why does Recuva find files that CCleaner removed?

[Tarq57]

OK, tried it out, just downloaded something (a jpg) to "D:\Incomplete, ran the latest version of CCleaner, 7pass deletion, one of the files was fully recoverable. Another was listed as ZZZZ.ZZ, and not able to be read. That's the limit of the test so far.

Is there a setting in the program that could be affecting its performance?

How many others have experienced this?

And I wonder how many unknowing users would find this occurring if they tested for it.

[davey]

OK, tried it out, just downloaded something (a jpg) to "D:\Incomplete, ran the latest version of CCleaner, 7pass deletion, one of the files was fully recoverable. Another was listed as ZZZZ.ZZ, and not able to be read. That's the limit of the test so far.

Is there a setting in the program that could be affecting its performance?

How many others have experienced this?

And I wonder how many unknowing users would find this occurring if they tested for it.

Hey Tarq57,

Thanks for testing so soon.

How many files were in that folder? Two?

The first in the directory unrecoverable and the last recoverable or vice-versa?

davey

[Tarq57]

There were two zero-byte files and a .dat file, which I didn't try to restore, a preview of a jpg, which was restorable, and the full version (complete) of same, which was the ZZZ file, and didn't display anything when restored and then opened.

[Augeas]

There were two zero-byte files and a .dat file, which I didn't try to restore, a preview of a jpg, which was restorable, and the full version (complete) of same, which was the ZZZ file, and didn't display anything when restored and then opened.

I'm confused. How many files were there in the d:\incomplete folder? One? Where do the other deleted files come from? If these files weren't in the incomplete folder then they wouldn't be overwritten, would they? Did CC successfully overwrite your jpg in the incomplete folder and the other files you have found were deleted by other means?

[Tarq57]

I'm confused. How many files were there in the d:\incomplete folder? One? Where do the other deleted files come from? If these files weren't in the incomplete folder then they wouldn't be overwritten, would they? Did CC successfully overwrite your jpg in the incomplete folder and the other files you have found were deleted by other means?

Sorry if not clear.

There were five files originally in the folder. A .DAT file, two entries for files selected that Limewire failed to connect to and thus download, a preview (or part downloaded) file, and the final fully downloaded version of same. (I had just selected a random word in the search terms, and selected 3 downloads at random, as a test.)

Only the last two were selected to be restored. The preview, or part file (.jpg) was fully restored, the full one was "restored" as a non-viewable ZZZZ.ZZZ file.

No other delete/erase method was used. The files were selected to be deleted (x7) by CCleaner only, and immediately following that (and CCleaner indicating in its report that the files had been deleted) Restoration was run, for the drive the folder is in.

This is a preliminary test only, so not exhaustive at all, but indicative enough for me.

[Augeas]

Thanks for that. I'm happy that CC has securely deleted the large jpg. I'll have a think about the others, being in the MFT, not being renamed, etc. (rather busy at the mo). Rgds.

[Augeas]

Hi,

 

Back from the pub. Right. Tarq, you mention that the large file renamed ZZZ could be restored but not read, exactly as should be expected. You're happy with this, I assume?

 

The other four files: I think we can discount the two zero-byte files, as they can neither be erased nor recovered. So that leaves the jpg preview and the index.dat file. If you have Recuva installed (as all good CC users should) then can you:

 

a) Look at the info section on these deleted files. Does it say that they have been overwritten? I would not expect this to be so as they are freshly deleted files, but it's good to check. In any event they wouldn't have been overwritten when you ran CC.

 

(b with ) shows as a smiley) You can look at the header info but I don't think this will show anything of value at this point.

 

c) Try the secure delete option (single overwrite) on these deleted files. If there is an error message saying that they can't be deleted as they are in the MFT then that explains why CC can't touch them. MFT entries are 2k so small files (after allowing for MFT info such as name, date, etc) can be stored in the MFT itself, and are thus untouchable. If they can be deleted then the header section will show zeroes and the preview for the jpg will disappear. Personally I don't think that either of your files will be small enough to fit in the MFT.

 

d) Report back. Rgds.

[Tarq57]

Hi, Augeas.

