Recuva finding thousands of files after drive wipe

[diverjer]

Ran drive wipe on a USB drive with simple overwrite 1 pass and wipe MFT free space.  Took 10 hours on this slow 256GB USB Drive.    Then I ran Recuva and the quick scan found nothing in a few seconds.  Then ran deep scan and it's found 3,009 files and says it will run for at least 2 more hours.  How is that possible, I thought the 1 pass overwrite wrote 0's over top of the whole 256GB.  Want to get data off this USB drive as it has a speed problem and PNY says to return it.  Thinking I may just be out the cost and won't return the drive?  Using Crystal Disk to check access time for reads and write and it is very slow.  But would not want PNY to have the drive if data can be recovered.  

[Guest johnccleaner]

It's possible for data to be recovered after a 1-pass wipe, so that's not unexpected. You might try recovering a few of these files to see if there seems to actually be any useful data that can be recovered; if not, you may not have anything to worry about.

If it does seem like any files are intact, I would recommend formatting the drive, then performing a multiple pass wipe (at least a 3 or 7 pass wipe).

After that, it is possible that some file names might still be viewable via a file recovery program, but it should highly unlikely for data to be recovered.

(Note that the only 100% effective way to prevent any data from being recovered is to physically destroy the drive.)

[diverjer]

About 1 minute into the Recuva deep scan it displayed that it found the 3,009 files, but didn't list anything.   Also, displayed that it would run for 2 hours or more.   I just let it run and about 8 hours later found it was finished.  Had files names displayed and a summary of 2,476 files found and 534 ignored, that adds up to the 3,009 it discovered in the first minute.  File names it displayed are familiar, path is weird all f:\?\ 

Recuva came up with that 3,009 within seconds makes me think CCleaner didn't really wipe out the MFT, but that makes sense as the options says wipe MFT free space. 

I may just keep it as it was only $19.00.  I got some really strong magnets that constructions sites use to pick up nails etc, thought about that.  However, many say that doesn't work on this type of drive.    Running CCleaner with option 3 or 7 check might run a week.  Takes 10 hours with 1 overwrite and I actually ran that twice so it gotten 2 overwrites.   Then it's not like I sit there and watch it run. 

Think you are right only way to be sure data not there, especially for an OCD person like me, is a hammer.   Just for fun I might try that big magnet.  It's is so strong it dangerous, you would not want your hand  within a foot of magnet and a piece of metal.   

 

[diverjer]

What the heck, I started again with a 3 overwrite, just to see if any difference.  Added option checked to alternate date streams and cluster tips, don't know if that has any affect on the drive wipe option or not?  .  Only going to take 1 day 3 hours and 39 minutes. 

Edited January 27, 2023 by diverjer

[Andavari]

You could alternatively just do a full format using what's built into Windows which will actually securely wipe the whole partition of the USB flash drive. Warning: Doing a full format of USB flash drives with for example Windows 10 built in format tool is a very effective way of killing drive making it locked/write-protected.

[diverjer]

Well after a day and one half of cleaning with 3 overwrites, Revuva says found 0 files ignored 24 and there weren't anything listed to recover.  Much different than before.  Kind of like before Recuva ran deep scan for a few seconds and says found 24 files and then after another another 46 minutes of scanning, I get the message "Found 0 files 24 ignored in 46 minutes". 

Wonder what those 24 files are that it finds within a few seconds and after 46 minutes ignored?   Guess that would be a question for another site.

[Augeas]

The 24 files ignored are most likely the system files that are reinstated after the device has been erased (by Drive Wiper) and then formatted as NTFS. They are ignored as Recuva ignores live files - unless you specifically ask otherwise. They will not contain any user data.

There's quite a lot of confusion in this thread. I don't know if you were initially using Drive Wiper from Tools or Wipe Free Space from Options/Settings. Drive Wiper doen not, as far as I know, have an option to wipe the MFT, you get it whether you want it or not.  Alternate data streams and cluster tips belong to Secure File Deletion, a separate process entirely that doesn't affect Wipe Free Space. Furthermore the WFS settings in Options/Settings are ignored by Drive Wiper. They are two different independent processes.

Wipe Free Space in Options/Settings does not allow you to erase any live user data, and this is perhaps what you were using on the first run. Drive Wiper in Tools does allow a complete disk and data erase, which is what appears to have happened in the second run.

