Recovered files after free space wipe

blazin88

New Member
Hi All, I've read through similar posts with the suggestions provided and I can't seem to figure out how to fix my problem, which is being able to recover files after a unused space wipe. I don't believe Eraser is able to access large portions of the unused space on my OS drive to erase.

Can you help?

Here is my setup:
- C: is my OS drive with Vista. It's a RAID0 setup called Array0. about 600GB
- Eraser 5.86.1, when run, I always "run as administrator"
- Eraser task is setup for "unused space on drive OS(C:)", Pseudorandom Data, 1 pass. Cluster tip Area and Alternate Data Streams both are checked.
- I use Active@ UNDELETE 7.0.047 to recover files. I set it to scan for JPG files using a low level scan.
- i've permanantly disabled the OS thumbnail cache using some tips from the web, and used eraser to delete the thumbcache files during that time.

Steps:
- run Eraser unused space task on C:
- run Active UNDELETE to scan for JPGs, normally around 50K files are found. Median file size is about 11Kb, and range from very small to 100MB (corrupted when they are that large). I'd estimate over 65% are corrupted and can't be viewed or atleast only partially. Many of the files found already exist and are intact in the users Pictures directory (duplicates that were regularly deleted at some point?). However, there are still about 100 files or so that do not exist on the file system in the used space (determined by scaning my whole C: drive with picassa looking for JPGs).
- run Eraser again, and Active UNDELETE, but this time not recovering the files, just looking at the file count, which is the same.
- create another partition using called H: of size 170GB on the same Array that C: resides. This leaves 132GB of free space on C:
- run Active UNDELETE on H: - about 25K JPGs are recovered. Many of them the same ones seen earlier.
- run Eraser unused space wipe on H: . Run Active UNDELETE on H: again. CLEAN! Nothing found.
- run Eraser unused space wipe on C: . About 30K files found.
- Test Eraser on an external drive. Works
- Backup Pictures directory to external drive. Use Eraser to erase contents of pictures directory.
- run Active UNDELETE on C: - about 30K JPGs are found.

I've actually done many more combinations of things than this to get it work. But those steps are the main ones.

Below is the log file from the most recent run of Eraser. Sorry for long cut and paste, the uploader to the forum wouldn't let me upload any files ("The extension txt is not allowed."

