Help! Need some advice on file name wiping

Discussion in 'Computer Security' started by jake, May 3, 2005.

  1. jake

    jake Guest

    Hi all,

    If I'm in the wrong group, my apologies.

    I have been attempting to wipe some files from my hard drive. I'm
    pretty sure that the files themselves are gone but not the file names.
    In some of these files the name reveals some of the content of the
    file.

    I have run several wipe programs:

    Eraser v5.7
    Clean Disk Security v7.3
    Wipe Disk v2.1
    Object Wipe v1.2 (Trial Version)
    BC Wipe v2.28

    As I said, they appear to overide the file itself, but when I use a
    simple program like Disk Investigator v1.31 I can search and find the
    names of the files. Calling up their cluster clearly reveals the
    names of the files.

    In short, how do I get rid of the file names? I don't want to keep
    running these long wipe programs if they don't clear all the data.

    I'm running Winows XP Home Edition.

    Any help GREATLY appreciated.

    Thanks, Jake
     
    jake, May 3, 2005
    #1
    1. Advertising

  2. jake

    nemo_outis Guest

    jake <> wrote in
    news::

    > Hi all,
    >
    > If I'm in the wrong group, my apologies.
    >
    > I have been attempting to wipe some files from my hard drive. I'm
    > pretty sure that the files themselves are gone but not the file names.
    > In some of these files the name reveals some of the content of the
    > file.
    >
    > I have run several wipe programs:
    >
    > Eraser v5.7
    > Clean Disk Security v7.3
    > Wipe Disk v2.1
    > Object Wipe v1.2 (Trial Version)
    > BC Wipe v2.28
    >
    > As I said, they appear to overide the file itself, but when I use a
    > simple program like Disk Investigator v1.31 I can search and find the
    > names of the files. Calling up their cluster clearly reveals the
    > names of the files.
    >
    > In short, how do I get rid of the file names? I don't want to keep
    > running these long wipe programs if they don't clear all the data.
    >
    > I'm running Winows XP Home Edition.
    >
    > Any help GREATLY appreciated.
    >
    > Thanks, Jake
    >
    >
    >


    First of all it makes a great difference whether the file system is FAT
    or NTFS. It's harder with NTFS (which uses a MFT) to scrub names of
    erased files. I presume you're using NTFS.

    However, I use BCwipe (version 3.06.04 - latest) and it has no problem
    whatsoever erasing NTFS (and FAT) file names. Can't be recovered with
    Encase, File Scavenger, etc. Others may work as well but I haven't
    tried them in a very long while.

    Regards,
     
    nemo_outis, May 3, 2005
    #2
    1. Advertising

  3. jake

    jake Guest

    On 03 May 2005 14:31:07 GMT, "nemo_outis" <> wrote:

    >jake <> wrote in
    >news::
    >
    >> Hi all,
    >>
    >> If I'm in the wrong group, my apologies.
    >>
    >> I have been attempting to wipe some files from my hard drive. I'm
    >> pretty sure that the files themselves are gone but not the file names.
    >> In some of these files the name reveals some of the content of the
    >> file.
    >>
    >> I have run several wipe programs:
    >>
    >> Eraser v5.7
    >> Clean Disk Security v7.3
    >> Wipe Disk v2.1
    >> Object Wipe v1.2 (Trial Version)
    >> BC Wipe v2.28
    >>
    >> As I said, they appear to overide the file itself, but when I use a
    >> simple program like Disk Investigator v1.31 I can search and find the
    >> names of the files. Calling up their cluster clearly reveals the
    >> names of the files.
    >>
    >> In short, how do I get rid of the file names? I don't want to keep
    >> running these long wipe programs if they don't clear all the data.
    >>
    >> I'm running Winows XP Home Edition.
    >>
    >> Any help GREATLY appreciated.
    >>
    >> Thanks, Jake
    >>
    >>
    >>

    >
    >First of all it makes a great difference whether the file system is FAT
    >or NTFS. It's harder with NTFS (which uses a MFT) to scrub names of
    >erased files. I presume you're using NTFS.
    >
    >However, I use BCwipe (version 3.06.04 - latest) and it has no problem
    >whatsoever erasing NTFS (and FAT) file names. Can't be recovered with
    >Encase, File Scavenger, etc. Others may work as well but I haven't
    >tried them in a very long while.
    >
    >Regards,
    >
    >

    Thanks for the response. Yes, the files are NTFS

    I've seen BC3 advertised that it removes the file names but didn't
    have any first hand knowledge. A few others say they also remove them
    but when I tried them and later looked at the clusters the file names
    were still there.

