Wipe free space doesn't work correctly (I can recover files)

smartins

New Member
I tested the following on both a VMware Windows XP SP2 image and on a real installation (again Windows XP SP2) both drives formatted as NTFS.

Running either Recover My Files or Recover My Photos (file recovery software), I'm able to find a lot of files using the program's Complete Search and selecting the Physical drive (instead of the partition).
Run Eraser to wipe the unused space, I can still see all the files Recovery My Files previously found. And no, I have no backups and no compression turn on.

My guess this happens because the disk is accessed directly bypassing the windows file system but it's just a guess. I also tried a few other free space wipe programs and all have this problem.

If I select the partition instead of the physical drive then no files are found after wiping the free space.

Any idea on how to prevent all these files from being found?
 
Are you actually able to recover the files? Are there only filenames or does the file content remain intact?

Joel
 
Hello -

I can CONFIRM that files are NOT being overwritten and this is VERY concerning to me.

I am using XP SP3, no compressed or Encrypted files.

I have the scheduler set to run every night at 2am and wipe all free space 1 pass random.

Today I used an advanced recovery utility which actually scans the surface and uses signatures to identify file types. There is no question that the MFT entries, etc. are overwritten/erased.

The scan found all kinds of files deleted weeks/months ago. Movies, pictures, documents, etc. Most of them weren't even corrupt. The scheduler has been running for over 80 days straight (every night) and these files are still there. I even tried a manual wipe free space, same thing.

Your basic recovery utility isn't going to find them, but a sector/sector scan of the drive shows nothing was physically overwritten.

:evil: MAJOR CONCERN :evil: here - I figured I had been safe seeing as I wiped every night.

Any ideas???

Using 5.86.1 - The names/info/attributes of the files are gone, but the actual data is 100% intact, could watch an entire 21minute family guy episode I had deleted 3 weeks ago.
 
Are you using NTFS for your disk file system?

NTFS has something called a journal which tracks everything that is done to the disk for reverting later on in the case of a system failure. All data that goes to your disk will go through the journal and the journal cannot be accessed by any Windows program. This is probably what the recovery tool is finding.

You may want to disable the Journal. Click Start > Run (or Winkey+R), type in cmd. Press enter. At the command prompt, type in
Code:
fsutil usn deletejournal /D C:
, replacing C: with the drive you are concerned about. Re-run the erase pass and see if the problem is resolved. Do note that this increases the possibility of drive corruption during a system failure.

Joel
 
The USN chnage journal has long been disabled on my system;

fsutil
Error: The volume change journal is not active.

I don't believe a 428mb avi of family guy from a month ago was sitting in the USN journal anyway. Even if this is the case, shouldn't there be an option to wipe USN or a warning that your data were still there?

Either way, however, the USN journal is not the issue here. The data is not being written over outside of the MFT during a wipe free space.
 
Another thing that slipped my mind was the System Restore journals, are those enabled?

To your question, the USN journal can't be wiped; it's an integral part of the file system (like the MFT)

Joel
 
System Restore is DISABLED on ALL drives.

Scheduler still runs WIPE ALL FREE SPACE every night, and I can still recover all the files.

People are blindly depending on this function to work as expected. The free space is simply NOT being actually wiped. This needs to be looked into asap.
 
Hi smartins

I am sorry to hear you are having trouble with Eraser.

There have been threads discussing your issue before here on the forums and I wonder if you wouldn’t mind reading the two links below and trying the suggestions there so we don’t keep repeating things here on this thread.

viewtopic.php?f=2&t=5378&st=0&sk=t&sd=a

viewtopic.php?f=2&t=5363&st=0&sk=t&sd=a

I tested the following on both a VMware Windows XP SP2 image and on a real installation (again Windows XP SP2) both drives formatted as NTFS.

Just for the purposes of testing could you only test on the “real” image please ? This eliminates other issues.

As a simple first test could you place some files onto a floppy disk, erase them with Eraser and then use your recovery programs to see if you can recover them from the floppy.

Oh almost forgot the most recent version of Eraser V5 is here.

Thanks.
 
V6 will correct a lot of problems but V5 should not be having the problems smartins and ee-theman are experiencing.

Are you experiencing the same as them ?
 
I'll (and Garrett will) need more information before any steps can be taken.

  • How new is the drive?
  • How fragmented is the drive? When was it last defragmented?
  • Do you mount the drive in non-Windows OSes (NTFS-3G, for example)
  • What recovery program are you using?

To resolve anything we'll need to replicate an issue: this happens always in software. If we can't replicate it we won't be able to fix anything.

Joel
 
Overwriter said:
V6 will correct a lot of problems but V5 should not be having the problems smartins and ee-theman are experiencing.

Are you experiencing the same as them ?

Thanks for the explanation.

I have not tested this issue on my computer so cannot determine if it is a problem.
 
Understood - I am committed to trying to get the info to get this resolved, however aside from the time already put in, this week is going to be really busy leading up to the holidays. I will try to get some time for testing/info in. Ultimately I want to try on a clean/blank small drive dedicated to testing and work back from there.

The drives are relatively new, SATA
De-Fragged every Sunday night.
Windows NTFS formatted using XP SP2.

I am doing all testing on physical hardware.

This was also replicated on Windows Server 2003 R2 SP2, btw.
 
Hmm, okay sure. Perhaps you could share with us what software runs on your computer? Files that may be locked, files that may be archived eg backup files, stuff like True Image, TrueCrypt (or BitLocker, for those who use Vista Enterprise/Ultimate).

There currently seems to be no difference with the test machines we use otherwise...

Joel
 
Re: Wipe free space (Power Data Recvry finds Eraser-ed files)

I have been following this thread as I have played with Eraser and can also recover files from an NTFS "portable hardrive" on a Win XP sp3 system after free space erasure. The files were initially just Windows deleted and emptied from the recycle bin. The drive has had many passes over the year with Eraser to overwrite free space including cluster tips, etc, just as you have noted in the posts. I have not been able to recover files originally wiped by Eraser, in any type of pass.

I have recovered windows media files, zip files as well as an Outlook pst with Power Data Recovery. The files have no names, but the info is very clear.

I do not have backup software on the drive, hae halted the System restore and do not encrypt or NTFS compress. I'd be happy to play as the drive can be nuked if need be.

river
 
How do you do your free space erase? Through the explorer shell extension or using the Eraser application?

Joel
 
I erase from the eraser program. I have never recovered a file that I actually erase de novo with eraser.

I just note that random files that I have deleted in the past through reg Windows delete and recycle can be recovered, despite multiple Eraser free space passes. I have used random and 3 pass, with cluster tips, free space and alt data streams checked. I have never seen the verify option work on my copy (5.86)

The Power Data rec tool actually previews mp3, wav txt and otehr files. Some of the files are original mp3's that came with the machine and I deleted long ago. Ohters are my movies. Many zip files. I can save tehm from the tool and open then up with the normal software. Sorry for the dyslexic typing!

river
 
Are you using Eraser on a Domain-connected computer where quotas are enforced?

Joel
 
Joel,

I am using a single PC, Win xp Pro SP3 versoion 2002

I would be happy to answer a check list of any questions re: setup of the computer, etc. There is nothing special that I am aware of. I am the adminstrator (2 users, one adm another not); all Eraser use is done from the adm user. I can finsd files on each of two internal drives and two external drives.

I have a directory on an internal drive that I Erased all the files. I use Hexedit, find the drive and much of the info is there.

river
 
When running the free space erasures are they done using a schedule? If so, what does the scheduler log read? What does the log read if it was not through the scheduler?

Joel
 
Back
Top