Posts posted by pkeith89

  1. Given infinite time, resources and money any data on a working disc drive can be recovered. The only way to reliably remove data from the slightest possibility of recovery is to physically destroy the drive (drill presses, drowning in salt water and shooting with a rifle are all popular ways of doing this).

     

    Out of curiosity, how is this possible? If a file is overwritten with random digits, then overwritten again with different random digits, then overwritten again, how is it possible for any piece of software to accurately restore a file? Even if it was somehow able to restore one full overwrite maybe by being able to recognize how a file was overwritten, how would it be able to do this for multiple overwrites?

     

     

     

    Just say 'I', it's less confusing than this person or that person, and one pass overwrite will stop a little more of your life slipping away pointlessly.

     

    (A lot of this is generalising, and applies to NTFS only.) All file names, cluster addresses, file sizes etc are held in records in the Master File Table. The records can be reused, but not deleted, so the MFT does not shrink in size. When Recuva does a normal scan it will list the file names from the MFT. When Recuva does a deep scan it runs a normal scan first before looking at the unallocated data clusters.
     
    A deep scan looks at each cluster and recognises - or not - a file signature. That's how it knows that the cluster is the start of a valid file. However a deep scan can only extract clusters sequentially, there is no file signature in subsequent file extents so they can't be patched together. A deep scan will not usually return any file name or directory info from these clusters, as that info is held in the MFT and there is no link back from cluster to MFT.
     
    The ignored file count consists of undeleted files, zero length files, system files etc. Check the top four boxes in Options/Actions to see all these files.
     
    If you run a wipe free space from CC Options/Settings then the records in the MFT will not be cleared, and file names will still be seen in Recuva even though the data is rubbish. If you select Wipe MFT then the file names of the deleted records in the MFT will be filled with rubbish (ZZZ's). If you use Drive Wiper you will get a free wipe MFT thrown in.
     
    The act of wiping free space (there is no wiping, or erasing, or cleaning, or deleting, or cleansing, or whatever, all you can do to a storage device is write to it and read from it) is actually filling up all the unallocated clusters by creating large zero-content files and then deleting them. In other words the Windows file system – NTFS – allocates and deletes the files.
     
    The act of wiping the MFT is similar, but a number of small (712 byte) files sufficient to fill all the deleted records in the MFT are created and deleted. You will still have the same number of deleted files but they will be rubbish, and the cluster addresses in the MFT records will no longer point to the old deleted file’s data.
     
    On the rare times I have tested wfs on small test volumes – I can’t be bothered to run it on my main drives – I have seen 100% overwrites of unallocated space. If some data can be seen after a wfs it is because a wipe MFT has not been done (or Drive Wiper not used) and the clusters of a deleted record, as addressed in the MFT entry, have been used by a newer live record, so that both the deleted and new file cluster addresses point to the same cluster. Looking at the deleted file with Recuva will show the live data. The clusters of the deleted file cannot be overwritten as that would overwrite the live file.

     

     

    Sorry, I will use 'I' from now on, although I was asking for a friend.

     

    I wasn't able to follow this with 100% understanding, but if I understand it generally, are you suggesting that perhaps the MFT wipes are not really wipes?

     

    Thank you for the info, guys

  2. I know there are a few topics that are similar to this, but after searching for a bit, I haven't found one that answers my range of questions, so I figured I would post one asking about this:

     

    Suppose someone has a computer they are cleaning.

     

    Then suppose that that person comes across 'suggestible images' on their computer that they don't want anyone to ever know about (don't worry, nothing that could get one locked up away somewhere - just pictures that they want removed from the face of the earth).

     

    So that person then uses deep scanning with Recuva and overwrites them with 7+ passes, and there are no errors in this process. The person then decides to do another deep scan to see how much was actually removed. The same # of files found come up, this time with many more ignored, which they assume to be the overwritten files or files of 0 size (so they don't matter anyway as far as recoverable). Some of the images that are found using the deep scan are (after the person goes to the info section) denoted 'unrecoverable', and yet the thumbnail of the image is completely intact. A large number of these thumbnails are the images they don't want to be seen.

     

    The person then overwrites everything found again, uses CCleaner with free space wiping enabled, and basically every 'deep clean' option available, all with more than a single overwrite each time. This person does this process several times in a row over a period of several days (usually letting it run overnight - never both at the same time). They then run Recuva again with deep scan selected and the same thing happens. It appears to this person as though these images will not die. What do they have to do to kill them?

     

    My thought about this situation has been that they are somehow stored in some kind of temp file in Recuva (if it sounds like I don't know what I'm talking about it's because I don't - I have a moderate understanding about computers in general but not enough to be called skilled). As a result, even if they are overwritten, Recuva will be able to display what they look like. Is this accurate to assume? Suppose the person uninstalls then reinstalls Recuva. Would the thumbnails be gone?

     

    What would you suggest this person do? They have already ordered a new hard drive but would still like peace of mind that the pictures can somehow go away.

     

    Thanks
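
A toy model of the behaviour described in the explanation quoted in the first post (normal scan listing names from MFT records, deep scan matching a file signature at the start of unallocated clusters, wipe free space, wipe MFT). It is an added example, not part of either post and not Recuva or CCleaner code; `ToyVolume`, the 16-byte cluster size and the sample file are constructed assumptions, not real NTFS structures.

```python
CLUSTER = 16                  # toy cluster size in bytes (assumption; real volumes use e.g. 4096)
JPEG_SIG = b"\xff\xd8\xff"    # JPEG start-of-image bytes, used as the file signature

class ToyVolume:
    """Simplified stand-in for an NTFS volume: a cluster array plus MFT-like records."""
    def __init__(self, n_clusters):
        self.n = n_clusters
        self.data = bytearray(n_clusters * CLUSTER)
        self.mft = []         # each record: name, cluster list, deleted flag

    def free_clusters(self):              # clusters not owned by any live record
        live = {c for r in self.mft if not r["deleted"] for c in r["clusters"]}
        return [c for c in range(self.n) if c not in live]

    def write_file(self, name, content, clusters):
        for i, c in enumerate(clusters):
            chunk = content[i * CLUSTER:(i + 1) * CLUSTER].ljust(CLUSTER, b"\0")
            self.data[c * CLUSTER:(c + 1) * CLUSTER] = chunk
        self.mft.append({"name": name, "clusters": list(clusters), "deleted": False})

    def delete(self, name):               # record is only flagged; data stays put
        for r in self.mft:
            r["deleted"] = r["deleted"] or r["name"] == name

    def normal_scan(self):                # names come from deleted MFT records
        return [r["name"] for r in self.mft if r["deleted"]]

    def deep_scan(self):                  # signature check at each unallocated cluster
        return [c for c in self.free_clusters()
                if self.data[c * CLUSTER:c * CLUSTER + 3] == JPEG_SIG]

    def wipe_free_space(self):            # stands in for the fill-then-delete files
        for c in self.free_clusters():
            self.data[c * CLUSTER:(c + 1) * CLUSTER] = bytes(CLUSTER)

    def wipe_mft(self):                   # deleted records refilled with rubbish
        for r in self.mft:
            if r["deleted"]:
                r["name"], r["clusters"] = "ZZZ", []

def demo():
    v, stages = ToyVolume(8), []
    v.write_file("photo.jpg", JPEG_SIG + b"A" * 20, [2, 5])   # constructed file, two extents
    for step in (lambda: v.delete("photo.jpg"), v.wipe_free_space, v.wipe_mft):
        step()
        stages.append((v.normal_scan(), v.deep_scan()))       # (names seen, signature hits)
    return stages
```

`demo()` returns the scan results after delete, after wipe free space, and after wipe MFT: the deep scan only ever hits cluster 2 (the second extent in cluster 5 carries no signature), and the name survives the free-space wipe until the MFT record itself is refilled.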
