Deleting deleted files

Scott

This might be another mad question, but what is the best way of
ensuring that deleted files cannot be recovered later? I realise the
sensible approach would be to 'shred' them in the first place (an
option in Norton Utilities) but what would you guys recommend to carry
out a clean-up later? I assume a back-up, reformat and restore would
work but I was wondering if anyone could recommend reliable software
that would avoid going to this extreme.
 
philo 

Scott said:
This might be another mad question, but what is the best way of
ensuring that deleted files cannot be recovered later? I realise the
sensible approach would be to 'shred' them in the first place (an
option in Norton Utilities) but what would you guys recommend to carry
out a clean-up later? I assume a back-up, reformat and restore would
work but I was wondering if anyone could recommend reliable software
that would avoid going to this extreme.


I've never used it myself, but something like this should do the trick

http://pcsupport.about.com/gi/o.htm...16&zu=http://sourceforge.net/projects/eraser/
 
Ken Blake

Scott said:
This might be another mad question, but what is the best way of
ensuring that deleted files cannot be recovered later? I realise the
sensible approach would be to 'shred' them in the first place (an
option in Norton Utilities) but what would you guys recommend to carry
out a clean-up later? I assume a back-up, reformat and restore would
work but I was wondering if anyone could recommend reliable software
that would avoid going to this extreme.

1. Just delete it

2. Empty the recycle bin (or do a shift-delete in step 1 so it never
gets into the recycle bin).

3. Run any of several programs that overwrite the place where the file
was before being deleted. Read here for some choices:
http://www.howtogeek.com/72130/learn-how-to-securely-delete-files-in-windows/
Norton Utilities has such an option, but personally I wouldn't choose
to have anything to do with Norton Utilities. Norton used to make
great products, but it's been a long time since they sold out to
Symantec and they've been going downhill since then.

4. When you run one of those programs, choose the option to overwrite
it multiple times.

You can do just number 1, 1 and 2, 1, 2, and 3, or 1, 2, 3, and 4.
Which should you do?

It depends on you and how paranoid you are. But for almost everyone
who isn't an international spy, just number 1 or 1 and 2 is good
enough. Personally I never do more than 1 and 2, and do 2 very rarely.
 
Jim

Ken Blake said:
1. Just delete it

2. Empty the recycle bin (or do a shift-delete in step 1 so it never
gets into the recycle bin).

3. Run any of several programs that overwrite the place where the file
was before being deleted. Read here for some choices:
http://www.howtogeek.com/72130/learn-how-to-securely-delete-files-in-windows/
Norton Utilities has such an option, but personally I wouldn't choose
to have anything to do with Norton Utilities. Norton used to make
great products, but it's been a long time since they sold out to
Symantec and they've been going downhill since then.

4. When you run one of those programs, choose the option to overwrite
it multiple times.

You can do just number 1, 1 and 2, 1, 2, and 3, or 1, 2, 3, and 4.
Which should you do?

It depends on you and how paranoid you are. But for almost everyone
who isn't an international spy, just number 1 or 1 and 2 is good
enough. Personally I never do more than 1 and 2, and do 2 very rarely.

CCleaner has secure delete features and free space erase. CCleaner
allows 1, 7 or 35 passes to overwrite.

Jim
 
Scott

Ken Blake said:
Yes, I know. It's one of the choices mentioned in the web page I
cited,
http://www.howtogeek.com/72130/learn-how-to-securely-delete-files-in-windows/

And I often run CCleaner myself, although not being an international
spy, I don't use that feature of it.

Thanks for the responses, guys. I am not allowed to mention whether
or not I am an international spy :)

I wondered if anyone could recommend a particular program. I am happy
to experiment but thought I would ask first in case there is anything
particularly good or bad.
 
Paul

Scott said:
This might be another mad question, but what is the best way of
ensuring that deleted files cannot be recovered later? I realise the
sensible approach would be to 'shred' them in the first place (an
option in Norton Utilities) but what would you guys recommend to carry
out a clean-up later? I assume a back-up, reformat and restore would
work but I was wondering if anyone could recommend reliable software
that would avoid going to this extreme.

Heidi Eraser is a free shredder.

*******

To clean up after the fact, is tricky.

If you use a VSS based backup of the partition, the tool used
may just copy the $MFT, and there could be fragments of things
still present in there. VSS works at the sector level, copying
things that are "busy". But it might not be designed as
a "forensic cleaning tool".

If you use Robocopy, that works at the file level. If you start
with a clean partition (empty $MFT), then copy all the files
over to the clean partition, the $MFT is built from scratch.
But then the question would be, how good a job does Robocopy do of
copying modern bells n' whistles NTFS file systems
(hard links, junction points, reparse points). I don't
know the answer to that. I use Robocopy to move WinXP
around, but I haven't tried it with any newer OS.
(If you do that to WinXP, you'll need to do fixboot
later...)

Personally, I don't think the answer to the clean up
question is that clear. You would need a utility that
promotes "forensic cleanliness", and even then, you'd be
left wondering if there is anything it missed (like, cluster
tips).

Windows file systems "leak like a sieve", and it's easy to be
lulled into a false sense of security.

Sometimes, it is the fault of the programs you use. Like
the time Microsoft Word was leaving some "undefined" storage
near the end of a Word file. That's not something you
can fix with Robocopy...

I don't consider myself competent to address even half
of the leakage methods. Or, more importantly, how you'd
go about testing for the various leakage mechanisms
(in a way that *guarantees* nothing will leak).

*******

While hardware full disk encryption would be a possible
answer, I still haven't seen an announcement that the
transition is complete. The disk companies were promising
that all disks would have encryption capabilities, but
I haven't heard a squeak since. I don't know if the
government had anything to say about it, or not. On
the plus side, government does like security designs
in the products it buys (to keep our info safe). But
doesn't like that same protection, when it makes
finding out what the "bad guys" are doing. And that
might carry more weight.

Full disk encryption already exists, in the form of
Seagate Momentus disks with FDE. But for that to work,
there seemed to be a need for something at BIOS time,
to enter a key so the disk could be used. And that
didn't appear to be something that an end-user could
easily do. At least, I haven't seen any "how-to" articles
for an FDE. I presume part of the transition to all disks
having hardware encryption, is having a standard method
of authentication. (It's not really authentication,
it is the ability to deliver a key to the disk controller
board, such that you get unscrambled data back. Enter the
wrong key, and all you get is binary garbage.)

*******

The safest way to deal with high-security content, is
to use a Linux LiveCD, where temporary file storage is
in RAM. Do your edits, put the results back on your
USB flash. Shut down Linux, and allow the BIOS to come
up at least once more (to initialize and overwrite RAM),
before turning off system power. You allow the BIOS
to POST, and then press the key to enter Setup. And when
the Setup screen appears, at that point the RAM should
be flushed. Then, turn off the power. At least that won't
leave tracks on any hard drives (unless you want it to).

Paul
 
Paul

Jim said:
CCleaner has secure delete features and free space erase. CCleaner
allows 1, 7 or 35 passes to overwrite.

Jim

On a modern drive, one pass is enough. Gutmann has written refutation
articles, about needing 35 passes on a modern drive. That was more
of an issue, when the recording methods were different.

http://en.wikipedia.org/wiki/Gutmann_method

And the number of passes isn't really the issue, it's knowledge
of whether CCleaner even knows about all the places it should be
looking.

I guess it really depends, on how secure you want to be, that
nothing is leaking. "Mostly secure", then CCleaner is probably
good enough. Like, your mom not finding your porn collection.
But if it is your banking password, I'd be less sure about that,
as the banking password is tiny, and there are lots more ways
to "lose" it.

If it's the banking password problem, you can never be
too smug.

*******

Even if you "erase and reformat" a drive, the spared
out sectors could have your banking password in them.
Or that key for your Truecrypt that you've been using.
To stop that, there's an option for the hardware Secure
Erase command, that also attempts to erase even
reallocated sectors. (It tries to erase all sectors,
even ones you cannot address from the interface.) That's
to stop "microscope style" data recovery. I tried this
a couple years ago, and it requires setting a password
during the procedure (to prevent others from setting
a password and locking you out). Something like that.

http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml

Paul
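
The one-pass overwrite discussed above, as an added example that is not part of the original thread or of any tool named in it. It overwrites a file in place with one pass of random data, rounded up to a whole cluster so the cluster tip is covered, then renames and deletes it; `CLUSTER_SIZE` and the function names are assumptions. It only reaches the file's current clusters, so earlier copies, $MFT fragments, shadow copies and spared-out sectors are untouched.

```python
import os
import secrets
import tempfile

CLUSTER_SIZE = 4096  # assumption: a common NTFS cluster size; check the real volume


def overwrite_in_place(path, cluster_size=CLUSTER_SIZE, chunk=1 << 20):
    """One pass of random data over the file, rounded up to a whole cluster.

    Rounding up extends the file so the unused tail of its last cluster
    (the "cluster tip") is written as well. Returns the bytes written.
    """
    size = os.path.getsize(path)
    padded = -(-size // cluster_size) * cluster_size  # ceiling to a cluster multiple
    with open(path, "r+b") as f:
        remaining = padded
        while remaining:
            n = min(chunk, remaining)
            f.write(secrets.token_bytes(n))
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # push the data out of the OS cache to the device
    return padded


def scrub_and_delete(path):
    """Overwrite, rename to a random name, then delete. Returns bytes written."""
    written = overwrite_in_place(path)
    # Rename first so the live directory entry no longer carries the original name.
    anon = os.path.join(os.path.dirname(os.path.abspath(path)), secrets.token_hex(8))
    os.replace(path, anon)
    os.remove(anon)
    return written


def demo():
    """Run on a constructed throwaway file; returns (marker_gone, written, exists)."""
    marker = b"CONSTRUCTED-SAMPLE-banking-password"  # constructed sample, 35 bytes
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(marker * 200)  # 7000 bytes, which occupies two 4096-byte clusters
    overwrite_in_place(path)
    with open(path, "rb") as f:
        marker_gone = marker not in f.read()  # read back through the file system
    written = scrub_and_delete(path)
    return marker_gone, written, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```

The read-back check only confirms what the file system now returns for that file; it says nothing about copies the file system no longer maps.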
 
Ken Blake

Scott said:
Thanks for the responses, guys. I am not allowed to mention whether
or not I am an international spy :)


LOL! That's OK. What you do is up to you, not me. I think most of this
stuff is overkill, but you don't have to think the same thing I do.


Scott said:
I wondered if anyone could recommend a particular program. I am happy
to experiment but thought I would ask first in case there is anything
particularly good or bad.

They all do essentially the same thing. The only real issue is how
easy they are to use. Try one or two and see what you think.
 
Jim

Paul said:
Heidi Eraser is a free shredder.

*******

To clean up after the fact, is tricky.

If you use a VSS based backup of the partition, the tool used
may just copy the $MFT, and there could be fragments of things
still present in there. VSS works at the sector level, copying
things that are "busy". But it might not be designed as
a "forensic cleaning tool".

If you use Robocopy, that works at the file level. If you start
with a clean partition (empty $MFT), then copy all the files
over to the clean partition, the $MFT is built from scratch.
But then the question would be, how good a job does Robocopy do of
copying modern bells n' whistles NTFS file systems
(hard links, junction points, reparse points). I don't
know the answer to that. I use Robocopy to move WinXP
around, but I haven't tried it with any newer OS.
(If you do that to WinXP, you'll need to do fixboot
later...)

Personally, I don't think the answer to the clean up
question is that clear. You would need a utility that
promotes "forensic cleanliness", and even then, you'd be
left wondering if there is anything it missed (like, cluster
tips).

Windows file systems "leak like a sieve", and it's easy to be
lulled into a false sense of security.

Sometimes, it is the fault of the programs you use. Like
the time Microsoft Word was leaving some "undefined" storage
near the end of a Word file. That's not something you
can fix with Robocopy...

I don't consider myself competent to address even half
of the leakage methods. Or, more importantly, how you'd
go about testing for the various leakage mechanisms
(in a way that *guarantees* nothing will leak).

*******

While hardware full disk encryption would be a possible
answer, I still haven't seen an announcement that the
transition is complete. The disk companies were promising
that all disks would have encryption capabilities, but
I haven't heard a squeak since. I don't know if the
government had anything to say about it, or not. On
the plus side, government does like security designs
in the products it buys (to keep our info safe). But
doesn't like that same protection, when it makes
finding out what the "bad guys" are doing. And that
might carry more weight.

Full disk encryption already exists, in the form of
Seagate Momentus disks with FDE. But for that to work,
there seemed to be a need for something at BIOS time,
to enter a key so the disk could be used. And that
didn't appear to be something that an end-user could
easily do. At least, I haven't seen any "how-to" articles
for an FDE. I presume part of the transition to all disks
having hardware encryption, is having a standard method
of authentication. (It's not really authentication,
it is the ability to deliver a key to the disk controller
board, such that you get unscrambled data back. Enter the
wrong key, and all you get is binary garbage.)

*******

The safest way to deal with high-security content, is
to use a Linux LiveCD, where temporary file storage is
in RAM. Do your edits, put the results back on your
USB flash. Shut down Linux, and allow the BIOS to come
up at least once more (to initialize and overwrite RAM),
before turning off system power. You allow the BIOS
to POST, and then press the key to enter Setup. And when
the Setup screen appears, at that point the RAM should
be flushed. Then, turn off the power. At least that won't
leave tracks on any hard drives (unless you want it to).

Paul

Probably the best way to deal with sensitive files is to secure delete
them right away instead of putting them in the trash. Use Eraser,
CCleaner or whatever program you like best to do this and overwrite
the files 3, 7 or even 35 times if you are really paranoid.

It's much more difficult to completely erase free space on a hard
drive and be confident all sensitive material is gone and not
retrievable.

Jim
 
Jim

Paul said:
On a modern drive, one pass is enough. Gutmann has written refutation
articles, about needing 35 passes on a modern drive. That was more
of an issue, when the recording methods were different.

http://en.wikipedia.org/wiki/Gutmann_method

And the number of passes isn't really the issue, it's knowledge
of whether CCleaner even knows about all the places it should be
looking.

I guess it really depends, on how secure you want to be, that
nothing is leaking. "Mostly secure", then CCleaner is probably
good enough. Like, your mom not finding your porn collection.
But if it is your banking password, I'd be less sure about that,
as the banking password is tiny, and there are lots more ways
to "lose" it.

If it's the banking password problem, you can never be
too smug.

*******

Even if you "erase and reformat" a drive, the spared
out sectors could have your banking password in them.
Or that key for your Truecrypt that you've been using.
To stop that, there's an option for the hardware Secure
Erase command, that also attempts to erase even
reallocated sectors. (It tries to erase all sectors,
even ones you cannot address from the interface.) That's
to stop "microscope style" data recovery. I tried this
a couple years ago, and it requires setting a password
during the procedure (to prevent others from setting
a password and locking you out). Something like that.

http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml

Paul

I don't recommend doing a Secure Erase unless you are going to toss
the drive. Parted Magic has the Secure Erase feature and I tried it on
2 old drives. You get a warning that if you proceed that it may brick
your drive. Pay attention to the warning as it did brick one drive but
spared the other. I forget the message but it said I had a partition
bug and could not be repaired. Tried everything but the drive was
toast. No problem as I was going to toss it anyway, but be warned
Secure Erase can brick your drive.

Jim
 
Yousuf Khan

Scott said:
Thanks for the responses, guys. I am not allowed to mention whether
or not I am an international spy :)

I wondered if anyone could recommend a particular program. I am happy
to experiment but thought I would ask first in case there is anything
particularly good or bad.

If you have an SSD, then part of its ATA specs requires it to have a
secure eraser function built in. Of course that means that it'll erase
everything, not just deleted things. It'll even erase the partition
table completely, and bring it back to a pristine factory condition.

I believe the secure erase feature is also available in ATA hard disks,
but in an SSD, it's particularly easy and relatively fast, as the secure
erase just involves setting the FLASH cells back to their default states.

Yousuf Khan
 
Gene E. Bloch

Jim said:
Probably the best way to deal with sensitive files is to secure delete
them right away instead of putting them in the trash. Use Eraser,
CCleaner or whatever program you like best to do this and overwrite
the files 3, 7 or even 35 times if you are really paranoid.

It's much more difficult to completely erase free space on a hard
drive and be confident all sensitive material is gone and not
retrievable.

I don't find it difficult to do using Heidi Erase or Eraser, but it sure
takes a long time :)

Even with only one over-write...
 
Jim

Gene E. Bloch said:
I don't find it difficult to do using Heidi Erase or Eraser, but it sure
takes a long time :)

Even with only one over-write...

Not difficult but did it really get rid of everything? I doubt it.
Browse some of the security forums and you will be surprised how
difficult it is to totally delete sensitive files from a drive. Of
course this doesn't matter to the vast majority of computer users, but
if the IRS or any government agency is looking then it becomes a large
problem. I doubt that the average crook who rips off a laptop would be
smart enough to recover any data if it has one over-write.

Jim
 
WayPoint

Scott said:
This might be another mad question, but what is the best way of
ensuring that deleted files cannot be recovered later? I realise the
sensible approach would be to 'shred' them in the first place (an
option in Norton Utilities) but what would you guys recommend to carry
out a clean-up later? I assume a back-up, reformat and restore would
work but I was wondering if anyone could recommend reliable software
that would avoid going to this extreme.

I'm thinking that a program like Shadow Explorer may be able to easily
bring back the very file you want to remove permanently.

http://www.shadowexplorer.com/documentation.html

What would be a work around for this?

Graham
 
Paladin

On Sun, 11 Aug 2013 11:47:30 +1000, WayPoint wrote:


Turn off System Restore.
Disable the Volume Shadow Copy Service.
I'm not telling you to do this, just throwing it out there :)
 
