how to completely "Clean" my hard drive?.

techie

SuupaOtaku
Jul 24, 2008
568
4
In my opinion any program that runs within Windows is a crap shoot as to whether you're data will truly be unavailable to future forensic analysis. BCWipe is a well regarded tool in this category, as long as you understand that sometimes it's impossible to control where the OS puts your data.

I would like to post to thank you but will also make your case quite definitely on this statement.

Just for the sake of our previous discussion above I undertook a little test for the past 17 hours.

If you would care to lend me your comments on the following...

---

1) I installed CCleaner (freeware application which supposedly does a disk wipe when instructed of all empty space as well as frees all cache and temp files.) A program which you can get from one of my previously listed links and sources of information above.

2) I also installed the demo version free of charge of GetDataBack for NTFS and already had a free version of WinHex on the system.

3) I ran CCleaner to clear any and all data per default settings once.
I then ran it to Wipe Empty Disk Space once...
this took approx. 2 hours for 11.5 GB on drives C and D.

4) I noticed during the runtime that I got a warning of low diskpace on D when coming close to the end of the wipe thus deducing that CCleaner does the overwrite by not writing directly to sectors/clusters but by creating stray files and filling the space with 0's.

5) Upon completion, I opened D using GetDataBack and confirmed this by finding an excess amount of files randomly named with ZZ..ZZZZ....Z patterns in directories wit the same naming structure.

6) I then found a file of interest, which I more or less assumed I would.
Namely, bootex.log from 2009-04-05 which still was recoverable in both GetDataBack and WinHex.

I have not turned off TimeStamp in XP Professional and yet the content of Bootex.log contained references to a file which had not been on my system for more than approx. one week. Mind you it is now 2010-06-21 and the file timestamps are all around hours during 2009-04-05.

7) When looking at the overwrite patterns in the files generated by CCleaner you find in GetDataBack that all is 0's, whereas in WinHex it is a mix of characters and in some cases including references to file headers and file names showing that CCLeaner writes these files in numerical order... ranges spotted being from file 0 to file 8 with misc. extentions.


----
My conclusion on this test is therefore that CCLeaner although given a good reference does not in fact wipe a whole previously deleted file space.

Of course, having been through hell week in surgery this week I forgot to run a check to compare the differences between $MFT, MFT and $MFTMirr, as $MFTMirr is a backup generated by NTFS/MS of the Main File Table and may still contain data indexing files previously deleted.

This should however not matter for the sake of overwriting files, though it does relate to the evidence factor proving a certain file was on your system.
----

Now, also, I have turned off System Restore for the disk but this data is still contained on the disk in spite of the facts a) I dont use it and b) I have never downloaded any episodes of NCIS to this disk so that must have been done by the previous owner of the hardware.


8) Now for the truly interesting part.

I proceeding in backing up my data I wanted to keep from disk D and then dumped it all except some 3-4 GB worth just for testing.

As you say, don't trust any application running under windows and I must agree completely.

I ran HDDGURU's Low Level Format tool (freely available from http://hddguru.com) for a period of some good 6 hours to clear out disk D of 80.2 GB

It is a Seagate SATA-1 disk which has served as nothing but file storage for the past 6 months.

9) I double checked with GetDataBack for NTFS that no data was recoverable... Checked and OK, the disk comes up as all zeros

10) I double checked with WinHex 12.7 that no data was recoverable... Checked and OK, the disk comes up as all zeros

and now for the whopper....

11) I double clicked My Computer and opened the drive D: and low and behold....

After running LLF with one overpass, windows still accesses the data without any major issues. Some files fail, nut most of the data is still there.

I in fact just sent my self an email attaching some of the supposedly low level formatted data to let my boss at work take a look at this as well.

Today I will go and pick up one of a the newest 1 TB SATA 3 HDD's to test and see if this happens on the newer disks too, since the SATA-1 I have is a first gen disk.

---

Does someone care to comment on this scenario what I just did on my own system? It sure would be interesting to hear the input on this one.

The png attachments you are looking at display the above mentioned D-drive AFTER using LLF Low Level Format Tools from HDDGuru.com
 

Ceewan

Famished
Jul 23, 2008
9,152
17,034
In my opinion any program that runs within Windows is a crap shoot as to whether you're data will truly be unavailable to future forensic analysis. BCWipe is a well regarded tool in this category, as long as you understand that sometimes it's impossible to control where the OS puts your data.

I know a few people that like BestCrypt, but the smart money is usually on Truecrypt, (or even PGP), for one reason and one reason only. TrueCrypt/PGP, is/are Open Source and BestCrypt is not. That is my only knock on BestCrypt, Jetico is very respectable company in the software security industry.

