[What am I doing wrong?]

Hello Alan,

 

Many thanks for your very thorough response. I have to admit that you are streets ahead of me in understanding the technology though.

 

I guess I have no reason to think that my system is in any way particularly vulnerable. I use Kaspersky Internet Security which appears to look after me very well.

 

I think my initial curiosity in respect of keeping private data private arose after I deleted some family photos from both my camera card and my PC.

 

I had to buy Photo Recovery to retrieve them from the camera card, (luckily I realised immediately what I had done and didn't overwrite anything).

 

However, I have fairly recently bought a new PC owing to the demise of the hard disk on the old one and couldn't find any licence details with which to download the program again - so I opted for Recuva and was amazed at how data that I thought was gone pretty much forever was still there or was at least recoverable.

 

Coming from the same organisation it then was logical to go for CCleaner, in the knowledge that the two were likely to interface perfectly.

 

I'll sign off now and thank you for your input, which I shall digest at leisure tomorrow.

 

All best wishes to you.

[What am I doing wrong?]

Snap ! !

I too have XP Home Edition, SP3.

 

My Flash drive is also optimised for quick removal.

This "should" make it safe to unplug without jumping through the hoops of "Safely Remove Hardware",

but I never take that risk - I always go for safety.

 

For both of us any write (and I assume delete) actions on the flash drive should delay the application and GUI responses by a few microseconds as the transaction requirements are written to the RAM cache.

When the O.S. has some spare time it will access the cache and spend the much larger time needed to perform the required transactions to update the flash drive.

 

The data in the RAM cache may persist until it is over-written with further transactions - then it is gone.

I would like to think that RAM loses all data upon Power Off,

but I believe my Acer Laptop maintains power from its battery to some parts of the circuitry whilst shut down.

 

I do not know, and a quick Google did not show me, where this RAM cache is located.

The CPU processors have various sizes (and speeds) of cache built in.

Level 1 is for "instant" access to recent instructions that may be repeated in a loop.

Level 2 and 3 are larger and slower for other purposes - I am going into brain fade here ! !

I suspect that a disc transaction cache MIGHT be built into the CPU silicon at some time,

but I do not think we have that yet.

 

I assume my disc drive transaction cache is part of a 1 GB memory upgrade I gave my P.C. 3 birthdays ago,

in which case it may get transferred in and out of Virtual memory = pagefile.sys = Hard disc drive area.

What I refuse to understand is why I still have 787,336 MB Available (unused) physical memory,

and yet "hours" have been wasted moving 388,716 MB into so slow virtual make-believe memory ! !

Additionally forensic investigators examine the hiberfil.sys on the Hard Drive to see what has entered RAM,

though I would have thought a child pornography URL would get over-written by shopping lists etc. the next day.

 

For maximum privacy you may need to purge the pagefile.sys, which I believe is a start-up option,

and you may need to disable hiberfil.sys.

 

CCleaner has no option for dealing with the disc drive transaction cache, nor pagefile.sys nor hiberfil.sys.

 

In practice I never bother to Wipe Free Space, nor shred or wipe deleted files.

 

I have excellent security software,

and nothing evil since my younger son left college 20 years ago and he stopped copying games onto floppy discs.

 

In theory I believe a hacker could penetrate my system and access data that was not deleted,

and he might be able to add a key-logger that could send him my internet banking passwords.

He could also destroy my system - but in 10 minutes I would fully recover via a backup partition image.

 

Any deleted data that was not shredded/wiped could be read and stolen,

but it would need the use of something like Recuva to access them.

It would probably need far more sophisticated tools to interpret any pagefile or hiberfil data.

 

I suspect that the risk of a hacker recovering deleted data is less than the risk that a wife would give a private investigator passwords and physical access to the system if she was looking for a divorce.

 

Regards

Alan

[What am I doing wrong?]

Hello Alan,

 

Thank you too for your response. I "shred" my session documents using Privacy Guardian and the Gutmann method, so they do tend to mostly disappear. Occasionally, for reasons that are beyond me, but that you may be alluding to, Recuva does find the odd one fairly intact and recoverable.

I still have XP Home Edition, SP3 and am not driven by the mostly cosmetic differences in my opinion to move on just yet.

I have located the check box that you refer to and it is indeed optimised for quick removal.

