removing last access, last change data

palancar

New Member
I am very fond of your program. I have been reading and using several of your releases. This question is likely to be slightly outside of the "eraser arena" but it's so closely related it might be nice to incorporate it. I use forensic software to examine how thoroughly Eraser does its job. Even something generic like Recuva reports great things after I finish using the latest eraser release!!

Being a security/privacy fanatic I have been trying to determine if it's possible for eraser, or any other product you are aware of, to change or wipe out the last access times (meta data in general) for the fat32 filesystem on removable media.

Let me give an example for where this would be practical in my world. I insert a USB with a Truecrypt virtual volume and open that volume. I only work inside the encrypted volume via the TC control panel. However, the flash itself is a fat32 filesystem based drive, which holds the volume I am using. My dilemma is that I don't know how to verify/observe what traces of usage are being left outside of the volume on the flash drive. For this example nothing is touched or accessed on the fat32 filesystem except for any "silent marks" being placed there by my OS as the drive is inserted and removed when I am finished using it.

Although unrelated, I don't want to device encrypt my flash as I do use the space outside of the volume on occasion.

I love the wipe free space features of eraser but I know they don't really address the question this post asks. I have been reading my a@@ off here and elsewhere. I know fat32 doesn't technically journal, but it does store times and such, so hence the question this thread asks.

Any light on this? Would eraser be able to handle this if it were tweaked a bit? Just curious how eraser and/or I can get my concerns addressed.

Thanks
 

Joel

Active Member
palancar said:
I am very fond of your program. I have been reading and using several of your releases. This question is likely to be slightly outside of the "eraser arena" but it's so closely related it might be nice to incorporate it. I use forensic software to examine how thoroughly Eraser does its job. Even something generic like Recuva reports great things after I finish using the latest eraser release!!
Thank you for verifying the effectiveness of Eraser.

palancar said:
Being a security/privacy fanatic I have been trying to determine if it's possible for eraser, or any other product you are aware of, to change or wipe out the last access times (meta data in general) for the fat32 filesystem on removable media.
As a general rule, all file times are erased together with the file. In the specific case of FAT32, the directory entries containing old entries are also erased and compacted as part of the free space erase process.

palancar said:
Let me give an example for where this would be practical in my world. I insert a USB with a Truecrypt virtual volume and open that volume. I only work inside the encrypted volume via the TC control panel. However, the flash itself is a fat32 filesystem based drive, which holds the volume I am using. My dilemma is that I don't know how to verify/observe what traces of usage are being left outside of the volume on the flash drive. For this example nothing is touched or accessed on the fat32 filesystem except for any "silent marks" being placed there by my OS as the drive is inserted and removed when I am finished using it.
Just do an unused space erase, it should work for you.

palancar said:
Any light on this? Would eraser be able to handle this if it were tweaked a bit? Just curious how eraser and/or I can get my concerns addressed.
I think Eraser already addresses this, in my opinion.
 

Joel

Active Member
I'm assuming you delete/erase the temp files outside the encrypted container when you're done, otherwise the Free Space erase will leave the metadata alone.
 

palancar

New Member
Joel I can't see any temp files on the USB drive outside of the encrypted and dismounted volume. The flash I am experimenting with for this thread is a 4G with only 40 meg of free space. The majority of the drive space is being used by the TC encrypted volume. The flash contains three directories/folders. Those are the volume itself, the TC traveler mode folder, and the third is the backup volume header (128k) in case the one on the volume gets damaged. I have made sure that the folder view options show all hidden files while in explorer, but I see no "hidden files" and certainly no temp files when the volume is dismounted.

What I am attempting to verify is how I could use a program to leave forensic analysis useless regarding the last time this usb flash was used. I am ONLY concerned about outside of the encrypted volume and not at all about tracks on the machine being used. My USBs are mobile and it is very unlikely that the machine being used and USB would be together in my area of concern.

When I erase/wipe free space with eraser and then use Recuva I notice that the erased dates for last modified show as unknown and that is nice!! Is there any way to do that with the metadata on fat32?

I would even consider using a pre-boot RAM approach like TRK or similar if there is a file/script to destroy fat32 metadata on a USB, and of course still leave the flash being useable.

What simple forensic tools are available for the purpose of examining the fat32 metadata on a USB filesystem? I have access to an older Encase (version 4ish) so I may give that a go.

Thanks for giving me some advice. I love the eraser product and I trust what it does.
 

Joel

Active Member
In the case of FAT, Eraser takes things one step further: while in NTFS the file names are garbled and times are reset to zero, in FAT the directory entries themselves are wiped. In other words, analysing with Recuva will show results as if no file has been there before.
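The directory-entry fields Joel's reply is talking about, decoded in an added example that is not part of this thread or of Eraser's own code: every 32-byte FAT short-name entry carries create, last-access and modify stamps, a 0xE5 first byte marks a deleted entry whose stamps survive, and an all-zero slot carries no metadata at all (which is what a tool like Recuva shows as "unknown"). The sample directory bytes are constructed here, not taken from a real drive.

```python
import struct
from datetime import date

ENTRY_SIZE = 32
ATTR_LONG_NAME = 0x0F  # VFAT long-file-name piece, carries no timestamps

def dos_date(raw):
    """FAT packed date: 7 bits year-since-1980, 4 bits month, 5 bits day."""
    if raw == 0:
        return None  # zero means "no date recorded" (shows as unknown in tools)
    try:
        return date(1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F)
    except ValueError:
        return None  # the bytes in the field are not a valid date

def decode_entry(entry):
    """Decode one 32-byte entry; None for free slots and long-name pieces."""
    assert len(entry) == ENTRY_SIZE
    if entry[0] == 0x00 or entry[11] == ATTR_LONG_NAME:
        return None
    ctime, cdate, adate, hi, wtime, wdate, lo, size = struct.unpack_from(
        "<HHHHHHHI", entry, 14)  # offsets 14..31 as laid out by the FAT spec
    deleted = entry[0] == 0xE5  # first name byte overwritten by the delete marker
    stem = entry[0:8].decode("latin-1").rstrip()
    return {
        "status": "deleted" if deleted else "live",
        "name": (("?" + stem[1:]) if deleted else stem) + "." + entry[8:11].decode("latin-1").rstrip(),
        "created": dos_date(cdate), "accessed": dos_date(adate),
        "modified": dos_date(wdate), "size": size, "cluster": (hi << 16) | lo,
        "has_timestamps": any((ctime, cdate, adate, wtime, wdate)),
    }

def scan_directory(blob):
    """Decode every 32-byte slot of a raw directory region."""
    slots = (decode_entry(blob[i:i + ENTRY_SIZE]) for i in range(0, len(blob), ENTRY_SIZE))
    return [e for e in slots if e]

def make_entry(stem, ext, cdate, adate, wdate, cluster=0, size=0):
    """Build a constructed sample entry (times zero, dates packed as given)."""
    return (stem.ljust(8).encode() + ext.ljust(3).encode() + bytes([0x20, 0, 0])
            + struct.pack("<HHHHHHHI", 0, cdate, adate, cluster >> 16, 0, wdate,
                          cluster & 0xFFFF, size))

def packed(y, m, d): return ((y - 1980) << 9) | (m << 5) | d

D1, D2 = packed(2024, 3, 5), packed(2024, 3, 6)
# Constructed sample: a live container file, a deleted file whose stamps survive, a zeroed slot.
SAMPLE_DIR = (make_entry("VOLUME", "TC", D1, D1, D1, cluster=3, size=4_000_000_000)
              + bytes([0xE5]) + make_entry("NOTES", "TXT", D1, D2, D1)[1:]
              + b"\x00" * ENTRY_SIZE)
```

Pointing `scan_directory` at the root-directory region of a FAT32 image lets you see for yourself which deleted entries still carry dates and which have been zeroed.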
 

mastermind

New Member
While working with Eraser 6.0.10, I found a pattern 0x21 00 21 00 00 00 00 00 21 00 00 00 00 00 00 00 in the directory entry of the deleted file. This is for a FAT file system on a pendrive <=128 MB.

For a forensic investigator, this pattern will clearly indicate Eraser tool being used.

Is there a way to avoid this?
 

Joel

Active Member
AFAIK, no, short of rewriting all the directory structures.

I think Garrett is right (though I can't remember specifics) but I do recall there was some marker indicating that a FAT entry is deleted. I'm not sure if it's 0x21, but it could well be. At the same time, I don't recall leaving it as 0x21, it should be all zeroed. I'll check.
 

Joel

Active Member
I've looked at the 6.2 FAT erasure code and I don't see the constant 0x21 being used. Which version did you try this out on?
 

bountyhunter

New Member
Joel said:
I've looked at the 6.2 FAT erasure code and I don't see the constant 0x21 being used. Which version did you try this out on?
Hi and sorry to butt in - was interested in your conversation.
I believe he said "while working with Eraser 6.0.10"
Where do I get 6.2 by the way?
 