CCleaner is a nice program. It is free, relatively small and wipes a lot of private data quickly from easy view. I do not know how effiecent it is compared to the more popular programs myself but running more than one program is never a bad idea when you are trying to be thorough.
 

porkar

New Member
Apr 2, 2007
177
6
It seems, 'burn, bash and bury' is the most reliable method.
 

Sakunyuusha

New Member
Jan 27, 2008
1,855
3
If you don't intend to re-use the disk, the most obvious answer is physical destruction, yes.

If you intend to re-use the disk, you'll have to research the options, test them out, see what works.
 

porkar

New Member
Apr 2, 2007
177
6
Can the snoops 'bug' your chat conversations, or read your emails?
 

Ceewan

Famished
Jul 23, 2008
9,152
17,034
Can the snoops 'bug' your chat conversations, or read your emails?

Unless your transmissions are secure it is possible someone else can "listen" in on you. That does not mean they are, just that it is feasable. Emails are very insecure as they contain http header information for others to see.

http://www.johnru.com/active-whois/trace-email.html

But as far as intercepting emails....I am not sure. Anything is possible I suppose. Again PGP is a very workable solution here. If the information is encrypted it does no one any good to intercept what they can not read.
 

RyuKaze

龍風
Jun 22, 2010
83
4
Can the snoops 'bug' your chat conversations, or read your emails?

It's impossible to take data packets from a stream unless you are either between the two communicating devices (i.e. physically connected between you and the server), or if there is a program/service running on either end which either copies or redirects the stream to another destination.

As for the original topic, there are already many good suggestions on software and other methods; but, the only 100% sure way to make data unrecoverable is physical destruction. (As guy has already suggested, a sledgehammer and bonfire will do nicely.) :evil:

It really depends on the level of recovery you wish to circumvent - If it's just from family, friends etc. CCleaner is more than sufficient. If you are trying to secure it from more tenacious and 'resourceful' people, then DBaN and other Boot-up applications will be your best bet.

To be honest, I'm wondering what you need these programs for...What do you have to hide!? :thief:
 

Ceewan

Famished
Jul 23, 2008
9,152
17,034
It's impossible to take data packets from a stream unless you are either between the two communicating devices (i.e. physically connected between you and the server), or if there is a program/service running on either end which either copies or redirects the stream to another destination.

This has been known to happen, (the reason secure connection protocols were invented in the first place, I would presume). But otherwise I would have to agree with you 100%.
 

porkar

New Member
Apr 2, 2007
177
6
If you want to change to a new OS, e.g. Windows 7, how do you know all traces of the previous OS have been removed?
 

Rollyco

Team Tomoe
Oct 4, 2007
3,562
34
See post #4 of this thread.
 

porkar

New Member
Apr 2, 2007
177
6
I tried to download it but I don't have the program, which should I use?
 

Rollyco

Team Tomoe
Oct 4, 2007
3,562
34
It's right there bro. Post #4. First link.
 

Rollyco

Team Tomoe
Oct 4, 2007
3,562
34
I have no idea what that means, you're going to have to be more specific as to what you tried and what the results were.
 

RyuKaze

龍風
Jun 22, 2010
83
4
I tried to download it but I don't have the program, which should I use?

The file is an .ISO - Which needs to be written (or burned) to a CD-R in order to work (It isn't an executable which runs from your OS.) You will need to use a program such as Nero, Alcohol, Roxio, NTI DVD etc. (If you have a CD-R, CD-RW etc. you would normally have a program which accompanied it.)

It doesn't work on my system.
I have no idea what that means, you're going to have to be more specific as to what you tried and what the results were.

From what I can make out, they haven't burned the image to a disc and booted from it - But I could be entirely wrong.
 

Rollyco

Team Tomoe
Oct 4, 2007
3,562
34
Oh I see what he meant. Yes, you need to burn the .ISO to a blank CD-R or CD-RW, and then boot the computer from that disc.

There are a lot of programs that can burn .ISO but I recommend ImgBurn.
 

porkar

New Member
Apr 2, 2007
177
6
The file is an .ISO - Which needs to be written (or burned) to a CD-R in order to work (It isn't an executable which runs from your OS.) ....

OK, thanks, that is what I am looking for.
 

kaorimamiya

New Member
Jun 14, 2007
10
0
If you want to completely erase your disk use Active@Kill Disk Hard Drive Eraser go to the killdisk.com site and download. There is a free version that overwrites your entire disk with zeros or you can buy the "delux" version that overwrites to your own spec. Multiple passes DoD Gutman etc. I think it cost about $40. All you need to produce a bootable disk are provided at the site.:perfectplan:
 

Ceewan

Famished
Jul 23, 2008
9,152
17,034
a free open source program beats a $40 closed source program anyday of the week in my book.