Now here we are at the fringe of my knowledge of this particular area - can I interpret that the particular cache you are referring to is located om my hard disk, whilst the actual files that are being processed are on my USB drive?

Would this mean that I would have to exercise some deletion/overwriting on my hard disk to achieve a more positive removal - and is this cache deletion covered by any of the Advanced check boxes in CCleaner to achieve this?

Sorry if I am displaying my ignorance at this point, but I am keen to acquire this knowledge.

 

Best regards.

[What am I doing wrong?]

Hello again Augeas,

 

Thanks for that. I'm not about to get paranoid about security to the "nth degree" at my time of life (I am a slightly silver surfer), but I see forums loaded with pleas for help from all kinds of folk because they have become infected with this, that or the other and I do wonder just how careless you need to be to get that deep in the brown stuff?

 

I'm not a "geek" by any means, but there was a time, some 20 years ago in my professional life when the manual work that I was doing went computerised and my employer automatically assumed that there was no way that I was going to be able to cope, so he brought in a young and unmotivated young person who knew nothing about the industry but could work an Apple Macintosh computer.

 

I, in a fairly senior position had to hand 22 years of acquired knowledge to this person, who effectively took my job away because they had some computer knowledge and at the time I didn't.

 

From that day on I have made it my business to learn as much as I can and to be as tough a target as possible for anyone else that ever tried to benefit from what I didn't know about computers.

 

I've enjoyed your dialogue that has no doubt added to my knowledge in pursuit of that aim.

 

All best wishes.

[What am I doing wrong?]

Hi Oaker,

 

From your description it seems that wfs is indeed running OK on your flash drive. The three instances of your target file are possibly three entries in the FAT from previous operations on that file - copy, edit, etc. The visible thumbnail apparently comes from space the jpg orginally occupied being used by another file - that's what you can see, and wfs will not touch this space.

 

WFS will overwrite all the free space on your drive. It won't overwrite the file names in the File Allocation Table, and these are apparently what you are seeing. There are applications that will overwrite these names (but not Recuva) by simply filling the disk with zero-byte files with dumb names, and then deleting them. You are still left with the dumb names, however.

 

I guess you can get rid of most stuff on your disk, by using wfs, wipe MFT (on NTFS) and some other FAT wiper on your flash drive. There's usually something left behind somewhere in Windows' dark corners that a determined and knowledgeable person could find, but I wouldn't worry too much about it. Knowing exactly what goes on between Windows, NTFS and the drive controller is limited to a select few, and I'm not one of them.

[What am I doing wrong?]

Hello again Augeas,

 

Some answers for you then . . .

 

The WFS took slightly under 8 minutes to do its work on a 2GB USB drive.

 

Two files were created - one in excess of 19KB, the other more than 2KB.

 

Both appeared to be deleted at the end of the WFS.

 

Recuva found three captioned instances of the target file this time - one was displaying a thumbnail of a different .JPEG and two had no thumbnail displayed at all.

 

The Recuva file info showed that they had been overwritten by other files.

 

The "Last Accessed" date was that of the WFS and the time was indeed zero'd.

 

The Header Info displayed a complete array of zero bytes in each instance.

 

Finally, I would ask again about the deleting original file names before deleting (either using Privacy Guardian or CCleaner) - are you saying that even if I change a file name before deletion/shredding/overwriting, a reference will exist somewhere on my system carrying the original name?

 

Many thanks for your continued response.

[What am I doing wrong?]

Hello again Augeas,

 

I have now conducted a repeat experiment: Again I copied a .jpeg file to my USB drive and deleted the resultant copy file there. This time I waited 5 minutes, after which I dis-connected the USB drive and waited a further 5 minutes before re-attaching it.

 

I then asked CCleaner to wipe all the free space on that drive. After I had done that, I asked Recuva to search the drive for all deleted picture files.

 

This time it did find 2 copies of the .jpeg, but they were not recoverable and there were no thumbnails.

 

Do you think that this confirms the last of your theories: "* The file was created almost exactly when you ran CCleaner"?

 

With regard to the file names - am I still correct in thinking that if I re-name files before I use CCleaner or Privacy Guardian to bleach/over-write them, the original file names will no longer exist anywhere in the system?

 

Best regards.

[What am I doing wrong?]

Thanks for your further contribution Augeas,

 

Some food for thought there.

