Re: Consequences of wiping MFT?

[R.Wieser]

Cory,

> What are the consequences of my using an eraser type program
> to wipe the MFT file?

Bad idea: You would lose access to all your files.

MFT stands for Master File Table. It contains the information where all the
files on your disk are. Comparable to the chapter index in a book.

> Will it slow down access to my programs or data?

:-) Yes.

> Will it again 'renew' itself?

Possibly, but only as a result of writing new files to the than "empty"
disk.

> I'm no tech, so don't waste your time with any big tech
> explanations. I'm just trying to protect my privacy a bit more.

By erasing the MFT you will make sure that most noone, *including yourself*
will be able to access those files anymore.

(I say "most noone", as the files are still there, and a recovery program
could possible recover them).

Regards,
Rudy Wieser

[Shadow]

On Fri, 18 Feb 2022 13:30:11 -0600, co...@NotGmail.Net wrote:

>I'm using Windows XP Pro 32 bit.
>
>I have been using 'eraser' programs for some time, but never allowed
>erasing the MFT file. My questions are:

>
>What are the consequences of my using an eraser type program to wipe
>the MFT file?
>

>Will it affect any of my programs or data files?

>
>Will it slow down access to my programs or data?
>

>Will it again 'renew' itself?
>

>I'm no tech, so don't waste your time with any big tech explanations.
>I'm just trying to protect my privacy a bit more.

You can check your journal(command line):

fsutil usn queryjournal c:

And delete it:

fsutil usn deletejournal /d /n c:

And use specialized programs like this one:

<https://privazer.com/en/download-shellbag-analyzer-shellbag-cleaner.php>

.... to delete forensic stuff Windows hides in the registry.

You can even defrag your MBR with something like UltraDefrag:

<https://sourceforge.net/projects/ultradefrag/files/stable-release/7.1.4/>

(I do all of that fairly regularly with no ill effects).

But NEVER try to delete your MBR.
HTH
[]'s
--
Don't be evil - Google 2004
We have a new policy - Google 2012
Google Fuchsia - 2021

[Paul]

You should at least know what the $USN journal does,
before deleting it.

If the file system is shut down dirty, if the file system
is corrupted, reading back the last entries added to the
journal, helps the file system remove fragments of files
that were not committed. It's part of "repair" to the file
system.

In addition, it supports the operation of the Search Indexer
(and, even for third party programs such as Everything.exe,
it needs it too).

Potentially, it allows File Explorer windows to be dynamically
updated... without pressing F5.

I suspect the size seen listed in JKDefrag for the file,
is not correct. The journal has a first_used and first_free
pointer, the pointer separation might be on the order of
32 megabytes. When it claims the journal is 15GB in extent,
that's the magnitude of the pointers, not their delta.
It's the delta between those, which is the active region.

You could try dumping the journal, and check for yourself
what quantity of information is there.

But the $USN is what makes NTFS a better file system than
FAT32. As FAT32 doesn't have the same repair capabilities
as NTFS does.

Paul

[Paul]

On 2/18/2022 2:30 PM, co...@NotGmail.Net wrote:
> I'm using Windows XP Pro 32 bit.
>
> I have been using 'eraser' programs for some time, but never allowed
> erasing the MFT file. My questions are:
>
> What are the consequences of my using an eraser type program to wipe
> the MFT file?
>
> Will it affect any of my programs or data files?
>
> Will it slow down access to my programs or data?
>
> Will it again 'renew' itself?
>
> I'm no tech, so don't waste your time with any big tech explanations.
> I'm just trying to protect my privacy a bit more.
>

This sounds like Heidi Eraser.

https://en.wikipedia.org/wiki/Eraser_(software)

https://eraser.heidi.ie

*******

Maybe it's a language issue, but I really doubt Heidi
erases the whole $MFT.

Processing the $MFT is like using dental floss. You
"clean between the teeth" for best health, OK ?

File 1000 "AnnualReport.txt" Present=Yes
LBA 5000-5007

File 1001 "SecretSauce.txt" Present=Yes <=== these are slots in the $MFT
LBA 5008-5015

FIle 1002 "BoringDiary.txt" Present-Yes
LBA 5016-5023

OK, now we'll delete the file "SecretSauce.txt"

del secretsauce.txt

File 1001 "SecretSauce.txt" Present=No
LBA 5008-5015

Notice two things. LBA 5008-5015 still exist.
With Photorec, I could recover them (maybe...) .

If I do a 1024 byte read of the $MFT, I will see

binarygarbage...SecretSauce.txt...binarygarbage

The filename is *still* present. In other words, Windows has
done the least work possible. It flipped the Present byte.
All the rest of the details are available to the police department.

