Augeas
-
Posts
4,542 -
Joined
Posts posted by Augeas
-
-
The referred article also says that 'On modern, high-capacity drives, multiple overwrites are no more effective than a single overwrite' and that 'The single overwrite ATA-SE method ....... has replaced the old DoD 5220.22-M standard'.
I don't seem to be getting my point over very well. None of the Gutmann passes are relevant, as the disk data coding methods they are trying to obliterate haven't been used for 15 years. Of course any one Gutmann pass is as effective in overwriting data as any other pass, but because it's overwriting, not because of what it's overwriting with. There's no difference between overwriting with a passage from the Book of Revelations or a selection of juicy swear-words.
The reason why Gutmann created his muliple passes is because with the old coding methods you could predict what the bit pattern written to the disk would be, and overwrite accordingly. You can't predict the bit pattern using current PRML/EPMRL coding.
The rather complex description of the way data is encoded on disk was to show how difficult it would be to decode the raw signals of even non-overwritten data. The reason the disk controller does this is solely to ensure that data can be read from the disk with an error rate of around one bit in 1,000,000,000,000,000 (I couldn't type 10 to the power of 15). It has nothing to do with data security.
Of course you can't scramble the RLL or any other coding sequence, that's how the data is coded to be physically represented on the disk.
I find your suggestions for secure deletion rather fantastic. I mean in the realm of fantasy, not super duper. Just run one overwrite and be sure that nobody can ever read that data again. The stuff you're trying to secure may well be found elsewhere on the disk, but that's another topic I don't want to get involved with.
-
None of the Gutmann passes are relevant today, and haven't been for the past 15 years or so (well, perhaps one of the first and last four, which are random passes). The authority - the written docuumantation - for this is Pete Gutmann himself, as has already been mentioned in this thread - "A good scrubbing with random data will do about as well as can be expected"
The Gutmann method is irrelevant, as it attempts to eliminate the possible use of threshold detection to identify a value (where the strength of a signal retrieved is above or below a threshold), whereas all current disks use PRML coding, which relies on a detection of data sequences to establish a signal.
The process of writing and subsequent reading/decoding data on a hard drive is phenomenally complicated. No user data is ever stored on a disk, or ever has been. It is coded and expanded many times before being written, and subsequently needs the exact reverse process to be decoded. If I published a track's worth of data as it is stored on a disk, in zeroes and ones, deleted or otherwise, then few if any would be able to translate it into data.
To read data off a disk you, or mercifully the disk controller, would have to detect and process the waveform into a digital signal (a very complex filtering and sampling process), strip off the parity bits, detect the sector sync mark, decode the RLL sequence, descramble the data, correct any errors using the ECC algorithm, and unwrap the CRC code. And possibly quite a lot more. To do this you would need to be in possession beforehand of many parameters such as the RLL type, the pseudo-random scrambler sequence, and the type of correction codes used. You would need to know what disk make and model and what coding the manufacturer used. So it's no small task. And with Hyper-tuning, where some of these parameters are optimised iteratively when the disk is burned-in at the factory, you would never know what they are.
So, one pass of random data will do. Using CC's one pass of zeroes is just as good, as it's scrambled on the disk anyway. So why does CC offer Gutmann (and other methods of overwriting)? I con only guess, as mentioned, that it's for marketing. It's certainly a waste of time and effort.
-
You are able to recover to the same drive, you are at risk of overwriting data waiting to be recovered, and with that amount of data the risk is just about 100%, which makes it a certainty. You need to borrow or beg another drive and recover to that.
-
Unfortunately not, you will still get the deleted files as well. The only thing I can suggest is that you run with this option, and when the file count is greater than (your estimate of) the number of non-deleted files cancel the scan. The files so far found will be displayed. You'll probably have to have a few goes to get the right list, but it is a fast scan.
-
I don't get the incomplete message when I cancel stage 2, and I always cancel it.
What does Recuva do if you run it on some other drive, your system drive for instance?
-
Pic 3 shows 'Incomplete Results' at the bottom of the panel. I have never seen this before, and I've no idea what it indicates, but it's probably a clue to what's happening.
-
Yep, I have the main Piriform page back now. Maybe maintenance.
-
In the forum, when you click on the large Piriform logo you are directed back to the forum. Shouldn't this go to www.piriform.com?
I don't know if this is some temp problem, but I can't open www.piriform.com, I get 'An application error occurred on the server.'
-
Juds, if you told us a little more here without opening two topics then maybe we could help. You appear to have unticked all the options for file cleanup.
What options have you selected in CC, if any? What does Analyse say?
-
I ran with every option selected.
It would help if you could run Analyse before running wfs, so you could see how much data is to be removed. CC will delete data on your sys drive but not your other (d) drives.
-
I ran the CCleaner with 'Wipe Free Space' checked.
When you run CC you run every option that's selected. Was wfs the only option selected, or did you have any others?
-
I can't really think of much else. You could try to cancel stage 2, which I always do as a matter of course.
-
Is there anything in the Filename or Path box (top r/h)? If so clear the box. Have you run a wipe MFT with Cleaner or other software? If so the entries in the MFT may be zero bytes in length, which Recuva will not show by default. Deselect this in Options/Actions.
-
I think that these messages are shown because there is no default application set when you open the files. In other words if you clicked on one of these files and Windows asked you what you wanted to open it with, and you chose an application but didn't tick the box that says 'Make this the default application' (or something like that).
As Willy says, the entries can be deleted with impunity. Like Arnie, they'll probably be back.
-
That having to wait for mouse-over was infuriating, but now there's no option to get UK results only. Not one I could find anyway. I wish they'd stop meddling with the setup.
