MFT Records and Free Space Wipe

Alfie

New Member
Hi,

Just wanted some clarification - reading some of the other posts on this topic has been confusing (mainly due to discussions about different versions).

When doing a free space wipe, do the unused MFT records (containing filenames, small files, etc of previously insecurely deleted data) get overwritten (wiped) as well, when using v5 of eraser?

Or is this only properly implemented in v6?

Also just a question, if I format a drive (say using windows) i.e. to erase the MFT and create a new one, does the new one actually overwrite the data on disk (in the MFT area), or can data still be recovered from MFT area (say if drive is not used after reformatting)?


Thanks.
 
Alfie said:
When doing a free space wipe, do the unused MFT records (containing filenames, small files, etc of previously insecurely deleted data) get overwritten (wiped) as well, when using v5 of eraser?
Yes, but I'm not certain as to how clean it is. It's as clean as I think possible, but some forensic tools may throw things up -- it's not 100% foolproof.
Alfie said:
Or is this only properly implemented in v6?
No.
Alfie said:
Also just a question, if I format a drive (say using windows) i.e. to erase the MFT and create a new one, does the new one actually overwrite the data on disk (in the MFT area), or can data still be recovered from MFT area (say if drive is not used after reformatting)?
Formatting may not overwrite the old MFT with data so your old data may still be stuck in the disk platters though it is not visible to the OS.
 
Thanks Joel,

Formatting may not overwrite the old MFT with data so your old data may still be stuck in the disk platters though it is not visible to the OS.

Given this is the case, if I subsequently run eraser, will the free space in the MFT Zone/Area be wiped then? I read somewhere that as you fill up a drive with data (say by using a free space wipe) the MFT Zone is automatically shrunk by windows to accommodate the extra data as free space runs out? Or is the MFT zone maintained at a minimum of 12.5%, and any hidden data, in the "free" space of the MFT Zone, permanently stuck - unless I do a low level wipe before formatting?
 
Alfie said:
Given this is the case, if I subsequently run eraser, will the free space in the MFT Zone/Area be wiped then?
MFT Zone and MFT area are two different things. The MFT area is a file hidden from view that contains the file records on disk. THe MFT Zone is reserved space for the MFT to grow. The latter is easily erased; Eraser attempts to erase the former but it doesn't seem to be as clean as most people hoped (e.g. clean with zeroes).

Alfie said:
I read somewhere that as you fill up a drive with data (say by using a free space wipe) the MFT Zone is automatically shrunk by windows to accommodate the extra data as free space runs out? Or is the MFT zone maintained at a minimum of 12.5%, and any hidden data, in the "free" space of the MFT Zone, permanently stuck - unless I do a low level wipe before formatting?
Yes, to some extent. THe MFT Zone is just disk space used only when there is no other choice. THe MFT however will remain constant and grow as needed, never shrinking.
 
Thanks Joel, things are much clearer now.

Another thing that I'm wondering about is what happens with the $logfile and the USN Journal?

If I delete the USN Journal (I presume this is ok?), stop the indexing service and other stuff that might recreate it, and do a free space wipe will it be cleaned out?

The $logfile I hear you can't delete? What sort of info is stored here, filenames etc? Is reformating the only way to wipe this?

Thanks again, sorry to be a bother.
 
Alfie said:
If I delete the USN Journal (I presume this is ok?), stop the indexing service and other stuff that might recreate it, and do a free space wipe will it be cleaned out?
Yes, but the USN journal does add a layer of reliability over NTFS. THe uSN journal isnt made by the indexing service, it's done by NTFS itself.

Alfie said:
The $logfile I hear you can't delete? What sort of info is stored here, filenames etc? Is reformating the only way to wipe this?
I'm still looking into it. I don't know a lot about it at the moment.
 
Back
Top