
Beware of 'Wipe Free Space'


AssChin79


Last night I executed a 'Wipe Free Space Drives' task using the 3-pass (US DOD 5220.22-M) option against an extra SATA disk (D:\). Once it was completed I loaded my forensics investigation project using EnCase. I created a snapshot of the ambient slack prior to the wipe and another following the wipe. The diff revealed that while 1/3 of the actual deleted data was un-reconstructable in full, all the deleted file names were visible and 3/4 of 'wiped' deleted files were fully recoverable and viewable within the EnCase gallery.

 

Just to be certain, I tried another test disk and following the same procedures I received the same results.

 

I then executed another slack wiping utility (Eraser) against the first disk and interrogated the disk in EnCase and that program properly Zero'd out all the deleted files (including their original file names) and left the workstation in the proper, secure state.


Hi, AssChin79, welcome. :D The developers read these threads pretty thoroughly, and will be interested to see your comments. EnCase is pretty heavy duty stuff, a bit beyond my means.

The CCleaner SLIM version is always released a bit after any new version; when it is it will be HERE :-)

Pssssst: ... It isn't really a cloud. It's a bunch of big, giant servers.


  • Moderators

Well, CC isn't, and has never claimed to be, a forensic cleaner. It's a widely used, easy to use, general purpose utility that clears temp and unneeded files from mainly home PCs. It has some data overwrite function that was possibly added in response to user demand. I wouldn't expect it to stand up against specialist data overwriters.

 

Wipe Free Space uses one pass of zeroes, and (as far as I know, I haven't ever used it) doesn't touch the MFT, so all old file names will remain. I believe CC just uses the 'Fill the disk with large files then delete them' philosophy. It puts off casual probers.

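The point made in the post above, that a free-space wipe leaves the MFT alone so old file names remain, can be checked against a raw copy of the $MFT. This is an added Python example, not part of the thread or of any tool named in it; `deleted_names`, `build_record` and the sample file names are constructed for illustration, and update-sequence fixups are ignored.

```python
import struct

RECORD_SIZE = 1024        # common NTFS file-record size (assumed for this sample)
ATTR_FILE_NAME = 0x30     # $FILE_NAME attribute type
ATTR_END = 0xFFFFFFFF     # end-of-attributes marker
FLAG_IN_USE = 0x0001      # cleared when the file is deleted


def deleted_names(mft: bytes, record_size: int = RECORD_SIZE):
    """Return [(record_index, name)] for records whose in-use flag is clear.

    Simplification: update-sequence fixups are not applied, so a name that
    straddles the last two bytes of a 512-byte sector would decode wrongly.
    """
    found = []
    for idx in range(len(mft) // record_size):
        rec = mft[idx * record_size:(idx + 1) * record_size]
        if rec[:4] != b"FILE":
            continue                          # zeroed or never-used slot
        attr_off, flags = struct.unpack_from("<HH", rec, 0x14)
        if flags & FLAG_IN_USE:
            continue                          # live file
        while attr_off + 24 <= len(rec):
            a_type, a_len = struct.unpack_from("<II", rec, attr_off)
            if a_type == ATTR_END or a_len < 24 or attr_off + a_len > len(rec):
                break
            if a_type == ATTR_FILE_NAME and rec[attr_off + 8] == 0:  # resident
                c_len, c_off = struct.unpack_from("<IH", rec, attr_off + 0x10)
                body = rec[attr_off + c_off:attr_off + c_off + c_len]
                if len(body) >= 0x42:
                    n_chars = body[0x40]      # name length in UTF-16 units
                    raw = body[0x42:0x42 + 2 * n_chars]
                    found.append((idx, raw.decode("utf-16-le", "replace")))
            attr_off += a_len
    return found


def build_record(name: str, in_use: bool) -> bytes:
    """Constructed test data: a minimal file record with one $FILE_NAME."""
    raw = name.encode("utf-16-le")
    # Parent reference, timestamps, sizes and flags (0x40 bytes) left zeroed.
    body = bytes(0x40) + bytes([len(raw) // 2, 1]) + raw
    padded = body + bytes(-len(body) % 8)
    attr = struct.pack("<IIBBHHHIHBB", ATTR_FILE_NAME, 0x18 + len(padded),
                       0, 0, 0, 0, 0, len(body), 0x18, 0, 0) + padded
    hdr = bytearray(0x38)
    hdr[0:4] = b"FILE"
    struct.pack_into("<HH", hdr, 0x14, 0x38, FLAG_IN_USE if in_use else 0)
    rec = bytes(hdr) + attr + struct.pack("<I", ATTR_END)
    return rec.ljust(RECORD_SIZE, b"\0")


# Constructed sample: one live file, one deleted file, one empty slot.
# Overwriting free clusters never touches these records, which is why
# the deleted name is still readable afterwards.
SAMPLE_MFT = (build_record("notes.txt", True)
              + build_record("bank-statement-2009.pdf", False)
              + bytes(RECORD_SIZE))

if __name__ == "__main__":
    for index, name in deleted_names(SAMPLE_MFT):
        print(f"record {index}: deleted entry still names {name!r}")
```

An empty result from a scan like this after a wipe is what the "file names gone" outcome described for Eraser would look like; a non-empty one matches what the original poster saw.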

Interesting points. I've used Eraser for years. Wiping is all that it does and it does it very well. I can't comment on the accuracy of the OP's findings, but if any product offers 'secure deletion' as ccleaner does, then it should do what it claims to do.

 

I'm betting (it's not mentioned explicitly) that when the OP ran Eraser (and EnCase [a leading commercial forensic investigative tool] found the drive wiped clean) it was also done with just a 3-pass. I would call that to all intents and purposes 'forensically clean'. Even with electromagnetic scanning tools what might be recovered is still moot.

 

So when something like ccleaner offers a 35-pass Gutmann (or as Augeas said t'other day "My post count would be halved if Gutmann had kept his mouth shut.") then I would certainly not expect to be able to retrieve the file content!

 

If the OP is correct, why not get ccleaner to wipe 3 times properly, rather than 35 times 'not very well'? Probably wouldn't help the sales pitch ... the casual user would say "huh, this only does a 3 pass erase" :blink:

 

I would like to see the devs' comments too. I would expect a 3-pass (or logically, a one-pass, but I'm the nervy type) to leave file content unrecoverable by any software. Also interesting that the other product does (apparently) erase file names on a free-space wipe - wonder why ccleaner (apparently) doesn't?

 

Edited to add: Augeas I've just read here that you think 'wipe free space' doesn't perform multiple passes. I can't find that in the documentation - have you a reference to that please?


  • Moderators

I think that one of the devs posted that shortly after the wipe free space option came out (on Feb 27 09) but I can't find the reference now. In any event the wipe speed indicates that it's one pass. If anyone tried to Gutmannise wipe free space then they'd still be waiting for it to complete. That's terabytes of writing.


  • Moderators
If anyone tried to Gutmannise wipe free space then they'd still be waiting for it to complete. That's terabytes of writing.

That would be too slow, and verging on the point if something needed wiped that much and for paranoia's sake it would be more time friendly to just remove the hdd and incinerate it.


If anyone tried to Gutmannise wipe free space then they'd still be waiting for it to complete. That's terabytes of writing.

Absolutely ... and a useless exercise :) As per my first post, IMHO Gutmann is a pointless overkill in any scenario.

 

But I wasn't thinking about Gutmann - I just wondered if the OP was expecting three passes and actually got just one.


Question to AssChin79 or anyone else with knowledge...

 

I'm currently on the hunt for a secure, stable disk wiper and file shredder. I keep reading a lot of recommendations pointing to Eraser but last night I read a disclaimer from one of these people. His recommendation was to NOT use any Eraser version beyond version 5.7.

Quote:

-"the last version whose core was developed by the original author, Sami Tolvanen"

 

Any comment on this?

 

I have my doubts though to Wipe Erased, Unused space on a Disk within a running Windows platform.... especially on the Operating Disk.

 

Any comments on this?

 

Any alternative suggestions that boot under DOS? KillDisk?

 

Anyone?

 

/Steff


... His recommendation was to NOT use any Eraser version beyond version 5.7.

Quote:

-"the last version whose core was developed by the original author, Sami Tolvanen"

@ Steff: What was his justification for that statement?

 

@ AssChin: What version of Eraser were you using (quite successfully, by the sound of it)?

 

I have my doubts though to Wipe Erased, Unused space on a Disk within a running Windows platform.... especially on the Operating Disk.

 

Any comments on this?

Just a comment on free space wiping in general. IMHO habitually wiping free-space is a time-consuming and unnecessary exercise. If you create a lot of material that you subsequently don't want to leave visible or recoverable then it's better (and easier) to securely delete these files as you go along.

 

I tend to just wipe stuff on a point of principle ... privacy! If someone breaks into the house and nicks my PC I don't want bank details or family photos available to all and sundry. Anything non-transient just goes into a TrueCrypt volume.


Answer to Marmite...

 

He was referring to the fact that later point releases (i.e. 5.8+) have had extremely serious bugs; these bugs don't exist in version 5.7.

 

Read his own words here...

 


He was referring to the fact that later point releases (i.e. 5.8+) have had extremely serious bugs; these bugs don't exist in version 5.7.

 

Read his own words here...

Thanks Steff; strong words. Though you wonder how many of those issues are personal. Also, I wouldn't expect a complete rewrite of the 'core' to be a minor point release.

 

There are currently 13 open defects on Eraser - none look particularly serious. I'm not 'defending' the product - I'm following up to look after my own interests because I don't want to be using something that will break my system. And I don't use it to wipe free space ... which may be safer ;)


Hi, Steff. :D Some information here and in that wilders link in post 1. I've used v. 5.84 also, but frankly don't remember which one I used for the free space wipe. Better safe than sorry, eh?

 

Also, some members here have had experience with DBAN, maybe they will comment after a time. DBAN is at http://www.dban.org/

 

If your purposes involve matters which require absolute data security, like the code to launch the missiles or the formula for Coca-Cola, you should not count on any software app. Replace and destroy the HD. Just my opinion.


If your purposes involve matters which require absolute data security, like the code to launch the missiles or the formula for Coca-Cola, you should not count on any software app. Replace and destroy the HD. Just my opinion.

Or to corrupt a line from 'Aliens' ... "I say we take off and nuke the whole HD from orbit - it's the only way to be sure" :D


Or to corrupt a line from 'Aliens' ... "I say we take off and nuke the whole HD from orbit - it's the only way to be sure" :D

 

marmite:

So true. At some point the man seems to have ended up with a messed up harddrive, using Eraser. But we will probably never know the full story why this happened.

login123:

I don't even like Coca Cola...but then again... the formula could be worth a couple of bucks. ;-)

There are several methods if you want to be s(ec)ure, degausser, caterpillar, sledge hammer...

I'm just looking for a stable product that does what it's supposed to without any surprises. I like Piriform's products but in this case they don't do enough for me. They don't seem to take care of slack (cluster tips) and the MFT. So... that's why I popped up in here. :-))

But mission accomplished now. What did I do?

I wiped my harddrive using TeraBytes CopyWipe (Random Pattern).

Then partitioned, formatted and restored the information from my backup disk.

Easy enough.... the disk is now clean from "garbage" and I am in full control of the disk.

But before I did all this I wanted to test the Wipe Free Space function in Eraser 5.7. I ended up with a positive result. So maybe, maybe I can trust it. ;-)

With a new fresh disk I will from now on be more observant when I delete sensitive information... ...(probably) using Context Menu File Shredder in Eraser 5.7 (or later???).

Stay cautious... :-)


But mission accomplished now.

Glad you're sorted ... by whatever means :)

 

I will from now on be more observant when I delete sensitive information...

...(probably) using Context Menu File Shredder in Eraser 5.7 (or later???).

FWIW I've never had a problem with Eraser, and at some point I've probably done a system partition free space wipe, though I've no idea at what version. I can say that I will continue to confidently use context menu 5.8.7 for secure file deletion. Just as a result of a couple of recent threads on these forums I've done quite a bit of messing around with deletion / recovery and I still find Eraser to be the most performant and the best at what it does ... this includes a comparison with the PGP shredder. I'll be the first to post if my partition disappears ;)

 

Also note I'm not knocking ccleaner here either ... in this context I'm more interested in ad hoc file wiping; not something done as part of a wider-scoped and periodic 'cclean' for which I will still use a ccleaner 3-pass.


Glad you're sorted ... by whatever means :)

 

 

FWIW I've never had a problem with Eraser, and at some point I've probably done a system partition free space wipe, though I've no idea at what version. I can say that I will continue to confidently use context menu 5.8.7 for secure file deletion. Just as a result of a couple of recent threads on these forums I've done quite a bit of messing around with deletion / recovery and I still find Eraser to be the most performant and the best at what it does ... this includes a comparison with the PGP shredder. I'll be the first to post if my partition disappears ;)

 

Also note I'm not knocking ccleaner here either ... in this context I'm more interested in ad hoc file wiping; not something done as part of a wider-scoped and periodic 'cclean' for which I will still use a ccleaner 3-pass.

 

Good to know. I have noticed that I tend to rely more and more on Eraser as a shredder. :-)

For now I'm happy with 5.7 but will check later versions... later. But I would never trust it, or any other software, to Wipe Free Space on a running Windows System Disk. That task is best trusted from DOS.

I regularly use TeraByte Image for DOS for "Ghosting".

And most important for this forum... I use Piriform products ;-)

- CCleaner Garbage Cleaner with 1 overwrite pass.... Daily.
- Defraggler Quick Defrag... making sure permanent files are Defragged.
- Recuva has a nice feature... to securely overwrite deleted files.

But Recuva won't touch MFT and Slack (Cluster Tips). Hopefully in later versions.

Think about it... the only Free Space needed to overwrite is the Deleted Free Space.

Never Used Free Space has never been touched... so why waste time on those clusters?

 

Have a Nice Evening (Swedish Time)


WHAT ABOUT METADATA ?

 

Is there universal agreement or understanding of what Metadata is and does ?

 

Do they all get wiped ?

Do some or all escape wiping ?

Do any that are not wiped have the potential to carry "private data" and leak when fragmented or upon next reboot ?

 

Are the answers to the above dependent upon the O.S. and the tool used to wipe "free space" ?

i.e. Mostly this topic has referred to various tools that run under Windows,

but at least one referred to a DOS tool, and I am sure that Unix/Linux boot discs can also do powerful stuff ! !

 

On my system PerfectDisk excludes 13 files from being defragged.

3 are files that Windows Explorer knows about, and I can tell you size and last modified dates etc.

10 are a mystery - they are Metadata, and one of these now has 384 fragments.

 

For all I know there could be dozens of other Metadata files that are not excluded because Windows does not fall apart when they are defragmented.

 

OOPS - Metadata has increased from 384 up to 388 excess fragments, and its sum total size is now 168.35 MB.

NB In the past I used DisKeeper and at times Metadata took over 1 GB.

 

Alan


What about metadata?

 

Is there universal agreement or understanding of what Metadata is and does ?

'Metadata' is a generic term ... what particular metadata (what files/objects) are you referring to Alan?

 

Edited to add ... and if we're talking files then it won't be related to free space wiping anyway; more to do with ordinary ccleaner clean-ups.


'Metadata' is a generic term ... what particular metadata (what files/objects) are you referring to Alan?

 

Edited to add ... and if we're talking files then it won't be related to free space wiping anyway; more to do with ordinary ccleaner clean-ups.

 

I know that PerfectDisk excludes ten Metadata items from defragging, but I do not know if the exclusions are to avoid damaging the Operating System, or if it is to avoid wasting time trying to defrag items that are fully protected by the Operating System.

The items I know of are :-

C:\$MFT0::BITMAP
C:\$MFT0Mirr
C:\$LogFile
C:\$Volume
C:\$Bitmap
C:\$Boot
C:\$BadClus:$Bad
C:\$Extend\$Quota
C:\$Extend\$Reparse
C:\$Extend\$UsnJnl:$J

It shows that there are 387 excess fragments in C:\$Extend\$UsnJnl:$J and all the others have zero fragments.

A separate table shows the sum total of ALL Metadata is 168.35 MB and has 391 excess fragments.

 

I deduce that in addition to the ten I know of that are excluded from being defragmented,

there is another unknown quantity of items that are not excluded and yet have built up another 4 fragments in the last two months since I ran a defrag.

 

I further deduce that since the size of 168.35 MB is the same as yesterday, but the excess fragments has increased,

then some bits of some metadata items have been updated with newer information appearing in the new fragments,

and the superseded / obsolete data is no longer included as part of the item,

and that data is now totally exposed to any file recovery utility that can access "free space".

 

I also assume that the metadata that is not excluded from defragging may be readable as complete files,

and even if not, every time it fragments, and every time it is defragmented, further data will be leaked.

 

Above is a whole big chunk of FUD - Fear, Uncertainty, and Doubt.

Before I used "Wipe Free Space" I would need to know :-

what parts of my privacy might be exposed via Metadata that is not wiped ;

what damage could the O.S. suffer if some metadata items were wiped ;

whether all free space wipers have identical exclusion/inclusion policies for all types of metadata ;

and whether the same policies apply to wiping via a Boot CD of any sort (Boot XP, Boot DOS, Boot Linux, etc.)

 

I am trying to get light shone into dark corners that many users of free space wipers may not be aware of.

I only know that "Dragons be here" and I will not venture myself without clarification ! !

 

Regards

Alan


Alan your post has piqued my curiosity :). As someone who develops Enterprise level systems on an XP / W2k3 platform, I have never even had to concern myself with most of the "super-hidden" objects mentioned above; never mind worried about them. When you use some of the tools that expose things like this, there's maybe a tendency to worry unnecessarily (but understandably) about potential issues with them.

 

Before I used "Wipe Free Space" I would need to know :-

whether the same policies apply to wiping via a Boot CD of any sort (Boot XP, Boot DOS, Boot Linux, etc.)

Given the correct tools, I would have thought that once you get down to disk level, the principles are the same whatever OS you're looking at. But that's not an area I have any experience with, practical or otherwise; so I won't comment further on that.

 

Before I used "Wipe Free Space" I would need to know :-

what parts of my privacy might be exposed via Metadata that is not wiped ;

Since these objects do not constitute free space, this is not a free space issue. You might be concerned at what's in these objects from a privacy perspective; but that's a different question.

 

Before I used "Wipe Free Space" I would need to know :-

what damage could the O.S. suffer if some metadata items were wiped ;

whether all free space wipers have identical exclusion/inclusion policies for all types of metadata ;

Effectively this is the same issue. Any OS files, hidden or otherwise, should not constitute free space. Therefore, any tool that wipes free space must be able to recognise the difference between free space and used space; otherwise it's not doing its job. And if it fails to do that on your system volume then it's potential bad news.

 

But if your disk tool can quite happily recognise these files, why shouldn't your free space wiper? They are both reading your disk directly and dealing with the raw entries; whereas your OS view is only showing you what it wants you to see. Your free space wiper probably doesn't give a damn whether the 1s and 0s it's reading translate to the disc space behind 'C:\$Extend\$UsnJnl:$J' or 'C:\my family pic.jpg' ... all it is interested in is whether that disk space is in use.

 

I expect any tool, ccleaner included, that claims to be able to wipe your system volume, can do so effectively and properly. There can't be worse press for a piece of software than 'a feature' that trashes your OS partition!

 

That's not to say throw caution to the wind. I think Steff's approach is the safest (and the approach you seem to advocate with your reference to a boot disk), which is not to do this on an active system partition; i.e. do it from a start-up task outside of Windows or better still from a boot disk. But this is one scenario when I'd definitely want a current partition back-up available!

 

And if you're still unsure I think the safest way for the nervous or untrusting is ... fill your free space with 'filler' files and then securely delete them ... it certainly works!

 

And at the end of the day it also really comes back around to whether you need to wipe your free space. One of those issues that will run and run I think. But as I said earlier in the thread ... the only point in wiping free space is if you have files that have been insecurely deleted and you really feel the need to write all over your free space to make sure they're gone. If you have sensitive or private stuff you no longer want, wipe it as you go along or keep it in an encrypted volume. If you do either of those there's no need to wipe free space.


Marmite: "And if you're still unsure I think the safest way for the nervous or untrusting is ... fill your free space with 'filler' files and then securely delete them ...this tool will do the filling bit. It certainly works!"

 

I can't download Disk Filler from that link. The only available file is one that Mr. Edwards says is not it. Am I doing something wrong?


I can't download Disk Filler from that link. The only available file is one that Mr. Edwards says is not it. Am I doing something wrong?

Damn - I do apologise. It's a widget I've had for a couple of years and I just googled it to find the web site ... since the site was still up I didn't even check the download link.

 

I've taken that link out to stop others getting the same problem - thanks for pointing it out. Meanwhile I'll google for a similar tool!


Disk Filler is gone? :(

 

Careful...get a reference here that there is a baddie named Disk Filler: http://www.probertencyclopaedia.com/cgi-bi...er&offset=0

 

Looks like it is one of the old "FAT Eater" viruses.


Disk Filler is gone? :(

There's always copy'n'paste ;)

 

I suppose another thing worth mentioning is that if you only have one big volume, or a very big system volume, then the whole fill-and-delete thing ain't gonna be quick!


Okay. Well there's nothing quite like a practical test :)

 

If there's one set of tools that I trust more than pretty much anything, it's Sysinternals. I used this piece of software to wipe my system volume free space. The accompanying article has some interesting information about how sdelete works, both for secure file deletion and free space wiping.

 

sdelete was written by Mark Russinovich, who is a Technical Fellow at Microsoft. He's forgotten more about the internal workings of Windows operating systems than I will ever learn.

 

Needless to say I'm still here, and so is my system partition. I analysed my volume before and after the clean with a recovery tool, and as expected sdelete had securely wiped my free space. That's with just the default single sdelete pass (sdelete uses DOD 5220.22-M, but you can specify multiple passes if you wish). Also note that sdelete is a command-line tool; don't use it if you're not comfortable with that, or with interpreting the parameter selection/syntax. Additionally, it is only for use on XP onwards.

 

Of course, I would hope and indeed expect that ccleaner be just as well behaved. And it has the advantage of a nice user interface :)

 

Please note that a lot of this thread has strayed from the OP's original concerns. I'm just talking here about the practicalities of wiping free space on the system volume.
