Deleting deleted files

J. P. Gilliver (John)

Scott said:
This might be another mad question, but what is the best way of
ensuring that deleted files cannot be recovered later? I realise the
sensible approach would be to 'shred' them in the first place (an
option in Norton Utilities) but what would you guys recommend to carry
out a clean-up later? I assume a back-up, reformat and restore would
work but I was wondering if anyone could recommend reliable software
that would avoid going to this extreme.
Depends whether the deleted file is still in the Recycle Bin: if it is,
and you restore it, I _think_ it isn't _copied_ from where it was, but
just marked as undeleted again, at which point shredding could be done.

I suspect the more deep recovery utilities (like the Shadow Explorer
that Graham mentioned?) _do_ reassemble a _copy_, thus leaving the
original (though fragmented), so using them and then shredding wouldn't
work - the original would still be there.

I think once you've got beyond it being recoverable from the ressicle
bin, you have to overwrite all the "free" space on your drive (and purge
the page file); this is less drastic than a complete reformat, and there
are utilities that do it. But as others have said, there are still nooks
and crannies (I hadn't even thought of reallocated sectors!) where
fragments of your file - or the whole file if it's something small like
a password, rather than something large like pr0n - could remain.

It all depends on what your _reason_ for wanting to do this is - and I
understand you may not want to say (-:!
 
slate_leeper

This might be another mad question, but what is the best way of
ensuring that deleted files cannot be recovered later? I realise the
sensible approach would be to 'shred' them in the first place (an
option in Norton Utilities) but what would you guys recommend to carry
out a clean-up later? I assume a back-up, reformat and restore would
work but I was wondering if anyone could recommend reliable software
that would avoid going to this extreme.

I've been using a free utility called PrivaZer (http://privazer.com/).
It cleans free space (with up to 35 passes). That would include space
previously occupied by files. The neat part is that it does a "smart"
clean. After the first time it is run, it recognizes sectors that are
still clean, and then cleans only newly released ones. In other words,
it runs much faster.

It also cleans MFT entries (names of deleted files), USN journal,
Windows history, and a variety of other things. All such items can be
selected or not selected before running. Settings are remembered for
subsequent runs. Items to be deleted can be viewed before the final
cleaning.

I've been using it for several months now, and had no problems. It was
scary running it the first time, but making a backup image prior to
trying it turned out to be unnecessary.

-dan z-




--
Protect your civil rights!
Let the politicians know how you feel.
Join or donate to the NRA today!
http://membership.nrahq.org/default.asp?campaignid=XR014887

Gun control is like trying to reduce drunk driving by making it tougher for sober people to own cars.
 
mechanic

LOL! That's OK. What you do is up to you, not me. I think most of
this stuff is overkill, but you don't have to think the same
thing I do.
Unfortunately we have to read so many of your posts telling us this.
 
mechanic

If it's the banking password problem, you can never be
too smug.
Use a bank with one of those PIN challenge-response gadgets (like
PINSentry) - no stored stuff on the machine.
 
Scott

Depends whether the deleted file is still in the Recycle Bin: if it is,
and you restore it, I _think_ it isn't _copied_ from where it was, but
just marked as undeleted again, at which point shredding could be done.

I suspect the more deep recovery utilities (like the Shadow Explorer
that Graham mentioned?) _do_ reassemble a _copy_, thus leaving the
original (though fragmented), so using them and then shredding wouldn't
work - the original would still be there.

I think once you've got beyond it being recoverable from the ressicle
bin, you have to overwrite all the "free" space on your drive (and purge
the page file); this is less drastic than a complete reformat, and there
are utilities that do it. But as others have said, there are still nooks
and crannies (I hadn't even thought of reallocated sectors!) where
fragments of your file - or the whole file if it's something small like
a password, rather than something large like pr0n - could remain.

It all depends on what your _reason_ for wanting to do this is - and I
understand you may not want to say (-:!
Nothing too sinister. Just that I've done some work at home and I
want to be able to say I have taken all reasonable steps to delete the
data. (Before anyone says it, I should have shredded the files at the
time.)
 
Scott

Heidi Eraser is a free shredder.
I tried downloading this. First attempt installed an Amazon toolbar
after I said I did not want this. Second attempt tried to install
music sharing software. Looks like a scam to me!
 
Mark F

CCleaner has secure delete features and free space erase. CCleaner
allows 1, 7 or 35 passes to overwrite.

Jim
1. Does anybody know of a program that can erase all of the
"unallocated" data on a drive without allocating all of the
unallocated space at the same time?

2. Assuming that 1 can be done, how about a program to erase all of
the data in a logical or physical sector range that isn't
allocated?

3. How about a program that does 1 or 2 for SSDs?

The goals are:
A. Be able to erase all of the unallocated space without
Windows deciding that the backup used for System Restore isn't
really needed, and therefore the System Restore stuff can be
deleted.
B. Files can be made by automatic programs during the time that
the unallocated space is being erased.
 
Mark F

I don't recommend doing a Secure Erase unless you are going to toss
the drive. Parted Magic has the Secure Erase feature and I tried it on
2 old drives. You get a warning that if you proceed that it may brick
your drive. Pay attention to the warning as it did brick one drive but
spared the other. I forget the message but it said I had a partition
bug and could not be repaired. Tried everything but the drive was
toast. No problem as I was going to toss it anyway, but be warned
Secure Erase can brick your drive.
What did you do with the drive after it was "bricked"?

If you weren't sure that the drive was erased before it was bricked
you should have physically destroyed the drive.

My current procedures are still:
1. write random 2 times, 3 times if SSD
2. assign or change access passwords to random values.
3. take apart the drive and run the platters between the poles
of a somewhat dangerous magnet.
4. break the larger chips up so no more than 1/4 of each
chip in a piece.
5. sand down the platters.
6. run CD's through a cross cut shredder

For additional fun, one should add:
7. melt the platters (to ensure the entire platter gets hot enough
to destroy magnetically stored data.)
8. heat the chips to a similar temperature.
9. burn CD pieces.

(Best to use "Terminator 2" rules or more severe.)
 
Anthony Buckland

On Sat, 10 Aug 2013 21:58:41 +0100, Scott




LOL! That's OK. What you do is up to you, not me. I think most of this
stuff is overkill, but you don't have to think the same thing I do.
...
I can think of a scenario or two.

- You're passing your computer on to someone else. You suspect
that there are a lot of records of your passwords, credit card
numbers, etc. that you deleted, and you would like to have them
stay deleted.

- You have a new partner. She has many great characteristics,
but she is very jealous. You just wiped a number of pictures
of your previous partner -- worse, some of them were tastefully
nude. Worse yet, during the period between partners, you
downloaded some erotica, and your new (suspicious) partner
doesn't like that stuff.
 
Ken Blake

On 10/08/2013 2:35 PM, Ken Blake wrote:

I can think of a scenario or two.

- You're passing your computer on to someone else. You suspect
that there are a lot of records of your passwords, credit card
numbers, etc. that you deleted, and you would like to have them
stay deleted.

- You have a new partner. She has many great characteristics,
but she is very jealous. You just wiped a number of pictures
of your previous partner -- worse, some of them were tastefully
nude. Worse yet, during the period between partners, you
downloaded some erotica, and your new (suspicious) partner
doesn't like that stuff.

Sure. My point was not that there were no things that you wanted to be
deleted, but rather that going to great lengths to delete them as
permanently as possible is almost always overkill.

How likely is it that the recipient of your old computer or your new
partner wants to go to great, difficult lengths, to explore what has
been deleted? And how likely is it that either of those people would
have the technical skills to do so?

My point is that both the desire and the technical skills are highly
unlikely to be there, especially in the same person. That's why I
consider worrying about this to usually be overkill. In the *enormous*
majority of cases, simply deleting the files and emptying the recycle
bin is sufficient.

For example, my wife. Even though I had no previous partner, let's
assume for the sake of the discussion, that I had. Might my wife look
through my hard drive for pictures of my previous partner? If she
couldn't find any, would she look in the recycle bin? If she couldn't
find any there, might she try undeleting files?

The answers to those three questions are no, NO! And NO!!!! She probably
doesn't know anything about the recycle bin, and almost certainly has
no idea of how to undelete files, or even that it's possible. And even
though she has her own computer, which she uses every day, she's not
at all unusual in these regards.

Yes, of course there are people who have the skills to look for and
find deleted files. But they are rare and those that do exist are
probably not the same people who are interested in seeing what you had
on your drive. That's why I consider this to usually be overkill. Not
always overkill, but *usually*. There are some situations in which you
need to be more careful; I gave one, jokingly, being an international
spy, and there are undoubtedly others. But they are rare, and that's
why I think worrying about this sort of thing is usually overkill.

And one other point: if some time has passed since deleted files were
removed from the recycle bin, and the computer has been used since
then, the deleted files have very likely been overwritten, and there
is little or nothing left to find.
 
Wolf K

[...]
CCleaner has secure delete features and free space erase. CCleaner
allows 1, 7 or 35 passes to overwrite.

Jim
1. Does anybody know of a program that can erase all of the
"unallocated" data on a drive without allocating all of the
unallocated space at the same time?
If by "unallocated data" you mean sectors made available when a file is
deleted, then yes, you were just given the name of one such program.
It's free. I use it. It works. Search on "drive wiping utility for
windows 7" for more.

NB that the NSA standard for wiping a drive is seven passes minimum. A
"pass" consists of writing random data into the deleted sectors.

If by "unallocated data" you mean unpartitioned space, then
a) create a partition in that space;
b) use Ccleaner or other drive wiping utility to wipe it;
c) delete the partition.
2. Assuming that 1 can be done, how about a program to erase all of
the data in a logical or physical sector range that isn't
allocated?
Not sure what you mean. "Logical sector range" sounds like a partition
to me. If that's what you mean, see above. "Physical sector range"
either means the same as "logical sector range", or else you are
referring to "low level format", the sectors created by the disk
manufacturer. Formatting a disk entails creating a file system, that is,
a method of tracking and allocating these physical sectors to partitions
("drives", "volumes", etc), folders ("directories"), and files.
3. How about a program that does 1 or 2 for SSDs?
AFAIK, you can use disk wiping programs on SSDs.
The goals are:
A. Be able to erase all of the unallocated space without
Windows deciding that the backup used for System Restore isn't
really needed, and therefore the System Restore stuff can be
deleted.
?????

B. Files can be made by automatic programs during the time that
the unallocated space is being erased.
????

HTH
 
Fokke Nauta

On 10/08/2013 22:58, Scott wrote:
Thanks for the responses, guys. I am not allowed to mention whether
or not I am an international spy :)

I wondered if anyone could recommend a particular program. I am happy
to experiment but thought I would ask first in case there is anything
particularly good or bad.
OK, if you want to spend money, this is a good one:
http://www.whitecanyon.com/whitecanyon-home-consumer

Cheers,
Fokke
 
Wolf K

What did you do with the drive after it was "bricked"?

If you weren't sure that the drive was erased before it was bricked
you should have physically destroyed the drive.

My current procedures are still:
1. write random 2 times, 3 times if SSD
2. assign or change access passwords to random values.
3. take apart the drive and run the platters between the poles
of a somewhat dangerous magnet.
4. break the larger chips up so no more than 1/4 of each
chip in a piece.
5. sand down the platters.
6. run CD's through a cross cut shredder

For additional fun, one should add:
7. melt the platters (to ensure the entire platter gets hot enough
to destroy magnetically stored data.)
8. heat the chips to a similar temperature.
9. burn CD pieces.

(Best to use "Terminator 2" rules or more severe.)

ROTFL
 
Gene E. Bloch

How likely is it that the recipient of your old computer or your new
partner wants to go to great, difficult lengths, to explore what has
been deleted? And how likely is it that either of those people would
have the technical skills to do so?
Don't forget that Hell hath no fury like a woman scorned.

But wait, there's more - i.e., the above doesn't even begin to cover all
the possibilities...
 
Gene E. Bloch

What did you do with the drive after it was "bricked"?

If you weren't sure that the drive was erased before it was bricked
you should have physically destroyed the drive.

My current procedures are still:
1. write random 2 times, 3 times if SSD
2. assign or change access passwords to random values.
3. take apart the drive and run the platters between the poles
of a somewhat dangerous magnet.
4. break the larger chips up so no more than 1/4 of each
chip in a piece.
5. sand down the platters.
6. run CD's through a cross cut shredder

For additional fun, one should add:
7. melt the platters (to ensure the entire platter gets hot enough
to destroy magnetically stored data.)
8. heat the chips to a similar temperature.
9. burn CD pieces.

(Best to use "Terminator 2" rules or more severe.)
Preferring the easy way, I'd just take the drive to any nearby steel
plant and drop it into a convenient cauldron, in lieu of your entire
sequence.

I would definitely suggest that you do it yourself, unless you have a
*very* trusted friend working there.
 
Gene E. Bloch

Preferring the easy way, I'd just take the drive to any nearby steel
plant and drop it into a convenient cauldron, in lieu of your entire
sequence.

I would definitely suggest that you do it yourself, unless you have a
*very* trusted friend working there.
To be explicit - I mean only cauldrons full of molten iron or steel.
Empty or cold cauldrons (cauldra?) need not apply.
 
Paul

Scott said:
I tried downloading this. First attempt installed an Amazon toolbar
after I said I did not want this. Second attempt tried to install
music sharing software. Looks like a scam to me!
The best I could do via Wikipedia (in terms of an evidence trail),
got me to the author's site.

http://eraser.heidi.ie/download.php

Build Name: Eraser 6.0.10.2620
Version: 6.0.10.2620
Release Date: 23/5/2012 10:30am
Downloads: 1113138

Clicking the link, starts a download from Sourceforge. No toolbar.
This is what my browser says did the download.

http://hivelocity.dl.sourceforge.net/project/eraser/Eraser 6/6.0.10/Eraser 6.0.10.2620.exe

It sounds like you went looking on CNET or something. Try tracing
to a download site, starting from the author's page.

Note that, just because you see a page hosted on Sourceforge,
some disreputable developers actually place off-site links
on their page. I caught one of those the other day. When that
happens, it means Sourceforge did not scan for viruses. I always
check the download link info in Firefox downloads, as a quick check
I didn't get suckered. In this case, you can see
hivelocity.dl.sourceforge.net did the downloading,
part of sourceforge.net domain.

*******

Someone pointed this out to me the other day. You can try it
if you like:

Go to CNET. The "easy" "big ass" download button, downloads
a stub loader with "toolbar" installing capability. You don't
want that. Their download is around 900K, which is a hint it
is not the "real" program.

http://download.cnet.com/Eraser/3000-2092_4-10231814.html

Look for "Direct Download Link" in small blue text, with underline.
This is the download link listed in Firefox downloads afterward.

http://software-files-a.cnet.com/s/...723be9ea4b100&fileName=Eraser+6.0.10.2620.exe

When I run fciv on that, it has the same checksum as the
one on Sourceforge. It's a large file, and it's not the
smaller file used to "give the toolbars".

*******

From the "Readme.html" on Sourceforge for that release.

Eraser 6.0.10 has been released today.
....

Download Eraser 6.0.10 from SourceForge

* SHA-1: f6c4003ef93bd226a37ef9a86dae4aa21cdbc8d7
* RIPEMD-160: 9f8460ed61ad3394819688226ff35abc2061ec91
* SHA-256: a09787812790b59ec3d36120788ae9f80b7bdda1e2d7a17a46d811232
4632737
* SHA-512: 0490255dadcd42e6a40b0d6e6e89b6975ce435c609b418a539189e132
71717243091f0ad0ad720ed7e89f62353d384bf1ca3de3488efb3ce80
b46f157cf8346a
* Whirlpool: 90d8618981c9fb90cfee1089d7f1b54813c7d257c839ae9eb578981d0
7e0815662d601b60c26a9b08479d64d9d531e951e6ec549e6e7300247
9fa2dad0cdf907

When I do fciv -sha1 "Eraser 6.0.10.2620.exe" on the Sourceforge
copy I downloaded (9,110,456 bytes), I get

f6c4003ef93bd226a37ef9a86dae4aa21cdbc8d7 eraser 6.0.10.2620.exe

If I load that hash into virustotal.com (saves on having
to upload the file), I get:

https://www.virustotal.com/en/file/...9f80b7bdda1e2d7a17a46d8112324632737/analysis/

Copyright 2008-2010 The Eraser Project
Publisher Joel Low - Open Source Developer
Version 6.0.10.2620
Original name Eraser Setup Bootstrapper

There's no information on what packer is used. It is
not an INNO installer setup. So I'd have to take that over
to a Linux VM, and run the installer under WINE, just for
an opportunity to see the files. That's part of my process
for avoiding toolbars. (If 7ZIP won't open it as an archive,
it's probably packed.)

My track record to date: "Zero Toolbars".

Still waiting for my toolbar :)

Since I have no intention of installing that, my
analysis stops there. If you run the real thing,
and have troubles, post back and I'll load it up
for a look. Virustotal contained no "PUP" warnings,
so my "spider sense isn't tingling". But before
I run a packed installer in Windows, I generally
do a test run in WINE first.

Just because 44 virus scanners say a file is clean,
doesn't mean a damn thing. There could still be
something nasty hiding in there, perhaps triggered
by a particular date, that erases your entire hard
drive. Just so you know, the risk is never exactly
equal to zero. But with even a modicum of care,
you can be "Zero Toolbars" too.

I've had downloads, where a WINE run revealed a $PLUGINS
folder, and that's generally a sign toolbars are present.
Some freeware authors do that for their "legit copy",
and they put as much work into making a "bomber installer",
as they do in the actual program they're giving away.
Watching their bomber mess up my WINE installation,
gives away the details.

Paul
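
Added example (not part of Paul's post and not code from the Eraser project): the fciv check described above, extended to every supported algorithm in a Readme-style digest list, including digests that wrap onto following lines as they do in the quoted Readme. The function names, the `setup.exe` file name and the sample bytes are assumptions made for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Readme labels -> hashlib names; other labels (RIPEMD-160, Whirlpool) are "unchecked".
SUPPORTED = {"SHA-1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}
ENTRY = re.compile(r"^\*\s*([A-Za-z0-9-]+):\s*([0-9a-fA-F]+)$")
CONTINUATION = re.compile(r"^[0-9a-fA-F]+$")

# Two entries as quoted from the Readme above; the SHA-256 value is wrapped.
QUOTED = """\
* SHA-1: f6c4003ef93bd226a37ef9a86dae4aa21cdbc8d7
* SHA-256: a09787812790b59ec3d36120788ae9f80b7bdda1e2d7a17a46d811232
4632737
"""

def parse_digest_list(text):
    """Parse '* LABEL: hex' entries, rejoining digests wrapped onto later lines."""
    digests, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        entry = ENTRY.match(line)
        if entry:
            current = entry.group(1)
            digests[current] = entry.group(2).lower()
        elif current and CONTINUATION.match(line):
            digests[current] += line.lower()
        else:
            current = None  # blank line or prose ends the entry
    return digests

def file_digest(path, algo, chunk=1 << 20):
    """Hash a file in chunks so a large installer is not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(path, published):
    """Return {label: 'match' | 'MISMATCH' | 'malformed' | 'unchecked'}."""
    results = {}
    for label, expected in published.items():
        algo = SUPPORTED.get(label)
        if algo is None:
            results[label] = "unchecked"
        elif len(expected) != hashlib.new(algo).digest_size * 2:
            results[label] = "malformed"  # e.g. a wrapped line was lost
        else:
            results[label] = "match" if file_digest(path, algo) == expected else "MISMATCH"
    return results

def demo():
    data = b"constructed installer bytes"  # constructed sample, not the real file
    listing = "\n".join(
        f"* {label}: " + "\n".join(re.findall(".{1,57}", hashlib.new(a, data).hexdigest()))
        for label, a in SUPPORTED.items())
    published = parse_digest_list(listing + "\n* Whirlpool: " + "0" * 128)
    with tempfile.TemporaryDirectory() as d:
        target = Path(d, "setup.exe")
        target.write_bytes(data)
        genuine = verify(target, published)
        target.write_bytes(b"constructed stub loader")  # different file, same name
        swapped = verify(target, published)
    return genuine, swapped

if __name__ == "__main__":
    print(parse_digest_list(QUOTED), demo())
```

A "malformed" result means the published value has the wrong length for its algorithm, which is what happens if only the first line of a wrapped digest is copied.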
 
Mark F

If you are concerned about security you won't get it by erasing an SSD
drive. There are numerous articles on the net about SSD's being a very
poor choice for security.
I know that no number of passes ensures actually clearing any
particular page on an SSD, but writing just a bit more than the
total space on the device does work with some devices. 3 passes
of the user view of the space works for most devices. Using
random data ensures something always gets written. Also,
since the programs that I use all eventually have all of the space
that the program thinks it is erasing allocated at the same time,
I know that at least that much space has been erased. 3 passes,
which is almost always more than 2.5 times that actual space,
so the wear leveling stuff will cause almost all of the actual
space to be cleared, but I don't count on all of the actual
cells on the device to have been erased even 1 time.
Anything that I care about is encrypted on the computer and
never gets to the device, let alone the actual flash memory,
in the clear.
 
Paul

Jim said:
I don't recommend doing a Secure Erase unless you are going to toss
the drive. Parted Magic has the Secure Erase feature and I tried it on
2 old drives. You get a warning that if you proceed that it may brick
your drive. Pay attention to the warning as it did brick one drive but
spared the other. I forget the message but it said I had a partition
bug and could not be repaired. Tried everything but the drive was
toast. No problem as I was going to toss it anyway, but be warned
Secure Erase can brick your drive.

Jim
Did you read the details of how Secure Erase works on a
hard drive ? Maybe you've mis-interpreted the symptoms.

Secure Erase is a "posted" command. That means, if you
switch off the power on a hard drive, where Secure Erase
is currently running, the disk "remembers" it was in the
middle of a Secure Erase. This is unlike, most any other
command the drive works on. A Secure Erase might take, say,
half an hour, and you could kill the power on the computer
before it finishes.

When you turn on the power, the disk drive ignores you,
and goes back to working on the Secure Erase. It picks
up where it left off.

If you again kill the power, it will remember the new
location it got to, and pick up there the next time.

It does mean, before declaring a drive "dead", you need to
wait an hour or two with the power applied to it. Just to
make sure it isn't still working on the command internally.
Then, power off, power on, boot up, and test it again.

It should come back to life, after sufficient time has
passed, with power applied to the drive.

Paul
 
