NOT "Secure Data Removal"

jopa66

New Member
WinXP Pro SP2
Eraser 5.82
Ontrack EasyRecovery 6.04

Just d/l version 5.82 and decided to give it a test. My backup drive is an old 10 GB Quantum Fireball AS 10.2 where I store my nightly backups consisting of the zipped contents of "MY Documents". This drive is also the home of the "Temporary Internet Files" for Internet Explorer and 1.5 GB static pagefile. At any given time, this drive is probably 60% - 70% full.

I've recently been testing/experimenting with various defrag utilities and have defragged this drive at least a dozen times over the last 2 weeks. I thought that there would be many file pieces scattered around the drive and decided to use eraser to clean free space as well as cluster tips.

After using the one pass Pseudorandom method, I then tried to recover files using Ontrack "Easy Recovery Pro" in Raw data mode. I was quite surprised to find over 12,000 files in perfect recoverable condition. I then set Eraser to clean Free Space and cluster tips using the 35 pass Gutmann method. Upon returning to the computer again after work, I again used the Raw Data mode of "Easy Recovery Pro" only to find an almost equal number of recoverable files.

Many of the files were now corrupted; especially the zips and MOV files but, I could still extract many of the docs within the zips. Most of the jpegs, bitmaps and gifs could still be opened easily. These were mostly the remnants of files deleted from the Internet Explorer cache. Other recovered files included AVI, WAV, BMP, PDF, CAB, EXE and many others that I didn't even try...

Be advised that the recovered files do not have the original filename but, rather are given generic, sequential names like FIL0.jpg, FIL1.jpg, FIL2.jpg... etc. The contents of the files however are fully recovered.

So, to sum this up...I must conclude that Eraser is not a program that securely wipes data from magnetic hard drives. And there are much more powerful tools than Ontrack's "Easy Recovery". Please be aware that Eraser cannot be relied upon to permanently delete sensitive information from your disks and in my opinion, it is wrong to advertise that it does.

I am not trying to criticise Eraser or the programmers. I know this is a FREE app and I personally do not know of any other app, free or paid, that will securely delete data from a powerful recovery utility. I'm sure Eraser has its place but, I'm just surprised and disappointed that so many users may have a false sense of security about using this program.
 

garrett01

Administrator
Staff member
mmm There is something wrong there!

First did you empty the recycle bin before doing a free space wipe?
Have you run chkdsk /f on the drive? Perhaps there was corruption in the MFT?
Are you certain the eraser you are using is from this site?

Are you running any undelete software in the background, that might be storing deleted files elsewhere?

If you have deleted the files and run a free space erase, Eraser will fill all free space with random data. If it has failed to do this, there is some reason as to why these files are still marked as active.

A simple test would be to create a large file and keep copying this to the drive until it is full. Then delete the files you copied. Now can you still recover original data? If you can there is something storing deleted files on the drive that allows them to be recovered.

Garrett
 

Peter Tees

New Member
Hi. I'm not trying to hijack this post, but are there tools out there which will allow me to identify which files were Erased and when? And by which user in the case of multiple profiles on one PC?

For forensic reasons, I need to know what has been erased, and when. It would be great if I could recover files as well but I'm not holding my breath. Eraser's log doesn't seem to have the ability to store this kind of information.

Also, is there any data retained about an installation/uninstallation history? The Uninstall DAT file's date seems a reasonable starting place, but that only shows the last time Eraser was installed, not all instances.

Finally (for now anyway), can anyone explain the schedlog.txt file? I'm investigating a number of computers; the first 62 entries for schedlog.txt on all PCs are all dated July and August 2003, then there's a big jump to 2007. I installed Eraser on my PC today and the log starts at today's date.

Can anyone help? Please?

Thanks
 

Robbie

Member
jopa66 said:
WinXP Pro SP2
Eraser 5.82
Ontrack EasyRecovery 6.04

Just d/l version 5.82 and decided to give it a test. My backup drive is an old 10 GB Quantum Fireball AS 10.2 where I store my nightly backups consisting of the zipped contents of "MY Documents". This drive is also the home of the "Temporary Internet Files" for Internet Explorer and 1.5 GB static pagefile. At any given time, this drive is probably 60% - 70% full.

I've recently been testing/experimenting with various defrag utilities and have defragged this drive at least a dozen times over the last 2 weeks. I thought that there would be many file pieces scattered around the drive and decided to use eraser to clean free space as well as cluster tips.

After using the one pass Pseudorandom method, I then tried to recover files using Ontrack "Easy Recovery Pro" in Raw data mode. I was quite surprised to find over 12,000 files in perfect recoverable condition. I then set Eraser to clean Free Space and cluster tips using the 35 pass Gutmann method. Upon returning to the computer again after work, I again used the Raw Data mode of "Easy Recovery Pro" only to find an almost equal number of recoverable files.

Many of the files were now corrupted; especially the zips and MOV files but, I could still extract many of the docs within the zips. Most of the jpegs, bitmaps and gifs could still be opened easily. These were mostly the remnants of files deleted from the Internet Explorer cache. Other recovered files included AVI, WAV, BMP, PDF, CAB, EXE and many others that I didn't even try...

Be advised that the recovered files do not have the original filename but, rather are given generic, sequential names like FIL0.jpg, FIL1.jpg, FIL2.jpg... etc. The contents of the files however are fully recovered.

So, to sum this up...I must conclude that Eraser is not a program that securely wipes data from magnetic hard drives. And there are much more powerful tools than Ontrack's "Easy Recovery". Please be aware that Eraser cannot be relied upon to permanently delete sensitive information from your disks and in my opinion, it is wrong to advertise that it does.

I am not trying to criticise Eraser or the programmers. I know this is a FREE app and I personally do not know of any other app, free or paid, that will securely delete data from a powerful recovery utility. I'm sure Eraser has its place but, I'm just surprised and disappointed that so many users may have a false sense of security about using this program.

I just tried the same as yourself - and the files had been removed and weren't recoverable.

Are you sure you had the search only for deleted files and not all files?

I can only see 0 byte files for eraser, there's no files with any data in them. I used the same search as you, the raw data file search.

If anyone wishes to try, there's a free (trial) version of Easy Recovery Pro, it won't actually allow you to recover files but it will do everything else - and I found nothing.

Are you sure you haven't found active files? Or files in another partition - it allows you to do that, with that program.
 

jopa66

New Member
My apologies

Been away from these forums for a while, sorry. I will try to answer some of the questions posted re: my original test.

First did you empty the recycle bin before doing a free space wipe? YES
Have you run chkdsk /f on the drive? Perhaps there was corruption in the MFT? YES
Are you certain the eraser you are using is from this site? YES

Are you running any undelete software in the background, that might be storing deleted files elsewhere? NO

If you have deleted the files and run a free space erase, Eraser will fill all free space with random data. If it has failed to do this, there is some reason as to why these files are still marked as active. Ummm...Ok?

A simple test would be to create a large file and keep copying this to the drive until it is full. Then delete the files you copied. Now can you still recover original data? If you can there is something storing deleted files on the drive that allows them to be recovered.

Tried your experiment and I now realize what is happening. In RAW Data recovery mode, "Easy Recovery Pro" is actually doing a sector by sector analysis of the entire HDD, listing everything it finds. It is showing me what is still there, NOT the files which were deleted.

AARGH!! I feel like such a newbie. I sincerely apologize for my deductive error in the previous post. And I thank those of you who attempted to set me straight.
 

JoeSchmoe

New Member
Re: My apologies

So what the hell does this mean "sector by sector analysis"? How does that deter the person trying to extract data from your hard-drive which is apparently "formatted to department of defense standard"?
jopa66 said:
Tried your experiment and I now realize what is happening. In RAW Data recovery mode, "Easy Recovery Pro" is actually doing a sector by sector analysis of the entire HDD, listing everything it finds. It is showing me what is still there, NOT the files which were deleted.

AARGH!! I feel like such a newbie. I sincerely apologize for my deductive error in the previous post. And I thank those of you who attempted to set me straight.
 

jopa66

New Member
"sector by sector analysis" The RawRecovery tool should be used as a last resort in recovering data from severely corrupted partitions. This tool will read all sectors on the disk sequentially (sector-by-sector) looking for specific file header signatures. This tool will help you recover files from a partition with damaged directory structures.

(c) 2002 - 2003 Ontrack Data Recovery, Inc.

Previously, I used this tool to retrieve a lot of important data from another drive whose partition table crapped out. As I stated above, this time I misinterpreted the results I got when analysing this drive after using Eraser. What I was seeing here was not the files which were erased but, the files which were still there on the drive.
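
An added illustration of the misreading jopa66 describes, not code from the thread, Eraser or Ontrack: a raw signature scan reports every matching header on the disk, so its hits have to be split by allocation status before they say anything about a free space wipe. The volume layout, cluster size, signature table and function names are all constructed for the example.

```python
import random

CLUSTER = 512  # bytes per cluster in this constructed image
# Header signatures of the kind a raw-recovery scan looks for.
SIGNATURES = {b"\xff\xd8\xff": "jpg", b"PK\x03\x04": "zip", b"%PDF-": "pdf"}

def make_volume():
    """Constructed 32-cluster volume: returns (image, set of allocated clusters)."""
    image = bytearray(32 * CLUSTER)
    live = {2: b"\xff\xd8\xff" + b"live photo", 5: b"PK\x03\x04" + b"nightly backup"}
    deleted = {9: b"%PDF-" + b"deleted doc", 14: b"\xff\xd8\xff" + b"deleted cache"}
    for idx, data in {**live, **deleted}.items():
        image[idx * CLUSTER: idx * CLUSTER + len(data)] = data
    return image, set(live)  # deleted clusters are no longer marked allocated

def wipe_free_space(image, allocated, seed=1):
    """One pseudorandom pass over every cluster not marked allocated."""
    rng = random.Random(seed)  # seeded so the example is repeatable
    for idx in range(len(image) // CLUSTER):
        if idx not in allocated:
            image[idx * CLUSTER:(idx + 1) * CLUSTER] = bytes(
                rng.getrandbits(8) for _ in range(CLUSTER))

def raw_scan(image):
    """Sector-by-sector signature scan that ignores the file system entirely."""
    hits = []
    for idx in range(len(image) // CLUSTER):
        head = bytes(image[idx * CLUSTER: idx * CLUSTER + 8])
        for magic, kind in SIGNATURES.items():
            if head.startswith(magic):
                hits.append((idx, kind))
    return hits

def split_hits(hits, allocated):
    """Separate hits inside live files from hits in unallocated space."""
    live = [h for h in hits if h[0] in allocated]
    free = [h for h in hits if h[0] not in allocated]
    return live, free

if __name__ == "__main__":
    image, allocated = make_volume()
    print("before wipe (live, free):", split_hits(raw_scan(image), allocated))
    wipe_free_space(image, allocated)
    print("after wipe  (live, free):", split_hits(raw_scan(image), allocated))
```

The raw scan still returns hits after the wipe, all of them in allocated clusters; only the count of hits in unallocated space measures whether the free space erase worked.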
 

JoeSchmoe

New Member
Ok, because I did a pseudorandom and DoD (3 pass) format on an empty drive (hooked up via USB enclosure) and I'm able to recover certain dll files using Photorec.
Am I doing something wrong? Albeit they are system files and not personal files, but shouldn't these files also be obliterated? "Unused diskspace" should be the entire drive right? I mean I don't have anything on this drive right now.

jopa66 said:
"sector by sector analysis" The RawRecovery tool should be used as a last resort in recovering data from severely corrupted partitions. This tool will read all sectors on the disk sequentially (sector-by-sector) looking for specific file header signatures. This tool will help you recover files from a partition with damaged directory structures.

(c) 2002 - 2003 Ontrack Data Recovery, Inc.

Previously, I used this tool to retrieve a lot of important data from another drive whose partition table crapped out. As I stated above, this time I misinterpreted the results I got when analysing this drive after using Eraser. What I was seeing here was not the files which were erased but, the files which were still there on the drive.
 

garrett01

Administrator
Staff member
Are these DLLs actually valid? Or has Photorec not just recovered garbage from a filename in the MFT?
 

JoeSchmoe

New Member
admin said:
Are these DLLs actually valid? Or has Photorec not just recovered garbage from a filename in the MFT?
They are valid as I can check the version and they are various Printspooler files and such. How would I remove garbage from MFT?
 