Erasers vs Recovery Tools

I'm trying my best to understand every ones replies on the last thread. After discussing this eraser thing with one of my friends - he decided to do his own experiment with this friends. This was a much more thorough experiment than what I did. I couldnt go there and watch because it was conducted in Korea!!

They set up 7 Test Computers :

• 10 GB Harddisk
• Freshly Formatted XP Pro SP2 ( nlited - no caching enabled. )

Erasers Used : Cyberscrub, R-Wipe, XPprivacy Pro, Privacy Guardian, East-Tech Eraser, Heidi Eraser, Window Washer.

Recovery Tools Used : Data Recovery Wizard Professional, Recover My Files, D.A.R.T. XP Data Recovery, Stellar Phoenix.

• All softwares were Paid Versions.
• All 7 computers had a unique eraser but all recovery tools were tested on all 7 computers.
• At no time was two recovery tools installed at the same time.
• Highest available erasing method ( except for Gutmann 35 pass) was selected

Before doing anything Wipe Free Space feature was performed whenever it was available on a particular Eraser. The rest was simple.

1. They downloaded a video file and an executable file on each of the 7 computers.
2. They played the video and checked the exe was installable.
3. They then securely deleted both files from each of the computers with their respective erasers.
4. They then tested the recovery tool.
5. Different files were downloaded for each of the recovery tool.

Result : Every single time, the recovery tools managed to recover the securely deleted files. The video was still playable and the exe was still installable.

Any insight into this? Did they do something wrong? These guys are not interested in bashing any softwares. They just want to find a secure and efficient eraser that they feel safe to use!! Me too!!

 

You can pay for the product or use a freebie and still the end result is the same.If those tests are correct I won't be paying for one any time soon!

 

Short answer, based on my experience with some of these packages..., your friend (or friend's friend) doesn't know what he's doing, but I'm not about to devote any of my time to figuring out their missteps.

Blue

 

Who to believe?? I have seen other people in various places say that they have performed similar experiements and wipe utilities were successful. This is actuially the first time that I have seen someone post that they were not. I will have to perform a similar test myself to believe one way or another.

 

Well as I said in the previous thread if I get time this weekend I will have a little play, although this sort of stuff is low on my priorities so it will likely be a bit here and a bit there, and I am only going to test against the program I currently use to delete files, Heidi's Eraser
As for the first "bit" I have run the aforementioned Restoration on my box. It showed a lot of files, this was no surprise to me however since I have never run a free space erase on this box, many files and folders are created and deleted when things are installed, a lot of temp files are moved around in swap files etc, anyway, my main interest was to see if I could see any files or folders that I knew I had erased and therefore knew by name......there were none.
I will create / download some files later and erase them to see what happens.

 

I'm looking forward to your results tradetime.

 

When these test were run did you also:

Disable System Restore feature in Windows XP?

Securely Erase the Temporary Internet Files Folder?

Securely Erase the Temp Files Folder in the User Directory?

Could you also try CCleaner with the Secure Erase Features on?
Thanks.

 

Another bit of play, I saved a video file to my desktop checked that it was ok, played properly etc, then I erased it with Eraser, following that I ran Restoration again it revealed quite a few files, most of which once resided in a temp folder in documents and settings, and the bulk of the remainder seem to be log files from Comodo firewall.
Anyway, no where amongst the files Restoration offered to recover was my video file, so I offered it the file name to search for anything related to said file, and nothing, nada, not a sausage.
I also tried a recovery tool I have used before caaled PC Inspector File Recovery, again nothing.

 

Hi all.

We would be very grateful to anyone who would like to forensically test Eraser for us on the Eraser forum.

We hope to make Eraser the most secure overwriting software available so if anyone would like to show us where we are missing something then please let us know !

If you are interested in helping and think you have found a weakness in Eraser please join the Eraser forum and PM me.

Thanks.

 

It's ok. Wasnt asking you personaly to do anything.

tradetime, you used heidi eraser, right?

 

Actually, when you post asking for assistance, that is precisely what you're doing. It may be to post information, comment, or perhaps someone will run a confirmatory test, but don't lose sight that you're explicitly requesting a person's personal involvement.