10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-cperfcnt_31bf3856ad364e35_6.0.6001.18096_none_1f41d00b00caf426\PerfCounters.h.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-cperfcnt_31bf3856ad364e35_6.0.6001.22208_none_202ebe9c199dc84c\PerfCounters.h.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-cperfcnt_31bf3856ad364e35_6.0.6002.18005_none_218896a6fda92bef\PerfCounters.h.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-cwetargets_i_31bf3856ad364e35_6.0.6000.16708_none_9e7d8c92dbaad42f\Workflow.Targets.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-cwetargets_i_31bf3856ad364e35_6.0.6000.20864_none_9ec248adf4fcb643\Workflow.Targets.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-cwetargets_i_31bf3856ad364e35_6.0.6001.18000_none_a05bc702d8d89d41\Workflow.Targets.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-cwetargets_i_31bf3856ad364e35_6.0.6001.18096_none_a0007972d91c30c4\Workflow.Targets.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-cwetargets_i_31bf3856ad364e35_6.0.6001.22208_none_a0ed6803f1ef04ea\Workflow.Targets.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-cwetargets_i_31bf3856ad364e35_6.0.6002.18005_none_a247400ed5fa688d\Workflow.Targets.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-cwevbtargets_i_31bf3856ad364e35_6.0.6000.16386_none_c37d79947764f189\Workflow.VisualBasic.Targets.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-cwevbtargets_i_31bf3856ad364e35_6.0.6000.16708_none_c3d601207722394b\Workflow.VisualBasic.Targets.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-cwevbtargets_i_31bf3856ad364e35_6.0.6000.20864_none_c41abd3b90741b5f\Workflow.VisualBasic.Targets.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-cwevbtargets_i_31bf3856ad364e35_6.0.6001.18096_none_c558ee00749395e0\Workflow.VisualBasic.Targets.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-cwevbtargets_i_31bf3856ad364e35_6.0.6001.22208_none_c645dc918d666a06\Workflow.VisualBasic.Targets.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-cwevbtargets_i_31bf3856ad364e35_6.0.6002.18005_none_c79fb49c7171cda9\Workflow.VisualBasic.Targets.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-perfcnt_ini_31bf3856ad364e35_6.0.6000.16386_none_718da32dfe6647eb\PerfCounters.ini.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-perfcnt_ini_31bf3856ad364e35_6.0.6000.16386_none_718da32dfe6647eb\PerfCounters_D.ini.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-perfcnt_ini_31bf3856ad364e35_6.0.6000.16708_none_71e62ab9fe238fad\PerfCounters.ini.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-perfcnt_ini_31bf3856ad364e35_6.0.6000.16708_none_71e62ab9fe238fad\PerfCounters_D.ini.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-perfcnt_ini_31bf3856ad364e35_6.0.6000.20864_none_722ae6d5177571c1\PerfCounters.ini.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-perfcnt_ini_31bf3856ad364e35_6.0.6000.20864_none_722ae6d5177571c1\PerfCounters_D.ini.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-perfcnt_ini_31bf3856ad364e35_6.0.6001.18096_none_73691799fb94ec42\PerfCounters.ini.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-perfcnt_ini_31bf3856ad364e35_6.0.6001.18096_none_73691799fb94ec42\PerfCounters_D.ini.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-perfcnt_ini_31bf3856ad364e35_6.0.6001.22208_none_7456062b1467c068\PerfCounters.ini.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-perfcnt_ini_31bf3856ad364e35_6.0.6001.22208_none_7456062b1467c068\PerfCounters_D.ini.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-perfcnt_ini_31bf3856ad364e35_6.0.6002.18005_none_75afde35f873240b\PerfCounters.ini.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-perfcnt_ini_31bf3856ad364e35_6.0.6002.18005_none_75afde35f873240b\PerfCounters_D.ini.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-system.workflow.activities_31bf3856ad364e35_6.0.6000.16708_none_3087b8727ad0e447\System.Workflow.Activities.dll.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-system.workflow.activities_31bf3856ad364e35_6.0.6000.20864_none_30cc748d9422c65b\System.Workflow.Activities.dll.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-system.workflow.activities_31bf3856ad364e35_6.0.6001.18000_none_3265f2e277fead59\System.Workflow.Activities.dll.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-system.workflow.activities_31bf3856ad364e35_6.0.6001.18096_none_320aa552784240dc\System.Workflow.Activities.dll.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-system.workflow.activities_31bf3856ad364e35_6.0.6001.22208_none_32f793e391151502\System.Workflow.Activities.dll.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-system.workflow.activities_31bf3856ad364e35_6.0.6002.18005_none_34516bee752078a5\System.Workflow.Activities.dll.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-system.workflow.componentmodel_31bf3856ad364e35_6.0.6000.16708_none_8a05df0910e7dfb8\System.Workflow.ComponentModel.dll.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-system.workflow.componentmodel_31bf3856ad364e35_6.0.6000.20864_none_8a4a9b242a39c1cc\System.Workflow.ComponentModel.dll.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-system.workflow.componentmodel_31bf3856ad364e35_6.0.6001.18000_none_8be419790e15a8ca\System.Workflow.ComponentModel.dll.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-system.workflow.componentmodel_31bf3856ad364e35_6.0.6001.18096_none_8b88cbe90e593c4d\System.Workflow.ComponentModel.dll.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-system.workflow.componentmodel_31bf3856ad364e35_6.0.6001.22208_none_8c75ba7a272c1073\System.Workflow.ComponentModel.dll.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-system.workflow.componentmodel_31bf3856ad364e35_6.0.6002.18005_none_8dcf92850b377416\System.Workflow.ComponentModel.dll.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-system.workflow.runtime_31bf3856ad364e35_6.0.6000.16708_none_633ca329a2d930cc\System.Workflow.Runtime.dll.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-system.workflow.runtime_31bf3856ad364e35_6.0.6000.20864_none_63815f44bc2b12e0\System.Workflow.Runtime.dll.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-system.workflow.runtime_31bf3856ad364e35_6.0.6001.18000_none_651add99a006f9de\System.Workflow.Runtime.dll.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-system.workflow.runtime_31bf3856ad364e35_6.0.6001.18096_none_64bf9009a04a8d61\System.Workflow.Runtime.dll.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-system.workflow.runtime_31bf3856ad364e35_6.0.6001.22208_none_65ac7e9ab91d6187\System.Workflow.Runtime.dll.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_wwf-system.workflow.runtime_31bf3856ad364e35_6.0.6002.18005_none_670656a59d28c52a\System.Workflow.Runtime.dll.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_xcbda.inf.resources_31bf3856ad364e35_6.0.6000.16386_en-us_f2d24a7aaa8d9f5d\xcbda.inf_loc.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_xnacc.inf.resources_31bf3856ad364e35_6.0.6000.16386_en-us_8ce9e18831d1944e\xnacc.inf_loc.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_xnacc.inf_31bf3856ad364e35_6.0.6001.18000_none_b3ab89be7386e838\xnacc.inf.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_xnacc.inf_31bf3856ad364e35_6.0.6001.18000_none_b3ab89be7386e838\xnacc.sys.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_xrxscan.inf.resources_31bf3856ad364e35_6.0.6000.16386_en-us_ed393488b2a7196c\xrwcscci.dll.mui.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_xrxscan.inf.resources_31bf3856ad364e35_6.0.6000.16386_en-us_ed393488b2a7196c\xrwcscd.dll.mui.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_xrxscan.inf.resources_31bf3856ad364e35_6.0.6000.16386_en-us_ed393488b2a7196c\xrwcscu.dll.mui.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_xrxscan.inf.resources_31bf3856ad364e35_6.0.6000.16386_en-us_ed393488b2a7196c\xrwcstr.dll.mui.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_xrxscan.inf.resources_31bf3856ad364e35_6.0.6000.16386_en-us_ed393488b2a7196c\xrwctmgt.dll.mui.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\winsxs\x86_xrxscan.inf.resources_31bf3856ad364e35_6.0.6000.16386_en-us_ed393488b2a7196c\xrxscan.inf_loc.
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\WMSysPr9.prx (Protected File).
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\Windows\_default.pif (Protected File).
10/21/2009 8:22:36 PM: Failed to erase unused space on C:\~ERAFSWD.TMP\SWZW0154.FYX.
10/21/2009 9:10:45 PM: Scheduler quitting.
10/22/2009 12:20:22 PM: Scheduler (5.86.1) starting.
 

