Evidence Eliminator v Encase

Discussion in 'Computer Security' started by Silas, Dec 3, 2004.

  1. Silas

    Silas Guest

    I got both these software and tested them out. I used the Safe Delete
    option of Evidence Eliminator on a file to wipe 9 times, in effect an
    attempt to shred the file. I then ran Encase and found that the file
    still existed on my hard drive. Encase reported that the file was
    deleted but the name, date, logical size of file, physical size of file,
    and starting cluster still existed. My questions are:

    1. Can such a file now be recovered using Encase?
    2. Why has Evidence Eliminator failed to remove all traces of deleted
    files it has claimed it can remove?
    3. Is Evidence Eliminator on the above basis a total failure?

    Comments would be appreciated.
    Silas, Dec 3, 2004
    #1
    1. Advertising

  2. "Silas" <> wrote ...
    > I got both these software and tested them out. I used the Safe Delete
    > option of Evidence Eliminator on a file to wipe 9 times, in effect an
    > attempt to shred the file. I then ran Encase and found that the file
    > still existed on my hard drive. Encase reported that the file was
    > deleted but the name, date, logical size of file, physical size of file,
    > and starting cluster still existed. My questions are:
    >
    > 1. Can such a file now be recovered using Encase?
    > 2. Why has Evidence Eliminator failed to remove all traces of deleted
    > files it has claimed it can remove?
    > 3. Is Evidence Eliminator on the above basis a total failure?


    I have no working knowledge of either application however if one purports to
    securely erase a file yet remnants remain regardless of which remnants then
    I would be concerned. You would be the best one to test if Encase can
    actually recover fragments and based on this be able decide if EE is a total
    failure.
    Use.Netuser.de, Dec 3, 2004
    #2
    1. Advertising

  3. Silas

    Ant Guest

    "Silas" wrote:
    > I got both these software and tested them out. I used the Safe Delete
    > option of Evidence Eliminator on a file to wipe 9 times, in effect an
    > attempt to shred the file. I then ran Encase and found that the file
    > still existed on my hard drive. Encase reported that the file was
    > deleted but the name, date, logical size of file, physical size of file,
    > and starting cluster still existed.


    It's reporting the contents of the deleted directory entry. However,
    the file data may have been overwritten.

    > My questions are:
    >
    > 1. Can such a file now be recovered using Encase?


    Have you tried?

    > 2. Why has Evidence Eliminator failed to remove all traces of deleted
    > files it has claimed it can remove?


    Because they are liars.

    > 3. Is Evidence Eliminator on the above basis a total failure?


    You're obviously unaware of the history of these people. I would not
    trust their claims, or ever use their software.

    Consumer Warning: Robin Hood Software and Evidence Eliminator:
    http://www.discord.org/~lippard/evidence-eliminator-sucks.com/

    The Evidence Eliminator Documents:
    http://www.radsoft.net/resources/software/reviews/ee/
    Ant, Dec 4, 2004
    #3
  4. Silas

    donnie Guest

    On Fri, 03 Dec 2004 21:05:47 +0000, Silas <>
    wrote:

    >I got both these software and tested them out. I used the Safe Delete
    >option of Evidence Eliminator on a file to wipe 9 times, in effect an
    >attempt to shred the file. I then ran Encase and found that the file
    >still existed on my hard drive. Encase reported that the file was
    >deleted but the name, date, logical size of file, physical size of file,
    > and starting cluster still existed. My questions are:
    >
    >1. Can such a file now be recovered using Encase?
    >2. Why has Evidence Eliminator failed to remove all traces of deleted
    >files it has claimed it can remove?
    >3. Is Evidence Eliminator on the above basis a total failure?
    >
    >Comments would be appreciated.