    Maybe I'll give them a try.

    Jake
     
    jake, May 4, 2005
    #3
  4. jake

    nemo_outis Guest

    jake <> wrote in news:as9g7116e5eu5cug1k0hobf41cc4mr593s@
    4ax.com:

    >>

    > Thanks for the response. Yes, the files are NTFS
    >
    > I've seen BC3 advertised that it removes the file names but didn't
    > have any first hand knowledge. A few others say they also remove them
    > but when I tried them and later looked at the clusters the file names
    > were still there.
    >
    > Maybe I'll give them a try.
    >
    > Jake
    >



    Cyberscrub (version 3.5) also totally blitzes MFT entries. There's a new
    version 4 out (called Privacy Suite) but I haven't tried it. Arguably
    Cyberscrub is slightly better than BCwipe since it erases dates and
    attributes as well as the file names.

    Regards,
     
    nemo_outis, May 4, 2005
    #4
  5. jake

    johns Guest

    Have you tried Window Washer?

    johns
     
    johns, May 4, 2005
    #5
  6. jake

    nemo_outis Guest

    "johns" <> wrote in news:d59rq5$agv$1
    @news.fsr.net:

    > Have you tried Window Washer?
    >
    > johns



    Window Washer does a good job of erasing the body of files but is useless
    against MFT entries. WW's main claim to fame (as with similar products) is
    its dtabase of *where* to erase.

    Regards,
     
    nemo_outis, May 4, 2005
    #6
  7. jake

    jake Guest

    On 03 May 2005 14:31:07 GMT, "nemo_outis" <> wrote:

    >jake <> wrote in
    >news::
    >
    >> Hi all,
    >>
    >> If I'm in the wrong group, my apologies.
    >>
    >> I have been attempting to wipe some files from my hard drive. I'm
    >> pretty sure that the files themselves are gone but not the file names.
    >> In some of these files the name reveals some of the content of the
    >> file.
    >>
    >> I have run several wipe programs:
    >>
    >> Eraser v5.7
    >> Clean Disk Security v7.3
    >> Wipe Disk v2.1
    >> Object Wipe v1.2 (Trial Version)
    >> BC Wipe v2.28
    >>
    >> As I said, they appear to overide the file itself, but when I use a
    >> simple program like Disk Investigator v1.31 I can search and find the
    >> names of the files. Calling up their cluster clearly reveals the
    >> names of the files.
    >>
    >> In short, how do I get rid of the file names? I don't want to keep
    >> running these long wipe programs if they don't clear all the data.
    >>
    >> I'm running Winows XP Home Edition.
    >>
    >> Any help GREATLY appreciated.
    >>
    >> Thanks, Jake
    >>
    >>
    >>

    >
    >First of all it makes a great difference whether the file system is FAT
    >or NTFS. It's harder with NTFS (which uses a MFT) to scrub names of
    >erased files. I presume you're using NTFS.
    >
    >However, I use BCwipe (version 3.06.04 - latest) and it has no problem
    >whatsoever erasing NTFS (and FAT) file names. Can't be recovered with
    >Encase, File Scavenger, etc. Others may work as well but I haven't
    >tried them in a very long while.
    >
    >Regards,
    >
    >


    Drat, I ran last yesterday through last night the trial version of BC
    3.06.4 which according to their web site is a fully functional
    version.

    I used 7 wipes for all 4 categories ( it took 20 hours):

    System Awap File
    Files Slack
    Free Space
    MFT Records

    I just scanned the files using a simple program like Disk Investigator
    and the files appear to be wiped EXCEPT the file names.

    In short, I'm back where I started.

    I don't see any settings that I could have changed to do it any
    different.

    As I said, I'm running Windows XP with SP2 installed, and the files
    are type NTFS.

    Any suggestions welcome!

