Forensic Analysis?

General discussion about data forensics.

Moderators: Eraser DevTeam, Eraser Moderators

Re: Forensic Analysis?

Postby Joel » Fri Aug 17, 2012 2:33 pm

You can see the test - System Restore can be on, but if there are no images, it's as good as off, isn't it?
Be sure to read the FAQ before posting. If you found this application useful, please contribute to Eraser's development.

I develop Eraser but I am not an employee of Heidi Computers Ltd. My views do not represent those of Heidi Computers Ltd.
Don't PM or Email me questions: they won't be answered any faster than on the forum and knowledge won't be accessible by all.
User avatar
Joel
Eraser DevTeam
 
Posts: 3688
Joined: Sat Aug 19, 2006 12:16 am
Location: Singapore

Re: Forensic Analysis?

Postby ZCode » Fri Aug 17, 2012 5:35 pm

Joel wrote:You can see the test - System Restore can be on, but if there are no images, it's as good as off, isn't it?


Where is the test?

I actually just tested this myself. When eraser erases the unused space, Windows does not delete ALL the restore points all the time. Sometimes it left one, sometimes it left two. Sure enough the older restore points are erased, but the fact that there might be one or two left still poses a security threat.
ZCode
 
Posts: 8
Joined: Sat Aug 04, 2012 5:07 pm

Re: Forensic Analysis?

Postby DavidHB » Fri Aug 17, 2012 7:08 pm

Did Joel mean 'text', I wonder?

The warning appears in the task log, if Eraser detects that System Restore is or has been enabled.

And I repeat: Eraser does not remove extant restore points.

David
I am not an Eraser programmer, but a long-time user; my views may not be the same as those of the Eraser programming team.
Before posting, please read the top 4 topics in the Eraser FAQ, which already provide many of the answers users need.
DavidHB
Eraser Wizard
 
Posts: 2166
Joined: Sat Jan 23, 2010 8:10 pm
Location: Isle of Wight, UK

Re: Forensic Analysis?

Postby Joel » Sat Aug 18, 2012 10:37 am

In the source code file you pointed out. I meant test - the test which will determine if Eraser thinks Shadow Copies are "enabled" (currently we're only equating existance of shadow copies with it being enabled). I don't think there's a way to determine if it's just enabled for the drive if there are no shadow copies currently enabled.
Be sure to read the FAQ before posting. If you found this application useful, please contribute to Eraser's development.

I develop Eraser but I am not an employee of Heidi Computers Ltd. My views do not represent those of Heidi Computers Ltd.
Don't PM or Email me questions: they won't be answered any faster than on the forum and knowledge won't be accessible by all.
User avatar
Joel
Eraser DevTeam
 
Posts: 3688
Joined: Sat Aug 19, 2006 12:16 am
Location: Singapore

Previous

Return to Data Forensics

Who is online

Users browsing this forum: No registered users and 1 guest

cron