Wiping NTFS (journaling) filesystem

s7r

New Member
Greetings everyone,

New to this forum. Recently I have received a task to wipe the HDD of some computers which are to be donated to other organizations.
The problem is like this - the computers have 200 GB HDD each, with Windows XP installed on them. The files who were company's secrets have already been deleted (in windows with DELETE command) long time ago - what I need now is to wipe the entire free space of the HDD - I mean everything which was on the HDD previously and was deleted not to be recoverable in any way at all.

Simple to say - hard to do. I have asked many persons relating this issue and I was directed to Eraser. I was happy to see a forum is available too. I have made some documentation on the internet and I found out that NTFS file systems can not be wiped. Even with a 35-pass, the data will not be totally destroyed.

Is this for real? Is it true that if I wipe the free space of a NTFS partition I am just wasting my time because files will still be recoverable ? Please explain how this works exactly and why is it believed to be so.

Also tell me what algorithm should I use to wipe permanently - non-recoverable even to intelligence agencies- my data? What is the fastest and best algorithm which you would use for such purpose?

many thanks.
 

DavidHB

Active Member
Welcome to the forum. This is very much a core question for Eraser users.

I don't think that there is any way of being sure that confidential information is removed without possibility of recovery from a Windows system drive; there are just too many areas of the drive not marked as free to be sure that confidential information has not crept into one or another of them. What you can do is wipe free space with Eraser (the default single pass erase method is fine for this purpose), then use a good file recovery program to check what can be recovered. Recuva, which I use, has an option to wipe deleted files that it finds, which is useful. You may find that you need to repeat the process, which is time-consuming.

If that approach doesn't satisfy you (and I have my doubts about it), the best thing is to remove the drives, and put them in a caddy or dock connected to another machine, (quick) format them, then erase the free (= all the) space. Then anything the file system can access will be erased. The only risk you run is then that confidential data has crept into sectors marked as bad, and which are therefore inaccessible to the file system. But only a particularly determined, capable and lucky opponent would be capable of exploiting that situation; for most of us, a clean file system is the same thing as a clean drive.

I discuss the issues associated with wiping a system drive, and leaving Windows in place (or restoring it) in this thread.

Hope this helps

David
 

s7r

New Member
David I did not understand your point.

What do you think is it safe or not to wipe the disk with windows installed on it ? if the partition filesystem is journaling (ntfs) will this erase the data?

as i understood data can not be wiped no matter how many times you overwrite on journaling filesystems. i think all eraser users should know if this is possible or not.
 

DavidHB

Active Member
That word 'safe' has all sorts of implications; in particular, there is no such thing (in this context or any other) as absolute safety. I prefer to think in terms of risk, which is a function of four things:
  • the likelihood that known undesired outcomes will occur, or desired outcomes will not occur;
  • the possibility that unexpected and unwanted outcomes ('unknown unknowns') will occur, bearing in mind that such outcomes have occurred in the past;
  • the degree of comfort (or lack of it) one has with these possibilities;
  • the measures taken to prevent such outcomes and/or mitigate the damage caused, with consequent effect on the acceptability or otherwise of the residual degree of risk.
Eraser, obviously, relates to the last of these points, but its usefulness in the real world also depends on users' assessments of the other 3. That is why, although I can answer your technical question, I cannot say what degree of safety that answer provides for you.

I can say with certainty that data can be securely erased (that is, erased without practical possibility of recovery) from journalling file systems on magnetic media (flash drives and SSDs present other problems), and that Eraser does do this on the NTFS file system. Erasing (not deleting) the partition also erases the data.

The risk of unwanted recovery lies in three areas:
  • the possibility that the user does not know that sensitive data is present on the drive, or does not know how to find it;
  • the system making the data in some way difficult to access or remove;
  • the cost, typically in terms of time and convenience, associated with the measures to remove the less accessible data, and the consequent user reluctance to use such measures.
In my experience, these factors present a significantly greater degree of risk that recoverable sensitive data will remain on a system drive, even when sensitive files and the free space have been erased, than on a non-system drive. The risk is also greater with more complex file systems such as NTFS than with simpler ones such as FAT.

In my own judgement, and thinking about ordinary users (not high risk environments such as government security agencies and finance houses), risk can be reduced to an acceptable degree by always
  • erasing rather than deleting sensitive files;
  • keeping program and internet clutter to a minimum (e.g. by using CCleaner with the wipe option set);
  • switching off the Shadow Copies feature of Windows/NTFS, disabling System Restore on non-system drives, and erasing all but the most recent valid System Restore points (again, CCleaner can do this);
  • occasionally wiping the free space on the drive.
But this assessment only remains valid while the machine remains in the user's possession. Once a storage device is out of the user's control, those 'unknown unknown' factors come into play, and the only way to reduce risk to a minimum is to erase the whole drive securely and, if necessary or desired, reinstall the operating system on a system drive. For this latter task, the factory restore feature available on nearly all laptops and some branded desktops can be very useful.

I hope that this explains things.

David
 

s7r

New Member
Yes it helps, many thanks for your reply.
I understand now exactly what you mean. Erasing the free space will make all previously deleted files to be unrecoverable in proportion of 99,9% but something can remain so it's rather better if you have the possibility to erase the entire HDD.

I will do some tests - put some files on my HDD, delete the normally (with delete command in windows) and after that wipe the free space with eraser (some US Air Force 7-pass) or something very strong. after that i will run some file recovery software to see if previously deleted files are detected.
 

DavidHB

Active Member
s7r said:
Erasing the free space will make all previously deleted files to be unrecoverable in proportion of 99,9% but something can remain so it's rather better if you have the possibility to erase the entire HDD.
All the studies I am aware of suggest that, on modern drives, overwriting even once is sufficient to make any overwritten data effectively non-recoverable. I am not aware of any disagreement with this conclusion based on experimental evidence.

So the issue is not whether or not we have effective overwriting; the issue is whether we can find and access the data that needs to be overwritten. I am certain that the great majority of users, including myself, cannot do this with the degree of effectiveness that is needed. Applications like CCleaner are a great help (but also, without significant user intervention, something of a blunt instrument), though they do not provide a 100% solution

s7r said:
I will do some tests - put some files on my HDD, delete the normally (with delete command in windows) and after that wipe the free space with eraser (some US Air Force 7-pass) or something very strong. after that i will run some file recovery software to see if previously deleted files are detected.
For the reason I gave above, I suggest that you test using the default single pass free space erase, as it is much quicker. You could also try a test using direct erasing; the results should be the same. If your recovery software has a deep scan facility (as does, for example, Recuva), I suggest you use that for the test. Remember that you are not looking for the recovery software to find no deleted files (that would be quite surprising), but for any files you have deleted or erased and which should not be recoverable.

David
 
Top