How does the MFT-cleaning work

[Jeroen1000]

Hi guys,

 

I can't seem to figure out what I should expect. Most tools when erasing a file, just rename it a lot of times so that a weird (more or less random) name ends up in the MFT. Although the clusters this file occupied are overwritten, this behaviour is kind of annoying: some of those random MFT-records 'pretend' to be pictures or documents. This makes my checks for recoverability with Recuva harder. Of course, a fake file name is better than the original name, no doubt about that.

 

What is important is that these MFT record points to a non-existing file. So this record can be reused for a new file. I hope I'm correct thusfar?

 

I believe the MFT-cannot shrink, but can CCcleaner use up these free MFT-records and put something more logical in them like 0001, 0002, 0003, etc?

 

Also, I'm wondering what the MFT-clear does exactly:).

 

cheers,

Jeroen

[Augeas]

As far as I know the only safe way to overwrite unused records in the MFT is to create sufficient 'harmless' files to fill all the unused records, and then delete them. Naturally these harmless files will have some sort of name and format, and can be seen with Recuva (which is presumably what is annoying you).

 

MFT records for deleted files still point to a file and may point to one or more clusters on the disk. Both the MFT records and the clusters they point to can be used by the file system when creating and managing live files.

 

It's up to the CC developers to choose whether they change the naming of the files they create.

 

Is this what you mean by 'what the MFT-clear does'?

[Jeroen1000]

As far as I know the only safe way to overwrite unused records in the MFT is to create sufficient 'harmless' files to fill all the unused records, and then delete them. Naturally these harmless files will have some sort of name and format, and can be seen with Recuva (which is presumably what is annoying you).

 

MFT records for deleted files still point to a file and may point to one or more clusters on the disk. Both the MFT records and the clusters they point to can be used by the file system when creating and managing live files.

 

It's up to the CC developers to choose whether they change the naming of the files they create.

 

Is this what you mean by 'what the MFT-clear does'?

 

Yes that is what I meant. I've been busy doing some testing but I had to cut my most interesting test short as the partition was > 100 GiB and it was taking a lot of time to complete (so I'll have to redo it). So here is what I did:

 

After a Recuva scan (a 'regular' one not a deep scan), it listed the name of an MP3-file and nicely told me which file had overwritten it.

 

I ran a free space wipe with East-Tec eraser 2008, and as expected, the (MFT-record) file name remained. So I have myself a reusable MFT-record that still holds information about an MP3 which has either been moved or deleted.

 

So when I do a free space wipe with CCleaner, it should 'overwrite' (as you described above) the MFT-record belonging to the MP3?

I'll report back if this works.

[eL_PuSHeR]

Some applications like Paragon Partition Manager (or Paragon Defrag) can shrink the MFT.

[Jeroen1000]

I'm happy to report the MFT-cleaner does seem to work. I had an MP3-file reference in the MFT-table, and although the file was no longer physically on disk (it had already been overwritten by another file in this case), its MFT-record was still intact.

 

CCleaner seems to like the letter Z to fill the MFT-record with but I'm okay with that:).