Erased pictures actually erased?


pkeith89


I know there are a few topics that are similar to this, but after searching for a bit, I haven't found one that answers my range of questions, so I figured I would post one asking about this:

 

Suppose someone has a computer they are cleaning.

 

Then suppose that that person comes across 'suggestible images' on their computer that they don't want anyone to ever know about (don't worry, nothing that could get one locked up away somewhere - just pictures that they want removed from the face of the earth).

 

So that person then uses deep scanning with Recuva and overwrites them with 7+ passes, and there are no errors in this process. The person then decides to do another deep scan to see how much was actually removed. The same # of files found come up, this time with many more ignored, which they assume to be the overwritten files or files of 0 size (so they don't matter anyway as far as recoverable). Some of the images that are found using the deep scan are (after the person goes to the info section) denoted 'unrecoverable', and yet the thumbnail of the image is completely intact. A large number of these thumbnails are the images they don't want to be seen.

 

The person then overwrites everything found again, uses CCleaner with free space wiping enabled, and basically every 'deep clean' option available, all with more than a single overwrite each time. This person does this process several times in a row over a period of several days (usually letting it run overnight - never both at the same time). They then run Recuva again with deep scan selected and the same thing happens. It appears to this person as though these images will not die. What do they have to do to kill them?

 

My thought about this situation has been that they are somehow stored in some kind of temp file in Recuva (if it sounds like I don't know what I'm talking about it's because I don't - I have a moderate understanding about computers in general but not enough to be called skilled). As a result, even if they are overwritten, Recuva will be able to display what they look like. Is this accurate to assume? Suppose the person uninstalls then reinstalls Recuva. Would the thumbnails be gone?

 

What would you suggest this person to do? They have already ordered a new hard drive but would still like peace of mind that the pictures can somehow go away.

 

Thanks


  • Moderators

Given infinite time, resources and money, any data on a working DiscDrive can be recovered. The only way to reliably remove data from the slightest possibility of recovery is to physically destroy the drive (drill presses, drowning in salt water and shooting with a rifle are all popular ways of doing this).

 

ADVICE FOR USING CCleaner'S REGISTRY INTEGRITY SECTION

DON'T JUST CLEAN EVERYTHING THAT'S CHECKED OFF.

Do your Registry Cleaning in small bits (at the very least Check-mark by Check-mark)

ALWAYS BACKUP THE ENTRY, YOU NEVER KNOW WHAT YOU'LL BREAK IF YOU DON'T.

Support at https://support.ccleaner.com/s/?language=en_US

Pro users file a PRIORITY SUPPORT via email support@ccleaner.com


  • Moderators

Just say 'I', it's less confusing than this person or that person, and one pass overwrite will stop a little more of your life slipping away pointlessly.

 

(A lot of this is generalising, and applies to NTFS only.) All file names, cluster addresses, file sizes etc are held in records in the Master File Table. The records can be reused, but not deleted, so the MFT does not shrink in size. When Recuva does a normal scan it will list the file names from the MFT. When Recuva does a deep scan it runs a normal scan first before looking at the unallocated data clusters.
 
A deep scan looks at each cluster and recognises - or not - a file signature. That's how it knows that the cluster is the start of a valid file. However a deep scan can only extract clusters sequentially, there is no file signature in subsequent file extents so they can't be patched together. A deep scan will not usually return any file name or directory info from these clusters, as that info is held in the MFT and there is no link back from cluster to MFT.
 
The ignored file count consists of undeleted files, zero length files, system files etc. Check the top four boxes in Options/Actions to see all these files.
 
If you run a wipe free space from CC Options/Settings then the records in the MFT will not be cleared, and file names will still be seen in Recuva even though the data is rubbish. If you select Wipe MFT then the file names of the deleted records in the MFT will be filled with rubbish (ZZZ's). If you use Drive Wiper you will get a free wipe MFT thrown in.
 
The act of wiping free space (there is no wiping, or erasing, or cleaning, or deleting, or cleansing, or whatever, all you can do to a storage device is write to it and read from it) is actually filling up all the unallocated clusters by creating large zero-content files and then deleting them. In other words the Windows file system – NTFS – allocates and deletes the files.
 
The act of wiping the MFT is similar, but a number of small (712 byte) files sufficient to fill all the deleted records in the MFT are created and deleted. You will still have the same number of deleted files but they will be rubbish, and the cluster addresses in the MFT records will no longer point to the old deleted file’s data.
 
On the rare times I have tested wfs on small test volumes – I can’t be bothered to run it on my main drives – I have seen 100% overwrites of unallocated space. If some data can be seen after a wfs it is because a wipe MFT has not been done (or Drive Wiper not used) and the clusters of a deleted record, as addressed in the MFT entry, have been used by a newer live record, so that both the deleted and new file cluster addresses point to the same cluster. Looking at the deleted file with Recuva will show the live data. The clusters of the deleted file cannot be overwritten as that would overwrite the live file.
 
 

 

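The behaviour described in the post above, as an added example that is not part of the thread and is not code from Recuva or CCleaner: a toy volume with a simplified record table, showing what a normal scan and a deep scan return before and after a free-space wipe and an MFT wipe. The `Record` class, the file names, the 8-cluster volume and the junk name are constructed assumptions.

```python
from dataclasses import dataclass, field

CLUSTER = 4096                      # bytes per cluster in this toy volume
JPEG_MAGIC = b"\xff\xd8\xff"        # file signature a deep scan looks for

@dataclass
class Record:                       # simplified stand-in for one MFT record
    name: str
    clusters: list = field(default_factory=list)
    deleted: bool = False

def live_clusters(mft):
    return {c for r in mft if not r.deleted for c in r.clusters}

def peek(disk, cluster):
    return bytes(disk[cluster * CLUSTER:cluster * CLUSTER + 8])

def normal_scan(mft, disk):
    """Deleted records, with the bytes their stored cluster address holds now."""
    return [(r.name, peek(disk, r.clusters[0]) if r.clusters else b"")
            for r in mft if r.deleted]

def deep_scan(mft, disk):
    """Unallocated clusters that begin with a known file signature."""
    live = live_clusters(mft)
    return [c for c in range(len(disk) // CLUSTER)
            if c not in live and disk.startswith(JPEG_MAGIC, c * CLUSTER)]

def wipe_free_space(mft, disk):
    """Overwrite every unallocated cluster; live clusters are never touched."""
    live = live_clusters(mft)
    for c in range(len(disk) // CLUSTER):
        if c not in live:
            disk[c * CLUSTER:(c + 1) * CLUSTER] = bytes(CLUSTER)

def wipe_mft(mft):
    """Reuse each deleted record for a junk-named file with no data clusters."""
    for r in mft:
        if r.deleted:
            r.name, r.clusters = "ZZZZZZZZ.ZZZ", []   # constructed junk name

def build_volume():
    """Constructed sample: two deleted JPEG records, one with a reused cluster."""
    disk = bytearray(8 * CLUSTER)
    disk[2 * CLUSTER:2 * CLUSTER + 11] = JPEG_MAGIC + b"old-data"
    disk[3 * CLUSTER:3 * CLUSTER + 9] = b"live-data"   # cluster 3 was reused
    mft = [Record("a.jpg", [2], deleted=True),
           Record("b.jpg", [3], deleted=True),         # stale cluster address
           Record("notes.txt", [3])]                   # live owner of cluster 3
    return mft, disk

def run_demo():
    mft, disk = build_volume()
    out = {"deep_before": deep_scan(mft, disk),
           "normal_before": normal_scan(mft, disk)}
    wipe_free_space(mft, disk)
    out["deep_after_wfs"] = deep_scan(mft, disk)
    out["normal_after_wfs"] = normal_scan(mft, disk)
    wipe_mft(mft)
    out["normal_after_mft"] = normal_scan(mft, disk)
    return out

if __name__ == "__main__":
    for step, result in run_demo().items():
        print(step, result)
```

After the free-space wipe the deleted name `a.jpg` is still listed but points at zeros, while `b.jpg` keeps showing the live file's bytes until the record itself is reused.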

Given infinite time, resources and money, any data on a working DiscDrive can be recovered. The only way to reliably remove data from the slightest possibility of recovery is to physically destroy the drive (drill presses, drowning in salt water and shooting with a rifle are all popular ways of doing this).

 

Out of curiosity, how is this possible? If a file is overwritten with random digits, then overwritten again with different random digits, then overwritten again, how is it possible for any piece of software to accurately restore a file? Even if it was somehow able to restore one full overwrite maybe by being able to recognize how a file was overwritten, how would it be able to do this for multiple overwrites?

 

 

 

Just say 'I', it's less confusing than this person or that person, and one pass overwrite will stop a little more of your life slipping away pointlessly.

 

(A lot of this is generalising, and applies to NTFS only.) All file names, cluster addresses, file sizes etc are held in records in the Master File Table. The records can be reused, but not deleted, so the MFT does not shrink in size. When Recuva does a normal scan it will list the file names from the MFT. When Recuva does a deep scan it runs a normal scan first before looking at the unallocated data clusters.
 
A deep scan looks at each cluster and recognises - or not - a file signature. That's how it knows that the cluster is the start of a valid file. However a deep scan can only extract clusters sequentially, there is no file signature in subsequent file extents so they can't be patched together. A deep scan will not usually return any file name or directory info from these clusters, as that info is held in the MFT and there is no link back from cluster to MFT.
 
The ignored file count consists of undeleted files, zero length files, system files etc. Check the top four boxes in Options/Actions to see all these files.
 
If you run a wipe free space from CC Options/Settings then the records in the MFT will not be cleared, and file names will still be seen in Recuva even though the data is rubbish. If you select Wipe MFT then the file names of the deleted records in the MFT will be filled with rubbish (ZZZ's). If you use Drive Wiper you will get a free wipe MFT thrown in.
 
The act of wiping free space (there is no wiping, or erasing, or cleaning, or deleting, or cleansing, or whatever, all you can do to a storage device is write to it and read from it) is actually filling up all the unallocated clusters by creating large zero-content files and then deleting them. In other words the Windows file system – NTFS – allocates and deletes the files.
 
The act of wiping the MFT is similar, but a number of small (712 byte) files sufficient to fill all the deleted records in the MFT are created and deleted. You will still have the same number of deleted files but they will be rubbish, and the cluster addresses in the MFT records will no longer point to the old deleted file’s data.
 
On the rare times I have tested wfs on small test volumes – I can’t be bothered to run it on my main drives – I have seen 100% overwrites of unallocated space. If some data can be seen after a wfs it is because a wipe MFT has not been done (or Drive Wiper not used) and the clusters of a deleted record, as addressed in the MFT entry, have been used by a newer live record, so that both the deleted and new file cluster addresses point to the same cluster. Looking at the deleted file with Recuva will show the live data. The clusters of the deleted file cannot be overwritten as that would overwrite the live file.

 

 

Sorry, I will use 'I' from now on, although I was asking for a friend.

 

I wasn't able to follow this with 100% understanding, but if I understand it generally, are you suggesting that perhaps the MFT wipes are not really wipes?

 

Thank you for the info, guys


  • Moderators

 

Out of curiosity, how is this possible? If a file is overwritten with random digits, then overwritten again with different random digits, then overwritten again, how is it possible for any piece of software to accurately restore a file? Even if it was somehow able to restore one full overwrite maybe by being able to recognize how a file was overwritten, how would it be able to do this for multiple overwrites? 
In layman's terms (or as much as possible), destruction of data is a whole different thing than what you think of when you hear the word. A bit (1/8 of a byte) is written to a piece of hardware - be it Hard Disc or NVRAM (like a phone, or SSD or USB stick) - via electrical energy; electrons fundamentally change the structure of the minerals used in that device (a hard drive is magnetized, its electrons switched between positive and negative). Through the power of - what I, a very learned person when it comes to computers, can only assume is - witchcraft, software (sometimes using the MFT as an index like Recuva, sometimes not) can read the history of bits (electrons) binary movements (positive to negative). Thus maybe a free program (Recuva) can't retrieve your 'friend's' data while a Soviet Style Autocracy, or Evil Skynet, with trillions of dollars and an electron microscope and supercomputers programmed by mensa-hackers could retrieve it in nanoseconds....or anywhere in the grey area between the two examples.

Also, no need to quote entire posts (as you have) just the pertinent parts (like mine), no worries it's a mistake I too often make, but it was really hard to scroll through Aug's pist above

 


@ Augeas:
I have a couple of questions relating to this issue.
Am assuming that pkeith89 is concerned about the preview images that recuva finds.
Am assuming that the file system is NTFS.
Am assuming that nothing illegal is going on.  
If there is, there are a gazillion other ways to tie the user to the deeds.  

My questions are about these quoted parts:  
1. "The records can be reused, but not deleted, so the MFT does not shrink in size."
Q 1a:  Is there a maximum size?
Q 1b:  If so what happens when you reach it?  
Q 1c:  Why hasn't my MFT spilled out all over the desk, I have used this computer for many years.  :lol:
 
2. "If you select Wipe MFT then the file names of the deleted records in the MFT will be filled with rubbish (ZZZ's)."
Q 2a:  In this instance does the image still show in Recuva?

3.  "The act of wiping the MFT is similar, but a number of small (712 byte) files sufficient to fill all the deleted records in the MFT are created and deleted. You will still have the same number of deleted files but they will be rubbish, and the cluster addresses in the MFT records will no longer point to the old deleted file’s data."
Q 3a:  In this instance does the image still show in Recuva?

4.  (Rephrased a bit) "... if the address for a deleted file and a new file point to the same cluster ... The clusters of the deleted file cannot be overwritten as that would overwrite the live file."
Q 4a:  In this instance what image will show?  

And a couple of comments:  
Many of the difficulties of wiping a hard drive arise because Windows is using it at the time and files are locked. So, if your friend has ordered a new HDD, there are several options for wiping the old one, once it is not used as the boot drive containing the operating system.

There is DBAN, Darik's Boot and Nuke.  Free.  The DBAN trademark has been sold to Blancco, and they sort of suggest that the older freeware version is questionable, but by all accounts it completely erases the drive it is used on.  
Another option would be to just delete everything from the old drive, give it a full format, then use CCleaner to wipe the free space. Also a free option.  
BE CAREFUL, make sure you wipe the correct drive.

Also, if the data you want to conceal is important enough, destroy the drive. 

Google shows several methods, some quite amusing. 

 

When you overwrite a file, you are rearranging the magnetic media from the arrangement that displayed old file to the arrangement that displays the new file.  Think of it as drawing a picture in wet sand.  The magnetic media is the sand grains.  You rearrange the sand grains to show a picture.  Now wipe that away and draw a new picture.  Same sand grains, just arranged differently. 

The CCleaner SLIM version is always released a bit after any new version; when it is it will be HERE :-)

Pssssst: ... It isn't really a cloud. It's a bunch of big, giant servers.


  • Moderators

Login, please don't derail, the original poster was confused enough by our posts, carry out your question in a separate thread to allow best help to original

 


I thought you might not like my input, but I think the answers to my questions will help explicate Augeas' answer. 

It's why I asked them. 

pkeith89 said

"I wasn't able to follow this with 100% understanding, but if I understand it generally, are you suggesting that perhaps the MFT wipes are not really wipes?"

And think the comments will help also. 


  • Moderators

@pkeith89,

As stated earlier, physical destruction is the ONLY way to guarantee those incriminating Selfies won't come back to haunt you.

It's what all the companies I have worked for do with their dead storage devices; be it 14" Winchester DASD's all the way down to floppies.

It was cheaper, quicker and less effort to replace the medium than to waste the resources trying to achieve the Holy Grail of having sensitive data not be recovered.

Backup now & backup often.
It's your digital life - protect it with a backup.
Three things are certain; Birth, Death and loss of data. You control the last.


  • Moderators

....but it was really hard to scroll through Aug's pist above

 

If only I were Nergal, If only I were.

 

Keith, I'm not sure how to explain the wipe MFT any better, It's just file allocation and deletion. Anyone could do it.

 

(I have to say that I know no more about Recuva or NTFS or the world than anyone else, I've just spent too much time playing with a hex editor.)

 

Login:

 

1a) The MFT is just a very protected file, it can grow to any size.

1b) Then the disk is full.

1c) As the 1k records in the MFT are reused, you will reach some sort of equilibrium, where records are used/deleted/reused and the MFT won't grow any more.

 

2a) No. Wiping the MFT means creating new files which will reuse the deleted records in the MFT. Nothing of the old records, or the files they represented, in the MFT will remain. The image and its preview are held in the file's data clusters, not in the MFT.

 

3a) No (see 2a)

 

4a) The MFT record contains the file's data cluster addresses. If the file is deleted the MFT record still contains these addresses. A new file may be created which uses another MFT record (they are reused in ascending order) but is allocated the same data clusters. So both live and deleted records point to the same clusters. Recuva will see the clusters which contain live data. You can recover the live data if you want to but you can't overwrite it, as it is live data. This will not happen if you have run a wipe MFT, as no deleted record in the MFT will then hold any old cluster addresses. A wipe MFT uses 712-byte files and these files have no data clusters allocated.

 

At the end of all this I don't know why data can be seen after running a wipe free space. But it is very difficult to diagnose anything when you're not actually in front of the pc and can't see what's being done.


Thanks Augeas.  That answers a couple of questions I have had for years. 

 

"At the end of all this I don't know why data can be seen after running a wipe free space."

Maybe, probably, the answer lies in 1c or 4a. 

 

In any case that was as good an explanation as pkeith89 could get anywhere. 

I've looked around quite a bit. 

Most of the gooroos don't cover it nearly as well as Augeas did.

 

Still, the bottom line for pkeith89, imho, depends on the importance of the leftover data. 

The only way to be SURE it is gone is to destroy the machine that held it. 
