1. Can such a file now be recovered using Encase?
2. Why has Evidence Eliminator failed to remove all traces of deleted
files it has claimed it can remove?
3. Is Evidence Eliminator on the above basis a total failure?
Comments would be appreciated.
Evidence Eliminator is a shoddy piece of bloatware marketed by
assholes who make spammers blush!
Regards,
I am aware of the spam operation that Evidence Eliminator uses but from
my initial findings they also are selling software that does not appear
to work as it claims. I do not think that Evidence Eliminator should be
making such claims if their software is leaving users still vulnerable
who think their files are erased but in fact they are not.
Use BC Wipe instead. It's free ( http://www.jetico.com/ ).
Having any program called "evidence eliminator" on your computer
will not look good to any wife, police, judge, or jury if it
ever comes to that.
I recommend you eliminate it from your system forthwith!
Gerard
<fs...@fsdf.com> wrote in message
news:Qn5sd.204396$SM5....@news.easynews.com...
I use BC Wipe v2.28, which is fully freeware.
I'm sure it's available on some legacy sites. Just
Google for it. I like it.
> A truly free and open source piece of software that is
>second to none is ERASER by Sami Tolvanen/Garret Trant.
> http://www.heidi.ie/eraser/
Thanks for the tip, I'll check it out.
What you describe means that Evidence Eliminator has wiped the file, but not
its entry in the MFT. One can still have information about what the file was
(size, date...) but cannot recover it.
If you want to completely wipe any trace of the past existence of a file, you
should use Eraser (as a previous poster said) to wipe the free space on the HDD, and
activate the MFT cleaning option.
Regards,
--
Michel Nallino aka WinTerMiNator
http://www.winterminator.fr.st (Internet and security)
http://www.gnupgwin.fr.st (GnuPG for Windows)
Invalid e-mail address; to contact me:
http://www.cerbermail.com/?vdU5HHs5WG
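As an added illustration of the advice above (this is my own example, not code from the thread or from Eraser or any other tool named in it): the crude way to wipe free space and recycle unused file-table records is to fill the volume with filler files until the filesystem reports it is full, delete them, and then create and delete a large number of tiny files so that freed records get reused and overwritten. The script below does both. The `max_bytes` cap, the filler-name prefix, the file-size cap and the record counts are my own choices for demonstration; it does not touch NTFS journal data ($LogFile, $UsnJrnl), file slack, or blocks an SSD has retired, so it is no substitute for a proper wipe tool.

```python
"""Added example: wipe free space and recycle file-table records by filling
the volume with filler files. Not part of the original thread."""
import errno
import os
import secrets
import tempfile

FILLER_PREFIX = "wipe-filler-"        # assumed name for our own filler files
ZERO_CHUNK = bytes(1 << 20)           # 1 MiB of zeros, sliced per write


def fill_free_space(directory, chunk_size=1 << 20, file_size=1 << 30, max_bytes=None):
    """Write zero-filled files under `directory` until the volume reports
    ENOSPC (or `max_bytes` have been written, for testing). Every cluster
    the filesystem hands out was free, so whatever deleted-file data sat
    there is overwritten. Files are capped at `file_size` because FAT32
    refuses files of 4 GiB or more. Returns (bytes_written, [paths])."""
    chunk = ZERO_CHUNK[:chunk_size]
    written, paths, n, exhausted = 0, [], 0, False
    while not exhausted and (max_bytes is None or written < max_bytes):
        path = os.path.join(directory, f"{FILLER_PREFIX}{n:06d}.bin")
        n += 1
        try:
            fh = open(path, "wb")
        except OSError as e:
            if e.errno == errno.ENOSPC:   # no room even for a new directory entry
                break
            raise
        paths.append(path)
        with fh:
            in_file = 0
            while in_file < file_size and (max_bytes is None or written < max_bytes):
                piece = chunk if max_bytes is None else chunk[:max_bytes - written]
                try:
                    fh.write(piece)
                    fh.flush()            # push past Python's buffer so ENOSPC surfaces here
                except OSError as e:
                    if e.errno != errno.ENOSPC:
                        raise
                    exhausted = True
                    break
                written += len(piece)
                in_file += len(piece)
            try:
                os.fsync(fh.fileno())     # force the data out of the OS write cache
            except OSError:
                pass
    return written, paths


def remove_fillers(paths):
    for p in paths:
        try:
            os.remove(p)
        except FileNotFoundError:
            pass


def churn_file_records(directory, count=2000, data_size=512):
    """Create `count` tiny files with random names and random contents, then
    delete them. On NTFS a freed MFT record keeps the old name until the
    record is reused; new files typically take free records, and a payload
    this small is stored resident inside the record, so both the stale name
    and stale resident data get overwritten. Returns the number created."""
    made = []
    for _ in range(count):
        path = os.path.join(directory, FILLER_PREFIX + secrets.token_hex(16))
        try:
            with open(path, "wb") as fh:
                fh.write(secrets.token_bytes(data_size))
        except OSError as e:
            if e.errno == errno.ENOSPC:
                break
            raise
        made.append(path)
    remove_fillers(made)
    return len(made)


def wipe_free_space(directory, churn_count=2000, **fill_kwargs):
    """Fill, delete the fillers, then churn records. Returns (bytes, churned)."""
    written, paths = fill_free_space(directory, **fill_kwargs)
    remove_fillers(paths)
    return written, churn_file_records(directory, count=churn_count)


def demo(max_bytes=1 << 16, churn_count=100):
    """Dry run in a temporary directory with a byte cap, so it never really
    exhausts the disk. Returns (bytes_written, files_made, all_present_before_cleanup,
    files_churned, leftover_filler_names)."""
    with tempfile.TemporaryDirectory() as d:
        written, paths = fill_free_space(d, chunk_size=4096, file_size=16384, max_bytes=max_bytes)
        present = all(os.path.exists(p) for p in paths)
        remove_fillers(paths)
        churned = churn_file_records(d, count=churn_count)
        leftovers = [n for n in os.listdir(d) if n.startswith(FILLER_PREFIX)]
    return written, len(paths), present, churned, leftovers


if __name__ == "__main__":
    print(demo())
```

To run it for real, call `wipe_free_space("X:\\")` (or a directory on the volume you want cleaned) with no `max_bytes`; expect it to take minutes on a large volume, which is exactly why no deletion utility does this on every delete.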
On Sat, 04 Dec 2004 12:09:49 -0500 (In-Reply-To:
<41b0d6e1$1...@mk-nntp-2.news.uk.tiscali.com>), "Roger Parks"
<Completelyb...@Privacy.net> wrote:
> > 1. Can such a file now be recovered using Encase?
>
>Don't know about Encase; but the data/file can be recovered by hand. You
>would have to reassign a filetype to the recovered raw data - something
>most easily done with .txt files. Presuming that Encase searches for
>file "signatures", I'd imagine it can recover them handily. Depends upon
>how long the OS keeps this info.
>
> > 2. Why has Evidence Eliminator failed to remove all traces of deleted
> > files it has claimed it can remove?
>
>I'm guessing that you have NTFS. It has cleaned the MFT and the data to
>which that referred. It failed to clean the journalling metadata which
>is maintained in a separate little "file table" by the I/O driver.
>
> > 3. Is Evidence Eliminator on the above basis a total failure?
>
>Yes. Absolute failure.
>
> > Comments would be appreciated.
>
>Inspired by BlueJay's testing, I ran some deletion/cleaning tests
>of every freeware "deletion/cleaning" proggy that I could find -
>followed by physical disk scanning.
>
>IMHO:
>
>1. Eraser is fine (best) for deleting primary data and MFT, i.e. for
>"secure" deletes. Possibly all you need for FATxx
>2. But for NTFS, you must additionally clean out the metadata that
>Eraser misses. So periodically, I run two programs; each making a single
>pass: Russinovich Secure delete, followed by Restoration 2.1. After
>running Restoration, delete the file records as well.
>3. I run these (and AV/AT/ defragmentation) from a second little
>os/partition (2k) on the HD. A second OS allows complete access to the
>primary OS for cleaning, file deletion, and especially AV/AT scans - as
>"stealth" viruses and rootkits can't hide :-)
>4. Based on my tests, FAT32 did not create residual metadata (shouldn't
>- as it is not journalling) - though it certainly creates some
>transitory pieces of the files in I/O buffers 'til the write is
>successfully completed.
>
>So rebuilding your box using FAT32 and using Eraser for all deletions
>(including those deletions that you effect from RunOnce or Autoexec.bat
>before system startup) should put you in much better shape. 'Til then,
>consider doing these periodic cleanings.
No - at the time I believed it to be payware (I was looking for freeware).
A few thoughts:
1. IF Steganous erase is a deletion utility, then it seems extremely
unlikely that it will get the metadata on an NTFS volume. Reason is that
for it (or anything else) to succeed at doing that, it would have to either:
   (a) Interrogate both the MFT AND the I/O driver's internal database;
   overwrite data; then overwrite the entries in the directory and
   database. Probably the driver's database is unavailable to anything -
   even a kernel-level driver. Just ain't gonna happen.
   or
   (b) Interrogate and delete the MFT entry, then "wipe" the freespace
   (thereby not having to locate it specifically). A thorough "wipe"
   consumes a lot of time (minutes), so nobody will do this as part of a
   deletion routine. (though Nemo Outis's idea of filling up the partition
   with filler files would reduce that time).
So, IMHO, one can NOT rely upon -any- deletion utility to keep one's
NTFS volumes clean. You're gonna have to wipe!
2. IF Steganous erase is a wipe utility, then it could well be effective
- but then it certainly would brag about its ability to get the
metadata, as that is both important and rare. If it doesn't
indicate that it does this vital function, then I'd guess it doesn't.
3. IMHO, Eraser is great --for deletions only--!. (I use the
command-line version within a script to "erase" numerous logs, .dats,
and other things at boot up and shut down.) But Eraser does NOT get the
metadata.
4. I looked at my original summary of these tests and realize that the
PGP erasing utility (6.5.8 ckt) ALSO got the metadata. So you have a
choice of it or Russinovich to get the metadata through a wipe. I chose
Russinovich because it has a command-line option, and you can construct
a script that'll wipe, defrag, and virus scan your OS overnight.
5. Restoration doesn't get the metadata, but it cleans out the MFT
beautifully - NO suggestive names left behind.