Secure delete (eraser, python) and Photorec Topic is solved

Using PhotoRec to recover lost data
Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
Locked
Message
Author
luxylux
Posts: 2
Joined: 13 Dec 2023, 13:51

Secure delete (eraser, python) and Photorec

#1 Post by luxylux »

Hey folks,

Using Win11 and tools like photorec, 010 editor, eraser, and Python scripts.

I'm trying to figure out what's going on with secure deletion. To make sure I have a handle on securely deleting specific documents on my drives, I ran some tests yesterday. I created empty partitions, dropped some files there, and then used Python to rename files, fill/overwrite them with random binary data, checked with 010 at the datablock location to confirm the random rewriting, and then erased them.

Here's the thing: Photorec can still recover some of these files, and the same goes for eraser. Sometimes, even with 3 passes, it can recover files on a partition with no cache and an empty recycle bin.

The only foolproof method seems to be doing a full single pass across the entire partition (MFT, data blocks included). But when I do a simple directory pass, searching for binary signatures with 010, I can't find them at the data location of the files, and yet, photorec can still recover some.

It's bugging me because I'm not a fan of multipass; I don't believe in it. But clearly, I'm missing something about how photorec works. It search for binary signatures and data patterns but am I missing something regarding NTFS journals or MFT, is photorec looking on other partitions for entries and datablocks ? Because I simply don't understand how it can happen on fresh partition once I overwritten a whole directory, each file have been overwritten the binary sequences are randomized from top to bottom, no signature, zero.

If you have any idea, it would help, I stress about it cause I dont like excessively overwriting my drives, I just want to know I can rely on the tools I have when I want to get rid of a specific document without having to use containers, encrypt or wipe the whole freespace for a single file. It's time-consuming, and it shortens the lifespan of drives.


Thanks for reading me.
Carl.
Top
recuperation
Posts: 2737
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: Secure delete (eraser, python) and Photorec

#2 Post by recuperation »

Read

https://www.cgsecurity.org/wiki/PhotoRe ... oRec_works

and

chapter 11 of the manual titled "RECOVERING DELETED FILES USING PHOTOREC".

As Photorec provides you with location information for every file found you should take that information into account.
Top
luxylux
Posts: 2
Joined: 13 Dec 2023, 13:51

Re: Secure delete (eraser, python) and Photorec

#3 Post by luxylux »

Thanx mate.

I checked it all out. So it uses this file-carving technique with signatures. It seems that all the data blocks didn't really get overwritten with my python scripts.

Seems like Windows and Python's low-level operations don't quite vibe. Too bad because Python is easier than writing C/asm but for efficient data overwrite I'll stay away from python.
I tried an old axx file shredder, and it passed the tests.

Carl.
Top
Locked

Return to “File recovery”