    Jake
     
    jake, May 5, 2005
    #7
  8. jake

    nemo_outis Guest

    jake <> wrote in news:ivjk71dm4dqllllvjlg88fmb4t7khg46jk@
    4ax.com:

    > On 03 May 2005 14:31:07 GMT, "nemo_outis" <> wrote:
    >
    >>jake <> wrote in
    >>news::
    >>
    >>> Hi all,
    >>>
    >>> If I'm in the wrong group, my apologies.
    >>>
    >>> I have been attempting to wipe some files from my hard drive. I'm
    >>> pretty sure that the files themselves are gone but not the file names.
    >>> In some of these files the name reveals some of the content of the
    >>> file.
    >>>
    >>> I have run several wipe programs:
    >>>
    >>> Eraser v5.7
    >>> Clean Disk Security v7.3
    >>> Wipe Disk v2.1
    >>> Object Wipe v1.2 (Trial Version)
    >>> BC Wipe v2.28
    >>>
    >>> As I said, they appear to overide the file itself, but when I use a
    >>> simple program like Disk Investigator v1.31 I can search and find the
    >>> names of the files. Calling up their cluster clearly reveals the
    >>> names of the files.
    >>>
    >>> In short, how do I get rid of the file names? I don't want to keep
    >>> running these long wipe programs if they don't clear all the data.
    >>>
    >>> I'm running Winows XP Home Edition.
    >>>
    >>> Any help GREATLY appreciated.
    >>>
    >>> Thanks, Jake
    >>>
    >>>
    >>>

    >>
    >>First of all it makes a great difference whether the file system is FAT
    >>or NTFS. It's harder with NTFS (which uses a MFT) to scrub names of
    >>erased files. I presume you're using NTFS.
    >>
    >>However, I use BCwipe (version 3.06.04 - latest) and it has no problem
    >>whatsoever erasing NTFS (and FAT) file names. Can't be recovered with
    >>Encase, File Scavenger, etc. Others may work as well but I haven't
    >>tried them in a very long while.
    >>
    >>Regards,
    >>
    >>

    >
    > Drat, I ran last yesterday through last night the trial version of BC
    > 3.06.4 which according to their web site is a fully functional
    > version.
    >
    > I used 7 wipes for all 4 categories ( it took 20 hours):
    >
    > System Awap File
    > Files Slack
    > Free Space
    > MFT Records
    >
    > I just scanned the files using a simple program like Disk Investigator
    > and the files appear to be wiped EXCEPT the file names.
    >
    > In short, I'm back where I started.
    >
    > I don't see any settings that I could have changed to do it any
    > different.
    >
    > As I said, I'm running Windows XP with SP2 installed, and the files
    > are type NTFS.
    >
    > Any suggestions welcome!
    >
    > Jake
    >




    I don't know what the heck you're doing since BCWipe does remove file names
    from the MFT. Incidentally, Disk Investigator does NOT show the names of
    erased files on NTFS volumes in directory mode!

    Regards,
     
    nemo_outis, May 5, 2005
    #8
  9. jake

    jake Guest

    On 04 May 2005 13:42:01 GMT, "nemo_outis" <> wrote:

    >"johns" <> wrote in news:d59rq5$agv$1
    >@news.fsr.net:
    >
    >> Have you tried Window Washer?
    >>
    >> johns

    >
    >
    >Window Washer does a good job of erasing the body of files but is useless
    >against MFT entries. WW's main claim to fame (as with similar products) is
    >its dtabase of *where* to erase.
    >
    >Regards,



    Beats me too. I'm not disagreeing with you that it doesn't, it just
    did not do it for me.

    When I look use Disk Investigator, using the disk view (not the
    directory view) and do a search for a file I know has been deleted,
    the search turns up the file name.

    As an example, a file I deleted a long time ago comes up using the
    search criteria of .mpg. This file is:

    17. SC2(SamanthaFox-BadAudio).mpg(504,719)

    When I go to sector 504,719 I can see the file name as shown in the
    line above. If this were a binary group I would post the image of the
    sector showing that information.

    I am at a loss. I looked at Cyberscrub 3.5 and essentially they claim
    the same abilities as BC Wipe.

    Thanks for your reply. It is appreciated.

    Jake
     
    jake, May 5, 2005
    #9
  10. jake

    nemo_outis Guest

    jake <> wrote in
    news::

    >
    >
    > Beats me too. I'm not disagreeing with you that it doesn't, it just
    > did not do it for me.
    >
    > When I look use Disk Investigator, using the disk view (not the
    > directory view) and do a search for a file I know has been deleted,
    > the search turns up the file name.
    >
    > As an example, a file I deleted a long time ago comes up using the
    > search criteria of .mpg. This file is:
    >
    > 17. SC2(SamanthaFox-BadAudio).mpg(504,719)
    >
    > When I go to sector 504,719 I can see the file name as shown in the
    > line above. If this were a binary group I would post the image of the
    > sector showing that information.
    >
    > I am at a loss. I looked at Cyberscrub 3.5 and essentially they claim
    > the same abilities as BC Wipe.
    >
    > Thanks for your reply. It is appreciated.
    >
    > Jake
    >



    I suggest you do a slightly more structured test. Create a file (say, in
    some particular directory) and fill it with a known but unusual character
    string (e.g., rumplestiltskin). Because of unique aspects of the MFT (it
    stores small files - 1 cluster, typically 4K - in the MFT) I suggest you
    also create a larger file (bigger than 4K) and repeatedly fill it with he
    string. Note the file cluster(s) and the corresponding MFT clusters.

