ctechwriter
New Member
I'm writing an article about using Eraser to securely delete files, so I was hoping I could get some clarification when the Recycle Bin comes into play.
My previous understanding was that when you send a file to the Recycle Bin, Windows simply adds a metadata entry in the Recycle Bin to point to the original data block location of the deleted file. But after more research, it appears that the file is actually ~copied~ to the Recycle Bin. So my questions are:
1. Are deleted files actually copied to the Recycle Bin? That is after sending a file to the Recycle Bin, will there be two forensically vulnerable copies of the file, one in the Recycle Bin and one at the original location? Or is the actual data ~only~ at the original location?
2. Assuming there are two copies, does Windows preserve the original data blocks, so no overwriting takes place? Piriform suggests that to be the case, so that when you restore a file, it restores the original blocks.
3. What happens when you wipe the Recycle Bin ~before~ you empty it? Is the original file index, the Recycle Bin index and both copies of the data (if two exist) wiped?
4. What happens when you wipe the Recycle Bin ~after~ emptying it? Is anything from the previously emptied file wiped? I'm assuming at that point, you'd need to wipe free space to securely delete the file.
5. If two copies exist and you ~restore~ a file, do you need to wipe the free space to remove the Recycle Bin's copy?
6. Not so much related to the Recycle Bin, but I've always assumed the DoD 3-pass erasure method to be quite sufficient. Is there every really a need for Gutmann or even a 7-pass method? I'm mainly talking about protection from [possibly high-tech] thieves that might aquire a computer, not Snowden level stuff.
Thanks in advance for any insight you can offer.
My previous understanding was that when you send a file to the Recycle Bin, Windows simply adds a metadata entry in the Recycle Bin to point to the original data block location of the deleted file. But after more research, it appears that the file is actually ~copied~ to the Recycle Bin. So my questions are:
1. Are deleted files actually copied to the Recycle Bin? That is after sending a file to the Recycle Bin, will there be two forensically vulnerable copies of the file, one in the Recycle Bin and one at the original location? Or is the actual data ~only~ at the original location?
2. Assuming there are two copies, does Windows preserve the original data blocks, so no overwriting takes place? Piriform suggests that to be the case, so that when you restore a file, it restores the original blocks.
3. What happens when you wipe the Recycle Bin ~before~ you empty it? Is the original file index, the Recycle Bin index and both copies of the data (if two exist) wiped?
4. What happens when you wipe the Recycle Bin ~after~ emptying it? Is anything from the previously emptied file wiped? I'm assuming at that point, you'd need to wipe free space to securely delete the file.
5. If two copies exist and you ~restore~ a file, do you need to wipe the free space to remove the Recycle Bin's copy?
6. Not so much related to the Recycle Bin, but I've always assumed the DoD 3-pass erasure method to be quite sufficient. Is there every really a need for Gutmann or even a 7-pass method? I'm mainly talking about protection from [possibly high-tech] thieves that might aquire a computer, not Snowden level stuff.
Thanks in advance for any insight you can offer.