This is pretty long and verbose and I apologize for that, but I thought you might be interested in a test
of Eraser I performed.
The latest PortableApps version of Heidi.ie's Eraser (v5.82) was subjected to a test in order to determine
its effectiveness as a secure file eraser. The test was performed using a simple, reproducible formula.
Five text files, labeled consecutively TEST1, TEST2, TEST3, TEST4, and TEST5 were created. Each of these files
contained a different random 20-character alphanumeric string that was repeated 10 times in the text file.
These files were created on a laptop and uploaded to the test computer via a Western Digital 120GB Passport.
(example string: dMFO8p1qBSdEVhIRcL5m)
The files would be uploaded to the computer from the Passport individually for each test. The test file
would be placed in the C:\ drive of the test computer. The test file would be opened in Notepad, so that
the test's file string could be copied to the Clipboard. Then, Eraser would be run and the file would be dragged and
dropped into the Eraser task area. The file would then be erased according to the preferences of the test.
After the file was erased, a program called "Disk Investigator" would be opened. Disk Investigator is a forensic tool
similar to a powerful hex editor that can be used to recover deleted data and most importantly: search throughout
a hard disk for a specific string. In the "Search" box of Disk Investigator, the string that had been copied from the test
file to the Clipboard earlier was pasted. Disk Investigator then searched the C:\ drive to find the string in question, and if the string was found it was stopped and the result recorded.
(Disk Investigator can be found at http://www.theabsolute.net/sware/dskinv.html.)
By this test method, if Disk Investigator fails to find any of the random strings after using Eraser, then
these files can be considered to be unrecoverable and securely erased. If strings are found by Disk Investigator
after using Eraser, then the ability of Eraser to securely erase files is called into question.
Environment:
Eraser's default File Erasing settings:
Overwrite Cluster Tip Area: Yes
Overwrite File Names: Yes
Overwrite Alternate Data Streams: Yes
Computer Info:
The test computer was an HP Pavilion running Windows XP SP2 with an Intel Pentium 4 processor, 504MB of RAM and a 32.3GB hard drive. The computer was not connected to the Internet, and the user was logged in as an Administrator. The hard drive was not in any significant state of defragmentation. It had no significant utilities running while these tests were being performed, and there were no backup or data restore utilities installed or running, including System Restore.
----
Tests:
First Test:
Erasing Method: 'Only first and last 2KB'
Passes: 1
Strings found: Yes
Conclusion: This file was not satisfactorily deleted.
Second Test:
Erasing Method: 'Pseudorandom Data'
Passes: 1
Strings found: Yes
Conclusion: This file was not satisfactorily deleted.
Third Test:
Erasing Method: 'US DoD 5220.22-M (8-306. / E)'
Passes: 3
Strings found: Yes
Conclusion: This file was not satisfactorily deleted.
Fourth Test:
Erasing Method: 'US DoD 5220.22-M (8-306. / E, C and E)'
Passes: 7
Strings found: Yes
Conclusion: This file was not satisfactorily deleted.
Fifth Test:
Erasing Method: 'Guttmann'
Passes: 35
Strings found: Yes
Conclusion: This file was not satisfactorily deleted.
*The numbers of instances of strings being found for each search were typically in the high twenties, whereas there were only ten instances of each alphanumeric string in each text file. Also, Disk Investigator typically found the strings when it was about 8% or 9% through the scan.
----
Conclusion:
The finding of these strings after Eraser had deleted the files in question is no different than the contents of a sensitive document being found after deletion by Eraser. While complete recovery of a document deleted by Eraser may not be easy, there is a great risk that sensitive information may still be present after Eraser is used.
I cannot postulate why these strings have been retained by the hard disk even after Eraser was used to delete them. Disk Investigator scanned only the hard drive, not the RAM, and I cannot picture a scenario like this happening because of cached data in the pagefile. In the tests, the file was deleted IMMEDIATELY after it was copied to the hard drive from the Passport, so there really was little time for any pre-existing programs to have created a copy of the file if such programs were installed.
Anyone is welcome to do this same test themselves, and probably should if they are concerned. I encourage someone else to see if the same thing occurs on their computers (or even external storage media) in order to determine if this is a singular problem or an important security risk.
PS: I have done less intensive testing with other file shredders (Omziff's file shredder, Spybot S&D's file shredder, and dsDel) and I have noticed the same thing. This was both on a Toshiba laptop running Vista AND the test computer used in the above tests.
PPS: I did another test where I created a text file in the C:\ drive with the single string "LOLCHEESEBURGERSALSOCATS". After using Eraser with the Pseudorandom 1-pass erasing method on
the file, I restarted the computer and then proceeded to run Disk Investigator. In little time, DI found the string.
While an interesting test, what's your point in posting this here? You're better off posting in the Eraser forum. This software is not developed here. Are you saying your results are different for the installed versus portable version of the software? If not, then you need to take this up with the Eraser devs.
I have posted this at Heidi.ie's forum, I just thought that any PortableApps users who actually use this app might be interested in if it works.
Ironically the maker of this freeware 'Disk Investigator' also offers a secure deletion software....which isn't quite so free.
>secure deletion software....which isn't quite so free.
Otto Sykora
Basel, Switzerland
However, I can remember that when the wipe function of the known PGP software was tested, some strange results came up too.
Wipe under Windows was always a trouble, since often all that one thinks happens, happens only in the buffers and will not be done directly on the disk in question.
Someone used the standard 8-times wipe and overwrite, but still found remnants of files on the disk.
Otto Sykora
Basel, Switzerland
Why not just write it down on some paper? Do you know what Windows does with stuff on the clipboard? (I don't, so I wouldn't put something there that I didn't want to find on the disk.)
trf197
Good point about the clipboard. I don't have any idea what happens to that data either. I would assume it has a good chance of being cached to disk at some point.
The idea of having a few random chars is nice, but simpler, longer text should be used for such tests.
Then it is essential to make such a test on a partition which does not contain the swapfile!
The use of the clipboard is not useful in such a case either; it will also use its own spaces accessible only to the operating system.
I took a new empty partition with no system or anything at all on it.
Placed a file with a not previously used text string on that partition.
Used Eraser to wipe it out; in fact I used the 7x wipe, since I know that a magnetic disk has to be overwritten at least 8x to withstand real forensic analysis.
There were no traces found with any 'quick' and simple software running under Windows. Also the mentioned DI did not find anything.
However, doing a similar test on the partition containing the swap file, traces were found, but it was not easy to find where they hide, probably in the swap or so.
Wiping under Windows was never simple. I think in present versions there exist some internal commands to avoid everything happening in buffers only, similar to the Linux command 'sync'.
I do not know this command so far, however, and if the authors of wipe software found their own way, ok, but for many years wipe under Windows was just a promise of software manufacturers, not reality.
Could someone tell me how the 'sync' command is done under Windows?
One more thing: it is important to see if the found text strings are in the same place where the originals of the files were, or if the findings are in other places, e.g. from the clipboard or swap etc.
Otto Sykora
Basel, Switzerland
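The marker-and-scan method from the original post, together with Otto's point about checking where the hits lie, as an added Python example (not the poster's script, not Eraser, and not Disk Investigator): it writes a random 20-character marker into a constructed sample image, scans the image byte by byte for the marker and reports every offset, then overwrites only the copy at the "file" location and rescans to show that a second copy (standing in for a journal or cache copy) is still findable. To scan a real volume you would pass a raw device path such as `\\.\C:` (assumed, needs administrator rights) instead of the temp file.

```python
import secrets
import string
import tempfile

ALPHABET = string.ascii_letters + string.digits

def make_marker(length=20):
    """Random alphanumeric marker like the 20-character test strings."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def build_image(marker, offsets, size):
    """Constructed sample 'disk image': zeros with the marker at each offset."""
    img = bytearray(size)
    needle = marker.encode("ascii")
    for off in offsets:
        img[off:off + len(needle)] = needle
    return bytes(img)

def scan_for_marker(path, marker, chunk_size=1 << 20):
    """Return every byte offset where marker occurs in the file or raw device at
    path. The last len(marker)-1 bytes of a chunk are carried into the next read
    so a hit straddling a chunk boundary is not missed."""
    needle = marker.encode("ascii")
    keep = len(needle) - 1
    tail, base, hits = b"", 0, []          # base = absolute offset of buf[0]
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            buf = tail + chunk
            i = buf.find(needle)
            while i >= 0:
                hits.append(base + i)
                i = buf.find(needle, i + 1)
            tail = buf[-keep:] if keep else b""
            base += len(buf) - len(tail)
    return hits

def overwrite_at(path, offset, length):
    """Overwrite one copy in place with random bytes: the 'erase' step."""
    with open(path, "r+b") as f:
        f.seek(offset)
        f.write(secrets.token_bytes(length))

if __name__ == "__main__":
    marker = make_marker()
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        # Copy at 1000 is the file body; copy at 5000 mimics a journal copy.
        tmp.write(build_image(marker, [1000, 5000], 8192))
    print("before erase:", scan_for_marker(tmp.name, marker))
    overwrite_at(tmp.name, 1000, len(marker))
    print("after erase: ", scan_for_marker(tmp.name, marker))
```

Comparing the offsets before and after the erase tells you whether a hit is the original file location or a copy elsewhere, which is the distinction Otto asks for.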
Joel from Eraser's dev team replied to my inquiry there, and explained that the data retention is because of the NTFS formatting, which uses a journal system that creates copies of data to help prevent data loss. The only way to circumvent this is to use the command "fsutil usn deletejournal C:" to disable journaling on your disk or to use a FAT file system.
This is in addition to all the above; I did not think about that, since many experiments I did earlier were on FAT partitions, which also had difficulties sometimes.
But the deletion of the journal, well, those commands are not found in any ...for dummies book.
But it makes sense altogether. It is also the problem many antivirus software were fighting some years ago, when they were able to clean the visible part fine, but all the malware was still on the disk etc.
Also the system backup of the partitions used today will cause similar problems, and still the buffer for disk write ops too.
Otto Sykora
Basel, Switzerland
I don't understand this tech stuff and I am new to PortableApps. My understanding is you can use PortableApps on a thumb drive and save text documents and emails on the thumb drive; then if you want to access these saved files you can plug the thumb drive into any computer to access the information, and from what I have read it will not leave any trace on the host computer.
If this is so, why would anyone be worried about what was left on the computer's hard drive? Surely the sensitive information is on the thumb drive and not on any hard drive.
Perhaps I have read the wrong information, and if I use my thumb drive that has PortableApps installed and plug the thumb drive into, say, my work's computer and access information on it, traces of my activity are left on the hard drive of my work's computer.
which is mostly used not to explicitly wipe traces from portable apps, but traces of other events on a computer.
As you can see, it is not so simple as it is 'sold' often.
Also portable apps will leave some traces, though not any personal info on the host.
Otto Sykora
Basel, Switzerland