Joel

Active Member
I'm guessing it's the data being stored somewhere in the MFT/Directory entries. I don't know whether directory entries can store files, or whether the USN journal is tracking file changes or how the recovery process is, but NTFS is a very complex filesystem (and to top it all off, it is mostly undocumented) so it's very hard to eliminate all data. We try, but unlike FAT where the filesystem is documented for NTFS we cannot open the disk for raw access and erase structures ourselves.

There's a thread http://bbs.heidi.ie/viewtopic.php?f=2&t=5481 whih I'll be investigating with even greater detail in a period of time so I think i'll merge these two thread together as I believe they are related.

Thanks for your report!
Joel
 

blazin88

New Member
Thanks Joel. Any workarounds to wipe out that unused space?

I tried filling up the unused space by copying and pasting a large video capture file many times. But I found that did not help, or atleast might have made a very small dent in the problem. Could it be that explorer is reporting less unused space than there really is and the undelete program is finding it all?
 

Joel

Active Member
I'm thinking more along the lines that the space where the files are found are indeed allocated which makes it nearly impossible to erase. Jeroen thinks it is in the $Logfile but I've got no evidence to support or disprove that.
 

blazin88

New Member
Would there be a way to triangulate this. Meaning, can the undelete program find a file, report to me the location on the disk of that file, and then we use the location to narrow down what structure/directory/journal/whatever this thing is a part of?

Not sure how to actually do the last part. Is there some table that would say address 0000000 to 00001234 is allocated to the BlahBlah structure, and the file address would reside in that range. That way we know what structure is reponsible. I know that is way oversimplifying it. But something along those lines?
 

Joel

Active Member
Yes, you'll need to note the logical cluster number of the file and see which file occupies those clusters. I believe most recovery programs can do that, otherwise a disk offset will also be useful. Divide the disk offset by the cluster size in bytes to get the logical cluster numbers.
 

blazin88

New Member
Darn it, Active@ UNDELETE identifies the files, but doesn't let me open them in the hex editor to determine the offset. It doesn't say the cluster number or offset of each file anywhere else.

Winhex requires a license to do this. Recuva doesn't even find these files.

Any other options you know of?
 

Joel

Active Member
FTK. It's a pretty hefty install and it's pretty hard to use, but yeah it should work. If only I had the resources to purchase these applications and test it out myself.
 

blazin88

New Member
Just an update for the record.

I wanted to see if system restore was responsible for holding all those JPG files that were being recovered from "unused" space. Yes, I know there was a recommendation to turn off system restore earlier, but I couldn't afford to change that at that time. So I downloaded windirstat to see how much "unknown" space there was on the OS drive. Turns out there was about 75GB! I read that the unknown space is generally related to the system restore data.

