
What will Recuva 1.46 find for securely erased files, if anything?


anna24


Read a number of posts here & on other erasing tools' forums, but found nothing concrete about what Recuva (& perhaps tools like it) will show / recover, after running secure erasing tools.

 

Recuva itself has a secure erasing tool, once a search for deleted files is run. But what is generally shown by Recuva for files / folders that were previously securely erased w/ various tools like Eraser, Shredder & numerous others? When Recuva is run immediately after erasing files?

 

I don't know if running widely used "wiping" tools on a test file, on a magnetic HDD, on a NON system partition w/ no VSS, would cause Recuva to not display ANYTHING for the wiped file (under the specified circumstances).

 

When I erase "test" files using Eraser 6.x or Shredder 2.5, then immediately run Recuva, it finds NO trace of the erased files (or at least doesn't show any). That's w/ ALL the Recuva options checked under "Options," except Show Non Deleted files.

"Show Securely Erased Files" is checked, which seems to indicate there would BE something to show.

 

But it shows nothing - which is good - if the result is accurate & it's not just "failing to display" whatever remnants are left of securely erased files, even if random data. The absence of displayed data doesn't mean there IS no data. Please don't start the discussion, "the only way to be positive that data is unrecoverable is to destroy the device..." I'm asking about a specific set of events here.

 

By contrast, erasing free space on a partition using CCleaner (admittedly a different process than erasing a file), then Recuva shows a few folders w/ clearly obfuscated names & no recoverable data. That's fine.

 

I've just not found "documentation" of what recovery tools like Recuva will / won't be able to find & display, after running (well known, respected) erasing tools at the file / folder level, under circumstances described above.

 

Thanks.

Link to comment
Share on other sites

Guest Keatah

I will suspect, but cannot say for sure as I've not fully investigated what that option does in Recuva. It may look for CCleaner's or Recuva's overwriting pattern or some other signature that is placed there by an erasing program. A developer or mod-in-the-know would need to comment on what criteria it looks for.

The bulk of erasers out there just write patterns over un-used clusters & sectors. They also obfuscate filenames by filling in a pattern or garbage. They typically target the $MFT and the sectors associated with the file being erased. You would need to investigate each program individually.

 

I would tend to believe Recuva would only recover what it or any other recovery utility can see. It doesn't do any forensic magic or off-track reading. No black magic. It would report back any obfuscated file, with the obfuscating name perhaps, and maybe the obfuscating data. But the actual former data? Not if it was properly overwritten. Not a chance!

 

So it is your responsibility to either trust or verify the activities of whatever erasing program you are using.

 

Ideally, let's say you have a file called Science.doc, and you properly erase it. This means having your erase program look it up in the directory folder & $MFT (windows machines) and getting all the location information about it, including the hidden alternate data streams, any traces in windows, any USN Journal entries, Bitmap records, all that good stuff. And of course the sector numbers of where it is on the disk.

 

Then your erase program should overwrite all the referencing traces, alternate streams, NTFS $Metafile references, logs, registry records & activities. And on rarer occasions parts of a file may be left in hiberfile.sys and pagefile.sys. And lastly it should erase or obfuscate the name from the $MFT.

 

While many erase programs zap the clusters and sectors by default, it remains to be seen and talked about if they dig into the other areas I mentioned. Bits of the file and records of its past existence are numerous.

 

The cheapest and most effective forensic wipe is the Secure Erase built into all modern drives. That combined with 1-pass random wipe. This Secure Erase I'm talking about is a full drive zap and is conducted by the disk's firmware.

 

The paranoid will always do that Gutmann thing and burn out their drive in the process!

Link to comment
Share on other sites
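One way to do the "verify" part of the advice above, as an added example that is not part of the original posts: plant a unique random marker in the test file, erase it with the tool under test, then scan an image of the volume (or the raw volume itself) for the marker instead of relying on what a recovery tool chooses to display. The function names, the marker format and the constructed `volume.img` are assumptions made for this sketch.

```python
import os
import secrets
import tempfile

def make_canary(n_bytes=32):
    """Random marker that will not occur on the volume by chance."""
    return b"CANARY-" + secrets.token_hex(n_bytes).encode("ascii")

def write_test_file(path, canary, copies=64):
    """Create the file to be erased: the marker padded to 4 KiB blocks, repeated."""
    block = canary.ljust(4096, b"\0")
    with open(path, "wb") as f:
        f.write(block * copies)
        f.flush()
        os.fsync(f.fileno())  # force it to disk before the eraser runs

def find_canary(image_path, canary, chunk=1 << 20):
    """Return the byte offsets at which the marker is still present."""
    hits, offset, tail = [], 0, b""
    keep = len(canary) - 1  # overlap, so a marker split across two reads is found
    with open(image_path, "rb") as f:
        while data := f.read(chunk):
            buf = tail + data
            base = offset - len(tail)  # absolute offset of buf[0]
            pos = buf.find(canary)
            while pos != -1:
                hits.append(base + pos)
                pos = buf.find(canary, pos + 1)
            tail = buf[-keep:]
            offset += len(data)
    return hits

def demo():
    """Constructed 12 KiB 'volume': marker straddles a read boundary, then is overwritten."""
    canary = make_canary()
    data = bytearray(os.urandom(3 * 4096))
    data[4090:4090 + len(canary)] = canary
    results = []
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "volume.img")
        for wiped in (False, True):
            if wiped:  # stand-in for an eraser overwriting the file's clusters
                data[4090:4090 + len(canary)] = os.urandom(len(canary))
            with open(img, "wb") as f:
                f.write(data)
            results.append(find_canary(img, canary, chunk=4096))
    return results  # [[4090], []]
```

Any offset returned after the erase is a place the tool did not overwrite. An empty result only covers byte-for-byte copies of the marker on the volume that was scanned, so compressed or encrypted storage and copies held on other volumes need their own check.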

Guest Keatah

Uhh huh.. I ran CCleaner's wipe $MFT and wipe free space. I then ran Recuva. And toggling the "show securely overwritten files" either displayed thousands of zzzz.z.z....z.z.z.z.zz.. files or not.

 

So that function is either looking for a signature left by CCleaner or a flag set by it. Someone from Piriform will need to explain it in a concise and confident manner.

Link to comment
Share on other sites

  • Moderators

To answer the OP's question would require knowledge of the other products, which I don't have.

 

Recuva uses the file name to identify whether the file is securely deleted or not. There are no flags or file signatures. You can create a file, rename it to ZZZ.ZZZ or some variant, and then shift/delete it. Recuva will class it as a securely deleted file, even though it isn't.

 

PS This may not be concise or confident, but then I'm not someone from Piriform.

Link to comment
Share on other sites

Perhaps it is a general convention for Recovery tools that when reporting files for which they have no information,

then they will NOT present such files at the start of an alphanumeric sorted list,

but put it at the end of the list after all the useful stuff they can retrieve,

and ZZZ.Z. etc is a pretty good name for that purpose.

Link to comment
Share on other sites

Some users of OTHER erasing tools than CCleaner or Recuva's own erasing function, must have then used Recuva to see what's detected.

When I erase "test" files using Eraser 6.x or Shredder 2.5, then immediately run Recuva, it finds NO trace of the erased files...

But it shows nothing - which is good - if the result is accurate

There may also be a difference (for some tools) in erasing files vs. free disk space - or not. Of course, Recuva is designed to recover deleted files, but it HAS an option to "show securely erased files."

 

I was asking what it typically shows after erasing files w/ tools like Eraser, Shredder, etc. - not after wiping free space w/ CCleaner. In my case, it finds nothing after using other tools.

Per documentation, "show securely erased files" is intended for use after wiping recovered, deleted files using Recuva's erasing tool. https://www.piriform...options-actions

Link to comment
Share on other sites
