Trouble with freespace wipe

writerranger

New Member
I am using the latest version of Eraser by Garrett and I have used the last version by Sami (5.3?). Running Windows XP.

I am having problems with wiping the filenames when writing the freespace in 35-pass Gutmann mode. Using simple tools like Norton UnDelete it doesn't show anything, however, using Directory Snoop or LC Technology's FileRecovery I find many things including everything from the Windows/recent directory and many others. File Recovery by LC is an excellent recovery tool to see what exactly was erased - and more importantly what is left. The demo of File Recovery won't recover files but DOES show what's there - it's the best I have ever used for this purpose - demo is at:
http://www.lc-tech.com/Filerecovery.htm

FYI, hoping someone can help, I'm perplexed and I have a pretty good understanding of these things. First of all, mind you, ERASER does NOT leave these erased files recoverable, but the filenames are still there. And not on everything - it seems to be hit and miss. Keep in mind, I am talking about a full 35-pass FREESPACE wipe.

Here is my protocol:

1. I always defrag before and after erasure.
2. I close all applications, shut down as many running processes as I can.
3. I then right click on "c" drive, select 35-pass and let ERASER do its job.
4. As I said, I defrag after and then reboot.
5. I then run DirSnoop and the last few months I have been using the FileRecovery Demo, which again, is excellent with a very simple interface and runs a very quick sweep of the drive.

It is here where I should see clean freespace. I am seeing filenames, directory names, etc.

Any ideas would be appreciated from Garrett or anybody else.
I also would recommend grabbing that demo of FileRecovery and running it on your drive. It is a simple executable - requires no installation. It's been a rude wake-up call so far.
 
>>Running Windows XP.
First get 5.6 as it works on XP

>>LC Technology's FileRecovery I find many things including everything from the Windows/recent directory and many others.
I reckon here the files were never deleted. Just put in the trash. If you delete a file then erase the trash bin and wipe freespace it is gone. Erasing the file will do all this for that file in one pass.
A file erased by eraser is gone QED.

The only way it could be still there is if you are running some sort of mirroring software that replicated the file back after deletion.

Filenames are not erased:
The name is erased (5.6) but its entry in the MFT remains as a garbled entry of size 0. This is not recoverable.


>>1. I always defrag before and after erasure.
Erase first, defrag later. Defrag moves the data around so a file erased later will have left its bits all over the drive.

>>I then right click on "c" drive, select 35-pass and let ERASER do its job.
With modern drives 35 passes is an overkill the MOD setting should be enough.

>>It is here where I should see clean freespace. I am seeing filenames, directory names, etc.
Just to test this. You are using XP NTFS? or FAT32. Create a file then erase it and see if you can find it. I think what you are looking at is the remains of directory entries moved by the defrag in your defrag pass 1. Remember eraser freespacewipe cannot wipe out the mft/fat entries that were freed up by ordinary delete commands.


Garrett
 
Thanks for the response, Garrett!

I am using Windows XP FAT32 - in fact, I run as little software as possible. No mirroring software - no RAID array - nothing like that at all.

Actually, with the defrag, I do it sometimes, sometimes I don't. I'm glad for you to tell me this. Most tell you to get all the data together with a defrag - and then wipe. Always different things from different people in computing. However, what you said makes perfect sense.

"With modern drives 35 passes is an overkill the MOD setting should be enough."

I agree! Gutmann said it himself:

In the time since this paper was published, some people have treated the 35-pass overwrite technique described in it more as a kind of voodoo incantation to banish evil spirits than the result of a technical analysis of drive encoding techniques. As a result, they advocate applying the voodoo to PRML and EPRML drives even though it will have no more effect than a simple scrubbing with random data. In fact performing the full 35-pass overwrite is pointless for any drive since it targets a blend of scenarios involving all types of (normally-used) encoding technology, which covers everything back to 30+-year-old MFM methods (if you don't understand that statement, re-read the paper). If you're using a drive which uses encoding technology X, you only need to perform the passes specific to X, and you never need to perform all 35 passes. For any modern PRML/EPRML drive, a few passes of random scrubbing is the best you can do. As the paper says, "A good scrubbing with random data will do about as well as can be expected". This was true in 1996, and is still true now.

However, if I want to use the Gutmann METHOD - I have no option in the default ERASER setup other than 35-pass. Isn't that correct? And if so, why not offer the Gutmann METHOD as an option but with a smaller number of passes?

Just to test this. You are using XP NTFS? or FAT32. Create a file then erase it and see if you can find it. I think what you are looking at is the remains of directory entries moved by the defrag in your defrag pass 1.

I tested this with simple text files - no defragmenting, nothing. I created three text files test1DOD3, test2DOD7, test3GUT. I then used the options in Eraser on the appropriate file. Yes, using FILE RECOVERY - I found the files and it listed the filenames. Same after reboot. They were not recoverable, but the filenames were still there. ????

One question Garrett, that I am confused about that maybe you can clear up:


"Remember eraser freespacewipe cannot wipe out the mft/fat entries that were freed up by ordinary delete commands."

Do you mean that if a file is simply "deleted" (and not wiped) that a freespace wipe will not remove the filename? This is very new to me and maybe I misinterpreted.

Do I have a stubborn drive? [:)]

All the best,

Bill Klaussen
 
quote: Originally posted by writerranger
why not offer the Gutmann METHOD as an option but with a smaller number of passes?
And which passes would they be? If you want to use an overwriting method with fewer passes, your best bet is to overwrite with random data.

quote: Yes, using FILE RECOVERY - I found the files and it listed the filenames. Same after reboot. They were not recoverable, but the filenames were still there.
Did you get any error messages when erasing these files?

quote: Do you mean that if a file is simply "deleted" (and not wiped) that a freespace wipe will not remove the filename?
If everything goes as planned, the freespace wipe should remove the names of all deleted files. If not, you should be able to remove remaining filenames by running defrag after erasing.
 
writerranger...

I think it makes more sense to wipe free space before and after defragmenting your drive(s), rather than the other way around. Here is an explanation as to why:

http://www.fortunecity.com/skyscraper/t ... edders.htm

As for the file and directory names you are seeing, I think what you want to do after every free space wipe is to run CHKDSK in non-read-only mode. For example, open a Run dialog and enter "chkdsk /f c:", then accept the offer to run CHKDSK after the next reboot. This will clean up the invalid file and directory references.
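
Added example (not part of any post above, and not code from Eraser or from any of the recovery tools mentioned): on FAT32, an ordinary delete marks a 32-byte directory entry as free by setting its first name byte to 0xE5 and leaves the rest of the name, the size and the start cluster in the directory's own cluster, which is where a name-listing scanner can still read them. The directory bytes, the file names and the helpers `make_entry` and `residual_names` are constructed for illustration, and only short 8.3 entries are handled.

```python
import struct

ENTRY_SIZE = 32
DELETED = 0xE5     # first name byte of an entry freed by an ordinary delete
END_OF_DIR = 0x00  # first name byte when no further entries follow
ATTR_LFN = 0x0F    # long-file-name slot; skipped in this example


def make_entry(name, ext, size, cluster, deleted=False):
    """Build one constructed 32-byte short (8.3) directory entry."""
    raw = bytearray((name.ljust(8) + ext.ljust(3)).encode("ascii"))
    if deleted:
        raw[0] = DELETED                     # this example models a delete as changing only this byte
    raw += bytes([0x20]) + bytes(8)          # attribute (archive), reserved, create/access stamps
    raw += struct.pack("<H", cluster >> 16)  # first cluster, high word
    raw += bytes(4)                          # last-write time and date
    raw += struct.pack("<HI", cluster & 0xFFFF, size)  # first cluster low word, file size
    return bytes(raw)


def residual_names(dir_bytes):
    """Return (name, size, first_cluster) for each freed entry still readable."""
    found = []
    for off in range(0, len(dir_bytes) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = dir_bytes[off:off + ENTRY_SIZE]
        if e[0] == END_OF_DIR:
            break
        if e[0] != DELETED or e[11] == ATTR_LFN:
            continue                         # live file or long-name slot
        base = "?" + e[1:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        (hi,) = struct.unpack_from("<H", e, 20)
        lo, size = struct.unpack_from("<HI", e, 26)
        found.append((base + ("." + ext if ext else ""), size, (hi << 16) | lo))
    return found


# Constructed sample directory: one live file, two deleted files, end marker.
SAMPLE_DIR = (
    make_entry("README", "TXT", 120, 5)
    + make_entry("TEST3GUT", "TXT", 42, 9, deleted=True)
    + make_entry("NOTES", "DOC", 2048, 70000, deleted=True)
    + bytes(ENTRY_SIZE)
)

if __name__ == "__main__":
    for name, size, cluster in residual_names(SAMPLE_DIR):
        print(f"freed entry: {name:<13} size={size:<6} first_cluster={cluster}")
```

The first character of each recovered name is shown as "?" because the 0xE5 marker replaced it; every other field comes straight from the freed entry.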
 