    ########################
    Some years ago, there was a major argument about EE on usenet. Some
    people said that it wiped their hard drives and that it was a terrible
    program. Then someone from the company tried to defend the product
    but every time he posted, he stuck his foot in his mouth and seemed to
    make things worse. He really should have just let the thread die. I
    never used any of those programs but after following that thread, I
    wasn't about to try EE.
    Anyway, if you say that the file is still there after using EE, I
    would agree that it's a failure.
    donnie
    donnie, Dec 4, 2004
    #4
  5. Silas

    Pete Guest

    On 2004-12-04, donnie <> wrote:
    > On Fri, 03 Dec 2004 21:05:47 +0000, Silas <>
    > wrote:
    >
    >>I got both these software and tested them out. I used the Safe Delete
    >>option of Evidence Eliminator on a file to wipe 9 times, in effect an
    >>attempt to shred the file. I then ran Encase and found that the file
    >>still existed on my hard drive. Encase reported that the file was
    >>deleted but the name, date, logical size of file, physical size of file,
    >> and starting cluster still existed. My questions are:


    <snip>

    >>3. Is Evidence Eliminator on the above basis a total failure?


    <snip>

    > Anyway, if you say that the file is still there after using EE, I
    > would agree that it's a failure.


    There was talk, IIRC, in that 'debate' about EE only pretending to
    wipe files if the program wasn't registered. I can't be certain from the
    OP's post if the program was registered or not, as 'got both these software'
    (sic) is a bit ambiguous to say the least.

    Regards,

    Pete.

    --
    I do not trouble myself to be understood. I see that the elementary laws never apologise.
    Pete, Dec 4, 2004
    #5
  6. Silas

    cacophony Guest

    Silas wrote:

    > I got both these software and tested them out. I used the Safe Delete
    > option of Evidence Eliminator on a file to wipe 9 times, in effect an
    > attempt to shred the file. I then ran Encase and found that the file
    > still existed on my hard drive. Encase reported that the file was
    > deleted but the name, date, logical size of file, physical size of file,
    > and starting cluster still existed. My questions are:
    >
    > 1. Can such a file now be recovered using Encase?
    > 2. Why has Evidence Eliminator failed to remove all traces of deleted
    > files it has claimed it can remove?
    > 3. Is Evidence Eliminator on the above basis a total failure?
    >
    > Comments would be appreciated.


    1. Use a different program. PGP has a good file wiper, and a nuumber of
    other seful utilities, too

    2. Wipe 27 times. That's the max number of times, IIRC, that it will
    actually make a difference.
    cacophony, Dec 4, 2004
    #6
  7. Silas

    A Morris Guest

    Pete <> wrote in message news:<LKcsd.15$>...
    > On 2004-12-04, donnie <> wrote:
    > > On Fri, 03 Dec 2004 21:05:47 +0000, Silas <>
    > > wrote:
    > >
    > >>I got both these software and tested them out. I used the Safe Delete
    > >>option of Evidence Eliminator on a file to wipe 9 times, in effect an
    > >>attempt to shred the file. I then ran Encase and found that the file
    > >>still existed on my hard drive. Encase reported that the file was
    > >>deleted but the name, date, logical size of file, physical size of file,
    > >> and starting cluster still existed. My questions are:

    >
    > <snip>
    >
    > >>3. Is Evidence Eliminator on the above basis a total failure?


    Rather the opposite.

    You have wiped a files contents, but have not cleared the directory
    entries associated with it.

    I would suggest consulting the manual of the software for instructions
    on how to complete the deletion process.

    BTW, the two links above claiming to offer criticizms of EE are
    closely linked to EE's competition (in fact one, RADSOFT is itself a
    direct competitor). The theory behind such sites seems to be, that if
    one pens a site containing enough ridiculous lies about a product,
    then the uninitiated or those with simply nothing better to do, will
    post the links all over USENET and lead to sales of one's own product
    instead.
    A Morris, Dec 4, 2004
    #7
  8. Silas

    Pete Guest

    On 2004-12-04, cacophony <> wrote:
    > Silas wrote:
    >
    >> 1. Can such a file now be recovered using Encase?
    >> 2. Why has Evidence Eliminator failed to remove all traces of deleted
    >> files it has claimed it can remove?
    >> 3. Is Evidence Eliminator on the above basis a total failure?
    >>
    >> Comments would be appreciated.

