Erasing MFT/FAT entries

Anonymous

Guest
It is written in the FAQ that Eraser will not clean the MFT/FAT entries.

Does this mean that the data are erased but that it is still possible to find the file names in the FAT?

If yes, how can I also erase the file names, as my goal is to completely remove the data of the files as well as the file names.

Thanks very much,
N.

Gralfus

Member
The answer is in the main FAQ: http://www.heidi.ie/eraser/faq.php

I did a Freespace erase and yet I can see the file names. What's going on?
If you erase a whole drive, Eraser will not clean the MFT/FAT. To do that you need to format the drive - think this is what BCwipe does. Formatting is the only way to safely remove the ghost entries from the MFT/FAT. So after erasing a drive you need to finally format it. Equally you will be able to recover 'data' from these files but only the erased information and not the original data.
In addition to never defragmenting your drive before erasing, you should run chkdsk/scandisk to recover any lost clusters and erase those first.
If you try to erase files in use it will fail. Attempts to erase working programs/files in use will fail as the Eraser program cannot lock the file to erase it.
Finally, if you want to guarantee the erasing of a file the only way is to nuke the whole machine. This is because potentially, data may have leaked into the pagefile, the registry, documents and databases. For example, if you delete some document 'supersecret.doc' and a few minutes later your database expands its files and the clusters used by the document are used but the database now contains the document. While the database knows those blocks are free, a text search of the database will reveal all.
Anonymous

Guest
Gralfus said:
The answer is in the main FAQ: http://www.heidi.ie/eraser/faq.php

I did a Freespace erase and yet I can see the file names. What's going on?
If you erase a whole drive, Eraser will not clean the MFT/FAT. To do that you need to format the drive - think this is what BCwipe does. Formatting is the only way to safely remove the ghost entries from the MFT/FAT.
Finally, if you want to guarantee the erasing of a file the only way is to nuke the whole machine. This is because potentially, data may have leaked into the pagefile, the registry, documents and databases. For example, if you delete some document 'supersecret.doc' and a few minutes later your database expands its files and the clusters used by the document are used but the database now contains the document. While the database knows those blocks are free, a text search of the database will reveal all.
Negative. There is a program, with source code available, that securely wipes the MFT. The program is located at: http://www.sysinternals.com/ntw2k/source/sdelete.shtml. While the program is not under the GPL, the source code is readily available for download and the authors of Eraser can review that to determine its algorithm and implement something similar in Eraser. With respect to the paging file, the best that can probably be done is to encrypt it using something like CryptoSwap Guerilla - which can be found by googling the filename. Regarding databases and other documents (e.g. Word temp files, etc.) the best thing you can do is have an encrypted drive/virtual drive container and set directories in the respective programs to save temps in the encrypted container. As to the registry, probably the best idea is to use a Windows tune-up program that searches the registry for dead references and eliminates them. Someone also mentioned a method for rebuilding the registry in another post. Once that's done a freespace wipe would need to be done.

Needless to say, you would still have a security concern in the hibernation file because anything that's in RAM is saved to that. I don't know if you can target the hibernation file after you wake the machine or if it gets automatically deleted and you would need to do a freespace wipe.
Anonymous

Guest
It is written in the FAQ that Eraser will not clean the MFT/FAT entries.
OK, I have to ask; since when? As far as I know, Eraser will clean the erased FAT/MFT entries when erasing free disk space.
Anonymous

Guest
I'm running Windows NT4. I've surfed around a bit and deleted via IE6 control panel a few hundred TIF. Downloaded Directory Snoop, scanned C drive, filtered the results (Files and Directories, Deleted) and listed in the MFT in red were all the deleted entries with their file names and attributes intact. Closed Directory Snoop. I logged back online, surfed around a bit, collected some more internet junk (TIF), logged offline; only this time I shredded the contents of the TIF folder using Eraser v5.6 (3 Pass pseudorandom data). Scanned the C drive with Directory Snoop a second time with the same filter configuration and the MFT results in red were a mix of previously deleted entries (via IE control panel) and entries with pseudorandom names and 1980 dates (Eraser). Using Eraser I then wiped the unused disk space (1 pass pseudorandom data) with the following options checked: Free Disk Space and Master File Table Records = Checked. Directory Entries = Checked. Scanned the C drive with Directory Snoop a third time with the same filter configuration and the result was that all of the deleted MFT entries in red were zero-ized with a size of 0kb. Eraser v5.6 has in my experiment cleaned (zero-ized) the MFT records on an NT4 machine.

Pete
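Pete's three Directory Snoop scans above (deleted records still carrying their names, then records zeroed after the MFT-records wipe) can be reproduced on a raw $MFT extract with a small record parser. This is an added example, not Eraser's or Directory Snoop's code; it assumes the common 1024-byte record size, does not apply update-sequence fixups, and feeds itself a constructed three-record $MFT fragment in place of a real dump.

```python
import struct

RECORD_SIZE = 1024       # common NTFS MFT record size; adjust for the volume being checked
ATTR_FILE_NAME = 0x30
FLAG_IN_USE = 0x0001     # record header flag: entry is allocated to a live file

def file_names(rec: bytes) -> list:
    """Names from resident $FILE_NAME attributes of one raw MFT record.
    Fixups are not applied: on a real dump, distrust names straddling a sector edge."""
    names, off = [], struct.unpack_from("<H", rec, 20)[0]   # first attribute offset
    while off + 24 <= len(rec):
        atype, alen, nonres = struct.unpack_from("<IIB", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:                 # end-of-attributes marker
            break
        if atype == ATTR_FILE_NAME and not nonres:
            clen, coff = struct.unpack_from("<IH", rec, off + 16)   # content length/offset
            body = rec[off + coff:off + coff + clen]
            names.append(body[66:66 + 2 * body[64]].decode("utf-16-le"))  # len at 64, name at 66
        off += alen
    return names

def classify_mft(data: bytes) -> list:
    """Label each record: in_use, deleted_named (ghost entry), deleted_clean, or zeroed."""
    result = []
    for i in range(0, len(data), RECORD_SIZE):
        rec = data[i:i + RECORD_SIZE]
        if rec[:4] != b"FILE":
            result.append(("zeroed" if not any(rec) else "unknown", []))
            continue
        flags = struct.unpack_from("<H", rec, 22)[0]
        names = file_names(rec)
        state = "in_use" if flags & FLAG_IN_USE else ("deleted_named" if names else "deleted_clean")
        result.append((state, names))
    return result

def make_record(name: str, in_use: bool) -> bytes:
    """Constructed sample record: 56-byte header, one resident $FILE_NAME, end marker."""
    uname = name.encode("utf-16-le")
    body = bytes(64) + bytes([len(name), 1]) + uname     # parent ref/timestamps/sizes zeroed
    body += bytes(-len(body) % 8)
    attr = struct.pack("<IIBBHHHIHBB", ATTR_FILE_NAME, 24 + len(body),
                       0, 0, 0, 0, 0, len(body), 24, 0, 0) + body
    hdr = struct.pack("<4sHHQHHHHII", b"FILE", 48, 3, 0, 1, 1, 56,
                      FLAG_IN_USE if in_use else 0, 56 + len(attr) + 8, RECORD_SIZE)
    return (hdr.ljust(56, b"\0") + attr + struct.pack("<I", 0xFFFFFFFF)).ljust(RECORD_SIZE, b"\0")

# Constructed $MFT fragment: a live file, a deleted file whose name survived, a wiped record.
SAMPLE_MFT = make_record("notes.txt", True) + make_record("supersecret.doc", False) + bytes(RECORD_SIZE)

if __name__ == "__main__":
    for n, (state, names) in enumerate(classify_mft(SAMPLE_MFT)):
        print(n, state, names)
```

On a real volume, extract $MFT with a forensic imaging tool and pass the bytes to classify_mft; any "deleted_named" record is exactly the ghost entry the FAQ warns about.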