Your first reaction on seeing the result you mentioned should have been "time for a serious reality check". That reality check should have uncovered example well executed studies such as the following readily available sources:

• Secure File Deletion: Fact or Fiction?
• Evaluating Commercial Counter-Forensic Tools (note: direct pdf file download)

There are many other more dated sources available as well and should immediately give you pause on what your friends noted. Clearly, it's very possible to pull small amounts of residual information if desired. However, being able to readily recover large video or executable files that had supposedly been securely deleted simply strains credulity.

Blue

 

That is correct, yes, and the system was XP in that case. Attached is a screen of a W2k setup, Eraser has just been run on this one overnight as a freespace wipe can take some time. Restoration was then run following it, only one file was found, a system file, and that was deleted by windows a minute or so before the program was run.

I should perhaps add, having read Blue's post above, that since I am not involved in any sort of criminal activity my use of file erasing technology is to defeat the guy in the street who at best is more clued up in computers than I (sadly that is probably most, ho hum), not to defeat a criminal forensics lab, so I would not say that this tool is capable of defeating their resources. Also you have to be aware that such teams do not necessarily need to recover entire hdd's or even complete files they just need to recover sufficiant data to stand as evidence in court, the amount that they recover may be of little use for any other purpose, and in any case their equipment is sufficiantly expensive that if a thief after my information has invested in it then he is welcome to what he can find.

 

Yeah, actually I meant except you.

Yeah. One of the reasons I was interested in this was cause somebody I knew did get arrested some time ago. He seemed very paranoid in terms of security and his privacy. He told me once he ran a series of wipe tools on a daily basis. But they still managed to recover data from his computer. So I was just wondering about a really safe and secure tool out there.

 

tradetime,

Don't read too much into my post - potential suppression of evidence and maintaining privacy basically are the same activities practiced for different ends and could involve anything from computer files to hardcopy records.

If you think about how a standard criminal investigation involving computers proceeds, examination of storage media typically begin with a replication of the media using a product such as EnCase, which captures the standard readable surface of the medium - it will be a bit for bit replication of the complete surface including "empty", slack, and unallocated space - followed by very detailed (often automated pattern based) examination of the replica. If a cluster is overwritten with zeroes, it will recover zeroes.

Virtually all of the esoteric things that people tend to worry about (say the need for multiple overwrites, etc.) apply to older technology in which information densities were much smaller, mechanical slop for read/write head positioning was much greater, and the shear volume of information one would need to process was an order or two of magnitude smaller.

Blue

 

Thanks for sharing, but you get all comers on a public site (fortunately or unfortunately as the case may be - and yes, my initial response to you was probably a bit on the too aggressive side).

Some of the tools you mentioned above are fine. The thing to keep in mind is that a complete and comprehensive disk sweep takes a fair amount of time for reasonably sized partitions. It's really not something one would practice on a daily basis. Further, due to the generation of temporary copies, information being stored in the MFT records, and so on, it is only through execution of one of these multihour sweep operations (empty space + slack space + zero unused MFT records) - see here for some comment regarding time needed for a clean sweep using DBAN - that cleanliness of the medium could be assured.

Blue

 

Ah ok, fair enough, I think what I have demonstrated is that a program such as Heidi's Eraser is more than adequate for disposing of general files that you may need to, of which you consider a sensitive nature, essentially I'd say Erase the file, and schedule free space wiping on a regular basis. That will defeat anyone snooping on your computer, beyond that, what law enforcement can do is of no consequence to me, I mean lets face it they have the ability to find files on your computer, even if they never were there in the first place

 

Yeah, unfortunately.

People in his field tend to use small harddisks. They keep specialized computers for their "work". Its a very limiting lifestyle and they are paranoid and dedicated enough. But in the end, even all that wasnt good enough. I was just merely interested in which side had the upper hand. That thread was informative.

 

Hey I downloaded Restoration and it did find some stuff. I wiped my free space about a month ago, so that was pretty recent. But about 90% or more of what it found said "unknown".

I assume you are suppose to check "include used clusters by other files" and "include even if the size is zero" when you run it. Anyway, what a great little program. Thanks for recommending it!