Eraser tested on Samsung SP1604N / Maxtor 2B020H1

A

Anonymous

Guest
Recently, there were rumours that Eraser does not completely erase files
(http://www.cipherserver.com/phpBB2/viewtopic.php?t=653&sid=cfd809ceff5c130acdbc2a585efec7fa).

To clearify on this topic, I performed a test on 2 hard disks:
1. a 149 GB Samsung SpinPoint 1604N
2. a 19 GB Maxtor 2B020H1

On both hard disks (at the physical end of the disk) I created a 110 MB NTFS primary partition, 512 Byte Cluster size. "Write Caching" was disabled within Windows XP SP 1 for both hard disks before that.
PartitionMagic and other Disk Diagnosing tools did not show any Bad Clusters on the hard drives.
After formatting both partitions, I rebooted and started DBAN.
I wiped both target partitions with 40xPRNG, Verify All Passes.

I then used Encase/FileScavenger/Restoration/Ontrack Easy Recovery Professional/DirectorySnoop to find any files on these partitions.
No program found any user specific files, except MFT, bad cluster etc files. Those files are created when you create the partition or format it. Or are maintained by the disk itself.
I hence assumed that the 40 times PRNG wipe with DBAN sufficiently cleared both volumes.
I then copied about 20 files on both volumes. Files differed in size and file type. SWAP file was disabled and no other process did write any other file on the volumes.

The next day, I erased all files (visible and hidden) with Eraser 1 pass PRNG. I did not do any free space clearing.
Then I put a write lock on both partitions.

After that, I used Encase et al. to examine the 2 volumes.
The results were the same for both volumes:
i) Encase showed me that there were about 20 files I created, but the file names were scrambled and the files only 0 KB files. When I extracted those 0 KB files, a HexEditor (xvi32) did show nothing.
ii) FileScavenger, Restoration, Ontrack ERProf-RawRecovery/DS brought the same results as Encase.

After this process, I removed the write lock and did a Free Space 1pass PRNG overwrite with Eraser (the single files were then effectively erased 2 times).
Then I used Encase et al. again:
i) Encase: Encase did not show the ~20 files in the normal place (d:\, g:\ resp.) but they were in an newly created folder (created by Eraser). file names were scrambled and files were 0 KB. HexEditor did reveal nothing.
ii) FileScavenger still showed me the files, but the before scrambled file names were now 00000000000000. files had 0 KB as well and could not be recovered.
iii)Restoration showed the 0 KB files in a folder
iv) raw recovery only showd a big 73,23 MB file (= sum of all files I created)
v) DS did show the files, but the file names were scrambled and I only recovered 0 KB files.

Then, I did a 40xPRNG wipe with DBAN, formatted both and copied the same files on the 2 volumes.

Waited for 1/2 a day.
This time I did a 1 pass PRNG with DBAN.

Results: all recovery tools (Encase, FS, Rest., Ontrack ERProf, DS) did show nothing else than the system files (MFT file etc).
I could not find or even recover the files I created and then wiped with DBAN.

Conclusion:
-Files that were overwritten 1 time with PRNG data with Eraser could not be recovered with any of the above mentioned software tools.
-However, though the file names itself were scrambled, I could see that there were files that had been erased. This was also true after the Free Space and MFT erase process.
-after a 1xPRNG wipe with DBAN, I could not even find any deleted files and hence not recover them.


These results were obtained on NTFS partitions (512 Byte Cluster size) with disabled write cache on a 149 GB Samsung and a 19 GB Maxtor drive.

Comment:
Eraser is secure for the average user.
However, I'd be worried that one can see that there were files and that those have been deleted.
Therefore, I'd recommed to use DBAN if you want to be sure or if you want to give your hard drive away.
Beware that sophisticated attackers still can recover data that have been overwritten 20 times and maybe more.
30-pass random scrubbing DBAN seems to be secure for a High security level.
All paranoids are advised to smelt/pulverize their platters.


greets, Anonymous

PS: Maybe I'll do the same test but with more passes PRNG.
 
Good.

Thanks for testing, dude. Helps me feel that Eraser is working now.

But very interesting that 1 pass of Eraser stopped EnCase software from retreiving files, that's surprising, considering it's the standard recovery tool used by Law Enforcement agencies.
 
Yes,the first post seems most reassuring-if hard work! Thanx anyway.
I have only ever tried a demo copy of Encase and an earlier version of Directory Snoop,but (some while ago) found no indication that Eraser was failing in its role-but then my requiremnts are more for privacy rather than high level security.I tried BCWipe also,but cannot come to terms with the alleged ability to wipe the paging(swap) file with a Windows application.Maybe my limited knowledge is missing something here,of course.
 
Yes,the first post seems most reassuring-if hard work! Thanx anyway.
I have only ever tried a demo copy of Encase and an earlier version of Directory Snoop,but (some while ago) found no indication that Eraser was failing in its role-but then my requiremnts are more for privacy rather than high level security.I tried BCWipe also,but cannot come to terms with the alleged ability to wipe the paging(swap) file with a Windows application.Maybe my limited knowledge is missing something here,of course.
 
Anonymous0 is my kind of analysis coordinator. There we have it group in whatever color you choose to read the review! We appreciate the time & effort, this must been some of us lucky day to have this poster drop in with those results.
 
Thanks for the validation test. Excellent work.

A comment on your test:

Eraser will wipe the drive from 'within' your OS and thus cannot purge the MFT as the OS itself controls this.

DBAN is wiping from 'outside' the OS and thus has total control of the process.

For total HD wiping use DBAN.

Garrett
 
I should have added that, thx for the info Garrett.
It is clear that a total disk erasure is not within Eraser's scope.
In my opinion Eraser does an excellent job considering what can be done from within OS boundaries.

Thx to the DEV(s) for maintaining and further developing Eraser :D

Much appreciated!

greets, Anonymous
 
Back
Top