jopa66 Posted November 4, 2009 Share Posted November 4, 2009 After scanning hard drive for deleted files, this file continually shows up. The file is unimportant and I do not need to recover it, although I can easily do so with Recuva and the recovered file is 11KB in size. It is intact and openable. The name of the file is: Outlook Express emails.zip and is simply a WinRar archive of the default OE folders. My querry is that I would rather just never see this again and would like to eliminate it once and for all. Recuva will not securely delete the file - giving the error as in the title of this message. ie: Size - unknown Status - Not overwritten - Unable to overwrite special file type. Have used other tools, namely: Restoration and EasyRecovery, both of which cannot even find this file. Have also tried wiping free space with Eraser and Restoration but file still appears in Recuva. And, since I originally restored to a separate hard drive, the file is now "stuck" on both drive C: and drive D: Have run Recuva is debug mode. Log is as follows: 61KQTlRGUyAgICAAAggAAAAAAAAA+AAAPwD/AD8AAAAAAAAAgACAAOvt4QQAAAAAoBQ0AAAAAABa rDoAAAAAAPYAAAABAAAAD5pfvLBfvIYAAAAA+jPAjtC8AHz7uMAHjtjoFgC4AA2OwDPbxgYOABDo UwBoAA1oagLLihYkALQIzRNzBbn//4rxZg+2xkBmD7bRgOI/9+KGzcDtBkFmD7fJZvfhZqMgAMO0 QbuqVYoWJADNE3IPgftVqnUJ9sEBdAT+BhQAw2ZgHgZmoRAAZgMGHABmOwYgAA+COgAeZmoAZlAG U2ZoEAABAIA+FAAAD4UMAOiz/4A+FAAAD4RhALRCihYkABYfi/TNE2ZYWwdmWGZYH+stZjPSZg+3 DhgAZvfx/sKKymaL0GbB6hD3NhoAhtaKFiQAiujA5AYKzLgBAs0TD4IZAIzABSAAjsBm/wYQAP8O DgAPhW//Bx9mYcOg+AHoCQCg+wHoAwD76/60AYvwrDwAdAm0DrsHAM0Q6/LDDQpBIGRpc2sgcmVh ZCBlcnJvciBvY2N1cnJlZAANCk5UTERSIGlzIG1pc3NpbmcADQpOVExEUiBpcyBjb21wcmVzc2Vk AA0KUHJlc3MgQ3RybCtBbHQrRGVsIHRvIHJlc3RhcnQNCgAAAAAAAAAAAAAAAAAAg6CzyQAAVao= [2009-11-04 11:20:22] [iNFO ] Reading MFT [2009-11-04 11:20:22] [iNFO ] Reading files [2009-11-04 11:20:24] [iNFO ] Building folders [2009-11-04 11:20:24] [iNFO ] Restoring tree [2009-11-04 11:20:24] [iNFO ] Analyzing damage [2009-11-04 11:20:24] [iNFO ] 5941 deleted files, 40641 filesystem objects [2009-11-04 11:20:24] [iNFO ] Processing deleted emails [2009-11-04 11:20:25] [iNFO ] Processing recycle bin [2009-11-04 11:20:25] [iNFO ] Returning list [2009-11-04 11:20:25] [iNFO ] 806 / 2553 [2009-11-04 11:20:25] [iNFO ] Exiting scan [2009-11-04 11:20:29] [ERROR] Not a PNG file [2009-11-04 11:20:29] [ERROR] jpg error [2009-11-04 11:20:56] [ERROR] Recuva exception: MboxFileRecordImpl.cpp(99) : Unable to overwrite special file type (0x000000b5) [2009-11-04 11:20:56] [ERROR] Not a PNG file [2009-11-04 11:20:56] [ERROR] jpg error Link to comment Share on other sites More sharing options...
Moderators Augeas Posted November 4, 2009 Moderators Share Posted November 4, 2009 From the Piriform docs: You cannot securely delete the ZIP file in Step 2 before you recover it. Recuva only creates the ZIP file when you choose to recover the emails. I guess that means that if you wanted to recover deleted emails then you would have to recover them all, and the zip file containing them would be created at the time if recovery. So the zip filemane that Recuva finds is a pseudo-name, and thus can't be securely deleted. It makes sense as there isn't a Outlook Express emails.zip file name in the MFT (not that I've ever seen), and the deleted emails presumably live in the mail client's data bases. Link to comment Share on other sites More sharing options...
