Add total destruction method to CCleaner

[mr don]

It has been known for some time, that you can recover data from hard-drives utilizing specialized equipment that can:

 

- Use magnetic underscanning techniques that scan the undersides of a drive, picking up the "ghost" image

- Using specialized machines that can sidestep normal tracks on a drive & read slightly to the left or right of a track & pick up residual data there

- Electron Scanning Microscopes & other methods may involve being able to calculate the overwritten data content by analyzing the current 0 & 1 state, then applying filters to see what the percent of 0 or percent of 1 currently is, ie, is it 95% of a 1? or is it 90%? etc, then reconstruct various levels based on this tech.

 

Interesting article on data carving --> http://www.cgsecurity.org/wiki/PhotoRec_Data_Carving Though this is yet another type of data reconstruction, I found the way that it reconstructs it intelligently from existing file fragments to be interesting.

 

Now, what I would love to know, is while I understand that CCleaner can write or overwrite data onto a drive, I would love to know if it can totally destroy data?

 

Does it include a way to:

- Eliminate "ghost" images left when reading slightly to the right or the left of a track instead of dead center?

- Eliminate "ghost" images left on the undersides of magnetic media?

- Use specialized patterns that are sufficiently randomized as to prevent attempts at intelligent patterning decoder (IE, decipher the previous 0 or 1 based on the strength of the current 0 or 1 that "overwrites" the data) images?

 

I do believe the CCleaner people are great people that are very good at what they do, but I would like to know how it stacks up compared to the claims of something like Robinhood Evidence Eliminator?

 

I do not like that software. It is more confusing to use than CCleaner, + options have to be very explicit. Additionally, I have heard that if it detects you using a key it doesn't think is licensed to you, that it will go into a pretend mode of removing junk, giving you a false sense of security! This is bad for a number of reasons including over time that their key system may become compromised, which will compromise your machine, or if they update & "lose" your old key, then it no longer "works" etc.

 

I am not as interested, however, in that part, as I am in the forensics that this software mentions in their scareware website. So, if CCleaner does not include any magnetic underwriting, & if the data patterns are not carefully selected & sufficiently randomized as to be reverse decompiled under the hands of a skilled expert, then could this feature be added to a future release of CCleaner?

 

Basically, I would love to know that if I connect an external drive to CCleaner, someone can't "sidestep" the CCleaner overwrites, making the attempts to delete the data rather useless since they did not try to pull it from the deleted track, but rather from the sides or bottom of the magnetic track instead. Think of it like a highway. Normally, you go straight. But you can also go slightly left or right of the "track" you are on when driving to pass other people in many instances.

 

I guess the question I have here, is "Can a drive scrubbed with CCleaner be recovered if using specialized government computers/methods that us normal people don't have access to?"

 

I want to ask for secure data destruction, IE TOTAL data destruction in CCleaner if that doesn't exist. I am not 100% certain on all the methods CCleaner uses, however, but I don't remember reading that they scrub the sides or undersides of magnetic tracks. Perhaps I am wrong, however.

 

But assuming I am not, I am requesting this capability so I can know that a drive is scrubbed clean.

 

Additionally, I am not certain that I know that CCleaner can secure wipe a SSD Solid State Drive yet. I believe it does/should although I am not 100% certain at this time... As you know, "Wiping an individual file on a solid-state drive may not succeed in destroying the contents of the file, due to the wear-leveling mechanism that dynamically maps logical to physical disk clusters. However, if you simply delete a file and then wipe all of the free space on the drive, then the file?s contents should be destroyed." There is TRIM, but as far as I am aware, only Windows 7, the newest version of Linux kernel, or Windows Server 2008 RC 2 support the TRIM command. Hopefully, XP/Vista users? won't be left out when you get this sorted out? Of course, consideration also needs to be taken for SSD drives that don't support TRIM as this has to be supported by the drive as well. In non trim SSD, wear leveling simply writes to the pages until its full, at which time when new data needs to be written, the OS tells the controller "hey, I need to write new data", and the controller finds previously full pages of no longer needed data, zaps it empty, then writes the new data to the page.

