Overwriter
Active Member
A computer hard disk is divided into small areas called clusters. A file can cover several clusters; however, it is unusual that the size of a file turns out to be an exact fit of a cluster size.
A cluster tip is a portion of a disk cluster that has not been fully taken up with the file written to it. Think of it this way: if you wrote a sentence on some paper with a pencil and then wanted to use the exact same line on the paper for a different message, you would normally use an eraser to rub out the sentence and write your new message in its place. Well, Windows kind of does this with hard drives, but crucially Windows doesn’t erase the whole sentence, it only overwrites the sentence with the new message, so if the new message is shorter than the previous one you get a cluster tip. It’s a little more complicated than this, but this is just a simple guide!
Example. (file written on drive cluster).
“This is my secret message, my bank PIN number is 12345678.”
Now the user deletes this file with Windows delete. The MFT record is cleared, so Windows sees this cluster as empty.
Although deleted, the actual physical sector still looks like this.
“This is my secret message, my bank PIN number is 12345678.”
So as far as the Windows user is aware, the message is deleted and gone, but in reality the message is still there; just the record of it and its location have been deleted by Windows.
Now, say Windows writes new data to the very same cluster some time later; the sector would look like this.
“My new word doc ####, my bank PIN number is 12345678.”
The #### are where Windows thinks the file ends in that cluster, but as you can see, a forensic examination clearly shows your previous and private message you thought had been deleted some time ago is still there!
This is why it is important to select “wipe cluster tips” when performing a free space wipe with Eraser.
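The sequence described in the post above, as an added toy simulation that is not part of the original post and is not Eraser's code. `ToyVolume`, the 64-byte cluster size, the file names and the zero-fill wipe are all assumptions made for illustration; the model follows the post's simplified description rather than real NTFS behaviour.

```python
CLUSTER_SIZE = 64  # assumed toy value; real clusters are much larger
SECRET = b"This is my secret message, my bank PIN number is 12345678."


class ToyVolume:
    """Hypothetical model: raw cluster bytes plus a table standing in for the MFT."""

    def __init__(self, clusters=4, cluster_size=CLUSTER_SIZE):
        self.cluster_size = cluster_size
        self.disk = bytearray(clusters * cluster_size)
        self.table = {}  # file name -> (cluster index, file length)

    def write(self, name, data, cluster):
        if len(data) > self.cluster_size:
            raise ValueError("toy model stores one cluster per file")
        start = cluster * self.cluster_size
        # Only len(data) bytes are overwritten; the rest of the cluster is untouched.
        self.disk[start:start + len(data)] = data
        self.table[name] = (cluster, len(data))

    def delete(self, name):
        # Only the record is removed; the bytes on disk stay as they were.
        del self.table[name]

    def cluster_tip(self, name):
        """Bytes between the end of the file and the end of its cluster."""
        cluster, length = self.table[name]
        start = cluster * self.cluster_size
        return bytes(self.disk[start + length:start + self.cluster_size])

    def wipe_cluster_tips(self):
        # Assumed single zero-fill pass over the tip of every live file.
        for cluster, length in self.table.values():
            start = cluster * self.cluster_size
            end = start + self.cluster_size
            self.disk[start + length:end] = bytes(end - start - length)


def demo():
    """Write the secret, delete it, reuse the cluster, then wipe the tip."""
    vol = ToyVolume()
    vol.write("secret.txt", SECRET, cluster=0)
    vol.delete("secret.txt")
    vol.write("new.doc", b"My new word doc", cluster=0)
    before = vol.cluster_tip("new.doc")  # still holds the tail of the old file
    vol.wipe_cluster_tips()
    after = vol.cluster_tip("new.doc")   # all zero bytes
    return before, after


if __name__ == "__main__":
    for label, tip in zip(("before wipe:", "after wipe: "), demo()):
        print(label, tip)
```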