Jump to content

Return to Piriform.com

Photo

Cleaning $MFT on an NTFS drive


  • Please log in to reply
4 replies to this topic

#1 OFFLINE Idle

Idle

    Newbie

  • Members
  • Pip
  • 5 posts

Posted 02 March 2009 - 01:13 PM

MrRon wrote: http://forum.pirifor...p...st&p=128971

that fully wiping the $MFT on a NTFS drive is a feature being worked on at Piriform.

How will the method work?

Microsoft's own wiping tool SDelete does not do it.

From: http://technet.micro...s/bb897443.aspx

"
The reason that SDelete does not securely delete file names when cleaning disk free space is that deleting them would require direct manipulation of directory structures. Directory structures can have free space containing deleted file names, but the free directory space is not available for allocation to other files. Hence, SDelete has no way of allocating this free space so that it can securely overwrite it.
"

-Idle

#2 OFFLINE Augeas

Augeas

    Moderator

  • Moderators
  • 2,958 posts
  • Gender:Not Telling
  • Location:Where Stuff is made, UK

Posted 02 March 2009 - 02:16 PM

From what I can make of M/S's description of Sdelete, it is saying that it doesn't (and can't) use its chosen secure overwrite method, to wit the DOD standard, to overwrite file names in the MFT, so instead it renames the files 26 times, which might be considered secure if not overkill.

If Sdelete did what it said then one would end up with a jam-packed useless disk. It doesn't seem to say that at the end of the allocation and overwrites/renames it deletes all the files it has created, but perhaps I'm nit-picking.

I have no idea how Piriform are going to manage overwriting 'spare' filenames in the MFT, and they probably won't tell us. I hope they won't use Sdelete's method. Maybe it will be to scan the MFT, count up the number of slots containing deleted file names, allocate the same number of new small files with some max length file name, then delete the lot. Huh, anyone could do that!

#3 OFFLINE taotra

taotra

    Newbie

  • Members
  • Pip
  • 2 posts

Posted 09 March 2009 - 06:27 PM

If you want to wipe deleted and securely deleted files, including MFT entries (e.g., file names), download the freeware:

Revo Uninstaller
http://www.revounins...e_download.html

It comes in both installed and portable versions. Open it, go to Tools -> Tracks Cleaner (at bottom) -> Evidence Remover, select the desired drive and run it. Once done, run Recuva and you'll see that everything's gone. Just beautiful and safe.

#4 OFFLINE Idle

Idle

    Newbie

  • Members
  • Pip
  • 5 posts

Posted 09 March 2009 - 08:03 PM

This project has ntfswipe with the --mft option, but it doesn't appear to be functional: http://gnuwin32.sour...s/ntfsprogs.htm

It's a port from http://www.linux-ntfs.org

Since there isn't a manpage for ntfswipe in the package, the status of the program is unclear.

-Idle

#5 OFFLINE Idle

Idle

    Newbie

  • Members
  • Pip
  • 5 posts

Posted 09 March 2009 - 08:06 PM

This project has ntfswipe with the --mft option, but it doesn't appear to be functional: http://gnuwin32.sour...s/ntfsprogs.htm

It's a port from http://www.linux-ntfs.org

Since there isn't a manpage for ntfswipe in the package, the status of the program is unclear.

-Idle


Correction: The status is "broken" as per the project page: http://www.linux-ntf...php?id=ntfswipe

-Idle