 

Will do some further investigation and come back to you.

[What am I doing wrong?]

Hi ident,

 

Apologies for the delay in getting back here.

I will try to address your points in the order stated.

The drive on my PC: AMD Athlon II X2 240 Processor, 3.5GB RAM, NVIDIA GeForce 9500GT, MS Windows XP Home SP3, is NTFS formatted. The USB drive I used is FAT.

The particular .JPEG file should not have been over-written as this was one continuous real-time operation.

Same again re the overwriting theory: I copied the file from my PC desktop to the USB "E" drive, established it was there, then deleted it. I then

"wiped" all the free space on that drive and the MFT free space.

After that, I asked Recuva to search the "E" drive for any deleted picture files, whereupon it found the one I had deleted and overwritten (?), showing TWO examples of the relevant thumbnail.

"* The file was created almost exactly when you ran CCleaner." - as I say, this was one continuous operation; not hurried as I was aware that I needed to back-check every step so that I could ultimately repeat the procedure.

Do you have any advice on how to remove actual file names - rename the file before deletion and overwriting perhaps - or is there another way that genuine file names can be removed?

I should say at this point that I have tended to use Privacy Guardian to remove unwanted files, working history and so on, as I find it does the job so much quicker than CCleaner, but I would like to turn the whole job over to CCleaner.

That's about as much as I can add to this scenario at this time.

 

Best regards.

[What am I doing wrong?]

OK LJ, simple questions first. In CC you went to Options/Settings and ticked the box for your usb drive in the Wipe Free Space section? Did you then go to Cleaner/Windows/Advanced and tick the Wipe Free Space Box?

Hi Augeus,

Thank you for your interest - that's two yesses to your questions.

Best regards eljay.

[What am I doing wrong?]

Hi All,

 

As a fairly recent new user, I am still getting to grips with interfacing CCleaner and Recuva and set myself a task to see how competent I was.

The results were pretty grim and I am posting here in order to try and establish what I am doing incorrectly.

As a test piece, I sent a .jpeg image to a USB drive folder, then deleted it and asked CCleaner to overwrite all the free space on that drive.

I then asked Recuva to try and recover any deleted files on that drive.

The .jpeg was still there and in recoverable condition, with two (why?) intact thumbnails on display!

As well as this, I would appreciate hearing of any practice/procedure that would avoid my arrival at overwritten (but really how securely?) files, but the original file names are still there "Bank Statement January 2010" etc.

Should I get a nasty on my PC, however difficult it may be for the bad guys to retrieve my info, I would prefer not to be telling them where to look!

 

Any advice appreciated - best regards Eljay.

[Default Settings?]

Many thanks for your assistance - will take a look.

[Default Settings?]

Hello all,

 

I am a new poster here, so please forgive a rather pathetic first posting.

I have had CCleaner installed (free) for more than a year now and to date have usually only run it to remove unneccessary junk from my PC.

The main privacy software I have used to date is Privacy Guardian and I had faith in it's user-friendly method of hopefully removing all sensitive but unwanted junk from my PC.

However, I recently tried out the "Bleach Free Space on Disk" option in case the areas where I had been cleaning were not the only references on my hard drive and I might therefore be vulnerable still in the event of a Trojan assault.

Whilst most of the files were shredded, fragments remained, as did file names. Maybe I hadn't configured it correctly - who knows?

I was concerned that file names might give an interloper the edge in knowning what data could be worth persuing.

Whilst swatting up on the larger scope of what CCleaner is capable of, I came across a reference to its free space wiping ability and was keen to give it a try.

I quite stupidly un-checked all the boxes in the Windows section except the wipe that I required.

It appeared (at least, without the deep scan facility) to remove both files and their names and I was so impressed that I made my PayPal donation.

I had not made a note of the in-place default settings for the Windows element, thinking that they would be restored upon re-boot.

I'm somewhat embarrassed that this didn't happen and more or less in the same state about admitting that my computer knowledge doesn't extend to checking all the right boxes to re-configure it as it was originally downloaded.

Sorry to be a complete pain, but would anyone like to remind me what they were please?

In return I can only promise to scour this website for as much knowledge about the product as I can aspire to, so that my next posting here might not be so feeble!

 

Thank you in anticipation of your patience for a quite "silver surfer" who ought to know better.

 

Best regards - oaker47.