Using Recuva, I can flip the Present indicator back on.
Voila, file is recovered, sauce recipe is exposed for all
to see.

File 1001 "SecretSauce.txt" Present=Yes <=== Recuva this byte
LBA 5008-5015

*******

How can the "eraser" concept help this ?

del secretsauce.txt

File 1001 "SecretSauce.txt" Present=No
LBA 5008-5015

Heidi can overwrite LBA 5008-5015, as long as
a check of the file system, reveals no operation
has already used them. That is "normal" erasing
and takes time. If you're deleting a 100GB TrueCrypt
container, that could take half an hour. That's why
Windows does not implement a Secure Erase of that nature.
No user would put up with waiting half an hour for
all the LBAs to be zeroed out.

But Heidi can also deny the existence of SecretSauce.txt, like this.
You can clean the slot, of intelligent information. I can set the
filename field to NUL.

File 1001 "" Present=No
LBA 0-0

And that is "Cleaning the slot", nor "Erasing". You are
cleaning slot 1001, to prevent recovery of the
filename (which might be incriminating).

If nfi.exe lists the file system, in all cases
it would only display this. It does not display
the contents of slot 1001, because Present=No.
WE can tell from the numbering, that something could be there.

nfi C:

File 1000 "AnnualReport.txt" Present=Yes
LBA 5000-5007

FIle 1002 "BoringDiary.txt" Present-Yes
LBA 5016-5023

But that is not an honest appraisal, as we don't
know what slot 1001 looks like. Does it look
like the way Windows left it ? We know the name
of the file. We know where it used to live.
If I scan with HxD, I can easily spot "SecretSauce.txt".

File 1001 "SecretSauce.txt" Present=No
LBA 5008-5015

*******

This will also do a superficial cleaning of C:

https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete

sdelete64 -z C:

That tool functions as a whitespace cleaner.

On pass 1, what does it do ?

File 1001 "SecretSauce.txt" Present=No
LBA 5008-5015 <=== overwrites with zeroes

On pass 2, what does it do ?

File 1001 "" Present=No <=== cleans the unused $MFT slot
LBA 0-0

Is it the equivalent of Heidi Eraser ? Absolutely not.

Heidi Eraser does a more thorough job.

If you do your own forensic analysis, you'll find that the file
system "leaks like a sieve". When I tested sdelete.exe, I must have
got 200 hits of my "secret data" in a scan.

Heidi Eraser was designed by people who regularly verified the
effectiveness of their tool, by doing those scans. That's why
the development cycle for it was so long.

Heidi is most effective, if you start using it right after
Windows is installed.

Whereas sdelete could be applied to a "mature" disk drive,
and sweep out about 99% of the objectionable material. But it
leaves enough, for the police department. You cannot trust
your future health, to sdelete.

You "clean the teeth" of the $MFT (overwrite slot 1001).
You do not erase the entire $MFT, as then none of the files
can be easily found. The files can be recovered using Photorec,
but with 100,000 "fragments" in the list, you'll make no sense of it.

There are also things you can do to the disk contents, to make
it even harder for a Photorec analysis to work. But doing so is
pointless really. If you want to thoroughly clean a disk drive
of everything, it goes like this. On my 1TB hard drive, this does
1TB of writes. Diskpart.exe is a tool in Windows itself.

Administrator Command Prompt

diskpart

list disk
select disk 2
list partition # This step helps you verify you're erasing the right disk
clean all # Zeroes out the entire disk 2, from Sector 0 to Sector End
exit

And that takes less time, than doing some other crazy shit.

I do that to disk drives, any time I need forensic detection capability.
Where is a program writing ? If you zero out a disk before starting an
experiment, it makes it easier to spot the writes using HxD hex editor.
For example, if I want to know where RAID metadata is stored, that
helps me find it.

Any chimpanzee can physically erase an entire disk. It takes
skill and practice to "clean" disks, leaving the intended files
"AnnualReport.txt" and "BoringDiary.txt" intact.

Can a forensics person tell you've been "cleaning" ? Yes.
But they won't know what you've removed.

HTH,
Paul

[Shadow]

On Sat, 19 Feb 2022 00:30:41 -0500, Paul <nos...@needed.invalid>
wrote:

I've been deleting the journal for almost 5 years so far(batch
file). No ill effects. And I have indexing turned off.
My explorer window auto-updates(when I'm re-encoding a video I
can see the file grow).
I use "Index your files" when I need to find something. Took
less than a minute to index half a million files/folders. And I can
delete the index when I'm done.
<http://www.indexyourfiles.com/index.html>
(Seems he dropped the 32 bit v5.0 freeware version.)

Disclaimer: I clone my disk once a month. And do frequent data
backups. If something does go south, I won't lose much.