 

--> Interesting read I discovered "Contrary to popular myth, TRIM does NOT immediately erase the data. It just sets a flag in the logical->physical cluster map to say that the cluster doesn't need to be read and rewritten when the block goes through the next read/modify/write cycle. If the drive correctly follows the spec, this flag will also make reads of that logical cluster return all zeros, but I am thinking that maybe there is an alternative read command that doesn't do this... If the drive doesn't follow this rule, it will make the TRIM implementation incompatible with RAID3, RAID5, & RAID6.

 

Also, in order to facilitate wear leveling, SSD drives and even most USB sticks have more storage than they make visible to Windows, and it is possible that multiple historical versions of a logical cluster exist on the drive, but the map of logical to physical clusters points to only the latest one.

 

Using http://www.diskinternals.com/flash-recovery/ I recovered almost 200MB of photos from a 128MB CF Card that had been reformatted. Don't know how it is able to get at the physical clusters that are no longer pointed to in the map but it apparently does. Don't know if this is possible on an SATA SSD."

 

If this were true, wouldn't this also complicate erasing the data blocks if duplicate "spares" exist that are written to from time to time? Would this present any form of data breach/leak/undelete problem?

 

regards,

Don

[Augeas]

Mr Don,

 

Most of your post is based on the unproven premise that electron microscopes can read 'stray' data. None of your references claim to be able to read or reconstruct overwritten data.

 

CC is a pc cleanup tool. It is not a forensic cleaner. It is not possible for an application to 'scrub the sides or undersides of magnetic tracks'. As you point out, there are forensic data cleaners available.

 

I can see no physical reason why CC WFS couldn't be run on an SSD. Your SSD paragraph appears to be correct, except that the last sentence is a little awry.

[mr don]

Mr Don,

 

Most of your post is based on the unproven premise that electron microscopes can read 'stray' data. None of your references claim to be able to read or reconstruct overwritten data.

 

 

Augeas, have you read here? --> http://www.nber.org/sys-admin/overwritten-data-gutmann.html & also here? --> http://www.actionfront.com/ts_whitepaper.aspx

 

I ask, because sometimes what people think is at first impossible is not impossible. You may think I am being overly cautious, but on the flip side, let me take something less innocuous. Most people are aware that Yahoo archives are encrypted. This would keep ordinary users from being able to view the data right? I tested my own archives & I can get around the encryption to view the files. I don't even have to have Yahoo installed to view them. In light of the fact that situations like these may appear impossible to novices, I was just wondering... Not saying you are a novice or anything, as you appear pretty knowledgeable about many things, but there are those who fail to see things at the deeper level...

 

You seem to doubt that data can be read slightly to the left or right of a track, but according to Error Correcting Code info I located previously, it is something that drives can & do use occasionally to try to recover bits of data when they think a sector may be failing. It is just that data recovery labs may employ these techniques when a sector is NOT failing to try to glean "ghost" images. This is what is scary to me, which is why I suggested it.

 

I remember reading some of this stuff years ago, & while CCleaner appears to eliminate data, I was just wondering if it did the standard sanitation, leaving bits & pieces of data sticking around, or if it was more akin to a real life cross-cut shredder (once gone, nearly impossible to recover)?

 

The websites listed above may enable you to gain more insight into the area I posted about earlier. I should not have assumed that you knew what I was talking about, so that was partly my fault. I should have posted links, so I take the blame.

 

So, now you have a couple links that can show you a greater insight to what I was referring to.

 

Peace!

[ident]

Mr Don, The only true way to destroy data making it unrecoverable is by completely destroying the magnetic platters in the hard drive. No software can do this.

 

Criminal forensic data recovery cases done in a lab can(yes/no) lead to convictions from over written data. This is because hard drives write to magnetic data there's normally over spill of data either side of the data track. That level of data recovery is stupidly expensive. Mega ???

99.999% of ccleaners do not, need not, or ever will have to worry about the mist that clouds around the possibility that a forensic scope can gather enough data from the over spill to seal a conviction.

 

This is totally out of sight of what a PC clean up till should be used for.

[hazelnut]

For Christ's sake get real MrDon.

 

ccleaner is primarily a cleanup tool. You seem to want to turn it into something Nasa would be proud of.

 

Keep the program simple and small, that's what people like about it.

 

Try and keep your posts to a readable length, my eyes start to glaze over after the first few paragraphs.

[Winapp2.ini]

You can use CCleaner to do this already, just load it up, then set your computer on fire (and/or toss it out the window into a mulcher,) that will probably make your SSD unrecoverable.

