
What am I doing wrong?


oaker47


Hi All,

 

As a fairly recent new user, I am still getting to grips with interfacing CCleaner and Recuva and set myself a task to see how competent I was.

The results were pretty grim and I am posting here in order to try and establish what I am doing incorrectly.

As a test piece, I sent a .jpeg image to a USB drive folder, then deleted it and asked CCleaner to overwrite all the free space on that drive.

I then asked Recuva to try and recover any deleted files on that drive.

The .jpeg was still there and in recoverable condition, with two (why?) intact thumbnails on display!

As well as this, I would appreciate hearing of any practice/procedure that would avoid my arrival at overwritten (but really how securely?) files, but the original file names are still there "Bank Statement January 2010" etc.

Should I get a nasty on my PC, however difficult it may be for the bad guys to retrieve my info, I would prefer not to be telling them where to look!

 

Any advice appreciated - best regards Eljay.


  • Moderators

OK LJ, simple questions first. In CC you went to Options/Settings and ticked the box for your usb drive in the Wipe Free Space section? Did you then go to Cleaner/Windows/Advanced and tick the Wipe Free Space Box?


Hi Augeas,

Thank you for your interest - that's two yesses to your questions.

Best regards eljay.


 

Wipe Free Disk Space limitations

 

CCleaner can't wipe every deleted file from your free disk space. There are some limitations, because of the way Windows stores some files. Here are some examples:

 

* The file is in the Master File Table (MFT). Windows stores some very small files (less than 1KB in size) directly in the MFT. They cannot be securely deleted. This is only an issue in NTFS-formatted drives.

* The file has been overwritten by another file (so no need to overwrite this again)

* The file had been overwritten by another file before you ran CCleaner, but the second file has now been deleted as well.

* The file was created almost exactly when you ran CCleaner.

 

 

http://docs.piriform.com/ccleaner/using-ccleaner/wiping-free-disk-space

No fate but what we make


Hi ident,

 

Apologies for the delay in getting back here.

I will try to address your points in the order stated.

The drive on my PC: AMD Athlon II X2 240 Processor, 3.5GB RAM, NVIDIA GeForce 9500GT, MS Windows XP Home SP3, is NTFS formatted. The USB drive I used is FAT.

The particular .JPEG file should not have been over-written as this was one continuous real-time operation.

Same again re the overwriting theory: I copied the file from my PC desktop to the USB "E" drive, established it was there, then deleted it. I then "wiped" all the free space on that drive and the MFT free space.

After that, I asked Recuva to search the "E" drive for any deleted picture files, whereupon it found the one I had deleted and overwritten (?), showing TWO examples of the relevant thumbnail.

"* The file was created almost exactly when you ran CCleaner." - as I say, this was one continuous operation; not hurried as I was aware that I needed to back-check every step so that I could ultimately repeat the procedure.

Do you have any advice on how to remove actual file names - rename the file before deletion and overwriting perhaps - or is there another way that genuine file names can be removed?

I should say at this point that I have tended to use Privacy Guardian to remove unwanted files, working history and so on, as I find it does the job so much quicker than CCleaner, but I would like to turn the whole job over to CCleaner.

That's about as much as I can add to this scenario at this time.

 

Best regards.


  • Moderators

I've just wfs'd a small flash drive and the two pics I copied there were overwritten.

 

When you run wfs, does it take some time? If you monitor the e:\ directory whilst it's running, can you see a large file being created (and then deleted)? If so, wfs is probably working OK.

 

If you look at Recuva File Info for the two pics, are they overwritten by another file? Do they have a last accessed date of the wfs date, and time set to zero?

 

Look at the header info and scan down the file list. Are the majority of the headers zero bytes? All the above indicates that wfs is working.

 

There is no MFT on your FAT drive by the way. And assuming that this is a flash drive you can't securely delete a file on a flash drive either. WFS is the only way to go.

 

Recuva can't overwrite the file names, as it only overwrites MFT info on NTFS drives. You can do this yourself by creating sufficient zero-length files with harmless names on the drive, until the old file names are overwritten, and then deleting them, but it hardly seems worth while as the majority of the file names will be overwritten in normal use eventually.


Hello again Augeas,

 

I have now conducted a repeat experiment: Again I copied a .jpeg file to my USB drive and deleted the resultant copy file there. This time I waited 5 minutes, after which I disconnected the USB drive and waited a further 5 minutes before re-attaching it.

 

I then asked CCleaner to wipe all the free space on that drive. After I had done that, I asked Recuva to search the drive for all deleted picture files.

 

This time it did find 2 copies of the .jpeg, but they were not recoverable and there were no thumbnails.

 

Do you think that this confirms the last of your theories: "* The file was created almost exactly when you ran CCleaner"?

 

With regard to the file names - am I still correct in thinking that if I re-name files before I use CCleaner or Privacy Guardian to bleach/over-write them, the original file names will no longer exist anywhere in the system?

 

Best regards.


  • Moderators
This time it did find 2 copies of the .jpeg, but they were not recoverable and there were no thumbnails.

 

Do you think that this confirms the last of your theories: "* The file was created almost exactly when you ran CCleaner"?

Not my theory, actually. What's in the file header of these jpgs, zeroes? You haven't answered whether wfs takes a long time to run, whether a large file is created, what the last accessed date is, etc.

 

With regard to the file names - am I still correct in thinking that if I re-name files before I use CCleaner or Privacy Guardian to bleach/over-write them, the original file names will no longer exist anywhere in the system?

I would say no, you're not correct. If I do a deep scan I can find several copies of files I know I have never even thought of deleting. Windows edits, copies etc and defrags (which I don't do) can create copies all over the place. Renaming files, which is what CC secure delete does, just deters a casual observer. And on a flash drive (which I assume we're discussing) file editing always creates a copy.


Hello again Augeas,

 

Some answers for you then . . .

 

The WFS took slightly under 8 minutes to do its work on a 2GB USB drive.

 

Two files were created - one in excess of 19KB, the other more than 2KB.

 

Both appeared to be deleted at the end of the WFS.

 

Recuva found three captioned instances of the target file this time - one was displaying a thumbnail of a different .JPEG and two had no thumbnail displayed at all.

 

The Recuva file info showed that they had been overwritten by other files.

 

The "Last Accessed" date was that of the WFS and the time was indeed zero'd.

 

The Header Info displayed a complete array of zero bytes in each instance.

 

Finally, I would ask again about the deleting original file names before deleting (either using Privacy Guardian or CCleaner) - are you saying that even if I change a file name before deletion/shredding/overwriting, a reference will exist somewhere on my system carrying the original name?

 

Many thanks for your continued response.


  • Moderators

Hi Oaker,

 

From your description it seems that wfs is indeed running OK on your flash drive. The three instances of your target file are possibly three entries in the FAT from previous operations on that file - copy, edit, etc. The visible thumbnail apparently comes from space the jpg originally occupied being used by another file - that's what you can see, and wfs will not touch this space.

 

WFS will overwrite all the free space on your drive. It won't overwrite the file names in the File Allocation Table, and these are apparently what you are seeing. There are applications that will overwrite these names (but not Recuva) by simply filling the disk with zero-byte files with dumb names, and then deleting them. You are still left with the dumb names, however.

 

I guess you can get rid of most stuff on your disk, by using wfs, wipe MFT (on NTFS) and some other FAT wiper on your flash drive. There's usually something left behind somewhere in Windows' dark corners that a determined and knowledgeable person could find, but I wouldn't worry too much about it. Knowing exactly what goes on between Windows, NTFS and the drive controller is limited to a select few, and I'm not one of them.

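As an added illustration (not part of the thread and not Piriform's code), this toy Python model of a FAT short-name directory shows why a free-space wipe zeroes the deleted file's data yet leaves its directory entry, and so its name, visible to an undelete scan, and how the zero-length-file workaround described in the moderator's posts replaces that name. The `ToyVolume` class, the 16-byte cluster size, the slot-reuse policy and the sample file are assumptions constructed for the example; long file names, which occupy additional directory entries, are not modelled.

```python
import struct

# One 32-byte FAT short-name (8.3) directory entry, laid out as the format defines it.
ENTRY = struct.Struct("<8s3sBBBHHHHHHHI")
DELETED, END = 0xE5, 0x00   # first-byte markers: deleted entry / end of directory
CLUSTER = 16                # toy cluster size (assumption for this sketch)

class ToyVolume:
    """Constructed in-memory stand-in for a FAT volume, not a real image."""
    def __init__(self, slots=4, clusters=8):
        self.directory = bytearray(slots * ENTRY.size)  # 0x00 = never used
        self.fat = [0] * clusters                       # 0 = free cluster
        self.data = bytearray(clusters * CLUSTER)

    def _offsets(self):
        return range(0, len(self.directory), ENTRY.size)

    def create(self, name, ext, payload=b""):
        cluster = 0
        if payload:                           # single-cluster files only
            cluster = self.fat.index(0, 2)    # clusters 0 and 1 are reserved
            self.fat[cluster] = 0xFFFF        # end-of-chain marker
            self.data[cluster * CLUSTER:cluster * CLUSTER + len(payload)] = payload
        # Reuse the first deleted or never-used slot (simplified driver policy).
        off = next(o for o in self._offsets() if self.directory[o] in (DELETED, END))
        self.directory[off:off + ENTRY.size] = ENTRY.pack(
            name.ljust(8).encode(), ext.ljust(3).encode(), 0x20, 0, 0, 0, 0, 0,
            cluster >> 16, 0, 0, cluster & 0xFFFF, len(payload))
        return off

    def delete(self, off):
        # A delete flags the entry and frees the cluster; name tail and data stay.
        cluster = ENTRY.unpack_from(self.directory, off)[-2]
        self.directory[off] = DELETED
        if cluster:
            self.fat[cluster] = 0

    def wipe_free_space(self):
        # A free-space wipe reaches unallocated data clusters, nothing else.
        for c in range(2, len(self.fat)):
            if self.fat[c] == 0:
                self.data[c * CLUSTER:(c + 1) * CLUSTER] = bytes(CLUSTER)

    def listing(self):
        """(state, name) per used slot: what an undelete scan would report."""
        out = []
        for off in self._offsets():
            raw, ext = ENTRY.unpack_from(self.directory, off)[:2]
            if raw[0] == END:
                break
            gone = raw[0] == DELETED
            name = "?" + raw[1:].decode() if gone else raw.decode()
            out.append(("deleted" if gone else "live", f"{name.strip()}.{ext.decode().strip()}"))
        return out

    def overwrite_names(self):
        # The thread's workaround: harmlessly named zero-length files reuse deleted slots.
        stale = sum(self.directory[o] == DELETED for o in self._offsets())
        for off in [self.create(f"FILL{i:04d}", "TMP") for i in range(stale)]:
            self.delete(off)

def demo():
    vol = ToyVolume()  # constructed sample file: JPEG magic bytes plus a marker
    vol.delete(vol.create("BANKSTMT", "JPG", b"\xff\xd8\xff\xe0secret"))
    before = bytes(vol.data).count(b"secret")
    vol.wipe_free_space()
    after_wipe = (bytes(vol.data).count(b"secret"), vol.listing())
    vol.overwrite_names()
    return before, after_wipe, vol.listing()
```

`demo()` returns the marker count before the wipe, the marker count and directory listing after the wipe, and the listing after the filler pass.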

Just to clarify, we are talking about a real delete, and not the "move to recycle" delete?

 

If your Flash Drive is optimized for Quick Removal,

it is reasonable to expect writes and deletes to be completed before you can launch a WIPE.

 

If instead it is optimised for performance your changes will sit in a cache for a while,

and you may be able to launch WIPE before the previous actions.

With this optimisation the software should keep track of your actions,

so that hopefully if you write a file and then try to read it before it is moved from the cache,

the software should read the file back out of the cache.

Similarly if you write and then delete whilst it is still in the cache,

the O.S. should merely flush it from the cache.

 

Is it possible that a WIPE FREE SPACE could bypass the cache and deal with the flash drive media,

and after that the O.S. may, at a convenient time, perform the write JPEG and delete JPEG.

I only ask the question - I do not know the answer,

and the answer may vary with the version of Windows.

 

You can control optimisation by plugging in the Flash Drive, then

Computer Management / System Tools / Device Manager / Disc Drives / *FLASH* / Policies,

Where using my Sony Flash drive, *FLASH* displays as "Sony Storage Media USB Device".

 

Alan


Link to comment
Share on other sites

Hello again Augeas,

 

Thanks for that. I'm not about to get paranoid about security to the "nth degree" at my time of life (I am a slightly silver surfer), but I see forums loaded with pleas for help from all kinds of folk because they have become infected with this, that or the other and I do wonder just how careless you need to be to get that deep in the brown stuff?

 

I'm not a "geek" by any means, but there was a time, some 20 years ago in my professional life when the manual work that I was doing went computerised and my employer automatically assumed that there was no way that I was going to be able to cope, so he brought in a young and unmotivated young person who knew nothing about the industry but could work an Apple Macintosh computer.

 

I, in a fairly senior position had to hand 22 years of acquired knowledge to this person, who effectively took my job away because they had some computer knowledge and at the time I didn't.

 

From that day on I have made it my business to learn as much as I can and to be as tough a target as possible for anyone else that ever tried to benefit from what I didn't know about computers.

 

I've enjoyed your dialogue that has no doubt added to my knowledge in pursuit of that aim.

 

All best wishes.


Hello Alan,

 

Thank you too for your response. I "shred" my session documents using Privacy Guardian and the Gutmann method, so they do tend to mostly disappear. Occasionally, for reasons that are beyond me, but that you may be alluding to, Recuva does find the odd one fairly intact and recoverable.

I still have XP Home Edition, SP3 and am not driven by the mostly cosmetic differences in my opinion to move on just yet.

I have located the check box that you refer to and it is indeed optimised for quick removal.

Now here we are at the fringe of my knowledge of this particular area - can I interpret that the particular cache you are referring to is located on my hard disk, whilst the actual files that are being processed are on my USB drive?

Would this mean that I would have to exercise some deletion/overwriting on my hard disk to achieve a more positive removal - and is this cache deletion covered by any of the Advanced check boxes in CCleaner to achieve this?

Sorry if I am displaying my ignorance at this point, but I am keen to acquire this knowledge.

 

Best regards.


Snap ! !

I too have XP Home Edition, SP3.

 

My Flash drive is also optimised for quick removal.

This "should" make it safe to unplug without jumping through the hoops of "Safely Remove Hardware",

but I never take that risk - I always go for safety.

 

For both of us any write (and I assume delete) actions on the flash drive should delay the application and GUI responses by a few microseconds as the transaction requirements are written to the RAM cache.

When the O.S. has some spare time it will access the cache and spend the much larger time needed to perform the required transactions to update the flash drive.

 

The data in the RAM cache may persist until it is over-written with further transactions - then it is gone.

I would like to think that RAM loses all data upon Power Off,

but I believe my Acer Laptop maintains power from its battery to some parts of the circuitry whilst shut down.

 

I do not know, and a quick Google did not show me, where this RAM cache is located.

The CPU processors have various sizes (and speeds) of cache built in.

Level 1 is for "instant" access to recent instructions that may be repeated in a loop.

Level 2 and 3 are larger and slower for other purposes - I am going into brain fade here ! !

I suspect that a disc transaction cache MIGHT be built into the CPU silicon at some time,

but I do not think we have that yet.

 

I assume my disc drive transaction cache is part of a 1 GB memory upgrade I gave my P.C. 3 birthdays ago,

in which case it may get transferred in and out of Virtual memory = pagefile.sys = Hard disc drive area.

What I refuse to understand is why I still have 787,336 MB Available (unused) physical memory,

and yet "hours" have been wasted moving 388,716 MB into so slow virtual make-believe memory ! !

Additionally forensic investigators examine the hiberfil.sys on the Hard Drive to see what has entered RAM,

though I would have thought a child pornography URL would get over-written by shopping lists etc. the next day.

 

For maximum privacy you may need to purge the pagefile.sys, which I believe is a start-up option,

and you may need to disable hiberfil.sys.

 

CCleaner has no option for dealing with the disc drive transaction cache, nor pagefile.sys nor hiberfil.sys.

 

In practice I never bother to Wipe Free Space, nor shred or wipe deleted files.

 

I have excellent security software,

and nothing evil since my younger son left college 20 years ago and he stopped copying games onto floppy discs.

 

In theory I believe a hacker could penetrate my system and access data that was not deleted,

and he might be able to add a key-logger that could send him my internet banking passwords.

He could also destroy my system - but in 10 minutes I would fully recover via a backup partition image.

 

Any deleted data that was not shredded/wiped could be read and stolen,

but it would need the use of something like Recuva to access them.

It would probably need far more sophisticated tools to interpret any pagefile or hiberfil data.

 

I suspect that the risk of a hacker recovering deleted data is less than the risk that a wife would give a private investigator passwords and physical access to the system if she was looking for a divorce.

 

Regards

Alan


Link to comment
Share on other sites

Hello Alan,

 

Many thanks for your very thorough response. I have to admit that you are streets ahead of me in understanding the technology though.

 

I guess I have no reason to think that my system is in any way particularly vulnerable. I use Kaspersky Internet Security which appears to look after me very well.

 

I think my initial curiosity in respect of keeping private data private arose after I deleted some family photos from both my camera card and my PC.

 

I had to buy Photo Recovery to retrieve them from the camera card, (luckily I realised immediately what I had done and didn't overwrite anything).

 

However, I have fairly recently bought a new PC owing to the demise of the hard disk on the old one and couldn't find any licence details with which to download the program again - so I opted for Recuva and was amazed at how data that I thought was gone pretty much forever was still there or was at least recoverable.

 

Coming from the same organisation it then was logical to go for CCleaner, in the knowledge that the two were likely to interface perfectly.

 

I'll sign off now and thank you for your input, which I shall digest at leisure tomorrow.

 

All best wishes to you.
