Secure delete (eraser, python) and Photorec
Posted: 13 Dec 2023, 14:35
Hey folks,
Using Win11 and tools like photorec, 010 editor, eraser, and Python scripts.
I'm trying to figure out what's going on with secure deletion. To make sure I have a handle on securely deleting specific documents on my drives, I ran some tests yesterday. I created empty partitions, dropped some files there, and then used Python to rename files, fill/overwrite them with random binary data, checked with 010 at the datablock location to confirm the random rewriting, and then erased them.
Here's the thing: Photorec can still recover some of these files, and the same goes for eraser. Sometimes, even with 3 passes, it can recover files on a partition with no cache and an empty recycle bin.
The only foolproof method seems to be doing a full single pass across the entire partition (MFT, data blocks included). But when I do a simple directory pass, searching for binary signatures with 010, I can't find them at the data location of the files, and yet, photorec can still recover some.
It's bugging me because I'm not a fan of multipass; I don't believe in it. But clearly, I'm missing something about how photorec works. It searches for binary signatures and data patterns, but am I missing something regarding NTFS journals or the MFT? Is photorec looking on other partitions for entries and data blocks? Because I simply don't understand how it can happen on a fresh partition once I have overwritten a whole directory: each file has been overwritten, the binary sequences are randomized from top to bottom, no signature, zero.
If you have any idea, it would help. I stress about it because I don't like excessively overwriting my drives; I just want to know I can rely on the tools I have when I want to get rid of a specific document without having to use containers, encrypt or wipe the whole free space for a single file. It's time-consuming, and it shortens the lifespan of drives.
Thanks for reading me.
Carl.
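An added example, not part of the original post: one way to run the overwrite-and-verify test described above in Python, overwriting in place and then scanning for file signatures. The function names, the sample signatures and the temporary test file are constructed for illustration; the scan only sees bytes reachable through the path it is given, so checking a whole volume means pointing it at a raw partition image.

```python
import os, secrets, tempfile

# Constructed sample signatures (file "magic" bytes a carver would look for).
SIGNATURES = {"pdf": b"%PDF-1.7", "jpeg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"}

def overwrite_in_place(path, chunk=1 << 20):
    """Replace every byte of an existing file with random data; returns its size."""
    size = remaining = os.path.getsize(path)
    # "r+b" does not truncate. "wb" would free the file's clusters first, and
    # the file system may then hand out different ones for the new data.
    with open(path, "r+b") as f:
        while remaining:
            n = min(chunk, remaining)
            f.write(secrets.token_bytes(n))
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # ask the OS to push the writes to the device
    return size

def find_signatures(path, signatures, chunk=1 << 20):
    """Scan a file or raw image; return {name: [offsets]} of each signature."""
    hits = {name: [] for name in signatures}
    keep = max(len(s) for s in signatures.values()) - 1
    tail, base = b"", 0  # base is the file offset of buf[0]
    with open(path, "rb") as f:
        while block := f.read(chunk):
            buf = tail + block
            for name, sig in signatures.items():
                pos = buf.find(sig)
                while pos != -1:
                    if pos + len(sig) > len(tail):  # not already reported
                        hits[name].append(base + pos)
                    pos = buf.find(sig, pos + 1)
            tail = buf[-keep:] if keep else b""
            base += len(buf) - len(tail)
    return hits

def demo():
    """Build a constructed test file, scan, overwrite, scan again."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.bin")
        with open(path, "wb") as f:  # JPEG magic straddles the 4096-byte chunk edge
            f.write(SIGNATURES["pdf"] + b"A" * 4083 + SIGNATURES["jpeg"] + b"B" * 3000)
        before = find_signatures(path, SIGNATURES, chunk=4096)
        size = overwrite_in_place(path)
        after = find_signatures(path, SIGNATURES, chunk=4096)
        return before, after, size == os.path.getsize(path)

if __name__ == "__main__":
    print(demo())
```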