[ishan_rulz]

You can use CCleaner to do this already, just load it up, then set your computer on fire (and/or toss it out the window into a mulcher,) that will probably make your SSD unrecoverable.

 

Pretty much this.

[Nergal]

uh o_O hwhat?

 

I use a specialized software called drillpress this erases all of my drives till they are no longer usable. Though I've heard the software named Fire&DropOutWindow is very accurate.

 

 

*Serious Face*

Yes, CCleaner is not a forensic cleaner and I can't imagine why a member/user who has been here as long as you, Mr. Don, would even ask this question as it's been answered often for 1 posters . . . with a much shorter question/explanation.

 

please, for your own sake, understand that while we have nothing against you nor your questions. Most of us don't want to read an article length question (as well as second post) which is mostly a hypothesis. Please do yourself a favor and Look up the acronym TLDR.

[mr don]

uh o_O hwhat?

 

I can't imagine why a member/user who has been here as long as you, Mr. Don, would even ask this question as it's been answered often for 1 posters . . . with a much shorter question/explanation.

 

I do understand. Thanks for the answers. You are all awesome.

 

Sorry for the trip-up. I use CCleaner myself & am very familiar with the features. I have tested a few programs in time past, but I got deep into data recovery techniques + whether a file could be undeleted after a secure wipe, etc. with certain programs...

 

I do believe that what trips a lot of people up is leaving data in plain site that they thought they erased, or using a quick erase vs secure. I will be testing for sure more on this later. I have a few decent data recovery programs, so it will be interesting. I merely asked earlier like I did, because Evidence Eliminator seems to claim that it is the only one of it's kind that can really/truly destroy data beyond recovery...

 

I was just wondering if that is true or a bunch of FUD. The tools I use may be different from Law Enforcement, so I was hoping for input concerning real field testing & use. It was not meant in such a manner to really bug anyone, but I merely wanted to know more about how good it is in the real world criminal investigations scenes.

 

I will be checking a few stories online + doing my own research later just to test (& partly just for fun, because I like to see if things can be defeated or if they truly work in a manner making it impossible). I know that I have accomplished in other areas, things that some people would have said is impossible but there are so many different areas to work on that it is difficult to be an expert in them all.

 

A lot of people around here do standard computer stuffs, but many times I find myself digging to a deeper level than most because I have a fascination for the "impossible" things. I like to learn to a greater degree, become extremely knowledgeable, & if possible, even more so than even the Law. I have simply heard too many cases of the Law being abused, so I very nearly worship knowledge because of the power it brings.

 

I appreciate everyone's response. Most future responses should be far shorter, but my concern was the privacy vs snoops issue. I am once again very sorry if I caused anguish with length, but I confess that I crave knowing things inside & out, more intimately than most. It is just one of those things with me.

 

Thanks everyone, & I really have to go to bed. I am sleepy!

 

Peace!

 

Edit: I also asked about it, because contrary to what many "Experts" here may claim that magnetic underwriting is impossible, or that it is impossible to defeat forensics with something like CCleaner, ---> http://www.youtube.com/comment_servlet?all_comments=1&v=xYgcCfrYA7k has many replies.

 

These are from users worldwide, so I would think that such a wide range of users (hopefully) would know. One of the users mentioned CCleaner, but they said CCleaner did secure wipes but just not as good as Evidence Eliminator did. I am not here to promote EE in any way, I just wondered if CC could be "brought up to par" on data destruction. Now, it is possible they used an older version prior to the wipe free space & file slack etc, so I am not 100% sure yet. More testing to do later... Sigh!!!!

 

Will try to update the results later when I have time to actually do this, which may take a while because I am also in the process of moving. So please forgive me if it takes a long time to update this with results.

 

I have noted that my responses were a bit lengthy, but only because I have a fascination with data & whether it can truly be destroyed. P.S. EE seemed to work on the last test I did, but more testing to follow. I will probably wait till CC 3.0 or so & test CC along with some other apps to see how they stack.

 

Thanks for your time & understanding.

 

Night!

[ident]

I think my javascript skills will be coming out tomorrow, see what i can knock up to shrink your posts

[hazelnut]

I think my javascript skills will be coming out tomorrow, see what i can knock up to shrink your posts

 

Don't worry ident, MrDon's posts will be smaller in future, either by his own efforts or by way of moderator intervention.