
Recuva finds phantom files in deep scan


Augeas


  • Moderators

This is rather peculiar. I like to know more or less what's going off in my PC, but I just can't figure this out.

It is easily reproducible. Although I use FF, it's easier to test with IE (I'm on IE8) as that seems to create one file for each browsed item. I'll try to keep this simple: here goes.

I clear all IE stuff with CC normal delete, and also IE Recovery Active and Last Active. I browse, then clear as before with one overwrite. I can then see a number of ZZZ files using Recuva normal scan with the correct time and date. I then browse a little more, say look at the BBC website, and the ZZZ files are no longer seen under Recuva - the MFT entries have been reused.

Change Recuva to Deep Scan and run until, say, 3 or 4 thousand files are listed, then cancel. With zz in the Filename box I can see the 20 or so ZZZ files, all with the correct time and date. So far so average. But:

1) The files have names, to wit some variation of ZZZ. Yet the files contain zeroes. Where does the name come from?

2) Some of the larger files are in multiple extents. How does Recuva know the extents and the number of clusters in the extents?

3) The files have a non-existent temp int files folder name. Where does that come from?

4) And even more puzzling, when an attempt is made to securely overwrite a small file it fails as the file is resident in the MFT. This is not true!

I have rebooted, with the option set to wipe the pagefile. The ZZZ files are still there. I deep scan/cancel several times. The ZZZ files are still there.

I searched the entire drive for any live file - including sys and hidden directories - with ZZZ content: nothing.

Eventually these ZZZ files go, probably because the next Avast update creates several hundred new files and overwrites whatever's listing the ZZZs. I'm also sure that this phenomenon applies to files other than ZZZ files, it's just that these are easier to identify.

I'm perplexed. In theory, and according to the Piriform Docs, a deep scan should find files with signatures in their headers, and no multiple extents. It can't possibly interpret files full of zeroes. It's as if there's a mini MFT somewhere (they are not in the MFT). These files are being listed from another source. Where's this info coming from?
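Added example (my own code, not from the post, Piriform or Recuva): the three things puzzled over above, the file name, the extent list and the resident/non-resident flag, are all fields of a single 1 KiB NTFS MFT FILE record, so any stale copy of such a record that survives outside the live $MFT (in unallocated clusters, $MFTMirr, $LogFile, or elsewhere) would yield exactly those values for a file whose own clusters have since been zeroed. The parser below reads those fields from a record it constructs itself using the documented NTFS attribute and data-run layouts; whether Recuva actually carves records this way is not stated on this page and is an assumption.

```python
import struct

def decode_runlist(buf):
    """Decode an NTFS data-run list into (start_cluster, cluster_count) extents."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos]:                  # 0x00 header byte ends the list
        len_sz, off_sz = buf[pos] & 0x0F, buf[pos] >> 4
        count = int.from_bytes(buf[pos + 1:pos + 1 + len_sz], "little")
        pos += 1 + len_sz
        if off_sz:                                      # signed, relative to previous run
            lcn += int.from_bytes(buf[pos:pos + off_sz], "little", signed=True)
            pos += off_sz
        runs.append((lcn, count))
    return runs

def parse_mft_record(rec):
    """Pull name, resident flag and extents out of one FILE record's attributes."""
    info = {"name": None, "resident_data": None, "extents": []}
    pos = struct.unpack_from("<H", rec, 0x14)[0]        # offset of first attribute
    while struct.unpack_from("<I", rec, pos)[0] != 0xFFFFFFFF:
        atype, alen, nonres = struct.unpack_from("<IIB", rec, pos)
        if atype == 0x30:                               # $FILE_NAME (always resident)
            v = pos + struct.unpack_from("<H", rec, pos + 0x14)[0]
            info["name"] = rec[v + 0x42:v + 0x42 + 2 * rec[v + 0x40]].decode("utf-16-le")
        elif atype == 0x80:                             # $DATA
            info["resident_data"] = not nonres
            if nonres:                                  # runlist offset sits at +0x20
                info["extents"] = decode_runlist(rec[pos + struct.unpack_from("<H", rec, pos + 0x20)[0]:pos + alen])
        pos += alen
    return info

def _attr(atype, nonres, payload):                      # constructed attribute builder
    hdr = bytearray(0x40 if nonres else 0x18)           # payload: value or runlist
    total = (len(hdr) + len(payload) + 7) & ~7          # attributes are 8-byte aligned
    struct.pack_into("<IIB", hdr, 0, atype, total, nonres)
    if nonres:
        struct.pack_into("<H", hdr, 0x20, 0x40)                 # runlist offset
    else:
        struct.pack_into("<IH", hdr, 0x10, len(payload), 0x18)  # value length, offset
    return (bytes(hdr) + payload).ljust(total, b"\0")

def build_sample_record():                              # constructed: ZZZ.tmp, two extents
    name = "ZZZ.tmp".encode("utf-16-le")
    fn_value = bytes(0x40) + bytes([len(name) // 2, 3]) + name  # name length, namespace
    runlist = bytes([0x21, 0x04, 0x00, 0x10, 0x11, 0x02, 0x20, 0x00])  # 4@0x1000, 2@0x1020
    attrs = _attr(0x30, 0, fn_value) + _attr(0x80, 1, runlist) + b"\xff\xff\xff\xff"
    rec = bytearray(b"FILE".ljust(1024, b"\0"))         # 1 KiB record, zero-filled
    struct.pack_into("<H", rec, 0x14, 0x38)             # attributes follow 56-byte header
    rec[0x38:0x38 + len(attrs)] = attrs
    return bytes(rec)
```

Run `parse_mft_record(build_sample_record())` to see the name, the non-resident flag and the two extents recovered from nothing but the record bytes, with no file data read at all.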
