Anonymous
Guest
Recently, there were rumours that Eraser does not completely erase files
(http://www.cipherserver.com/phpBB2/viewtopic.php?t=653&sid=cfd809ceff5c130acdbc2a585efec7fa).
To clarify this topic, I performed a test on 2 hard disks:
1. a 149 GB Samsung SpinPoint 1604N
2. a 19 GB Maxtor 2B020H1
On both hard disks (at the physical end of the disk) I created a 110 MB NTFS primary partition, 512 Byte Cluster size. "Write Caching" was disabled within Windows XP SP 1 for both hard disks before that.
PartitionMagic and other Disk Diagnosing tools did not show any Bad Clusters on the hard drives.
After formatting both partitions, I rebooted and started DBAN.
I wiped both target partitions with 40xPRNG, Verify All Passes.
I then used Encase/FileScavenger/Restoration/Ontrack Easy Recovery Professional/DirectorySnoop to find any files on these partitions.
No program found any user specific files, except MFT, bad cluster etc files. Those files are created when you create the partition or format it. Or are maintained by the disk itself.
I hence assumed that the 40 times PRNG wipe with DBAN sufficiently cleared both volumes.
I then copied about 20 files on both volumes. Files differed in size and file type. SWAP file was disabled and no other process did write any other file on the volumes.
The next day, I erased all files (visible and hidden) with Eraser 1 pass PRNG. I did not do any free space clearing.
Then I put a write lock on both partitions.
After that, I used Encase et al. to examine the 2 volumes.
The results were the same for both volumes:
i) Encase showed me that there were about 20 files I created, but the file names were scrambled and the files only 0 KB files. When I extracted those 0 KB files, a HexEditor (xvi32) did show nothing.
ii) FileScavenger, Restoration, Ontrack ERProf-RawRecovery/DS brought the same results as Encase.
After this process, I removed the write lock and did a Free Space 1pass PRNG overwrite with Eraser (the single files were then effectively erased 2 times).
Then I used Encase et al. again:
i) Encase: Encase did not show the ~20 files in the normal place (d:\, g:\ resp.) but they were in a newly created folder (created by Eraser). File names were scrambled and files were 0 KB. HexEditor did reveal nothing.
ii) FileScavenger still showed me the files, but the before scrambled file names were now 00000000000000. Files had 0 KB as well and could not be recovered.
iii) Restoration showed the 0 KB files in a folder
iv) raw recovery only showed a big 73,23 MB file (= sum of all files I created)
v) DS did show the files, but the file names were scrambled and I only recovered 0 KB files.
Then, I did a 40xPRNG wipe with DBAN, formatted both and copied the same files on the 2 volumes.
Waited for 1/2 a day.
This time I did a 1 pass PRNG with DBAN.
Results: all recovery tools (Encase, FS, Rest., Ontrack ERProf, DS) did show nothing else than the system files (MFT file etc).
I could not find or even recover the files I created and then wiped with DBAN.
Conclusion:
- Files that were overwritten 1 time with PRNG data with Eraser could not be recovered with any of the above mentioned software tools.
- However, though the file names themselves were scrambled, I could see that there were files that had been erased. This was also true after the Free Space and MFT erase process.
- After a 1xPRNG wipe with DBAN, I could not even find any deleted files and hence not recover them.
These results were obtained on NTFS partitions (512 Byte Cluster size) with disabled write cache on a 149 GB Samsung and a 19 GB Maxtor drive.
Comment:
Eraser is secure for the average user.
However, I'd be worried that one can see that there were files and that those have been deleted.
Therefore, I'd recommend to use DBAN if you want to be sure or if you want to give your hard drive away.
Beware that sophisticated attackers still can recover data that have been overwritten 20 times and maybe more.
30-pass random scrubbing DBAN seems to be secure for a High security level.
All paranoids are advised to smelt/pulverize their platters.
greets, Anonymous
PS: Maybe I'll do the same test but with more passes PRNG.
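
The check described in the post can also be scripted against a raw image of the wiped volume; the following is an added example, not part of the original post and not code from Eraser or DBAN. It looks for the two kinds of remnant the post distinguishes: surviving 512-byte blocks of the known test files, and NTFS file records (signature `FILE`) whose in-use flag is cleared. The function names and the sample image are constructed for illustration, and acquiring the raw image is assumed to happen separately.

```python
import hashlib
import random

SECTOR = 512  # cluster size of the test partitions in the post


def block_hashes(reference_files):
    """Map SHA-256 of each full, non-uniform 512-byte block to (name, offset)."""
    known = {}
    for name, data in reference_files.items():
        for off in range(0, len(data) - SECTOR + 1, SECTOR):
            block = data[off:off + SECTOR]
            if len(set(block)) > 1:  # ignore zero-filled / single-byte blocks
                known[hashlib.sha256(block).digest()] = (name, off)
    return known


def scan_image(image, reference_files):
    """Return (content_hits, deleted_records) for a raw volume image."""
    known = block_hashes(reference_files)
    content_hits, deleted_records = [], []
    for off in range(0, len(image) - SECTOR + 1, SECTOR):
        sector = image[off:off + SECTOR]
        hit = known.get(hashlib.sha256(sector).digest())
        if hit:
            content_hits.append((off, *hit))  # file content survived the wipe
        # NTFS file records start with "FILE"; flags at 0x16, bit 0 = in use
        if sector[:4] == b"FILE":
            flags = int.from_bytes(sector[0x16:0x18], "little")
            if not flags & 0x01:
                deleted_records.append(off)  # trace that a file once existed
    return content_hits, deleted_records


def build_sample():
    """Constructed data: a PRNG-filled 'volume' with planted remnants."""
    rng = random.Random(1604)
    doc = bytes(rng.getrandbits(8) for _ in range(1300))
    image = bytearray(rng.getrandbits(8) for _ in range(64 * SECTOR))
    image[10 * SECTOR:11 * SECTOR] = doc[512:1024]  # one surviving content block
    record = bytearray(1024)
    record[:4] = b"FILE"                             # deleted record (flags = 0)
    image[20 * SECTOR:22 * SECTOR] = record
    record[0x16] = 0x01                              # same record, marked in use
    image[22 * SECTOR:24 * SECTOR] = record
    return bytes(image), {"doc.bin": doc}
```

An empty `content_hits` with a non-empty `deleted_records` corresponds to what the post reports after the Eraser runs: no recoverable content, but visible evidence that files were deleted.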