xp/2k NTFS wiping encrypted files (WINDOWS EFS ENCRYPT)



Something new here and I'm really curious what's going on. Admin, you might want to look into this.

I'm using Win2k with an NTFS partition, and I'm setting up a folder that is encrypted using Windows EFS.

I'm right-clicking the folder, Properties, Advanced and selecting encrypt.

At this point I have no real way of telling if it is encrypted. I'm assuming it is.

When I try to set scheduler to erase these folders they show up in file dialog in red type.

When I do a verify, Eraser does not erase the file. It tries, but verify shows the same data.

When I attempt to erase a large file with more than one pass, Eraser wipes it several times. For example, 3 passes...the top progress bar shows it passing through several 1 to 3 passes back to back before it finally finishes. At this point, since verify shows the same data, I'm not sure it's even erasing the data.

I want to do some more tests with WinHex to see if I can see the actual encrypted files.

What exactly is going on here? Is Eraser not working on these EFS encrypted files?

OK, WinHex is showing the file encrypted.

Eraser does not erase the encrypted file/directories.

AND WinHex doesn't either; however, it does give a message box saying it won't erase encrypted or compressed files. Nice to know that.

Something weird. Deleting the file with shift/delete, and then running an erase free space still didn't touch that EFS directory of the disk! The only way I could get it to erase the files that were once deleted in that directory was to delete the encrypted directory, then erase. (Unencrypt would probably work also.) WinHex did the same thing.

I'm assuming EFS and NTFS are somehow locking those clusters on the drive somehow. I don't know, I'm confused again. Any insight?

guester said:
When I do a verify, Eraser does not erase the file. It tries, but verify shows the same data.

You cannot use the verify.exe program to verify if the program overwrites encrypted or compressed files. Eraser does erase these files by overwriting their clusters directly, because opening the file causes Windows to decrypt/uncompress it on-the-fly. Therefore, verify.exe does not show you the encrypted/compressed clusters, but instead the decrypted/uncompressed contents.
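
Added example, not part of the thread and not code from Eraser or WinHex: a small Python script that answers the "no real way of telling if it is encrypted" question by reading the NTFS attribute bits, and lists every file or folder under a directory whose file-level read goes through on-the-fly decryption or decompression, which is the case where a read-back verify does not show the on-disk clusters. The function names are hypothetical; the two attribute values are the Win32 `FILE_ATTRIBUTE_ENCRYPTED` and `FILE_ATTRIBUTE_COMPRESSED` constants, and `st_file_attributes` is only populated on Windows.

```python
import os
import sys

# Win32 file attribute bits (values from winnt.h).
FILE_ATTRIBUTE_COMPRESSED = 0x0800
FILE_ATTRIBUTE_ENCRYPTED = 0x4000


def transparent_layers(attrs):
    """Name the NTFS features that make a normal read differ from the raw clusters."""
    layers = []
    if attrs & FILE_ATTRIBUTE_ENCRYPTED:
        layers.append("EFS-encrypted")
    if attrs & FILE_ATTRIBUTE_COMPRESSED:
        layers.append("NTFS-compressed")
    return layers


def scan(root):
    """Return (path, layers) for each folder and file under root that has such a layer."""
    flagged = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable entry: skip it rather than abort the scan
            # st_file_attributes exists only on Windows; elsewhere treat as 0.
            layers = transparent_layers(getattr(st, "st_file_attributes", 0))
            if layers:
                flagged.append((path, layers))
    return flagged


if __name__ == "__main__":
    # Usage: python efs_scan.py <directory>
    for path, layers in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {', '.join(layers)} (read-back verify will not show raw clusters)")
```
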