    Then delete the files using BCWipe (or Cyberscrub or whatever) and *then*
    see if you can recover either the contents or the name with Disk
    Investigator (etc.).

    Regards,
     
    nemo_outis, May 5, 2005
    #10
  11. jake

    jake Guest

    On 05 May 2005 20:56:13 GMT, "nemo_outis" <> wrote:

    >jake <> wrote in
    >news::
    >
    >>
    >>
    >> Beats me too. I'm not disagreeing with you that it doesn't, it just
    >> did not do it for me.
    >>
    >> When I look use Disk Investigator, using the disk view (not the
    >> directory view) and do a search for a file I know has been deleted,
    >> the search turns up the file name.
    >>
    >> As an example, a file I deleted a long time ago comes up using the
    >> search criteria of .mpg. This file is:
    >>
    >> 17. SC2(SamanthaFox-BadAudio).mpg(504,719)
    >>
    >> When I go to sector 504,719 I can see the file name as shown in the
    >> line above. If this were a binary group I would post the image of the
    >> sector showing that information.
    >>
    >> I am at a loss. I looked at Cyberscrub 3.5 and essentially they claim
    >> the same abilities as BC Wipe.
    >>
    >> Thanks for your reply. It is appreciated.
    >>
    >> Jake
    >>

    >
    >
    >I suggest you do a slightly more structured test. Create a file (say, in
    >some particular directory) and fill it with a known but unusual character
    >string (e.g., rumplestiltskin). Because of unique aspects of the MFT (it
    >stores small files - 1 cluster, typically 4K - in the MFT) I suggest you
    >also create a larger file (bigger than 4K) and repeatedly fill it with he
    >string. Note the file cluster(s) and the corresponding MFT clusters.
    >
    >Then delete the files using BCWipe (or Cyberscrub or whatever) and *then*
    >see if you can recover either the contents or the name with Disk
    >Investigator (etc.).
    >
    >Regards,
    >

    Tried it. Created 1 file, 1600 bytes, another 13,000 bytes.

    Deleted one with BC and one with Cyberscrub.

    Then did a search with Disk Investigator.

    Found the names of both.

    DAMN. This is getting very frustrating.

    Cyberscrub Pro trial edition has a feature called Scramble. I am not
    quite sure what this means but it appears to be what I want.

    Here's what the Help file has to say about Scramble:

    Scramble files and folders properties
    This option is particularly useful when you want to remove any file
    attribute that may reveal the identity of the erased files and folders
    (name, data, size, etc.). When this option is enabled, the files and
    folders properties are destroyed (scrambled). Using this method may
    slow down the erase process, especially on larger hard drives
    containing large amounts of information (files/folders). However, this
    is the only method that ensures that the files and folders properties
    are properly destroyed and cannot be recovered.

    Scramble alternate data streams (on NTFS drives only)
    The NTFS file system provides applications the ability to create
    alternate data streams for each stored file/folder. Although these
    streams are not visible to the average users, they can be easily found
    on the disk even after the actual file that they belong to are
    deleted. The streams contain any kind of sensitive information since
    they have the same format as normal files do. Enabling this option
    will ensure Windows NT/2000/XP users that all alternate data streams
    attached to a file will be destroyed and cannot be restored.
     
    jake, May 6, 2005
    #11
  12. jake

    Arthur T. Guest

    In Message-ID:<>,
    jake <> wrote:

    >On 05 May 2005 20:56:13 GMT, "nemo_outis" <> wrote:
    >
    >>jake <> wrote in
    >>news::
    >>

    <snip>
    >>> As an example, a file I deleted a long time ago comes up using the
    >>> search criteria of .mpg. This file is:
    >>>
    >>> 17. SC2(SamanthaFox-BadAudio).mpg(504,719)
    >>>
    >>> When I go to sector 504,719 I can see the file name as shown in the
    >>> line above. If this were a binary group I would post the image of the
    >>> sector showing that information.

