DavidHB said: Thus, when an overwriting program such as Eraser writes to the whole disk area used by a target file and the associated file table entries, that file (including any metadata the file or file system might contain) is completely and permanently destroyed. I am not aware of any published claim that this is not the case. Also, with modern drives, a single pass erase is as effective as a 35 pass erase; forensic analysis will therefore typically focus on the security weaknesses of the target system rather than attempt to recover erased data.
It is my personal belief that, because traces are so hard to find and remove, an ordinary private user will find it virtually impossible to secure his or her data against sustained expert forensic examination, other (possibly) than by encrypting all sensitive data.
ZCode said: what do you mean by the "security weaknesses of the target system"? In this case we are just talking about hard-drive and the Eraser software itself, right?
No. We are also talking about the file system and the operating system with which that file system is associated. The behaviour of these very complex system components has major implications for user security.
ZCode said: what are the "traces" of the files? If I already overwrite the whole disk with random 0/1s why would there be "traces" left? You mentioned all the metadata and the contents are destroyed, but you also mentioned that "virtually impossible to secure his or her data against sustained expert forensic examination"
If you overwrite the whole of the disk (e.g. by formatting it and then erasing the free space), nothing except the (almost empty) file table will be left, and that disk will be pretty much secure, even against forensic examination. But it is only when disposing of the disk or putting it to some other use that you can do this.
DavidHB said: As I understand it, Eraser will prevent Windows making shadow copies (the most obvious cause of security weakness) of files it erases directly.
ZCode said: Eraser cannot erase all the shadow files when erasing all the unused space, right?
Yes. Shadow copies are not in space marked as free by the file system, so, by definition, are not covered by a free space erase. Deleting old restore points is a good idea; they take up space in any case. Once they (and the shadow copies in them) are deleted, a free space erase will work on what is left of those shadow copies.
Joel said: Nope, shadow copies operate on the block level, in other words, the system will take a snapshot of the disk as it was, and only modify blocks that have changed since.
Therefore, there will be no distinction between "normal" files and "system files"; everything will be imaged as one shadow copy. But yes, this does work on a disk basis so C: will have different shadow copies from D:
On server configurations, admins can also change the shadow copy storage path.
ZCode said: I saw on this post (coincidentally from you as well) that Windows clears its old restoration points when Eraser erases unused space.
This is not quite the way it works. If a restore point (containing shadow copies) is deleted, the space is marked as free, and Eraser free space erase treats it as it would any other free space. If the restore point is not deleted, free space erasing will not touch it.
Joel said: I think it is worthwhile to mention that disabling System Restore on any drive prevents Previous Versions from working, if you should use that feature.
True. Hence the point about backups.
Joel said: David, did we write this somewhere before?
Probably
Joel said: You can see the test - System Restore can be on, but if there are no images, it's as good as off, isn't it?
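
A toy model of the block-level behaviour discussed in this thread, added here as an illustration; it was not posted by any participant and is not Eraser or Windows code. The `Volume` class and its methods are hypothetical, and real shadow copy storage is considerably more involved than this sketch.

```python
# Simplified model (an assumption, not Windows VSS code): a volume is a list of
# blocks, and a snapshot saves a block's old content the first time that block
# is overwritten after the snapshot was taken (copy-on-write).
WIPE = b"\x00"

class Volume:
    def __init__(self, nblocks):
        self.blocks = [WIPE] * nblocks
        self.owner = {}        # allocated block index -> "file:<name>" or "snapshot"
        self.snapshot = None   # live block index -> index of its saved copy

    def _alloc(self, tag):
        idx = next(i for i in range(len(self.blocks)) if i not in self.owner)
        self.owner[idx] = tag
        return idx

    def _write(self, idx, data):
        # Copy-on-write: preserve the pre-change content once per block.
        if (self.snapshot is not None and idx not in self.snapshot
                and self.blocks[idx] != WIPE):
            store = self._alloc("snapshot")   # allocated, so NOT free space
            self.blocks[store] = self.blocks[idx]
            self.snapshot[idx] = store
        self.blocks[idx] = data

    def create_file(self, name, data):
        self._write(self._alloc("file:" + name), data)

    def overwrite_file(self, name, data):
        for idx in [i for i, t in self.owner.items() if t == "file:" + name]:
            self._write(idx, data)

    def take_snapshot(self):
        self.snapshot = {}

    def delete_snapshot(self):
        # Storage blocks are released to free space; their content is untouched.
        for idx in [i for i, t in self.owner.items() if t == "snapshot"]:
            del self.owner[idx]
        self.snapshot = None

    def erase_free_space(self):
        # Overwrites only blocks the file system marks as unallocated.
        for idx in range(len(self.blocks)):
            if idx not in self.owner:
                self.blocks[idx] = WIPE

    def recoverable(self, data):
        return data in self.blocks
```

In this model, old content held by a snapshot survives a free space erase, stays on disk after the snapshot is deleted, and disappears only when free space is erased again afterwards.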