ERASER NTFS File names

General discussion about data forensics.

Moderators: Eraser DevTeam, Eraser Moderators

Postby willk » Wed Feb 10, 2010 6:54 pm

Does anyone know if the nonsensical file names Eraser 5.8 writes to an NTFS directory are standard? That is, are there other programs that write similar file names? This would be important for auditing; if there are other programs that use the same file naming convention, one would not know that Eraser was used. On the other hand, it would be pretty easy to know that Eraser was used on a computer if Eraser is the only program that writes that type of file name. So from a forensic standpoint it would be easy to tell if someone used Eraser? I would assume it is a standard naming convention, though, but I am not sure. If anyone has the answer it would be helpful.
willk
 
Posts: 1
Joined: Wed Feb 10, 2010 6:45 pm

Re: ERASER NTFS File names

Postby Joel » Thu Feb 11, 2010 6:48 am

Your answer's implicit in http://bbs.heidi.ie/viewtopic.php?f=35&t=5300 and http://bbs.heidi.ie/viewtopic.php?f=35&t=6014. Eraser v5 has a standard name; v6 drops that in favour of random filenames through and through.
Be sure to read the FAQ before posting. If you found this application useful, please contribute to Eraser's development.

I develop Eraser but I am not an employee of Heidi Computers Ltd. My views do not represent those of Heidi Computers Ltd.
Don't PM or Email me questions: they won't be answered any faster than on the forum and knowledge won't be accessible by all.
Joel
Eraser DevTeam
 
Posts: 3688
Joined: Sat Aug 19, 2006 12:16 am
Location: Singapore

Re: ERASER NTFS File names

Postby eraseruser0 » Mon Apr 12, 2010 1:52 am

Right, but that doesn't quite address the question he had, which is: does Eraser leave a distinctive trail in the filenames it uses?

I know, from using CCleaner and Eraser and another third-party tool whose name eludes me, that each leaves a distinctive "trail" in the NTFS file names. CCleaner's "random" names are composed of Zs and periods. Eraser's are random, but longer than CCleaner's. The third-party program used a particular name that I can't remember (EVREM or something).
eraseruser0
 
Posts: 7
Joined: Fri Apr 09, 2010 8:00 pm

Re: ERASER NTFS File names

Postby Joel » Mon Apr 12, 2010 1:55 am

I think "distinctive" is very subjective. To me it is distinctive (because I know the algorithm, I wrote it) but in spite of it being distinctive I can still plausibly deny: the filenames are random and anything could have generated that.
Joel
Eraser DevTeam
 
Posts: 3688
Joined: Sat Aug 19, 2006 12:16 am
Location: Singapore

Re: ERASER NTFS File names

Postby eraseruser0 » Sun May 02, 2010 5:14 am

Well, just saying, his original comment was that each tool leaves its own trail. Eraser does not attempt to hide its own trail. Whether that's a big deal is beyond me. I'm not particularly worried about that point; he was.
eraseruser0
 
Posts: 7
Joined: Fri Apr 09, 2010 8:00 pm

Re: ERASER NTFS File names

Postby DavidHB » Sun May 02, 2010 3:57 pm

eraseruser0 wrote: Well, just saying, his original comment was that each tool leaves its own trail. Eraser does not attempt to hide its own trail. Whether that's a big deal is beyond me. I'm not particularly worried about that point; he was.

I think that there are two things going on here.

The first is the distinction between random and pseudorandom. 'Random' implies that there is no pattern or logic that connects a member of a set to any of the other members of the set. As computers work by executing sets of instructions, and each set of instructions contains logic, computers cannot generate random data; if you know how the data is generated, the data is not random; this, I think, is Joel's point. 'Pseudorandom' implies that, while there is a connection between the members of the set, it is difficult or impossible to discern this connection from the data in the set alone; in this sense, Eraser generates pseudorandom file and folder names. This makes it difficult to know (and certainly to prove) what the original file names were; this is even more the case with a free space wipe, as the data Eraser writes bears no relation to the data that is overwritten.

The second point is that, as file and folder names are typically anything but random, the very fact that Eraser's names are pseudorandom makes them distinctive. If, for example, you use a file recovery utility to test a free space wipe, it is pretty easy to see which are Eraser's 'rubbish' files, used for overwriting, and which are not. The only information that gives someone else is that Eraser (or a similar program, if there is one) has been used on the drive; in most circumstances, that will not compromise user privacy and security. In circumstances where the fact that Eraser has been used is an issue, the only truly secure course of action is to physically destroy the drive after wiping it and then put the pieces somewhere where they will not be found.

David
I am not an Eraser programmer, but a long-time user; my views may not be the same as those of the Eraser programming team.
Before posting, please read the top 4 topics in the Eraser FAQ, which already provide many of the answers users need.
DavidHB
Eraser Wizard
 
Posts: 2166
Joined: Sat Jan 23, 2010 8:10 pm
Location: Isle of Wight, UK
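A triage sketch of the point made in the post above (random-looking names stand out among ordinary ones) together with eraseruser0's earlier observation about names made of Zs and periods. This is an added example, not code from Eraser, CCleaner or any poster: the character-class heuristic, the thresholds and every sample name are assumptions constructed for illustration, and Eraser's real name generator is not reproduced.

```python
import re

# Assumed thresholds, chosen for illustration only.
MIN_LEN = 8
MIN_TRANSITION_RATE = 0.5

def char_class(c):
    """Coarse character class used to measure how 'structured' a name is."""
    if c.islower():
        return "lower"
    if c.isupper():
        return "upper"
    if c.isdigit():
        return "digit"
    return "other"

def transition_rate(name):
    """Fraction of adjacent character pairs that switch class.
    Human-chosen names switch rarely (word, separator, number, extension)."""
    if len(name) < 2:
        return 0.0
    classes = [char_class(c) for c in name]
    switches = sum(a != b for a, b in zip(classes, classes[1:]))
    return switches / (len(name) - 1)

def classify(name):
    # Pattern described in the thread: names composed only of Zs and periods.
    if "Z" in name and re.fullmatch(r"[Z.]+", name):
        return "zs-and-periods"
    if len(name) >= MIN_LEN and transition_rate(name) >= MIN_TRANSITION_RATE:
        return "random-looking"
    return "ordinary"

def triage(names):
    """Group a recovered directory listing by label."""
    report = {"zs-and-periods": [], "random-looking": [], "ordinary": []}
    for n in names:
        report[classify(n)].append(n)
    return report

# Constructed listing, as a file recovery tool might export it.
SAMPLE = ["report_2010.docx", "IMG_0042.JPG", "ZZZZZZZZ.ZZZ",
          "xk92QvB7mmP1", "q7X!b2Rk9~Wd3Lp0", "a3f9c1e07b2d.tmp"]

if __name__ == "__main__":
    for label, names in triage(SAMPLE).items():
        print(f"{label:15} {names}")
```

The hash-style temp name `a3f9c1e07b2d.tmp` is also labelled random-looking, so the label is a lead for further examination and does not identify which program wrote the name.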

Re: ERASER NTFS File names

Postby Joel » Sun May 02, 2010 10:05 pm

DavidHB wrote: The second point is that, as file and folder names are typically anything but random, the very fact that Eraser's names are pseudorandom makes them distinctive. If, for example, you use a file recovery utility to test a free space wipe, it is pretty easy to see which are Eraser's 'rubbish' files, used for overwriting, and which are not. The only information that gives someone else is that Eraser (or a similar program, if there is one) has been used on the drive; in most circumstances, that will not compromise user privacy and security. In circumstances where the fact that Eraser has been used is an issue, the only truly secure course of action is to physically destroy the drive after wiping it and then put the pieces somewhere where they will not be found.

David

Spot on. However, there's still a "back door" to the problem: since random file names and data can be said to be indistinguishable from noise (i.e., randomly found on the disk), it is possible to plausibly deny, I think.
Joel
Eraser DevTeam
 
Posts: 3688
Joined: Sat Aug 19, 2006 12:16 am
Location: Singapore

Re: ERASER NTFS File names

Postby DavidHB » Mon May 03, 2010 3:29 pm

Joel wrote: However, there's still a "back door" to the problem: since random file names and data can be said to be indistinguishable from noise (i.e., randomly found on the disk), it is possible to plausibly deny, I think.

Denial would only be plausible if running recovery on a drive on which Eraser had not been used turned up a bunch of similar file names. I haven't tested this, but I don't think that it's likely. Either way, this is not an argument I'd like to rely on in court ...

David
DavidHB
Eraser Wizard
 
Posts: 2166
Joined: Sat Jan 23, 2010 8:10 pm
Location: Isle of Wight, UK

Re: ERASER NTFS File names

Postby Joel » Mon May 03, 2010 10:39 pm

The idea is that what was found was as good as noise, i.e., the evidence collected is useless in proving anything. That's the usual argument I see being used... but tbh, I've not tested it either.
Joel
Eraser DevTeam
 
Posts: 3688
Joined: Sat Aug 19, 2006 12:16 am
Location: Singapore

Re: ERASER NTFS File names

Postby DavidHB » Tue May 04, 2010 11:42 am

The trouble with that argument is that, if the files are identifiable for what they are precisely because the names are 'noisy', then those names are not noise, but signal. Not that the information conveyed is useful in most cases, but I'd guess that it is rather weak in terms of plausible deniability.

David
DavidHB
Eraser Wizard
 
Posts: 2166
Joined: Sat Jan 23, 2010 8:10 pm
Location: Isle of Wight, UK

