Some issues with Recuva- MFT entries and Hangs

[windyplayer]

With all the recent news stories about privacy, it has become even more important to some of us.

 

Recuva has a nice design and is easy and clear to use right out of the box with little study and up front training. Many competing products don't do nearly as well.

However, it seems that Recuva has some flaws regarding the leakage of information.

 

I recently did a backup of some old files from older media to newer media and after that operation I wanted to assure that no traces of those old files were left on my disk. First the 8GB of so of files were deleted from the disk in the normal way. Then File Shredder was used to attempt to clean the free space.

Then I went looking for a good program to make sure that File Shredder had done its work.

 

Recuva showed that File Shredder did not do a very good job. Recuva found some 7500 files many of which were recoverable. Well dozens of files, some images in fact, were recoverable to some extent. Enough that if the files were embarrasing or had legal or privacy issues, much information would have leaked out. So File Shredder does not do a good job of cleaning out Free Space. But back to Recuva.

 

I then deleted all the recovered files securely using Recuva. Then I used Recuva again to recover the files to see how well Recuva did of securely deleting the files. Both scans were shallow scans, not deep scans.

1. Almost all the files were still present in the MFT. So the names of the files most of their folder paths are still available. This is a problem for those of us who are really interested in privacy, or have legal or intellectual property concerns.
    
   
2. Some files were not securely deleted. Esp some small text files and small GIF images. They were competely recovered.
    
   
3. The larger files were deleted securely in terms of their contents.
    
   
4. During the recovery some files hung Recuva to the extent that it needed to be stopped and restarted without those files in the recover list. The recovery was from one disk to an external USB drive to avoid any issues with recovering to the same disk where the files resided. As I said there were about 7500 files, 8+GB of space to be recovered. The files that hung Recuva began with mpcache- and a video file. The files were quite large - some were almost 200MB in length. I suggest that you look into the file scan process that determines if a file has been over allocated in the MFT, since that algorithm may have a condition that causes it to loop. Also I suggest that if that process takes too long, you might just bail out and ignore the file, since it's likely not of interest anyway.
   

So my conclusion is that Recuva does much of the problem of providing data privacy, security and legal / intellectual property issues. However, leaving the MFT entries intact after a secure deletion allows enough data leakage that privacy / security / legal issues are compromised.

 

I suggest that you take the extra step to do something to remove the residue from the MFT so that no trace of the files exist on the hard drive.

 

Thanks for most of a great product with a well designed interface.

 

- wp

[Augeas]

Recuva does not overwrite the file name or other info in the MFT as there is no safe facility within NTFS to do that. To remove old MFT entries use Wipe Free Space - with the Wipe MFT box checked - in CCleaner.

[systemtest]

Curious. Since there is no safe NTFS facility to do it, but ccleaner does it while working in/under NTFS; one can conclude that CCleaner is unsafe.

[Alan_B]

Curious. Since there is no safe NTFS facility to do it, but ccleaner does it while working in/under NTFS; one can conclude that CCleaner is unsafe.

Strange that you understand Windows better than the Piriform developers,

and know exactly what the Microsoft restrictions are,

and the method that Piriform avoids them and why that method is flawed.

[Augeas]

Systemtest, not at all. CC uses a different method, it simply mimics what a user might do. CC Wipe MFT creates enough small files to fill all the free records in the MFT, and then deletes them. There will still be the same number of free records in the MFT (more or less) but the data they contain will be gibberish. Anyone can do that manually with patience.

 

Recuva however has to deal with an already deleted file. It can overwrite the file's data blocks, and does so, but there is no API command that will amend a free record in the MFT. NTFS will not allow it, and quite rightly so, and Microsoft have not seen the need for it. You can open a hex editor and alter the contents of a record in the MFT, but within a few seconds NTFS will detect the illegal changes and back them out (and send someone round to break your fingers).