(Very pleased to see that your priorities are similar to mine. Always pub first.)

 

I don't have Recuva installed. Tried installing it 3 or 4 months ago, would not start at all, 'twas related to a known bug, according to the forum post I can't find at the mo, sorry.

I use "Restoration" by Brian Kato. That's the program that has found the files mentioned. Also use "Eraser". (But wasn't in the test described.)

 

I'll have to run some kind of test again, the contents of that folder have been repeatedly used or overwritten since the test.

Have just downloaded the latest version of Recuva, assuming it works I'll try it all out as you suggest, get back, probably in a day, maybe 2.

 

Is there a way of viewing the contents of the MFT? (and editing same)?

[Augeas]

Is there a way of viewing the contents of the MFT? (and editing same)?

I'm sure there is, but not with anything that I have installed. This looks interesting...

 

http://www.cnwrecovery.com/

[Tarq57]

Update.

Installed (successfully) latest Recuva version. Played a round with it a bit (as you do) to work out what it does (or not), seems quite an effective application. Very nice. (Congrats.)

So. Testing CCleaner, same method as earlier. Downloaded a few files to D:\Incomplete, using p2p. Some jpg/jpeg's, a mpg, a couple of mp3's.

(with the p2p program, comes the opportunity to "preview" part downloaded files, I guess so you can check you're getting what you expect to. Previewed files are created in the same folder, and are, as suggested, incomplete versions of the full download. So for example, you'll get half a picture, or 1/4, or the first few seconds of video, or song etc.)

Closed the p2p. Ran CCleaner. (7 pass.) Ran Recuva. All the previews of the files were able to be recovered, in excellent condition. All the others were ZZZZZ.ZZZ etc, recoverable but (apparently) not viewable.

So that's where we're at.

Haven't tested CCleaner with other files at all, such as temp. internet files etc, but the above test is proof to me that in some circumstances, Cceaner does not properly erase files.

Hope that helps.

[davey]

Hi Tarq57,

Thanks again for taking the time to do testing.

As regards these "preview" files how many end up in the MFT?

All of them and they are recoverable?Viewable?

Some of them and the others not in the MFT are unrecoverable?Viewable?

davey

[Tarq57]

1) I don't know how many of them "end up" in the MFT. I assume all of them have some kind of reference within the MFT, at least until that is overwritten in the normal course of events.

Selecting "secure delete all" (from a partition, not just the incomplete folder) results in a few entries unable to be deleted, because the MFT is where they were.

2) All the preview files tested were recoverable and viewable. Anything with a ZZ in the name (ie: without a file extension indicated, or an extension that reads ZZZ) are sometimes recoverable, but I haven't been able to view them in any of the applications selected (Windows picture and fax viewer, WMP, Media Player Classic, Notepad.)

 

How do I find out "how many end up in the MFT"?

[davey]

How do I find out "how many end up in the MFT"?

Only way I know of is to attempt "secure delete" in Recuva.It will come back saying it couldn't because it is in the MFT.

Augeas may have another method.

[Augeas]

I think you flatter my skills, Davey! I have noticed, by looking at deleted files with Recuva, that those secureley deleted by CC which are in the MFT are overwritten with zeroes (I only do one overwrite). However if you select secure delete on these files with Recuva it will fail, as the file is in the MFT. That leads me to conclude that CC does something simple such as overwrite the file to be deleted with zeroes, rename it, and then delete it. That's given away a few secrets. Recuva, on the other had, possibly can't do the same trick, as it would have to manipulate the MFT directly instead of using operating system (Windows) read/write/delete commands. Overall, I'm rather glad Recuva doesn't try to tweak the MFT.

 

A day or so ago I had to securely delete some 50 gb of old data, a large amount for me, a load of old backups I was consolidating. When this was done I checked with Recuva and found about four files which hadn't been renamed or overwritten. I securely deleted them (except for one which was in the MFT!) and eventually these files were overwritten by new files. I wonder if some files are in some way unavailable to CC when it runs? Either locked, or in the swap file, or yet to be committed to disk? I don't know, just speculating.

 

It all keeps the brain active, what few cells are left.