| Author |
Message |
   
Stefan Fleischmann
| | Posted on Friday, Jan 5, 2001 - 20:51: | |
WinHex allows filling all sectors of a hard drive with zero bytes, any hex value pattern or even random data, optionally even more than once. This irreversibly deletes all data on that drive and thus effectively prevents it from being recovered. For shredding confidential data. You may also securely erase only unused space and slack space on a drive, which contain traces of previously existing files, by using the disk tools menu commands. |
   
Anonymous
| | Posted on Wednesday, Feb 13, 2002 - 21:44: | |
Is there any reference study explaining under which conditions (hard disk size/model/age/...) it is no longer possible to recover any deleted (by software tool only) content? I am only aware of the Gutmann article from 1996 claiming the opposite. http://www.usenix.org/publications/library/proceedings/sec96/full_papers/gutmann/ Any help on this would be very welcome, because it would allow saving enormous costs related to IT. |
   
Ken Crotty
| | Posted on Saturday, Mar 2, 2002 - 20:56: | |
When you say that WinHex can overwrite unused space on a drive, please clarify this use for the following conditions: 1) NTFS MFT record data area 2) any kind of Windows paging (swap) file, active or not. Also, for fragmented files, will a file overwrite follow the fragment chain? What about slack space in the last cluster? |
   
Stefan Fleischmann (Admin)
| | Posted on Saturday, Mar 2, 2002 - 21:09: | |
1) The master file table ($Mft) is the most important system file, the core of NTFS, and cannot be considered unused disk space. 2) An existing swap file doesn't count as unused disk space either. 3) The command File Manager | Delete Irreversibly will indeed follow a fragmented chain. Slack space in the last cluster is not touched by this function. This one only erases files, not slack space. |
   
Ken Crotty
| | Posted on Saturday, Mar 2, 2002 - 21:17: | |
Can there be a display option to locate and display $MFT records such that certain $MFT record data areas might be overwritten? Alternate color background, for example. With NTFS, any file smaller than the max size of the MFT data area will be stored in the $MFT record. To ignore this area is to permit an incomplete erasure. |
   
Stefan Fleischmann (Admin)
| | Posted on Saturday, Mar 2, 2002 - 21:30: | |
Small files are stored directly in the master file table, yes. To locate the $Mft record of a specific small file, use Tools | Disk Tools | List File Clusters. You would like WinHex to display $Mft record fields in a different color? BTW, one can often find traces of such small files in the NTFS system file $LogFile, too. For some reason, NTFS keeps additional records of the contents of such files. $LogFile is not part of the actual file itself and doesn't count as unused space either, and thus constitutes a possible security leak. Could you please explain what you mean by your last sentence? |
   
Ken Crotty
| | Posted on Saturday, Mar 2, 2002 - 22:51: | |
Could you please explain what you mean by your last sentence: It would be nice if WinHex helped locate the $MFT files on a disk, and used alternating color backgrounds to help separate each $MFT record. |
   
Ken Crotty
| | Posted on Saturday, Mar 2, 2002 - 22:57: | |
To ignore this area is to permit an incomplete erasure: You responded that the $MFT "cannot be considered unused disk space." $MFT records from deleted files may still contain the data. These should be included in any wiping process. |
   
Stefan Fleischmann (Admin)
| | Posted on Sunday, Mar 3, 2002 - 0:43: | |
Separating the records is no problem, I think, since each $Mft file record is exactly two sectors long (at least on my drives). How should WinHex help locate small files that are stored directly in the $Mft? It does this for every file individually already. Should WinHex be able to create a list of all such files?
> To ignore this area is to permit an incomplete erasure
I will think about modifying the initialization procedure appropriately. I agree it would be useful to initialize $Mft records that are not currently "active". The current implementation is correct, however, as a cluster allocated to the $Mft by definition is "in use", and not free. Please note that the command File Manager | Delete Irreversibly always securely erases the file contents, regardless of where the file contents is stored, in clusters or in an $Mft record. Considering the above-mentioned behavior of the $LogFile, I'm afraid 100% security is impossible to reach on an NTFS drive. |
   
Monique Bardot
| | Posted on Saturday, Dec 7, 2002 - 6:46: | |
Stefan, I am interested in writing MFT entries on an NTFS drive, for files that no longer exist. I erased the files, but can not erase the filename in the MFT. Can I simply overwrite the MFT data, or will that corrupt the MFT? Thanks, |
   
Stefan Fleischmann (Admin)
| | Posted on Saturday, Dec 7, 2002 - 10:27: | |
You may overwrite most, but not all of an unused $Mft entry, yes, without corrupting the $Mft. You may also use the latest WinHex 10.6 Beta version, which offers to clear all unused $Mft entries on a drive when initializing free drive space. |
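
Added example, not part of the original thread and not WinHex code: a way to verify the concern raised above by scanning an exported $Mft image for records that are marked unused yet still hold non-zero resident $DATA. It assumes 1024-byte records (two 512-byte sectors, as mentioned in the thread), uses the commonly documented NTFS record layout, skips update-sequence fixups, and runs on constructed sample records built by the hypothetical helper `make_record`.

```python
import struct

RECORD_SIZE = 1024            # assumption: two 512-byte sectors per FILE record
FLAG_IN_USE = 0x0001          # record header flag at offset 0x16
ATTR_DATA, ATTR_END = 0x80, 0xFFFFFFFF

def resident_data(record):
    """Return the resident $DATA bytes of one FILE record, or None."""
    offset = struct.unpack_from("<H", record, 0x14)[0]   # first attribute
    while offset + 0x18 <= len(record):
        attr_type, attr_len = struct.unpack_from("<II", record, offset)
        if attr_type == ATTR_END or attr_len < 0x18 or offset + attr_len > len(record):
            return None
        if attr_type == ATTR_DATA and record[offset + 8] == 0:   # resident form
            size, start = struct.unpack_from("<IH", record, offset + 0x10)
            return record[offset + start:offset + min(start + size, attr_len)]
        offset += attr_len
    return None

def stale_records(mft_bytes):
    """List (record_number, leftover_bytes) for unused records with data left."""
    hits = []
    for n in range(len(mft_bytes) // RECORD_SIZE):
        rec = mft_bytes[n * RECORD_SIZE:(n + 1) * RECORD_SIZE]
        flags = struct.unpack_from("<H", rec, 0x16)[0]
        if rec[:4] != b"FILE" or flags & FLAG_IN_USE:
            continue                      # not a record, or still an active file
        data = resident_data(rec)
        if data and any(data):            # non-zero content survived deletion
            hits.append((n, data))
    return hits

def make_record(flags, payload):
    """Hypothetical helper: build a constructed record with one resident $DATA."""
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 0x14, 0x38, flags)      # attr offset, flags
    attr_len = (0x18 + len(payload) + 7) & ~7            # 8-byte aligned
    struct.pack_into("<IIB", rec, 0x38, ATTR_DATA, attr_len, 0)
    struct.pack_into("<IH", rec, 0x48, len(payload), 0x18)
    rec[0x50:0x50 + len(payload)] = payload
    struct.pack_into("<I", rec, 0x38 + attr_len, ATTR_END)
    return bytes(rec)

# Constructed sample: one live file, one deleted-but-intact, one wiped record.
SAMPLE = (make_record(FLAG_IN_USE, b"live file")
          + make_record(0, b"secret memo")
          + make_record(0, b"\x00" * 11))
print(stale_records(SAMPLE))
```

An empty result after a wipe means no unused record in the image still carries resident file content; it says nothing about $LogFile, which the thread identifies as a separate source of traces.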
   
Martin Frey
Username: martinfrey
Registered: N/A
| | Posted on Monday, Jun 15, 2009 - 18:28: | |
I have X-Ways Security. Any chance it will work in Vista (home premium) in the near future (particularly wiping unused MFT entries)? Martin |
   
Stefan Fleischmann
Username: admin
Registered: 1-2001
| | Posted on Tuesday, Jun 16, 2009 - 2:49: | |
No, I don't think so. |
   
Martin Frey
Username: martinfrey
Registered: N/A
| | Posted on Tuesday, Jun 16, 2009 - 17:18: | |
Shame! Will any other product wipe MFT in Vista? |
   
Martin Frey
Username: martinfrey
Registered: N/A
| | Posted on Tuesday, Jun 16, 2009 - 17:33: | |
To Dan: I'll give rmd a go - but can't get through your private email spam wall! |