
Cleaning $MFT on an NTFS drive


Idle


MrRon wrote (http://forum.piriform.com/index.php?s=&amp...st&p=128971) that fully wiping the $MFT on an NTFS drive is a feature being worked on at Piriform.

 

How will the method work?

 

Microsoft's own wiping tool SDelete does not do it.

 

From: http://technet.microsoft.com/en-us/sysinte...s/bb897443.aspx

 

"The reason that SDelete does not securely delete file names when cleaning disk free space is that deleting them would require direct manipulation of directory structures. Directory structures can have free space containing deleted file names, but the free directory space is not available for allocation to other files. Hence, SDelete has no way of allocating this free space so that it can securely overwrite it."

 

-Idle


  • Moderators

From what I can make of M/S's description of SDelete, it is saying that it doesn't (and can't) use its chosen secure overwrite method, to wit the DOD standard, to overwrite file names in the MFT, so instead it renames the files 26 times, which might be considered secure if not overkill.

If SDelete did what it said then one would end up with a jam-packed useless disk. It doesn't seem to say that at the end of the allocation and overwrites/renames it deletes all the files it has created, but perhaps I'm nit-picking.

I have no idea how Piriform are going to manage overwriting 'spare' filenames in the MFT, and they probably won't tell us. I hope they won't use SDelete's method. Maybe it will be to scan the MFT, count up the number of slots containing deleted file names, allocate the same number of new small files with some max length file name, then delete the lot. Huh, anyone could do that!


If you want to wipe deleted and securely deleted files, including MFT entries (e.g., file names), download the freeware:

 

Revo Uninstaller

http://www.revouninstaller.com/revo_uninst...e_download.html

 

It comes in both installed and portable versions. Open it, go to Tools -> Tracks Cleaner (at bottom) -> Evidence Remover, select the desired drive and run it. Once done, run Recuva and you'll see that everything's gone. Just beautiful and safe.


This project has ntfswipe with the --mft option, but it doesn't appear to be functional: http://gnuwin32.sourceforge.net/packages/ntfsprogs.htm

 

It's a port from http://www.linux-ntfs.org

 

Since there isn't a manpage for ntfswipe in the package, the status of the program is unclear.

 

-Idle

 

Correction: The status is "broken" as per the project page: http://www.linux-ntfs.org/doku.php?id=ntfswipe

 

-Idle
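
The residue this thread is about, as an added example (not code from any poster, Piriform or Microsoft): deleting a file on NTFS clears the in-use flag in its MFT record but leaves the $FILE_NAME attribute in place until the record is reused, which is what recovery tools read. The code scans a small constructed MFT image and lists such records, which is also a way to check whether a wipe actually cleared them; the 1024-byte record size, the sample names and the `make_record` helper are assumptions, and update-sequence fixups are not applied.

```python
import struct

RECORD_SIZE = 1024   # common MFT record size; assumed for the constructed sample
ATTR_FILE_NAME, ATTR_END, FLAG_IN_USE = 0x30, 0xFFFFFFFF, 0x0001

def file_names(record):
    """Return names from resident $FILE_NAME attributes in one FILE record."""
    names = []
    off = struct.unpack_from("<H", record, 0x14)[0]    # offset of first attribute
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == ATTR_END or alen == 0 or off + alen > len(record):
            break                                      # end marker or malformed
        if atype == ATTR_FILE_NAME and record[off + 8] == 0:   # resident form
            coff = off + struct.unpack_from("<H", record, off + 0x14)[0]
            nlen = record[coff + 0x40]                 # length in UTF-16 units
            raw = record[coff + 0x42: coff + 0x42 + 2 * nlen]
            names.append(raw.decode("utf-16-le", errors="replace"))
        off += alen
    return names

def deleted_names(mft):
    """List (record number, names) for records not in use that still hold names."""
    found = []
    for n in range(len(mft) // RECORD_SIZE):
        rec = mft[n * RECORD_SIZE:(n + 1) * RECORD_SIZE]
        if rec[:4] != b"FILE":
            continue                                   # never used, or corrupt
        flags = struct.unpack_from("<H", rec, 0x16)[0]
        names = [] if flags & FLAG_IN_USE else file_names(rec)
        if names:
            found.append((n, names))
    return found

def make_record(name, in_use):
    """Hypothetical helper: build a minimal FILE record (constructed sample data)."""
    body = bytes(0x40) + bytes([len(name), 1]) + name.encode("utf-16-le")
    body += bytes(-len(body) % 8)                      # attributes are 8-byte aligned
    attr = struct.pack("<IIBBHHHIHH", ATTR_FILE_NAME, 0x18 + len(body),
                       0, 0, 0, 0, 0, len(body), 0x18, 0) + body
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 0x14, 0x38, FLAG_IN_USE if in_use else 0)
    rec[0x38:0x38 + len(attr)] = attr
    struct.pack_into("<I", rec, 0x38 + len(attr), ATTR_END)
    return bytes(rec)

# Constructed image: one live file, one deleted file, one never-used slot.
SAMPLE_MFT = make_record("live.docx", True) + make_record("old-plan.txt", False) + bytes(RECORD_SIZE)
print(deleted_names(SAMPLE_MFT))
```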
