser is installed on the machine, it is likely that it will have been used, but if 'real' files are used for erasing, the remnants of Eraser files with particular time stamps will not be present. Only you can decide whether in your circumstances the feature adds to your security. I don't use it myself.

David
 

07SS

New Member
Wonderful.
The only reason I was choosing to erase cluster tips is because I thought that files were stored in them.

I really appreciate the help, David. I'll report back with some results.
 

DavidHB

Active Member
07SS said:
The only reason I was choosing to erase cluster tips is because I thought that files were stored in them.
Cluster tips are the unused bit at the end of the space allocated to a file (that is a file that is not deleted). They present a security concern, because anything that was previously contained in them will not be overwritten when the new file using the space is created. However (1) what is present in the cluster tip is likely to be only part of the previous file, and (2) cluster tips are not accessible via normal file system activity. This means that, while they are a security concern, they are (in my opinion) much less of a concern than other aspects of file system and Windows behaviour, of which adversaries are therefore more likely to take advantage.

David
 

Joel

Active Member
Yes, cluster tips can be remnants of a previous file, but more likely it contains remnants of system memory (hence the privacy concern). The details are rather complex, let me know if you want an explanation.
 
Top