    >
    > 1. Use a different program. PGP has a good file wiper, and a nuumber of
    > other seful utilities, too
    >
    > 2. Wipe 27 times. That's the max number of times, IIRC, that it will
    > actually make a difference.


    Nice to see the PGP flag being waved again. It's a great application. But 27
    wipes *all* the time is going to put a lot of stress on the drive heads
    isn't it ? Maybe reduce the overall life span of the drive ?

    I'd save that for the shopping list you *really* didn't want anyone to see.

    I just can't get over why someone would buy a product called 'Evidence
    Eliminator' (I'm not referring to you cacophony).

    What kind of 'evidence' are these people trying to eliminate ffs ?

    Confidential company data, ok. Password or other security information, ok.
    Personal emails, ok. Is there anything else I missed ?

    PGP or 'shred' on many Gnu/Linux systems can do that, totally for free. Why
    buy off spammers ?

    Regards,

    Pete.

    --
    "Dammit Jim, I'm a sig file not an actor !"
    Pete, Dec 4, 2004
    #8
  9. Silas

    donnie Guest

    On Sat, 04 Dec 2004 06:24:43 GMT, Pete <> wrote:

    >There was talk, IIRC, in that 'debate' about EE only pretending to
    >wipe files if the program wasn't registered. I can't be certain from the
    >OP's post if the program was registered or not, as 'got both these software'
    >(sic) is a bit ambiguous to say the least.
    >
    >Regards,
    >
    >Pete.

    ##########################
    Yes. I remember that too but I can't confirm that to be the case.
    donnie.
    donnie, Dec 4, 2004
    #9
  10. Silas

    donnie Guest

    On Sat, 04 Dec 2004 16:20:35 GMT, cacophony <>
    wrote:

    >1. Use a different program. PGP has a good file wiper, and a nuumber of
    >other seful utilities, too
    >
    >2. Wipe 27 times. That's the max number of times, IIRC, that it will
    >actually make a difference.

    ########################
    27 times? Doesn't the DOD recommend 7?
    donnie.
    donnie, Dec 4, 2004
    #10
  11. Silas

    Ant Guest

    "A Morris" wrote:

    > BTW, the two links above claiming to offer criticizms of EE are
    > closely linked to EE's competition (in fact one, RADSOFT is itself a
    > direct competitor). The theory behind such sites seems to be, that if
    > one pens a site containing enough ridiculous lies about a product,
    > then the uninitiated or those with simply nothing better to do, will
    > post the links all over USENET and lead to sales of one's own product
    > instead.


    Are you new to Usenet? This is exactly what the pushers of EE have
    done. If you were around when EE affiliates were spamming it in every
    group you'd know why the company is so loathed. Their marketing
    practices stink. Scaremongering and spamming are the key words here.

    While Radsoft is a competitor, they give a good analysis of EE, not
    all of it bad. Read all the links from that page. It is quite obvious
    that EE cannot do a proper job of securely erasing information on an
    NT based operating system. In fact I doubt that any software could,
    while the OS is running, given that it would have to deal with NTFS
    at sub-driver level, and also the swap file.