The second run seems to have done the trick. Multiple passes should not be required and on NAND flash are positively horrendous.

[diverjer]

I can see why it is confusing.  I didn't know if Options, Settings had any carryover to what I actually used which was Tools, Drive Wiper, Entire Drive, Passes and Drive letter.    From what is said, I guessing that Options, Settings has no affect on the Tools, Drive Wiper, Entire Drive, Passes and Drive letter function.  I did do a quick format of f: as NTSF and then ran Recuv again with box 1,2,3,5 checked and got 24 files listed.  Looked like system files. 

 

[Augeas]

Yes, Drive Wiper in Tools is entirely independent of any other CC setting. It is confusing to have two ways of wiping free space within CC, but that's how it is. Anyway you seem to have found a solution.

[nukecad]

Just to chime in here.
(and to note that I'm no expert on Recuva. I've only ever used Recuva once, I usually have backups for if something goes wrong).

That 3rd option in the Recuva actions: "Show securely overwritten files".

I think that the only way it could do that is by reading from the MFT what files used to be there but have since been deleted.
It couldn't know from the actual data because that's been overwritten.

TBH it seems an odd option to have if the files can't be recovered anyway because they have been securely overwritten, but I guess someone might want to try and see what used to be there even if there's no real chance of getting it back?

[diverjer]

I certainly don't understand Recuva, just tried those actions, they are not the default.  I believe the 5th one is on by default.  

CCleaner wipe did a format at the end of running and I think that put the 24 files out there that are ignored.    I think they must be system files as it found 24 files seconds after starting-- then ran a day and half wiping data 3 times.  I was lucky and just happen to look at CCleaner before heading out to eat some lunch.  Seen it running with a 2 minutes  remaining so I watched it finish.  When it finished is when I seen it do a format.  I had no idea it did a format at the end of a drive wipe.  

I played around later and did a format using exFAt and then ran Recuva and with actions above and it had only 2 files (don't see with explore).

Went back and ran format back to NTSF and ran Recuva with actions shown above and it showed the 24 files again (don't see with explore).  

So those files that it finds at first must be system files and it recreates them again at the end with the format.  

Anyway feel sure my USB drive is clean and think I know a little bit more about CCleaner wipe and Recuva as well as files created by Format.  Usually with explore after a format you just see system volume after a format and can't drill down into it to see what it contains.    Or if you can I haven't made the effort to try it.  Thinking Recuva is showing what is in that system volume?

[Augeas]

If, in Recuva, you select Scan for Non-Deleted Files and run a standard quick scan then the 24 system files will magically appear. They will all begin with a $ sign, with the first being the $MFT.

 

[diverjer]

Yep here is NTSF format

[diverjer]

This is after exFAT format

[Andavari]

On 28/01/2023 at 19:30, diverjer said:

got 24 files listed.  Looked like system files.

Possibly was because modern versions of Windows always annoyingly in my opinion place a hidden 'System Volume Information' folder and some files inside that folder on all drives attached to the system. It even does that on USB flash drives formatted as FAT, FAT32, exFAT - think it would just be reserved for just NTFS but no it's every file system that I've seen. It's one of the reasons those USB flash drive full capacity write testing tools that check every byte on a drive to make sure it isn't counterfeit complain at the very end of the test that they couldn't check a certain amount of bytes.

[Augeas]

My Sys Vol Info folders are empty. The 24 files are, as the O/P listed, all system files required by NTFS to work. You can't avoid them. You can edit them, if you have a perverse nature (and a hex editor), but NTFS will change them back again a few seconds later. I know, I've tried it.

[InThoseBushesOverThere]

On 28/01/2023 at 23:03, nukecad said:

TBH it seems an odd option to have if the files can't be recovered anyway because they have been securely overwritten, but I guess someone might want to try and see what used to be there even if there's no real chance of getting it back?

Yes, precisely that. I once accidentally deleted a project and lost everything. A recovery tool was able to recover what files were in the project. Even though the files were just gibberish beyond repair, it was still immensely helpful to me to see what was there before so I could start over and use those corrupted files as a guide.

[Augeas]

I think it's a bit of flam. Recuva can't tell whether a file has been securely overwritten or not (not after the event anyway) as a secure overwrite is simply an edit. Recuva will list all deleted files from the MFT whether they have been 'securely overwritten' or not.