Next, I decided to reduce the max size available for system restore data. Example on how to do this here. I set mine to 30 GB
http://www.howtogeek.com/howto/windows- ... -in-vista/

After setting it to max 30GB, the "unknown" space in windirstat went to 5.8GB, surprizingly. I seemed to have lost all of my restore points. I ran Active@ UNDELETE and found that the number of JPGs went down from 50K or so to 20K. So big improvement, but not totally solved. Interestingly, I then turned off system restore which is supposed to delete all restore points. I noticed that the windirstat "unknown" size stayed the same. In fact over the course of 24 hrs and using the computer I found that it increased slightly to 6.2GB. System restore remains off, so I don't know what is causing this. I read something about a rootkit reader that could figure out what this unknown space is, I tried Rootkit Reveal (by sysinternals) and it had some serious GUI problems. Maybe I'll try another one later. I do have AVG anti-virus free installed, which I do believe weeds out rootkit threats, though what I might have is not a threat. Nonetheless, a working rootkit reader might tell me what is in that Unknown space if I can match up the file sizes right.

Next, I used paragon partition manager to reduce the c: partition to about 5 GB of free space, keeping it near the beginning of the arrayed drive (RAID0 drives). Then I allocated the remaining space (end of the array), used Eraser on that and found it was truely wiped. C: still had 20K jpg files recoverable. I took a look at a portion of them to see what was there. Then I moved the C: to the end of the drive after deleting the new partition. Since the end of the drive was wiped, I wanted to see what would happen to move C: right on top of that. There was some overlap (I wiped 170GB, and move c: which was 212GB). I then ran Active Undelete on C: (after moving it to the end) and found I had 17K jpg files.

In these 17K files, I noticed i was looking at the same JPGs from before the move. Also, I did notice that some of my "inprivate" browsing in IE (before the move) had added some files in there I didn't notice before. Then again, I didn't run Ccleaner, but goes to show that "inprivate" does write to the hard disk even if it's temporary files. I'll see if recuva picks those files up and if ccleaner eliminates them.

I'll do one more experiment to eliminate that overlap (move C: from one location on the disk to a wiped location). But I think the conclusion is going to be that that system restore is only part of the problem here. I also think I'm notice
 

blazin88

New Member
Joey, per the idea to find the cluster number or offet of one of these "recoverable files" that shouldn't be recoverable after wiping unused space, I did it.

I found many HTML files that were recoverable after a wipe ( in addition to the many jpgs). I recovered one of them and selected a unique line of text to search for, which I could use in Winhex. I searched for that unique piece of text and found it show up twice. Once in the program files directory (for a program called AviSynth 2.5) - this is an intact file, not deleted. The other place it showed up was in "System Volume Information", in a 5.2GB file with a long filename (only visible from within Winhex). See attachment.

Casual googling says that this is a system restore point, but I ran a "vssadmin list shadows" and found that the Shadow Copy IDs didn't match those filenames in system volume information. This is what I got:
Contents of shadow copy set ID: {9e453131-527c-4211-b093-1de82d3b9fa5}
Contained 1 shadow copies at creation time: 10/22/2009 11:51:08 AM
Shadow Copy ID: {f2a4d590-cf84-4d00-97c2-d717e6200f52}
Original Volume: (C:)\\?\Volume{7a1a2fb5-c02c-11de-acac-806e6f6e6963}\
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
Originating Machine: XPS-PC
Service Machine: XPS-PC
Provider: 'Microsoft Software Shadow Copy provider 1.0'
Type: ClientAccessibleWriters
Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {05270139-b3d8-44c1-bf01-91d7fdf07c2f}
Contained 1 shadow copies at creation time: 10/22/2009 8:23:52 PM
Shadow Copy ID: {e67084ce-49af-40c4-9df4-09db49a58951}
Original Volume: (C:)\\?\Volume{7a1a2fb5-c02c-11de-acac-806e6f6e6963}\
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
Originating Machine: XPS-PC
Service Machine: XPS-PC
Provider: 'Microsoft Software Shadow Copy provider 1.0'
Type: ClientAccessibleWriters
Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

I'm suprised I even have shadow copies, since system restore is off. I rebooted and repartitioned things a few times, etc.

So the question is, how do I figure out what kinda file Winhex identified as having that html file within it? Are these the directory entries you mentioned that may contain files?

This may not be Eraser's problem I understand, but would probably help others in further support by identifying the source of the problem.

Thanks for the help.
 

Attachments

blazin88

New Member
Answered my own question as to what those files were in the "system volume information" folder. They were remnants of system restore points. I followed these directions to make them go away:
http://indrajitc.wordpress.com/2008/03/ ... formation/

I'm down to 8500 jpgs. Using Winhex I found one instance of a jpg that was recoverable, but according to winhex it spaned over multiple files in the "temporary internet files" dir. One of those files winhex reported as supposedly deleted. Very strange stuff.

I'm also suspecting that Active Undelete is finding files that are also intact and exist normally in the file system.
 

Joel

Active Member
Thanks for all the analysis, it's certainly good to hear that removing system restore eliminates the majority of data remnants.
 
Top