    I have nothing to do with either link, and am far from uninitiated.
    I've been programming computers at both a low and high level since the
    mid 1970s. I know snake oil when I see it.
    Ant, Dec 4, 2004
    #11
  12. On Sat, 04 Dec 2004 02:20:41 +0000, donnie wrote:

    > Some years ago, there was a major argument about EE on usenet. Some


    <http://evidence-eliminator-sucks.com/>

    --
    Jeffrey D. Silverman |
    Website | http://www.newtnotes.com

    Drop "PANTS" to reply by email
    Jeffrey Silverman, Dec 7, 2004
    #12
  13. On Tue, 07 Dec 2004 11:30:28 -0500, Jeffrey Silverman wrote:

    > On Sat, 04 Dec 2004 02:20:41 +0000, donnie wrote:
    >
    >> Some years ago, there was a major argument about EE on usenet. Some

    >
    > <http://evidence-eliminator-sucks.com/>


    Ooops, better version:
    <http://ee-sucks.tripod.com/>

    --
    Jeffrey D. Silverman |
    Website | http://www.newtnotes.com

    Drop "PANTS" to reply by email
    Jeffrey Silverman, Dec 7, 2004
    #13
  14. Silas

    Guest

    Evidence Eliminator has overwritten all the data in the file, so the
    file contents are unrecoverable. When EE safely deletes a file on a
    FAT partition, the filename is not eliminated, only the file body. To
    delete the filenames, you need to enable 'High performance mode'
    and perform a safe shutdown or safe restart.
    On NTFS volumes, EE does erase filenames by renaming them to
    'EE---Temp.tmp'.
    , Dec 10, 2004
    #14
  15. Silas

    winged Guest

    donnie wrote:
    > On Sat, 04 Dec 2004 16:20:35 GMT, cacophony <>
    > wrote:
    >
    >
    >>1. Use a different program. PGP has a good file wiper, and a nuumber of
    >>other seful utilities, too
    >>
    >>2. Wipe 27 times. That's the max number of times, IIRC, that it will
    >>actually make a difference.

    >
    > ########################
    > 27 times? Doesn't the DOD recommend 7?
    > donnie.


    DOD recommends grinding the HDD platters into dust, placing dust in a
    trash can (metal), spraying dust with alcohol or gasoline then lighting
    the combination to release magnetic orientation of the particles. That
    pretty much prevents data compromise from disk source. It depends on
    the level of surety desired.
    Winged
    winged, Dec 10, 2004
    #15
  16. Silas

    Jason Bosaw Guest

    I'm currently using EnCase 4.20. During the training I attended in
    Sterling, VA, Evidence Eliminator was mentioned by Guidance Software
    personnel. According to the training staff, EE is rarely effective for
    novice users. They explained that more advanced users, who now how to adjust
    the configuration of the application, could get EE to make things difficult
    on an EnCase investigator.[<---Answer to Question #2] I checked out the
    Evidence Eliminator site and found the software to run $149. The EnCase
    software runs $2,495.00 not including some optional hardware and training.
    At first, I can't see why one would spend in the range of $2600 to see if EE
    actually works. Regardless of my own wonderings, EnCase works differently
    than Windows in that it reads data bit-for-bit on the media being analyzed.
    If it's there it's there and it will read it.[<---Answer to Question #1]
    According to EE's site, it's supposed to overwrite written bits with 00 or
    FF to wipe. I haven't used or experimented with EE. I am yet to run into it
    as an obstacle in an investigation. EnCase also has a wipe tool and it's
    found to be not totally effective too.
    Regards,
    Jason

    "Silas" <> wrote in message
    news:41b0d52c$...
    > I got both these software and tested them out. I used the Safe Delete
    > option of Evidence Eliminator on a file to wipe 9 times, in effect an
    > attempt to shred the file. I then ran Encase and found that the file
    > still existed on my hard drive. Encase reported that the file was
    > deleted but the name, date, logical size of file, physical size of file,
    > and starting cluster still existed. My questions are:
    >
    > 1. Can such a file now be recovered using Encase?
    > 2. Why has Evidence Eliminator failed to remove all traces of deleted
    > files it has claimed it can remove?
    > 3. Is Evidence Eliminator on the above basis a total failure?
    >
    > Comments would be appreciated.
    Jason Bosaw, Dec 10, 2004
    #16
  17. Silas