    <snip>
    >>> Jake
    >>>

    >>
    >>
    >>I suggest you do a slightly more structured test. Create a file (say, in
    >>some particular directory) and fill it with a known but unusual character
    >>string (e.g., rumplestiltskin). Because of unique aspects of the MFT (it
    >>stores small files - 1 cluster, typically 4K - in the MFT) I suggest you
    >>also create a larger file (bigger than 4K) and repeatedly fill it with he
    >>string. Note the file cluster(s) and the corresponding MFT clusters.
    >>
    >>Then delete the files using BCWipe (or Cyberscrub or whatever) and *then*
    >>see if you can recover either the contents or the name with Disk
    >>Investigator (etc.).
    >>
    >>Regards,
    >>

    >Tried it. Created 1 file, 1600 bytes, another 13,000 bytes.
    >
    >Deleted one with BC and one with Cyberscrub.
    >
    >Then did a search with Disk Investigator.
    >
    >Found the names of both.
    >


    May I suggest another test?

    Create a file. *Before* you scrub, search for its name. See
    if it shows up in multiple places. Is it possible you're finding
    the name in the list of recently referenced files (or some such)
    rather than in the directory?

    --
    Arthur T. - ar23hur "at" speakeasy "dot" net
    Looking for a good MVS systems programmer position
     
    Arthur T., May 6, 2005
    #12
  13. jake

    Tommy Guest

    jake wrote:

    > Hi all,
    >
    > If I'm in the wrong group, my apologies.
    >
    > I have been attempting to wipe some files from my hard drive. I'm
    > pretty sure that the files themselves are gone but not the file names.
    > In some of these files the name reveals some of the content of the
    > file.
    >
    > I have run several wipe programs:
    >
    > Eraser v5.7
    > Clean Disk Security v7.3
    > Wipe Disk v2.1
    > Object Wipe v1.2 (Trial Version)
    > BC Wipe v2.28
    >
    > As I said, they appear to overide the file itself, but when I use a
    > simple program like Disk Investigator v1.31 I can search and find the
    > names of the files. Calling up their cluster clearly reveals the
    > names of the files.
    >
    > In short, how do I get rid of the file names? I don't want to keep
    > running these long wipe programs if they don't clear all the data.
    >
    > I'm running Winows XP Home Edition.
    >
    > Any help GREATLY appreciated.
    >
    > Thanks, Jake


    http://dban.sourceforge.net/
     
    Tommy, May 16, 2005
    #13
  14. jake

    nemo_outis Guest

    Tommy <> wrote in news:2038670.5HhZmsLRcD@FreeBSD:

    > http://dban.sourceforge.net/




    If your security needs are mild to moderate, then mess about with file
    erasing. Personally, I think it's a fool's game.

    If your needs are serious then utterly *destroy* any old disk that has ever
    held plaintext and use a full OTFE file encryption system in future.

    The cost of new HDs is less than $1/gigabyte - doing anything less than
    destroying the old and replacing it a with a new fully-encrypted HD is
    false economy.

    Regards,

    PS The preferred solution is a fully encrypted disk/partion hosting the
    OS (e.g., DCPP, Winmagic, Safeboot, Safeguard, Winmagic, PGP Wwhole disk,
    etc.) with truecrypt (or equivalent, such as bestcrypt) holding data.
    Nesting the schemes provides additional protection in case one algorithm,
    manufacturer, etc. is compromised or is buggy.

    Regards,

    PS Full OTFE HD encryption of the OS partition/disk is essential,
    especially (if one can have an "especially" following an "essential") if
    the OS is Windoze which leaks like mad (as do many applications run under
    it).

    PPS I recommend encrypting *all* data, not just sensitive data, to avoid
    disclosing even its extent, etc.
     
    nemo_outis, May 16, 2005
    #14
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. ftran999

    need advice on wiping hard drive

    ftran999, Sep 15, 2004, in forum: Computer Support
    Replies:
    4
    Views:
    2,012
  2. hubcap

    file wiping

    hubcap, May 14, 2005, in forum: Computer Security
    Replies:
    4
    Views:
    501
    DavidPostill
    May 15, 2005
  3. Need Windows OEM disc after wiping HD

    , Sep 11, 2006, in forum: Computer Support
    Replies:
    5
    Views:
    424
    Ron Martell
    Sep 11, 2006
  4. thsman

    Secure file wiping question

    thsman, Dec 17, 2007, in forum: Computer Support
    Replies:
    12
    Views:
    1,335
  5. Trevor
    Replies:
    0
    Views:
    461
    Trevor
    Dec 30, 2007
Loading...

Share This Page