Recuva and Eraser

Conan1

New Member
I used Eraser to erase a Seagate external hard drive. I deleted a few of the files by specifically picking them and erasing them and deleted some the normal way. I then moved the files I wanted off the drive and performed a 3 pass free space erase. Just for grins I turned plausible deniability on. Not sure I used this right however...I only picked one file (C:\WINDOWS\system\TIMER.DRV). Anyways, I then used Recuva to see what it found. It found some files that it says were not deleted such as $Boot, $LogFile, and $MFT. The only path for these is E:\. Other files that it says were not deleted were $Quota and $Reparse in E:\$Extend\. It also says change.log and MountPointManagerRemoteDatabase were not deleted and these are located in E:\System Volume Information\. Do you think I need to worry about these files?

It also found thousands of randomly named files with no extension. They are also located in the same randomly named folder and are the same size. They were last modified at the same time. Their state is excellent but from what I've read this makes sense and these files are securely deleted and unrecoverable. Is this right? There are also tons of other randomly named files that are listed as in poor condition or unrecoverable.

It also found two desktop.ini files in Recycler. Anything to worry about?

One last question. Since I turned on plausible deniability shouldn't Recuva not even show that these files were erased? Or am I not understanding this process correctly? Sorry for the long post. Just want to make sure I understand what I'm doing. Any help would be appreciated
 
I don't know the answer for sure. Were any of the files actually recovered by Recuva actually readable - in part or whole?

Eraser has problems sometimes erasing locked files, especially Windows files / system (what it CONSIDERS system files). Don't know what was EVER in the files you mention.
MOst don't sound like contain much private data, but... The boot & MFT aren't going to contain private data, AFAIK. Don't know what Quota or Reparse files are in Windows, or if part of the external drive's files.

Did you del and / or erase all files you were interested in, then erase free space (on E:)?

Maybe nothing to do w/ the "recovered" files, but I would choose another file for plausible deniability besides a Windows system file, as they're often locked. Not sure, but Eraser might have problems using a locked system file.
It also found thousands of randomly named files with no extension.
Did it give any name or part of name for them. Can you open any (like w/ a utility such as Filealyzer http://www.safer-networking.org/en/filealyzer/index.html If thousands & all same size,could be the file used for plausible deniability.
 
None of the files seem to be readable. When I go into thumbnail mode on Recuva I can't see a preview of them. Even the one's whose status is Excellent. I also used FileAlyzer on it. It doesn't seem to recognize it. It says the last access was in 1899.

I did delete or erase all the files I was interested in before running the free space erase.

Thanks for the tips about plausible deniability.

I think I should be OK. Just wanted to check here and see what people had to say about the types of files Recuva found.
 
So I'm still confused. I changed the plausible deniability file to a non-Windows system file so that there would be no issues with the file being locked. I then defragmented my drive and removed all restore points (because I read that this was a good idea on this forum). After this I told Eraser to erase a Recycler folder that keeps appearing on my External Hard Drive. Then I performed a free space erase. I then ran Recuva. It found about 3000 files after a Deep Scan. I told it not to ignore any files. Again, all most all of these are the same size and are completely randomly named. Most of these files have an Excellent status and the rest are listed as Unrecoverable. Their names have random letters and symbols and have no discernible pattern and no extension. It did find a few files again like tracking.log and $MFT (no extension) that it says were "Not Deleted". I'm not really worried about these files (from the first response and what I've read I shouldn't be right?) but is this what the results Recuva generates should look like when plausible deniability is on?? Is this setting working correctly? From what I read in another post I thought that if plausible deniability is turned on then Recuva should not even report that a file was deleted.

Joel, or someone with a good knowledge of Eraser, can you please help clear this up for me??
 
Conan1 said:
I used Eraser to erase a Seagate external hard drive. I deleted a few of the files by specifically picking them and erasing them and deleted some the normal way. I then moved the files I wanted off the drive and performed a 3 pass free space erase.
Okay, that's a valid way of using Eraser.