    nemo outis Guest

    In article <o_aud.16$>, "Jason Bosaw" <> wrote:
    >I'm currently using EnCase 4.20. During the training I attended in
    >Sterling, VA, Evidence Eliminator was mentioned by Guidance Software
    >personnel. According to the training staff, EE is rarely effective for
    >novice users. They explained that more advanced users, who now how to adjust
    >the configuration of the application, could get EE to make things difficult
    >on an EnCase investigator.[<---Answer to Question #2] I checked out the
    >Evidence Eliminator site and found the software to run $149. The EnCase
    >software runs $2,495.00 not including some optional hardware and training.
    >At first, I can't see why one would spend in the range of $2600 to see if EE
    >actually works. Regardless of my own wonderings, EnCase works differently
    >than Windows in that it reads data bit-for-bit on the media being analyzed.
    >If it's there it's there and it will read it.[<---Answer to Question #1]
    >According to EE's site, it's supposed to overwrite written bits with 00 or
    >FF to wipe. I haven't used or experimented with EE. I am yet to run into it
    >as an obstacle in an investigation. EnCase also has a wipe tool and it's
    >found to be not totally effective too.
    >Regards,
    >Jason



    Version 4.17b of Encase is widely available as warez.

    Regards,
    nemo outis, Dec 10, 2004
    #17
  18. Silas

    nemo outis Guest

    In article , nemo (nemo outis) wrote:
    >In article <o_aud.16$>, "Jason Bosaw"
    > <> wrote:
    >>I'm currently using EnCase 4.20. During the training I attended in
    >>Sterling, VA, Evidence Eliminator was mentioned by Guidance Software
    >>personnel. According to the training staff, EE is rarely effective for
    >>novice users. They explained that more advanced users, who now how to adjust
    >>the configuration of the application, could get EE to make things difficult
    >>on an EnCase investigator.[<---Answer to Question #2] I checked out the
    >>Evidence Eliminator site and found the software to run $149. The EnCase
    >>software runs $2,495.00 not including some optional hardware and training.
    >>At first, I can't see why one would spend in the range of $2600 to see if EE
    >>actually works. Regardless of my own wonderings, EnCase works differently
    >>than Windows in that it reads data bit-for-bit on the media being analyzed.
    >>If it's there it's there and it will read it.[<---Answer to Question #1]
    >>According to EE's site, it's supposed to overwrite written bits with 00 or
    >>FF to wipe. I haven't used or experimented with EE. I am yet to run into it
    >>as an obstacle in an investigation. EnCase also has a wipe tool and it's
    >>found to be not totally effective too.
    >>Regards,
    >>Jason

    >
    >
    >Version 4.17b of Encase is widely available as warez.
    >
    >Regards,
    >



    Encase 4.20 just now posted in alt.binaries.warez.win95-apps

    Regards,
    nemo outis, Dec 11, 2004
    #18
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Bill Crocker

    Re: Evidence Eliminator... NOT AN AD, I promise

    Bill Crocker, Jun 22, 2003, in forum: Computer Security
    Replies:
    2
    Views:
    1,665
    Richard
    Jun 30, 2003
  2. Silas

    Evidence Eliminator v's Encase

    Silas, Dec 3, 2004, in forum: Computer Information
    Replies:
    1
    Views:
    748
    derek / nul
    Dec 4, 2004
  3. Replies:
    1
    Views:
    500
    Serpico
    Oct 5, 2006
  4. StaLaG

    A alternative to Evidence Eliminator ?

    StaLaG, Dec 14, 2006, in forum: Computer Security
    Replies:
    9
    Views:
    2,542
    macarro
    Dec 18, 2006
  5. David Pinzone

    Evidence Eliminator and 407 DFX warning

    David Pinzone, Dec 13, 2005, in forum: Computer Support
    Replies:
    13
    Views:
    705
    Noel Paton
    Dec 14, 2005
Loading...

Share This Page