File table name obfuscation

DoctorM

New Member
I wanted to ask how the bogus naming thing works.
I see that I have the ability to add file names and folders to a list, but what happens after that?

1) Does a folder selected only get used to overwrite names of folders or do names of the files contained in that folder get used?
2) Is there an intelligent use of naming? I mean is a .jpg used if the file being overwritten is 1 GB? That's almost as obvious as if you didn't rename it.
3) Wouldn't just renaming it to some pseudorandom collection of characters (or Erased.del) make life easier than maybe 40 copies of "Me and My Dog.jpg"?

I know it would leave tell-tale signs behind, but I'm more concerned with destroying the name than hiding the fact that I erased something. Since Eraser should make the data unrecoverable, people can ponder all they want about what has been removed.

4) Can the same thing be accomplished by me renaming a file before erasing or does NTFS store the old name as well? (Or is this exactly how this feature works?)
 

Joel

Active Member
1. Portions of the files are used when you enable plausible deniability. It merely allows you to specify which files should be used for the purpose.
2. Only the first few KB or MB are copied, if memory serves.
3. The file being erased will have the file name replaced with random characters, yes. It is only the file data which will be replaced with the files in the list of decoys.
4. No you cannot, since NTFS does store the time the file properties were changed. Eraser circumvents this using a low(er) level API call. In any case, the file names are obscured so you shouldn't need to do this.

Hope that helps.
 

DavidHB

Active Member
You can erase any file (on a conventional hard drive), but you cannot really hide the fact that Eraser has been used. That said, why would you wish to? Unless you uninstall it after every use, the installation is there for anyone with access to your machine to see.

David
 

DoctorM

New Member
I'm still unclear on the selection of files.
If you choose a folder for the list (rather than individual files), are all the files in the folder used, or just the properties of the folder?

I guess I'm asking if I need to go into a folder and select all the files there for use, or can I just select the folder that they are contained in.
 

JoeDoe5

New Member
Sometimes erasing something can violate the law as "destroying evidence", so in order to make it look like a blank part of the HDD, instead of an erased file, you need to destroy proof that Eraser (or any similar software) was ever used. Does Eraser have such a "full stealth" mode, that can cause it to erase traces of the erasure and also to wipe itself off the hard drive using a 7-pass DoD approved erasure algorithm (a sort of "self destruct"), instead of the conventional Windows Uninstall procedure?

Yeah I know I sound paranoid, but every day I hear stories about the US govt becoming more and more invasive and ignoring people's rights.
 

Joel

Active Member
OP: Files in the folder selected are used.
JoeDoe: It's nearly impossible to hide the fact that a bunch of executable code was run on a machine. Windows caches everything that goes on and that cache information does seem to keep evolving with every iteration of Windows.
 

DoctorM

New Member
Thanks.

I'm not that paranoid yet that I need to hide the fact that I hid something, I just want all of it destroyed, the name with the data. I love that this feature was added.
 

DavidHB

Active Member
DoctorM said:
I'm not that paranoid yet that I need to hide the fact that I hid something, I just want all of it destroyed, the name with the data. I love that this feature was added.
I think the request is: does the file name have to be with random characters? For example, cannot an MFT entry be cleared with all zeroes (which is presumably its state before it is used)? IMO, erasing with zeroes is the best way to make finding what has been erased difficult.

David
 

Joel

Active Member
Arguably, no, because the MFT in its original state would have been a small contiguous file. With new files it grows and fragments, with gaps in between.

No one's MFT is compacted and cleaned and with zeroes... unless you wipe it. Then again, the whole thing about using a Cryptographically Secure Pseudorandom Number Generator is that the random data is indistinguishable from noise, so you could argue that it's just files deleted over the years. It's obvious that you've deliberately wiped it when you've got straight zeroes.
 

DavidHB

Active Member
Joel said:
the whole thing about using a Cryptographically Secure Pseudorandom Number Generator is that the random data is indistinguishable from noise, so you could argue that it's just files deleted over the years.
The trouble is that, in the real world, nothing is ever quite that random. That is, I believe, why it is so easy to spot pseudorandom data in a file list or memory dump. Zeroes do at least beg the question: has this entry ever been used?

Another approach is to use file names (user selected?) that might have been used. If you have a Canon camera, for instance (as both Joel and I do), using file names of the form IMG_nnnn.cr2 would camouflage them quite nicely.

David
 

Joel

Active Member
Yes, while nothing in the world is quite that random, zeroes are never found in an MFT, either. Given these two options, I think random noise is a bit safer...

There is the possibility of using user-provided file names (extending the concept of plausible deniability using decoys) but previous feedback was that different drives would require different treatment in that respect.
 

DavidHB

Active Member
Joel said:
There is the possibility of using user-provided file names (extending the concept of plausible deniability using decoys) but previous feedback was that different drives would require different treatment in that respect.
I'm not sure I understand the logic here. How were the drives differentiated in this regard, and could issues be resolved by user selection?

My concept was that the user would provide one or more file name templates, and that Eraser would use these to generate file names (perhaps just differentiating with a numeric sequence, as that is often done in normal use). Admittedly, the templates would be visible in user preferences, but if they were reasonably skilfully chosen the deniability would be more plausible than it is with entirely random names.

David
 

Joel

Active Member
Sometimes users decided to add a Program Files folder to the list. If they only erased the C: drive, that would be fine. We could still use those file names.

But what happens if he erases a USB key? He wouldn't be expecting program file names there, right? This isn't the only particular case I'm concerned with, but just as a demonstration of my point.

I think we could actually save the user the trouble and instead just take the file names from the list of decoy files he's already specified, since it's really the same feature. Then it would just be skilfully picking a proper set of files for decoys.
 

DavidHB

Active Member
Yes that's probably a good approach; in fact we are thinking on rather similar lines. Do the dummy names have to be unique in any given folder (bearing in mind that they are in unused file table entries)?

David
 

Joel

Active Member
Pretty much, only when they are being erased. But files are deleted after erasure and files are (currently) only deleted one at a time.
 