Secure wiping insecure?

Discussion in 'privacy technology' started by SafetyFirst, Apr 11, 2008.

Thread Status:
Not open for further replies.
  1. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    SafetyFirst, I have used WinHex 14.9 to confirm that Privacy Suite operates as expected and does in fact destroy both the names (of existing or previously deleted) files as well as the contents of the files themselves. I can’t explain what you are observing.

    May I ask, however, the procedures you are using with WinHex to find the names of erased files? In particular, are you sure that you are using the WinHex function “Take New Volume Snapshot” after the erase operation has completed? If not, WinHex will display the same view of the drive as before the erase operation – and, in this circumstance, the names of the erased files will obviously be “present”.

    Whether you erase with a 1-pass method or a 35-pass method will make no difference with respect to the information reported by WinHex.

    Do you have the trial version of Privacy Suite? My understanding is that the trial version has all of the functionality of the full, paid version – but, possibly this may not be the case. You might wish to check with CyberScrub on this point.
     
  2. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    If your goal is to "sanitize your HD" then why don't you simply nuke the whole thing with DBAN? ( http://dban.sourceforge.net/ ). Just offload whatever you want to keep to removable media, nuke the HD, re-install the OS and put the stuff you kept back on?

    It would certainly be more simple than what you've already gone through. Pete
     
  3. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    In case some don't know, the above mentioned program, "CyberScrub Privacy Suite" is the exact same thing as East-Tech Eraser 2008. They license the program for U.S. users as "CyberScrub". Never could figure that out. HOWEVER, there are good reasons to buy the CyberScrub version. If you download the trial program first (works with no restrictions for 15 days) you immediately get a coupon code that makes the program $39.95 versus $49.95.

    Just a tip.
     
  4. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    SafetyFirst, I conducted another test of Privacy Suite 5.0 today by simply deleting a file on an NTFS partition (via Windows Explorer), and then running the “Erase Beyond Recovery” process with “Scramble deleted files and folders properties” enabled. As expected, the MFT record that contained the file name was destroyed, according to my examination using WinHex.
     
  5. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,356
    Location:
    Location Unknown
    Are there any erasing differences between this and Eraser? Why should I choose CyberScrub over Eraser?
     
  6. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    N8chavez, this Comparison Chart highlights some of the differences between Privacy Suite and Eraser.

    Many users have reported (sometimes horrendous) problems with Eraser and wiping free disk space. For myself, I have never had an issue in this regard with Privacy Suite over several years of use. Additionally, Privacy Suite is the only product of which I am aware that optionally wipes “shadow copies” in Windows Vista. (Eraser doesn’t even claim to be compatible with Vista.)

    Notwithstanding these points, however, most file/disk wiping utilities have far more features in common than they have differences.
     
  7. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    Just to clarify.....'Privacy Suite' is the same program as 'East-Tech Eraser 2008' - not the Tolvanen/Heidi program "Eraser" .
     
  8. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    On the face of it - at least as far as Eraser is concerned - the "Comparison Chart" seems to be a little off:

    Eraser does erase filenames (sorry, I've seen it too many times to count right here on this computer); it does clear the paging/swap file at shutdown if you set it to do so (Edit, Preferences, General tab); it does (if you set it to do so) create a log file of erase/wipe operations; it does have an automated Task Scheduler (if you set it up); it does have password protection if you choose to use it (at least on version 5.84, that I use).

    And, yes, there was (past-tense) a serious problem with the "Only first and last 2KB" (Option 5 on the "Preferences"/"Erasing"/"Files" tab - yeah don't use that one!).

    I'm sure they just didn't look at the program that closely while they were busy touting their own. (They could have tried a little harder to, though, so as to not look like they're putting out false advertising).

    Erased is Erased, AFAIC - and Eraser is free (although I've donated to it, as I do to all the good software that's freeware or shareware that I use here).

    Have a good one - I've got another 12-hour shift to pull later today. Pete
     
  9. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    I agree completely with Spy1's post above. ERASER can, in fact, do most everything these others can do, albeit with slightly more manual setup. But honestly, many of the plug-ins you use with CyberScrub aren't auto-detected; they are shown and added to the list but when you click "next" you're expected to find the path yourself. So, marketing is marketing and security is security. ERASER is a great tool and, as Spy1 said, it's free.
     
  10. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    I have used Evidence Eliminator for years now and would use nothing else. Lots of nonsense talked about it being a rogue app etc and that it does not work etc - all rubbish!

    It does everything you need. If you believe files need to be overwritten more than once in order for them to be securely erased, then there is no other application that will resolve the issue of unsecurely deleted files having had their space taken by other files - see my post earlier. (Personally, I think one overwrite is enough.)

    Also, on a safe shutdown or restart, it can randomise the info for every file re its creation date access date etc - this is vital else it is possible to tell what and when you have been doing.

    I won't be replying to the inevitable follow-up posts slating EE / me for suggesting the use of this app.

    Up to everyone else what they use, but no single app covers what EE does - and none can securely underwrite files other than EE.
     
  11. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    I agree that the “comparison chart” created by CyberScrub is (obviously) motivated by marketing interests, and may be out-of-date with respect to how Eraser differs from Privacy Suite.

    Fortunately, there exist a number of good erase utilities on the market, and a user should employ the one that best fits her or his needs and requirements. Each one has a few advantages that another lacks, but on balance they are more alike than different.
     
  12. SafetyFirst

    SafetyFirst Registered Member

    Joined:
    Jan 26, 2007
    Posts:
    462
    I finally managed to register EE. The fifth reinstallation wouldn't accept copy/pasting registration keys either, but this time miraculously I was able to type them into the registration fields.

    So far, so good. Like with WinHex, I was surprised with what EE found too. URLs I visited last year using Opera, that should have been gone long time ago, were shown by EE. I was thinking to myself "Where the hell is it picking them from!?" After every browsing session I run CCleaner and CleanCache thereafter. For added security, I give Window Washer a shot. I run MRU Blaster and then shutdown my PC. I supposed this was enough to clean internet tracks. Not so. EE somehow found old URLs.

    I am glad ChrisP is happy with EE, because I read some scary things about EE corrupting hard drives.

    BTW, my XP doesn't have Scandisk. Where can I download it from? Is ScanDisk Pro a different program with similar name or just another version of Microsoft's Scandisk?
     
  13. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    SafetyFirst, to clarify, are you saying that Evidence Eliminator 6.0 was able to identify and destroy URL references that Eraser, Privacy Suite, CleanCache, Window Washer and BCWipe missed? Does Evidence Eliminator provide a log file that indicates where those URL references were stored?

    Second, did you find that Evidence Eliminator destroyed the name of a file stored on an NTFS volume during an erase operation, in addition to destroying the file contents? Did you independently confirm this observation using WinHex?

    Third, how was your experience interacting with the technical support at Robin Hood Software?

    Thank you.
     
  14. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    I know, that's what's bothering me a lot in this thread - no hard evidence (screenshots, logs, etc.) being presented of anything supposedly being "missed" or "not wiped".

    I also have questions in my mind about whether or not any of the items "found" (either by WinHex or other programs mentioned) were actually "erased"/"over-written" properly (IOW, selected for erasure/over-writing) by the other programs in question by the original poster.

    Too many variables (erasure/over-writing programs used correctly to start with? Consistent procedures used?) here. Pete
     
  15. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Spy1, it seems to me that there are two interconnected but yet separate issues here:

    1. Does the erase utility properly identify all of the folders (and registry keys) that might contain “privacy traces,” depending upon the operating system and the set of applications installed on the PC?

    2. Does the erase utility properly destroy (2a) the contents and (2b) the name of all files in each folder that might contain “privacy traces,” so that neither the file contents nor the file name can be recovered?
    The issue of items being “missed” applies to question 1; whereas, the issue of items being “not wiped” applies to question 2.

    Testing question 1 is difficult, since logically there is always the theoretical possibility that the erase utility failed to identify a location that may contain “privacy traces.” This question is also “ambiguous,” in the sense that the definition of what constitutes a “privacy trace” differs for each individual. For example, some users consider the list of Most Recently Used files to reside in this category, while others do not.

    Testing question 2, however, is “easy”: use WinHex to examine a file (and the Master File Table) before and after the erase option, to see if the contents (and name) of the file are properly destroyed.

    I do agree with your point that an empirical justification of the claims (or failures) of an erase utility should be explored and documented.
     
  16. Hillsboro

    Hillsboro Registered Member

    Joined:
    Jul 21, 2006
    Posts:
    86
    Location:
    CH/USA
    I think this entire discussion along with many others regarding security and leaving traces of activity on your computer has to be solved using a more proactive approach to the whole issue. Clearly, many people have taken a lot of time and effort to see what erasure app works best and does not leave any tracks laying about in unknown corners of Windows. Why not invest in a new system HD; save your important docs and files to a DVD or tape B/U and install the new drive and do a new install. Then install something like Returnil along with the rest of your apps and run Returnil whenever you don't want to leave any traces lurking about to come back and bite you someday. Problem solved. Returnil works as advertised. Use it and no worries about this cleaner and that cleaner and if it is getting everything or not. Yes, I know doing a fresh install and getting all the apps and everything else in place as you had it is a big pain. But if you want to be secure you have little choice. As far as the old drive? Save the hours of wiping it 35 times. Wipe it once and then take a propane torch to the platters. Even the NSA is not going to be able to resurrect anything from it after that.
     
  17. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    Hey I recently installed Returnil after doing a reinstall and wiping my hard drive with R-Wipe. I used Restoration immediately after running R-Wipe. There were no traces of folder names or anything like that left when I ran restoration. Just a bunch of funny looking symbols and a few random letters and numbers. My experiments with Eraser have achieved the same results. I have conducted these experiments after running Restoration to clean up everything so I can see exactly what was going on. I did separate experiments with both R-Wipe and Eraser. I wiped individual files first and nothing identifiable was left. I then cleaned everything up with Restoration and downloaded a bunch of rapidshare files.....pics and vids. There was nothing left after wiping these either, that I could read. Nothing. So I have no idea what is going on when someone claims that the names of files are left behind.

    But I am sooooo happy with Returnil that I just don't know what to say. I try out new programs, download rapidshare files of music and movies just to see if I want them. and I have programs that I use sometimes to download youtube vids and to convert video files etc... I install them just long enough to use them and then restart my computer, and they disappear in a puff of smoke.......right back into the nothingness from whence they came.....kind of a Zen thing I guess, haha!. Any vids, art, or music that I want to keep, I put on an external hard drive or DVD. I could not be happier. I do want to try another program that I have read about here....starts with an I...I can't remember but it creates an archive to restore everything back to an original state.
     
  18. SafetyFirst

    SafetyFirst Registered Member

    Joined:
    Jan 26, 2007
    Posts:
    462
    Here I post a screenshot of Disk Investigator search results for files called DVD Copy Tools and Essential Net Tools that were downloaded using eMule and then erased by right-clicking and choosing Eraser's erase function with 35 overwrites:

    http://i27.tinypic.com/fvkbuq.jpg

    The filenames are incomplete but still recognizable.
     
  19. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Using virtualization is certainly one way to address privacy issues. VMware offers a free Browser Appliance that may be of interest to readers of this thread. Additionally, with VMware Workstation, you can restore an image of your fully functional PC (e.g., from ShadowProtect Desktop by StorageCraft) to a virtual machine (VM), avoiding the problem of “doing a fresh install and getting all the apps and everything else in place as you had”. When done using the VM, you can simply erase it, if you wish.
     
  20. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    The logic of the argument seems to be: “If a file undelete tool can’t recover a file wiped by an erase utility, then the erase utility must be functioning properly.” The conclusion might be correct, but the outcome is indeterminate. The undelete tool might fail to recover the “erased” file because of its own limitations, or because the wiped file (and file name) has actually been destroyed. The test doesn’t distinguish between these two possibilities, unfortunately.

    A much better procedure is to use a disk editor (such as WinHex) to view the actual disk sectors (and $MFT record) occupied by a file before and after the erase operation. This provides very compelling evidence that an erase is (or is not) working properly.
     
  21. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    SafetyFirst, your experiment casts substantial doubt on the claim that Eraser destroys file names when wiping files on a NTFS volume. I recommend that you post your findings on the Heidi Computers’ forum, and see what that community has to say about the issue.
     
    Last edited: May 6, 2008
  22. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    Okay. I didn't realize that WinHex was different than Restoration. To say I am a nooby at all of this is the understatement of the year. I would like to try this experiment again with WinHex, but if it is too complex, I will probably be unable to figure it out. But I would certainly be interested to know.
     
  23. SafetyFirst

    SafetyFirst Registered Member

    Joined:
    Jan 26, 2007
    Posts:
    462
    OK, guys, would somebody please tell me what I am doing wrong? There must be something I am missing but I can't figure it out.

    I decided to perform a test for seven different erasing utilities to make sure which one does its job properly and which one doesn't.

    I copied a .wmv file seven times and named it accordingly:

    - VideoFileDestructionTest for BCWipe
    - VideoFileDestructionTest for Clean Disk Security
    - VideoFileDestructionTest for CyberScrub
    - VideoFileDestructionTest for Eraser
    - VideoFileDestructionTest for Evidence Eliminator
    - VideoFileDestructionTest for WindowWasher
    - VideoFileDestructionTest for WinHex

    I did so to be able to check out later which filenames could be retrieved after erasing.

    All wiping procedures were done through right-click context menu (with exception of WinHex which doesn't have such a shell extension - wiping was executed from within the program: File Tools - Wipe Securely)


    Wiping methods:


    BCWipe: Delete with wiping - DoD 7 pass

    Clean Disk Security: Erase fully - Gutmann 35 pass

    CyberScrub Privacy Suite: Erase beyond recovery - Schneier 7 pass

    Eraser: Erase - Gutmann 35 pass

    Evidence Eliminator: Evidence Eliminator Safe Delete - 3 pass zero-reverse-random (0-1-rand) which is actually 9 overwrites

    Window Washer: Shred (Wash with bleach) - Gutmann 35 pass

    WinHex: Wipe securely - 3 pass simple pseudo-random numbers


    After having confirmed erasure for each program, these files disappeared from the folder Test Files where I had put them. The only exception was CyberScrub Privacy Suite, which asked me to restart the computer to complete the erasing.

    After restarting CyberScrub showed me the following window asking me if I want to erase this file:


    Name: CUVBDMEKDMCGCHHHMKTLJFMTKIUBNUKOLOTVASP.TRN
    Type: TRN File
    Size: 0 Byte
    Attribute:Archive
    Created: 2003/5/24 10:27:24PM
    Modified: 2003/5/24 10:27:24PM
    Accessed: 2008/5/7 5:24:00
    Full path: D:/MY DOCUMENTS/TEST FILES/CUVBDMEKDMCGCHHHMKTLJFMTKIUBNUKOLOTVASP.TRN

    My understanding of this is that file properties had been scrambled before erasing. I confirmed the erasure and got this:

    The following files are protected against secure overwriting and could not be erased even after restarting: D:/ My Documents/Test files/CUVBDME...
    You may try to delete these files by clicking the "Try to Delete" button and then manually wipe the free disk space, or contact your system administrator to change permissions for these files.


    After having clicked the "Try to Delete" button:

    All protected files have been successfully deleted. Please note they have not been securely erased, so if you want to ensure no data can be recovered from them, please wipe the free disk space on the disk drive(s) where they are located.


    However, I then ran WinHex and Disk Investigator to see what's been left behind.

    This is the screenshot of DI's search results for VideoFileDestructionTest: :eek:

    http://i30.tinypic.com/2vb4dw2.jpg

    Now I don't understand anything any more. To add to confusion, the only file name that doesn't show up here is VideoFileDestructionTest for Eraser!?

    Just to remind, this screenshot was taken after each of the files had been erased and after restarting the computer!
     
  24. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    SafetyFirst, it isn’t clear what is occurring on your PC. A few thoughts and observations, however, that may help…

    • The only reason that Privacy Suite would ask you to reboot the PC is because it has detected that one or more of the files-to-be-erased is locked and can’t be accessed while Windows is actively running. In this scenario, the tool automatically schedules the locked files to be erased at the next system startup. (And, the fact that none of the other erase tools you tested detected and acted upon this condition is a potentially worrisome comment upon their operation.)
    • The fact that Privacy Suite displays a file name of “CUVBDMEKDMCGCHHHMKTLJFMTKIUBNUKOLOTVASP.TRN” in the window following start-up strongly suggests that it is renaming the file, in order to destroy the file name as well as the file contents.
    • Activate the log capability in Privacy Suite, so that you can see exactly what files it is erasing and when.
    • For some reason, it seems that your test files are locked by your system. When you attempt to erase the test files, be sure that none of them are in use by any application on your PC – so that none of them will be locked.
    • In what folder did you place the .WMV files? Was it “D:\My Documents\Test Files”? Be sure that the folder used for the test is a regular, non-system folder to ensure that none of the file is locked by the system.
    • For this test, a simple 1-pass overwrite is no better or worse than a more comprehensive multi-pass overwrite.
    • I recommend that you use a simple .TXT file for your test rather than a .WMV file, since you can easily view the contents of a text file in a disk editor (such as WinHex). For testing purposes, be sure the file is greater than 4KB in size, so that the file contents is stored outside of the $MFT record itself.
    • I recommend that you use WinHex rather than Disk Investigator to look at your files before and after the erase. We know that WinHex is an exceptionally professional and reliable tool; whereas, Disk Investigator is no longer supported by its author (according to PC World). Thus, try using WinHex to view the actual disk sectors that the test file occupies, as well as the $MFT record that contains the name of the file.
    Please report back on your progress, including screen shots and/or log files, and let us know what you discover.
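
The before-and-after look at the $MFT record that the posts above recommend can also be scripted. The following is an added example, not part of the original thread and not code from any of the tools discussed: it parses NTFS FILE records from a raw buffer and lists every $FILE_NAME entry that matches a search string, together with the record's in-use flag. The 1024-byte record size, the three-record sample image and the file names in it are constructed assumptions.

```python
import struct

RECORD_SIZE, SECTOR = 1024, 512        # common NTFS sizes, assumed for this sketch
ATTR_FILE_NAME, ATTR_END = 0x30, 0xFFFFFFFF

def apply_fixups(rec):
    """Restore the two bytes at the end of each sector from the update sequence array."""
    rec = bytearray(rec)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    for i in range(1, usa_count):
        end, src = i * SECTOR, usa_off + 2 * i
        if end > len(rec) or src + 2 > len(rec):
            break
        rec[end - 2:end] = rec[src:src + 2]
    return bytes(rec)

def file_names(rec):
    """Return (in_use, [names]) for one FILE record, or None if it is not one."""
    if rec[:4] != b"FILE":
        return None
    rec = apply_fixups(rec)
    attr_off, flags = struct.unpack_from("<HH", rec, 0x14)
    names = []
    while attr_off + 0x18 <= len(rec):
        a_type, a_len = struct.unpack_from("<II", rec, attr_off)
        if a_type == ATTR_END or a_len == 0 or attr_off + a_len > len(rec):
            break
        if a_type == ATTR_FILE_NAME and rec[attr_off + 8] == 0:   # resident attribute
            c_off = attr_off + struct.unpack_from("<H", rec, attr_off + 0x14)[0]
            if c_off + 0x42 <= len(rec):
                n_chars = rec[c_off + 0x40]                       # length in UTF-16 units
                raw = rec[c_off + 0x42:c_off + 0x42 + 2 * n_chars]
                names.append(raw.decode("utf-16-le", errors="replace"))
        attr_off += a_len
    return bool(flags & 0x01), names

def scan(image, needle):
    """List (record_no, in_use, name) for every record whose name contains needle."""
    hits = []
    for off in range(0, len(image) - RECORD_SIZE + 1, RECORD_SIZE):
        parsed = file_names(image[off:off + RECORD_SIZE])
        if parsed:
            in_use, names = parsed
            hits += [(off // RECORD_SIZE, in_use, n) for n in names
                     if needle.lower() in n.lower()]
    return hits

def make_record(name, in_use):
    """Build a constructed FILE record (not from a real disk) with one $FILE_NAME."""
    content = bytes(0x40) + bytes([len(name), 1]) + name.encode("utf-16-le")
    content += bytes(-len(content) % 8)
    attr = struct.pack("<IIBBHHHIHBB", ATTR_FILE_NAME, 0x18 + len(content),
                       0, 0, 0, 0, 0, len(content), 0x18, 0, 0) + content
    rec = bytearray(RECORD_SIZE)
    struct.pack_into("<4sHHQHHHHII", rec, 0, b"FILE", 0x30, 3, 0, 1, 1, 0x38,
                     1 if in_use else 0, 0x38 + len(attr) + 8, RECORD_SIZE)
    rec[0x38:0x38 + len(attr)] = attr
    struct.pack_into("<I", rec, 0x38 + len(attr), ATTR_END)
    for i in (1, 2):                   # move sector tails into the array, stamp the USN
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[i * SECTOR - 2:i * SECTOR]
        rec[i * SECTOR - 2:i * SECTOR] = b"\x01\x00"
    rec[0x30:0x32] = b"\x01\x00"
    return bytes(rec)

# Constructed image: a live file, a file deleted without wiping the record,
# and a file that was renamed to a scrambled name before deletion.
SAMPLE = (make_record("VideoFileDestructionTest A.txt", True)
          + make_record("VideoFileDestructionTest B.txt", False)
          + make_record("KQZRWMXD.TRN", False))

if __name__ == "__main__":
    for record_no, in_use, name in scan(SAMPLE, "VideoFileDestructionTest"):
        print(record_no, "in use" if in_use else "deleted", name)
```

A hit reported as deleted is the case argued over in this thread: the record is no longer in use, yet the original name is still readable in it, whereas the record that was renamed first no longer matches the search.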
     
  25. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    I would be interested to see what kind of success you have with R-Wipe. They have a free trial if you want to give it a whirl. Both R-Wipe and Eraser worked for me......on my C Drive.
     