Moderators DennisD Posted November 4, 2009 Moderators Share Posted November 4, 2009 Hi jopa, and welcome to Piriform. If it's any consolation, you're not alone: It must be some MS thing, as I've never, ever used Outlook Express. EDIT: You just beat me Augeas. It must be created whether you use OE or not. Link to comment Share on other sites More sharing options...
Moderators Augeas Posted November 4, 2009 Moderators Share Posted November 4, 2009 Ha, you tarried too long at the pub, Dennis! I think that the file name is one of Piriform's own, and just means that there are some emails available to be recovered from whatever client you're using. I can't remember what clients are supported without looking at the docs again. Link to comment Share on other sites More sharing options...
Moderators DennisD Posted November 5, 2009 Moderators Share Posted November 5, 2009 Ha, you tarried too long at the pub, Dennis! I think that the file name is one of Piriform's own, and just means that there are some emails available to be recovered from whatever client you're using. I can't remember what clients are supported without looking at the docs again. If only that were true. After recovery, it's an empty 0 byte file, and I don't use an email client. Windows Live Mail is listed, which I have, but it's web based and I don't have Windows Live Desktop installed which I think (emphasise "I think") I would need to use it as an email client. I hardly use it anyway, and certainly haven't deleted any mail from it in an age. And I don't use Live Mail for Piriform emails. I'd be interested to learn how many more folk not using an email client of any sort can pick up this 0 byte file with a scan. Link to comment Share on other sites More sharing options...
cartel Posted April 11, 2010 Share Posted April 11, 2010 Hey I never use outlook express, why is this file here and why is it not deleting? I even used Eraser and it's THE ONLY file that keeps returning. Whats the story on this file and where did it come from? Filename: Outlook Express emails.zip Path: C:\ Size: Unknown (Unknown) State: Excellent Creation time: Unknown Last modification time: Unknown Last access time: Unknown Comment: No overwritten clusters detected. Link to comment Share on other sites More sharing options...
cartel Posted April 11, 2010 Share Posted April 11, 2010 and another thing, I use Windows 7 x64 and there is no "outlook express" period. There is Windows Mail, nothing even beginning with outlook in the whole OS. Link to comment Share on other sites More sharing options...
Moderators Augeas Posted April 12, 2010 Moderators Share Posted April 12, 2010 I think the answer is in the last four posts in this (old) thread, Cartel. Link to comment Share on other sites More sharing options...
Moderators DennisD Posted April 12, 2010 Moderators Share Posted April 12, 2010 If I scan my C: drive with Recuva, that same 0 byte file still pops up in the scan. It's an MS thing I guess, and I really care less about it as it's harmless. It shall remain a mystery for me. Link to comment Share on other sites More sharing options...
cartel Posted April 12, 2010 Share Posted April 12, 2010 Well I never recovered any emails, I don't use outlook and it just showed up the last few weeks. I would like to see it gone. Link to comment Share on other sites More sharing options...
cartel Posted January 10, 2011 Share Posted January 10, 2011 Outlook Express emails.zip has disapeared! I don't see it. Not sure if a M$ update did it or the new eraser got it or the ccleaner unused space wipe did it. ??? Anyone still have it? Link to comment Share on other sites More sharing options...
Moderators DennisD Posted January 10, 2011 Moderators Share Posted January 10, 2011 Yep. Still there. Still recoverable, and still a 0 byte empty zip which won't delete, and still doesn't bother me although I would never have remembered it. Thanks for that. Link to comment Share on other sites More sharing options...
Therealjoshuad Posted February 8, 2012 Share Posted February 8, 2012 Ha, you tarried too long at the pub, Dennis! I think that the file name is one of Piriform's own, and just means that there are some emails available to be recovered from whatever client you're using. I can't remember what clients are supported without looking at the docs again. I get why one might assume that, but it wouldn't make sense to donut that way. To recover meats you would want to not modify it in any way, and also, this method isn't done with pictures, or docs. One theory I have is that the Ccleaner or maybe even recuva itself writes this file in the "overwrite" operation. (free space wipe, the cleaning with multiple pass checked, or recuva's overwrite command) I notice after a wipe it creates tons of jpg files with a $ and random numbers and letters such as $Ryh577fh.jpg This makes sense to me as a sort of plausible deniability, sort of like TrueCrypt's hidden container. "yes, here are important looking (but benign)things that I deleted, nothing more to see" Security through obsecurity. I could be wrong, but this is my theory. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now