Overwriting question
Goto page 1, 2  Next  :||:
Networking/Security Forums -> Computer Forensics and Incident Response

Author: greyserfer PostPosted: Tue Aug 08, 2006 11:27 pm    Post subject: Overwriting question
    ----
Hi,

I have a question regarding overwriting files. I recently used Tolvanen's Eraser and erased some files by right clicking and choosing the erase option, and also by deleting the files, placing them in the recycle bin and then right clicking on the recycle bin and choosing "erase."

My question is, does the method I chose to overwrite the data make a difference?

I was just curious if the files I erased from the recycle bin could still be traced somehow from its original location? Or will it still be pretty impossible to recover the data?

Author: jansson_markusLocation: Finland PostPosted: Wed Aug 09, 2006 2:29 am    Post subject:
    ----
Basically just one pass of pseudorandom data will be enought to make your data unrecoverable. However, I would suggest tweaking your own erasing patter (in the Eraser) for, lets say 4 overwrites with pseudorandom data.

Also, keep in mind that Windows stores dozens of temporary files, log files, history files, registry hives, etc. etc. about your files and activity. They have to be cleaned up too. Also, dont forget to wipe the free space, file slacks and file names in your hdd:s too (with Eraser) to get "old, deleted files" wiped from the hdd aswell.

But erasing is only trying to resolve problem already taken place. Better option is to encrypt entire hdd (like with Compusec Free) or atleast parts of it (like with Truecrypt) and store your sensitive documents in the encrypted part of the hdd, so that NO plaintext versions of any sensitive documents ever get into your hdd in the first place. Smile

Author: greyserfer PostPosted: Wed Aug 09, 2006 3:47 am    Post subject:
    ----
Thanks, but I'm not sure that that really answered my question.

I just want to know if it matters from which location you overwrite the files (in this case, using Eraser). If I first deleted files and then overwrote them while they were in the Recycle Bin, is that the same thing as erasing them in their original location? Or will there still be a trace of the original file from it's original location?

Is that clear? Or did I just make it sound even more confusing?

Author: Tom BairLocation: Portland, Oregon USA PostPosted: Wed Aug 09, 2006 11:07 am    Post subject:
    ----
When you send a file to the Recycle Bin, the file remains in the original physical location on your hard drive.

Author: jansson_markusLocation: Finland PostPosted: Thu Aug 10, 2006 5:54 am    Post subject:
    ----
Tom Bair wrote:
When you send a file to the Recycle Bin, the file remains in the original physical location on your hard drive.

= Meaning that if you erase the content of recycle bin, those files will be erased. Smile

Author: greyserfer PostPosted: Thu Aug 10, 2006 4:34 pm    Post subject:
    ----
So if I erase the content from the Recycle Bin, does it in effect erase (overwrite) it from the original physical location? Or does the file still exist in the original physical location somewhere?


Also, a seperate question, if I use a program like ccleaner to delete .tmp files, can those still be located on the harddrive somewhere after they've been deleted?

Sorry for all the questions.

Author: patbatemanLocation: philadelphia PostPosted: Thu Aug 10, 2006 5:52 pm    Post subject:
    ----
greyserfer wrote:
So if I erase the content from the Recycle Bin, does it in effect erase (overwrite) it from the original physical location? Or does the file still exist in the original physical location somewhere?


Also, a seperate question, if I use a program like ccleaner to delete .tmp files, can those still be located on the harddrive somewhere after they've been deleted?

Sorry for all the questions.


By default sending something to the recycle bin and then emptying it will not erase anything. It merely marks the clusters that the file occupies as unallocated. This means the OS will just overwrite them next time it needs to. It would be a performance hit to zero out or overwrite every single file with pseudorandom data everytime you wanted to delete something.

In regards to CC cleaner, all that does is delete them - it does not overwrite them.

There are additional pieces of software which you can use to have things overwritten. I think mcafee suite does this now but i dont know what they call it. The only program ive ever used myself is Eraser. I used to to overwrite unallocated space while i went away for a weekend and hoped it didnt wreck my system. All went well. There are some other options as well. You should check it out for yourself.

Edit: Finally read the original post. So you are familiar with the program. In regards to the different methods I assume it says dod short, long, guttmann, RCMP something or other, and psuedorandom data. They are just different specs for deleting data. DoD is Department of Defense in the USA, and RCMP is Royal Canadian Mounted Police. Dod short is 3 pass and long is 7 IIRC. The guttman pattern is 35 pass, but he has said himself that that method is somewhat dated. He follows up by saying that a few passed of random data is the best you are going to get. Google his name and you will find his original paper on the subject.

Author: greyserfer PostPosted: Thu Aug 10, 2006 7:44 pm    Post subject:
    ----
Hi, thanks for the response.

