ERASER NTFS FIle names

[willk]

Does anyone know if the nonsensical files names Eraser 5.8 writes to an NTFS directory is standard? That is; are there other programs that write similar file names? This would be important for auditing; if there are other programs that use the same file naming convention one would not know that eraser was used. On the other hand it would be pretty easy to know that eraser was used on a computer if eraser is the only program that writes that type of file name.So from a forensic stand point it would be easy to tell if someone used Eraser???? I would assume it is a standard naming convention though but not sure. If anyone has the answer it would be helpful.

 

[Joel]

Your answer's implicit in http://bbs.heidi.ie/viewtopic.php?f=35&t=5300 and http://bbs.heidi.ie/viewtopic.php?f=35&t=6014. Eraser v5 has a standard name; v6 drops that in favour of random filenames through and through.

 

[eraseruser0]

Right, but that doesn't quite address the question he had, which is does Eraser leave a distinctive trail in the filenames it uses?

I know, from using CCleaner and Eraser and another third party tool whose name eludes me that each leaves a distinctive "trail" in the NTFS file names. CCleaner's "random" names are composed of Zs and periods. Erasers are random, but longer than CCleaner. The third party program used a particular name that I can't remember (EVREM or something).

 

[Joel]

I think "distinctive" is very subjective. To me it is distinctive (because I know the algorithm, I wrote it) but in spite of it being distinctive I can still plausibly deny: the filenames are random and anything could have generated that.

 

[eraseruser0]

Well just saying, his original comment was that each tool leaves its own trail. Eraser does not attempt to hide its own trail. Whether that's a big deal is beyond me. I'm not particularly worried about that point, he was.

 

[DavidHB]

Well just saying, his original comment was that each tool leaves its own trail. Eraser does not attempt to hide its own trail. Whether that's a big deal is beyond me. I'm not particularly worried about that point, he was.

I think that there are two things going on here.

The first is the distinction between random and pseudorandom. 'Random' implies that there is no pattern or logic that connects a member of a set to any of the other members of the set. As computers work by executing sets of instructions, and each set of instructions contains logic, computers cannot generate random data; if you know how the data is generated, the data is not random; this, I think, is Joel's point. 'Pseudorandom' implies that, while there is a connection between the members of the set, it is difficult or impossible to discern this connection from the data in the set alone; in this sense, Eraser generates pseudorandom file and folder names. This makes it difficult to know (and certainly to prove) what the original file names were; this is even more the case with a free space wipe, as the data Eraser writes bears no relation with the data that is overwritten.

The second point is that, as file and folder names are typically anything but random, the very fact that Eraser's names are pseudorandom makes them distinctive. If, for example, you use a file recovery utility to test a free space wipe, it is pretty easy to see which are Eraser's 'rubbish' files, used for overwriting and which are not. The only information that gives someone else is that Eraser (or a similar program, if there is one) has been used on the drive; in most circumstances, that will not compromise user privacy and security. In circumstances where the fact that Eraser has been used is an issue, the only truly secure course of action is to physically destroy the drive after wiping it and then put the pieces somewhere where they will not be found.

David

 

[Joel]

The second point is that, as file and folder names are typically anything but random, the very fact that Eraser's names are pseudorandom makes them distinctive. If, for example, you use a file recovery utility to test a free space wipe, it is pretty easy to see which are Eraser's 'rubbish' files, used for overwriting and which are not. The only information that gives someone else is that Eraser (or a similar program, if there is one) has been used on the drive; in most circumstances, that will not compromise user privacy and security. In circumstances where the fact that Eraser has been used is an issue, the only truly secure course of action is to physically destroy the drive after wiping it and then put the pieces somewhere where they will not be found.

David

Spot on. However, there's still a "back door" to the problem, since random file names and data can be said to be indistinguishable from noise (i.e., randomly found on the disk) it is possible to plausibly deny, I think.

 

[DavidHB]

However, there's still a "back door" to the problem, since random file names and data can be said to be indistinguishable from noise (i.e., randomly found on the disk) it is possible to plausibly deny, I think.

Denial would only be plausible if running recovery on a drive on which Eraser had not been used turned up a bunch of similar file names. I haven't tested this, but I don't think that it's likely. Either way, this is not an argument I'd like to rely on in court ...

David

 

[Joel]

The idea is that what was found was as good as noise, i.e., the evidence collected is useless in proving anything. That's the usual argument I see being used... but tbh, I've not tested it either.

 

[DavidHB]

The trouble with that argument is that, if the files are identifiable for what they are precisely because the names are 'noisy', then those names are not noise, but signal. Not that the information conveyed is useful in most cases, but I'd guess that it is rather weak in terms of plausible deniability.

David