All change is bad, especially change for the better.
-
Hi Oaker,
From your description it seems that wfs is indeed running OK on your flash drive. The three instances of your target file are possibly three entries in the FAT from previous operations on that file - copy, edit, etc. The visible thumbnail apparently comes from space the jpg orginally occupied being used by another file - that's what you can see, and wfs will not touch this space.
WFS will overwrite all the free space on your drive. It won't overwrite the file names in the File Allocation Table, and these are apparently what you are seeing. There are applications that will overwrite these names (but not Recuva) by simply filling the disk with zero-byte files with dumb names, and then deleting them. You are still left with the dumb names, however.
I guess you can get rid of most stuff on your disk, by using wfs, wipe MFT (on NTFS) and some other FAT wiper on your flash drive. There's usually something left behind somewhere in Windows' dark corners that a determined and knowledgeable person could find, but I wouldn't worry too much about it. Knowing exactly what goes on between Windows, NTFS and the drive controller is limited to a select few, and I'm not one of them.
-
You can't undo Cleaner's deletions. You could try Recuva. Download it and run it from a flash drive or a different drive/partition to avoid overwriting anything on your main drive. If you can't find the file then a deep scan will probably find an earlier edit copy.
-
First i have used recuva to do a deep scan for images.Run the complete scan as you normally would then recover the files to a folder in another drive to ensure you retrieve all files.
.....
.....
then select the folder that you have all your recovered files in.
Now all you do is hit the mutilate tab and it will do it's work.
I don't know where this completely erroneous idea came from, it is absolutely wrong. I can't think of many things more pointless than recovering deleted files to another drive and then deleting them. Apart from being a waste of severeal hours of your life, it will leave the original deleted files untouched on the disk.
If you want to overwrite deleted files then either use Recuva's secure delete facility, or run a wipe free space utility.
-
Roma, what on earth are you doing? There is absolutely and utterly no point in recovering deleted files and then deleting them. If you want to overwrite already deleted files then use Recuva to do this. Highlight or check the files found by Recuva, right click and select secure delete. That's it.
-
This time it did find 2 copies of the .jpeg, but they were not recoverable and there were no thumbnails.
Do you think that this confirms the last of your theories: "* The file was created almost exactly when you ran CCleaner"?
Not my theory, actually. What's in the file header of these jpgs, zeroes? You haven't answered whether wfs takes a long time to run, whether a large file is created, what the last accessed date is, etc.
With regard to the file names - am I still correct in thinking that if I re-name files before I use CCleaner or Privacy Guardian to bleach/over-write them, the original file names will no longer exist anywhere in the system?I would say no, you're not correct. If I do a deep scan I can find several copies of files I know I have never even thought of deleting. Windows edits, copies etc and defrags (which I don't do) can create copies all over the place. Renaming files, which is what CC secure delete does, just deters a casual observer. And on a flash drive (which I assume we're discussing) file editing always creates a copy.
-
I've just wfs'd a small flash drive and the two pics I copied there were overwritten.
When you run wfs, does it taks some time? If you monitor the e:\ directory whilst it's running, can you see a large file being created (and then deleted)? If so, wfs is probably working OK.
If you look at Recuva File Info for the two pics, are they overwritten by another file? Do they have a last accessed date of the wfs date, and time set to zero?
Look at the header info and scan down the file list. Are the majority of the headers zero bytes? All the above indicates that wfs is working.
There is no MFT on your FAT drive by the way. And assuming that this is a flash drive you can't securely delete a file on a flash drive either. WFS is the only way to go.
Recuva can't overwrite the file names, as it only overwrites MFT info on NTFS drives. You can do this yourself by creating sufficient zero-length files with harmless names on the drive, until the old file names are overwritten, and then deleting them, but it hardly seems worth while as the majority of the file names will be overwritten in normal use eventually.
-
Yes, but only as a 'Do you want to delete all this stuff or not?', not applicable to individual items. You can of course right click on any category to be cleaned and select either Analyse or Clean, and that restricts cleaning to one category at a time.
I don't look, or want to look, at the list of individual files scheduled for cleaning, let alone investigate each one for elegibility for deletion. Even I can find something better to do than that.
-
OK LJ, simple questions first. In CC you went to Options/Settings and ticked the box for your usb drive in the Wipe Free Space section? Did you then go to Cleaner/Windows/Advanced and tick the Wipe Free Space Box?
-
Yes, you could waste hours on the various permutations. I did discover that when you have no Excludes at all and Recent Documents ticked the My Recent Documents folder is deleted in its entirety and recreated. I wonder if this has something to do with the problem of selective excludes? Compounded of course by the possible assumption that nobody would want to do a selective deletion on recent docs?
Fewer sys restore points than before
in Software
Posted
I'm not pointing any fingers at CC, as I run CC infrequently and I have noticed this independently of CC runs.
I seem to have far fewer sys restore points than usual. I'm on XPH SP3, and I don't use CC's sys rest facility. I have the sys restore space set to 2 gb, and I always used to have around 50 or more points available, mqaking each point about 40 mb. Every so often Windows would chop off a dozen or so to give room for new daily points.
Now I have 14 points, and have had for the past few weeks. I know, from using Recuva, that I have just had another clear-out, and I have more deleted files shown in Recuva than usual, over 4k rather than the usual 1.5 to 2.5. It seems as if something is restricting the number of sys restore points that Windows can create, or forcing it to clear out points more frequently. I have only one disk by the way.
Not that I ever use sys restore, I'm just curious why my pc is not doing as it's told. I might stop and start it to see what happens but that would take more than a fortnight to test.