I guess my question is still, whether or not files I erased (using eraser) out of the recycling bin is actually physically erased on the HD or if it's just the pointer to that file that is erased and the actual file is still physically on the drive somewhere.

Author: GroovicusLocation: Centerville, South Dakota PostPosted: Thu Aug 10, 2006 7:56 pm    Post subject:
    ----
That's actually pretty easy to find out for yourself. DO the deletion and erasing, and then use PC File Inspector to see if the file still exists. The file is free, and I am sort of curious as to what results you come up with.

Author: patbatemanLocation: philadelphia PostPosted: Thu Aug 10, 2006 8:12 pm    Post subject:
    ----
greyserfer wrote:
Hi, thanks for the response.

I guess my question is still, whether or not files I erased (using eraser) out of the recycling bin is actually physically erased on the HD or if it's just the pointer to that file that is erased and the actual file is still physically on the drive somewhere.


I dont think i was unclear before, but the answer is YES

Author: greyserfer PostPosted: Fri Aug 11, 2006 2:39 am    Post subject:
    ----
Thanks for the suggestion. I didn't use pcinspector but I did find out that erasing from the recycle bin does in fact seem to overwrite the file(s) from it's original permanent location.

Groovicus wrote:
That's actually pretty easy to find out for yourself. DO the deletion and erasing, and then use PC File Inspector to see if the file still exists. The file is free, and I am sort of curious as to what results you come up with.

Author: newuser1 PostPosted: Wed Jan 21, 2009 12:37 am    Post subject:
    ----
patbateman wrote:
In regards to CC cleaner, all that does is delete them - it does not overwrite them.

Actually, CCleaner does allow you to overwrite. I know this is an old post so CCleaner may have updated its capabilities since then.

Apologies if this has been answered elsewhere, but does CCleaner overwrite all old files that have been previously deleted (but not overwritten), or only the ones that are currently in your recycle bin/temporary files, etc.? Does it just overwrite internet logs or can it also overwrite old files like jpeg images, word documents, etc.? Thanks.

Author: babyfaceLocation: Chicago PostPosted: Wed Jan 21, 2009 3:04 am    Post subject:
    ----
newuser1,

Unfortunately, CCleaner doesn't overwrite already-deleted files. However, if you really want that option, you might look into some freeware free-space shredders. I think one that does the trick is called "Simple File Shredder".

Hope that helps

Author: newuser1 PostPosted: Thu Jan 22, 2009 12:31 am    Post subject:
    ----
Thanks Babyface, I'll look into that.

Incidentally, another thing I've noticed about CCleaner is that it will clean up and overwrite your internet history on Safari, but it doesn't clear your recent searches.

Author: babyfaceLocation: Chicago PostPosted: Thu Jan 22, 2009 1:14 am    Post subject:
    ----
greyserfer wrote:
I did find out that erasing from the recycle bin does in fact seem to overwrite the file(s) from it's original permanent location.


I realize this is an old post, but i just thought i'd comment in case anyone else stumbles upon this issue. Emptying the recycle bin does NOT overwrite the files. All the data remains in place -- it is merely the link to that data that's removed. Though the file name is no longer in the directory, the file can still be accessed through any of a host of free recovery programs (for instance, Recuva). That is, provided you don't put a whole bunch of new data onto your hard drive (which could then overwrite wherever your "deleted" file was).

If you're someone who's accidentally emptied your recycle bin, only to realize what you really wanted to keep was in there, don't panic. A 10-min scan with something like Recuva can bring back practically anything.

newuser1--
And as for CCleaner, it's constantly expanding and updating, so i'm sure the addition of a form/search clearer for Safari is on the way. But if you're anywhere as impatient as i am, you could always post a suggestion on the CCleaner forums -- i hear Piriform is pretty good at looking those things over and responding.

Author: newuser1 PostPosted: Sun Jan 25, 2009 10:22 pm    Post subject:
    ----
babyface wrote:
newuser1,

Unfortunately, CCleaner doesn't overwrite already-deleted files. However, if you really want that option, you might look into some freeware free-space shredders. I think one that does the trick is called "Simple File Shredder".

Hope that helps

I tried Simple File Shredder, but to be honest, I'm having trouble figuring out how to shred free space. It looks like you have to run a separate program called Restoration, and then once the files are restored you can pick the ones you want to permanently delete and overwrite. I ran Restoration and it found about 2600 files, but I can't figure out how to delete/overwrite them. Can anyone help me figure out how to do this using Simple File Shredder/Restoration, or is there another more user-friendly program out there for overwriting free space? Thanks.



Networking/Security Forums -> Computer Forensics and Incident Response


output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Goto page 1, 2  Next  :||:
Page 1 of 2

Powered by phpBB 2.0.x © 2001 phpBB Group