Eraser vs Disk investigator... 0-1?

oldcoin

New Member
I've been using Eraser a couple of years now and I've been running it several times a month. Yesterday I downloaded this very small, simplistic program called Disk Investigator (google it). In Disk Investigator I searched for words like "house sample, packs, porn" and guess what!? My whole download history could be found by this program, revealing ALL the file names I have downloaded in the last 10 years, including .avi, .rar, .jpg etc. Sure, they may not be recoverable, but the file names are still there :S

Is this normal? And the better question is... can this be removed also?! This is quite a bummer actually, making me doubt this whole Eraser program.


I'm using a Windows PC with Windows XP Service Pack 2.
 

DavidHB

Active Member
I have looked up Disk investigator as you suggested. I haven't downloaded and installed it, as the feature list seems to combine elements of Recuva and CCleaner, both from Piriform and both of which I already use.

You do not say which file system you are using (NTFS or FAT, though I'd guess the former), nor do you say whether you have System Restore and Shadow Copies enabled (though, as these are the defaults, I'd guess that you do). Nor do you say what kind of erasing you were doing, though at another guess we are talking about the free space erase. I'm going to start the answer by assuming that my guesses are correct.

Erasing free space does just that (by filling the space with files and then deleting them). The unused entries in the file table are then overwritten (this assumes that Eraser completes the task, which it usually does). What users often do not realise is that Windows places 'safety' copies of deleted files in restore points when shadow copies are enabled; these are in disk space not marked as free, so will not be touched by a free space erase, and will be recoverable by file recovery programs. There are other ways in which Windows may cache files that are deleted, but in my experience this is the most significant one. I have had experiences just like yours, and I agree that one's first instinct is that something has gone wrong with the erase; usually, that is not the case and the user has simply misunderstood the limitations of what he or she is doing.

The moral I draw from all this is that, whenever possible, files should be explicitly erased rather than deleted and then the free space wiped. Another problem comes when the disk is defragmented, as that leaves recoverable copies of file data lying around; you should always erase free space after defragmenting. So, although I may not have got to the bottom of your particular issue (I need more information for that), you can see that data security is more about a whole approach to hygiene than the capabilities of any one program. It may in fact be that CCleaner is more suited to your needs than Eraser (I use both and regard them as complementary), but I'd rather not jump to that conclusion until I know a little more about your system, what erasing you did and what the Eraser log said (if anything).

David
 

oldcoin

New Member
Ok, I will try to provide you with all the information needed.

Windows XP Service Pack 2
250 GB Western Digital, NTFS, divided in 2 partitions (C & D)
system restore is disabled and I don't think that I have an option for shadow copies either

I do the 7-pass wipe free space, the USD or something, most of the time.

I have not defragmented my C partition and wiped free space after that yet, so I'm going to test that, but I'm sure that won't solve my problem.


The problem is that Disk Investigator CAN actually find all the file names that have been on my computer ever since I got my PC, which is 10 years by now. The thing is, if it can read all the file names, I'm sure it can also leak information in documents as well.

Now, I have zero knowledge on the technical part, but I just want a simple yet effective way to erase the file names so that Disk Investigator can't find them anymore, nor another program. Otherwise... what use does Eraser have.. :/
 

DavidHB

Active Member
Sorry I haven't come back sooner. I need to do a bit of research, and will get back to you when I can.

David
 

DavidHB

Active Member
I couldn't come back sooner, because my investigations required a fair amount of work.

In the end, I installed Disk Investigator (DI) on my reserve machine (Windows 7, but as it's the same NTFS file system, I don't think that's an issue).

Frankly, I can't make DI out. The widely varying run times and scan results I had from the same scan on the same drive make me very suspicious. I simply do not see how a search can get 4,600 'hits' on run 1, 3,200 on the next and over 11,000 when I stopped run 3, when I have simply not been doing enough writing to and deleting from the drive to make that kind of difference. Given that the program's author, one Kevin Solway, is using it to advertise his $25 erasing program when CCleaner is free, it does make one wonder if DI has been doctored in some way to function as scareware. As things stand, my results are not believable.

David
 

oldcoin

New Member
David, thanks for the time you spent on taking this issue.

However, I disagree with you saying that it's simply a promotion tool when it DOES find all the old files I deleted years ago (the file names match exactly, and if you click on "Locate" it links to the folders the files were in but were deleted years ago!). That can not be simple coincidence. I agree with the various/random amount of files it finds on a scan, but it certainly finds the files that should not be there in the first place!!

I googled my issue btw and it seems that I'm not the only one that has this same problem, also posts dated back to 2006. It seems that there's no real answer to this 'leak' as I call it.

Here's a topic debating this same issue
viewtopic.php?f=2&t=5481&start=0

All of these posts make sense but didn't give a solution to the problem.

So what does this say about security?...

:(
 

DavidHB

Active Member
I'm sorry this is taking so long. My investigations require about 4 hours of running per experiment, and I've been away from home two days this week.

I still have some reservations about Disk Investigator, but am now satisfied that the essence of the problem is as you describe it, with one important caveat. This discussion is not about the efficacy of file erasing or free space erasing, because the traces you have identified do not, I believe, reside in anything that has been deleted (or erased). My experiments have all been on a non-system drive, where there is no UserData folder or paging file, so those are excluded. We are, I believe, looking at one or more of the many complex components of the NTFS journalling file system. It is quite difficult to find coherent data on NTFS, which Microsoft has never fully documented, so it is a matter of clearing some element of the system, erasing free space then doing a sector editor search for data that should have been removed. A slow process, but useful if I ever find the offending NTFS component ...

David
 

DavidHB

Active Member
Well, the investigations are not complete, and perhaps they never will be. But here is a set of rather varied conclusions reached so far.

Use of disk editors to test disk security and erasing
While I am fully prepared to admit that I may have maligned Disk Investigator, I remain uncomfortable with the search results it produces. I am now using HxD for this work. I particularly like the way it presents its search results in the disk display; it is easy to make a note of a sector number and return to it after an erase to check whether the data has indeed been overwritten. Once one has done this a few times, it becomes really satisfying to see how well Eraser works, to the point that the standard erasing methods do a good job of looking like file encryption.

The really hard work with disk editors is trying to identify the actual file(s) in which problem data, once found on the disk surface, actually resides. A fair amount of knowledge of Windows and particular applications is needed to narrow down the possibilities. Sometimes the target files are protected, and can only be cleared using a special utility, followed (of course) by a free space erase. The effectiveness of the process then has to be tested with a disk editor search, which typically takes as long as the free space erase. So this exercise is not for the faint hearted, and you would not want to tie up a production machine for the time it takes. I am fortunate enough to have a reserve machine I can use.

Another point is that, to test an erase, you should know at least a representative sample of the disk sectors to be erased. There is no point in blaming Eraser for not erasing something you haven't actually specified. This comes back to the point, which I have often made on this forum, that the real security/privacy challenge for users is the difficulty of finding the data that needs to be erased (even if they know that the data exists) rather than the process of erasing it once it is found.

The biggest security holes
After much reading on the NTFS file system and experiments with clearing logs etc., I have concluded that the principal security culprits are the ones we suspected all along, namely shadow copies and the page file. Routinely deleting old restore points and clearing the page file on shut down, combined with a free space erase, reduces risk significantly. Clearing the DNS cache from time to time is also a good idea.

So is clearing Internet clutter and application logs. Using an application such as CCleaner regularly, with its secure deletion option (if it has one) set, is always a good idea, but this should not be relied on as a complete solution; I found, for example, that CCleaner failed to erase my Firefox cookies file. It is definitely a good idea to set up an Eraser task to clear the data from the browser you use most often. (If this is IE, my advice is to switch to Firefox or Chrome.)

For me, a new and unwelcome discovery was just how much activity is logged by my security program (Kaspersky), even for functions I have disabled. These logs can be cleared, but again a free space erase is needed to remove the data from the disk surface. Tracing problem data I found on the disk back to these logs took a lot of work; they represent a potentially large security hole of which the great majority of users will be blissfully unaware. And I cannot believe that Kaspersky is the only security program to behave in this way.

The need for proper 'hygiene'
I have long argued on this forum that Eraser should be seen as only one of a number of tools and measures that need to be used for regular maintenance of computer security. We have to acknowledge that we are working against a computer industry that believes that security is synonymous with the preservation of data, whereas every Eraser user knows that the converse is very often the case.

Also, the Windows file system is a disorganised mess (compared with, say, the way Linux works); it makes every sense for users to separate data from programs and the OS, and store as much user data as possible on a separate drive or partition. While Windows makes a complete separation of programs and data almost impossible, having a separate data drive was a major factor in my ability to identify and deal with problem areas.

Once programs and data have been separated, most users could I believe get by with something between a weekly and monthly clear out of clutter (the frequency will depend on how often the machine is used), coupled with routine erasing rather than deletion of any sensitive data and an occasional free space erase. The page file should be cleared regularly (this has to be done on shut down, and it lengthens the process considerably), and all but the most recent Restore Points should be routinely deleted. It's quite a significant list of tasks.

Is 100% security achievable?
In a word, no. No user can protect their privacy completely against an opponent who can image the disk and use forensic investigation tools (which are disk editors on steroids) on that image. But ordinary users using their machines lawfully are unlikely to face that kind of threat. The measures I have described should defeat casual attack, even by people with some computer knowledge. I know that my test machine is, at least for now, clear of the kind of problems identified in the opening post of this thread.

David
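The "note a sector number, erase, then return to it" routine that David describes above, as an added example that is not part of the original thread and not Eraser's or Disk Investigator's own code. It scans a raw image (or a block device opened read-only) for a string in both ASCII and UTF-16LE, because NTFS metadata ($MFT file names, $LogFile, $UsnJrnl) and the registry store names as UTF-16LE while caches and logs are usually ASCII, so an ASCII-only search misses half the traces. The sample image, the offsets and the "erase" of one sector are all constructed here for illustration; nothing in it is a real NTFS structure.

```python
"""Disk-editor style residue search: find a string in a raw image in both
ASCII and UTF-16LE, note the sector, erase, and re-check that sector.
Added example for this thread; constructed data, no real NTFS structures."""
import os
import tempfile

SECTOR = 512


def encodings_for(needle: str):
    """Byte patterns to search: ASCII (caches, logs) and UTF-16LE (NTFS, registry)."""
    return {"ascii": needle.encode("ascii"), "utf16le": needle.encode("utf-16-le")}


def scan_image(path, needles, sector_size=SECTOR, chunk_size=1 << 20):
    """Return sorted (sector_no, byte_offset, encoding, needle) hits.
    Case-insensitive for ASCII letters; reads the file in chunks with an overlap
    so a match straddling a chunk boundary is still found exactly once."""
    pats = [(n, enc, b.lower()) for n in needles for enc, b in encodings_for(n).items()]
    overlap = max(len(b) for _, _, b in pats) - 1
    hits = []
    with open(path, "rb") as f:
        tail, tail_abs = b"", 0          # carried-over bytes and their absolute offset
        while True:
            data = f.read(chunk_size)
            if not data:
                break
            whole = tail + data
            buf = whole.lower()          # bytes.lower() only touches ASCII letters
            for n, enc, b in pats:
                i = buf.find(b)
                while i != -1:
                    if i + len(b) > len(tail):   # skip matches already reported from the previous chunk
                        off = tail_abs + i
                        hits.append((off // sector_size, off, enc, n))
                    i = buf.find(b, i + 1)
            tail = whole[-overlap:] if overlap else b""
            tail_abs = tail_abs + len(whole) - len(tail)
    hits.sort()
    return hits


def read_sector(path, sector_no, sector_size=SECTOR):
    with open(path, "rb") as f:
        f.seek(sector_no * sector_size)
        return f.read(sector_size)


def sector_still_contains(path, sector_no, needle, sector_size=SECTOR):
    """After an erase, re-read a noted sector and list the encodings that survive."""
    raw = read_sector(path, sector_no, sector_size).lower()
    return [enc for enc, b in encodings_for(needle).items() if b.lower() in raw]


def overwrite_sector(path, sector_no, sector_size=SECTOR, fill=b"\x00"):
    """Stand-in for one erase pass over a single sector (real erasers do whole runs)."""
    with open(path, "r+b") as f:
        f.seek(sector_no * sector_size)
        f.write(fill * sector_size)


def build_sample_image(path):
    """Constructed 16-sector image: a UTF-16LE file name at sector 3 (as an NTFS
    record would hold it) and an ASCII log line at sector 9. Not real structures."""
    img = bytearray(16 * SECTOR)
    name = "House Sample Pack 01.rar".encode("utf-16-le")
    img[3 * SECTOR + 0xF0:3 * SECTOR + 0xF0 + len(name)] = name
    line = b"[2009-03-01] download complete: house sample packs.zip\r\n"
    img[9 * SECTOR + 0x20:9 * SECTOR + 0x20 + len(line)] = line
    with open(path, "wb") as f:
        f.write(img)
    return path


def demo():
    """Scan, erase only the sector that held the UTF-16LE copy, re-check both."""
    path = build_sample_image(os.path.join(tempfile.mkdtemp(), "sample.img"))
    before = scan_image(path, ["house sample"])
    for sec, off, enc, n in before:
        print(f"sector {sec} (offset 0x{off:x}) {enc:8} {n!r}")
    overwrite_sector(path, 3)
    after = {sec: sector_still_contains(path, sec, "house sample") for sec, *_ in before}
    return {"path": path, "before": before, "after": after}


if __name__ == "__main__":
    print(demo()["after"])
```

On a real drive, point `scan_image` at the device (for example `\\.\PhysicalDrive0` opened read-only on Windows, or a dd image of it) and expect the scan to take roughly as long as a free space erase, as David notes. The second hit surviving the erase of sector 3 is the point of the exercise: a clean check of the sector you erased says nothing about the other copies of the same name elsewhere on the disk.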
 

davekleiman

New Member
oldcoin said:
My whole download history could be found by this program revealing ALL the file names I have downloaded in the last 10 years including .avi .rar .jpg etc. Sure they may not be recoverable but the file names are still there
They are stored in the .DAT or .sqlite files for your particular browser or software that you used to download them, as well as they may appear in the registry. That is why you are most likely seeing them, not because they are still on your hard drive, unless of course you did not erase properly.


DavidHB said:
It is quite difficult to find coherent data on NTFS, which Microsoft has never fully documented, so it is a matter of clearing some element of the system, erasing free space then doing a sector editor search for data that should have been removed. A slow process, but useful if I ever find the offending NTFS component
You should try reading file system forensics.


Respectfully - Dave Kleiman
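An added example, not part of the thread and not code from any browser or from Eraser, showing why the .sqlite history files Dave mentions keep old download names even after the application has "deleted" them. The table layout is an assumption loosely modelled on Firefox's old downloads.sqlite, and the rows are constructed. A plain SQL DELETE only unlinks the record inside the page; the bytes stay until the page is rewritten (SQLite's `secure_delete` pragma or a `VACUUM`), which is exactly what a raw-byte search such as Disk Investigator's sees.

```python
"""Deleted rows linger inside an SQLite file until its pages are rewritten.
Added example; constructed rows and an assumed table layout, not a real schema."""
import os
import sqlite3
import tempfile

# Constructed sample download history (assumption: a downloads.sqlite-like table).
SAMPLE_ROWS = [
    ("house sample pack 01.rar", "http://example.invalid/d/1", "D:\\dl\\house sample pack 01.rar"),
    ("holiday.jpg", "http://example.invalid/d/2", "D:\\dl\\holiday.jpg"),
    ("notes.txt", "http://example.invalid/d/3", "D:\\dl\\notes.txt"),
]


def make_db(path):
    con = sqlite3.connect(path, isolation_level=None)      # autocommit
    con.execute("CREATE TABLE moz_downloads "
                "(id INTEGER PRIMARY KEY, name TEXT, source TEXT, target TEXT)")
    con.executemany("INSERT INTO moz_downloads (name, source, target) VALUES (?, ?, ?)",
                    SAMPLE_ROWS)
    con.close()
    return path


def delete_entries(path, names, secure=False, vacuum=False):
    """Remove history rows the way a cleanup tool would.
    secure=True  : PRAGMA secure_delete zeroes freed cells as they are deleted.
    vacuum=True  : rebuild the file afterwards so freed space is rewritten."""
    con = sqlite3.connect(path, isolation_level=None)
    con.execute("PRAGMA secure_delete = %s" % ("ON" if secure else "OFF"))
    con.executemany("DELETE FROM moz_downloads WHERE name = ?", [(n,) for n in names])
    if vacuum:
        con.execute("VACUUM")
    con.close()


def sql_names(path):
    """What the application (and the user) sees after the delete."""
    con = sqlite3.connect(path)
    rows = [r[0] for r in con.execute("SELECT name FROM moz_downloads ORDER BY id")]
    con.close()
    return rows


def names_left_in_file(path, names):
    """What a disk editor sees: a raw byte search of the .sqlite file, ignoring SQL."""
    with open(path, "rb") as f:
        raw = f.read()
    return [n for n in names if n.encode("utf-8") in raw]


def demo():
    """Delete the same sensitive row three ways and compare SQL view vs raw bytes."""
    d = tempfile.mkdtemp()
    sensitive = ["house sample pack 01.rar"]
    modes = {"plain_delete": {}, "secure_delete": {"secure": True}, "vacuum": {"vacuum": True}}
    results = {}
    for label, kw in modes.items():
        p = make_db(os.path.join(d, label + ".sqlite"))
        delete_entries(p, sensitive, **kw)
        results[label] = {"sql": sql_names(p), "raw": names_left_in_file(p, sensitive)}
        print(f"{label:14} SQL sees {results[label]['sql']}, raw file still holds {results[label]['raw']}")
    return results


if __name__ == "__main__":
    demo()
```

Two caveats a practitioner will want. First, the application must be closed while its database is edited, or it will simply overwrite the change. Second, both the VACUUM and the secure_delete path only fix the live file: SQLite's rollback journal (and any earlier copy of the file) is unlinked, not overwritten, so the old page contents end up in free space and the free space erase David recommends is still needed afterwards.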
 

DavidHB

Active Member
davekleiman said:
That is why you are most likely seeing them, not because they are still on your hard drive, unless of course you did not erase properly.
Yes, exactly my point. But the range of file types is wider than those you mention; I'd certainly add text and log files in as possible candidates. And that's not to mention all those Flash cookie files ...

davekleiman said:
You should try reading file system forensics.
Well I did, and that prompted further investigation, which led to the conclusion (recorded in my subsequent post) that shadow copies, the page file and application logs and clutter are the source of most user problems. NTFS journalling is bound to be in the mix somewhere, though it does not seem to be the source of much wrongly retained data. It would be good to know whether there are other views on this.

David
 

neverneverland

New Member
This is fascinating and slightly scary stuff, and it reminds me that a while ago I posted here asking about something I'd heard that Windows does automatically: make and keep copies of everything. I was told in the reply to my post that no, this doesn't happen.

Now I see that I was right, even though the way I had expressed my questions was a bit off: shadow copies are exactly what I meant (although I didn't know it at the time).
So, if shadow copies are created by "journalling" is it possible to turn this feature off on XP?
 

DavidHB

Active Member
Strictly speaking, shadow copies are not created by journalling, but as part of the System Restore function of Windows, working with the NTFS (journalling) file system. That's a distinction without a difference in relation to your points. What Windows does and does not track is actually a convoluted subject, of which most users are regrettably unaware. And that is certainly scary.

The only way to stop Windows making shadow copies is to turn off System Restore (the method for XP is here) for the drive in question. If it is your system drive, turning off System Restore denies you the opportunity to restore the machine to an earlier state if something (e.g. a virus) breaks it. Having within the last day used System Restore to recover a friend's machine (her son fell prey to a social engineering virus), I hesitate to recommend disabling the function completely.

My own approach is
  • to try, so far as possible (though Windows makes it difficult), to separate the system and application programs from data (I have a separate data drive);
  • to leave System Restore turned on for the system drive, but not for the data drive;
  • to use regularly the useful tool in CCleaner which deletes old Restore Points (CCleaner also has an option to overwrite what it deletes).

David
 

neverneverland

New Member
This is a really helpful and easy to understand answer.
Whilst not wanting to reveal exactly how paranoid I am :) I'd like to try and understand one point a bit better.
I have sensitive data stored on drive 2, not the OS drive (1).
I access 2 via 1, right? Because it's the OS and the programs installed therein that allow that access; so I leave on 1 traces of that access (date/time etc.) and the location, name and type of the data I access: that info stays on 1 until I CClean it. Right?
Instead of disabling Restore (it does have its uses as you rightly explain) punctual removal of any Restore Points will do the trick?

Thanks a lot.
 

DavidHB

Active Member
neverneverland said:
Instead of disabling Restore (it does have its uses as you rightly explain) punctual removal of any Restore Points will do the trick?
If you disable System Restore on a non-system drive, there will be no shadow copies of files on that drive; System Restore (and with it shadow copying) works on a 'per drive' basis, and shadow copies of files on a drive will be stored on that drive.

This explains my approach. If something messes up the Registry or some Windows file, there is a reasonable chance (if I catch it quickly enough) that I can undo that damage with System Restore. But shadow copying, in my view, only does what a sensible backup routine does better. Unfortunately (and perhaps understandably), you cannot switch off shadow copying of user files if System Restore is on. So keeping potentially problematic files (the Documents library and the Mozilla profiles, for example) on a separate data drive with System Restore disabled is an obvious aid to privacy, as well as allowing you to reinstall the system if needed without destroying the separately stored data.

That said, I agree that routinely clearing out old Restore Points is a good idea. They create privacy/security concerns, they take up space (about 2GB per Restore point in my case), and (in my view) their effective shelf life is usually quite short. You can set System Restore to use a limited amount of drive space (the minimum is 1%), and I do this, but, if you don't clear out the Restore Points manually, Windows will delete rather than erase them, and the files will be recoverable unless you do a free space erase (which is a time-consuming process).

David
 