Conan1 said:
Just for grins I turned plausible deniability on. Not sure I used this right however...I only picked one file (C:\WINDOWS\system\TIMER.DRV). Anyways, I then used Recuva to see what it found.
Okay. Plausible Deniability only works when you actually erase something. When erasures are done and its off, it will not be applied when you turn it on. For it to work, you have to turn it on and erase something.

Conan1 said:
It found some files that it says were not deleted such as $Boot, $LogFile, and $MFT. The only path for these is E:\. Other files that it says were not deleted were $Quota and $Reparse in E:\$Extend\. It also says change.log and MountPointManagerRemoteDatabase were not deleted and these are located in E:\System Volume Information\. Do you think I need to worry about these files?
I assume these are files reported by Recuva. Those are created by Windows and should not contain anything private.

Conan1 said:
It also found thousands of randomly named files with no extension. They are also located in the same randomly named folder and are the same size. They were last modified at the same time. Their state is excellent but from what I've read this makes sense and these files are securely deleted and unrecoverable. Is this right? There are also tons of other randomly named files that are listed as in poor condition or unrecoverable.
Yes, those are the files Eraser erased your unused space with.

Conan1 said:
It also found two desktop.ini files in Recycler. Anything to worry about?
Shouldn't be.

Conan1 said:
One last question. Since I turned on plausible deniability shouldn't Recuva not even show that these files were erased? Or am I not understanding this process correctly? Sorry for the long post. Just want to make sure I understand what I'm doing. Any help would be appreciated
Plausible deniability only works when you erase something. You have to turn it on then erase.

It also only allows you to make things plausibly deniable in that "hey those files were deleted and not erased", not that "Eraser was never used." If what you want is the latter... you'll have to ditch Windows. with MUIs and such you'll have traces of the programs you've run before all over your registry and disk.
 
phkhgh said:
Did you del and / or erase all files you were interested in, then erase free space (on E:)?
That's the standard method for erasing system drives. 6.2 has a new feature to wipe the entire disk... but that's for 6.2

phkhgh said:
Maybe nothing to do w/ the "recovered" files, but I would choose another file for plausible deniability besides a Windows system file, as they're often locked. Not sure, but Eraser might have problems using a locked system file.
There shouldn't be a problem. But The reason why files can be picked is because v5 always used system files, which is out of place on a non-system drive. You can use any file you want really, so long no program has locked the file and prevent others from reading it. Running programs allow you to read the exe.

phkhgh said:
It also found thousands of randomly named files with no extension.
Did it give any name or part of name for them. Can you open any (like w/ a utility such as Filealyzer http://www.safer-networking.org/en/filealyzer/index.html If thousands & all same size,could be the file used for plausible deniability.
I'm quite sure these are the files generated by the unused space erasure.

Thanks for answering these phkhgh.
 
Conan1 said:
So I'm still confused. I changed the plausible deniability file to a non-Windows system file so that there would be no issues with the file being locked.
There should be no problem, as I've pointed out earlier. If there were, the task will report that there were errors.

Conan1 said:
I then defragmented my drive and removed all restore points (because I read that this was a good idea on this forum). After this I told Eraser to erase a Recycler folder that keeps appearing on my External Hard Drive. Then I performed a free space erase. I then ran Recuva. It found about 3000 files after a Deep Scan. I told it not to ignore any files. Again, all most all of these are the same size and are completely randomly named. Most of these files have an Excellent status and the rest are listed as Unrecoverable. Their names have random letters and symbols and have no discernible pattern and no extension.
Free space erase residue, most likely.

Conan1 said:
It did find a few files again like tracking.log and $MFT (no extension) that it says were "Not Deleted". I'm not really worried about these files (from the first response and what I've read I shouldn't be right?)
That's expected and normal.

Conan1 said:
But is this what the results Recuva generates should look like when plausible deniability is on?? Is this setting working correctly? From what I read in another post I thought that if plausible deniability is turned on then Recuva should not even report that a file was deleted.
I think you're misunderstanding the Plausible deniability feature. It does not mask any erasure or deletion. It just merely covers what you erased.
 
Great I think I understand everything now. Thanks for all of your help! I really appreciate it.
 
Back
Top