Does MFT Bleach Function in Norton Utilities v15 Speed Disk Really Work

Does the MFT cleanup/bleach function in Speed Disk Norton Utilities v15 really work?  I ran the recovery of deleted files and it found 55,000+ files eligible for recovery before I stopped it.  Ran the MFT bleach/cleanup/elimination of deleted records – which ran in a second or less.  Booted my laptop.  Ran the recovery of deleted files and it found 55,000+ files before I stopped it again.  So I’m saying the MFT bleach/cleanup/elimination of deleted records DOES NOT WORK?  Has anyone tried this and found that it does work?

Hi,

 

You must "turn on" the Bleach feature before running it.

 

[Image: nu15_bleachon.JPG]

 

Did you check that checkbox previously?

Yes I did.  Also after the first bleach action (box was checked) I ran another product to zero out (hex 0's) free space and ran the recovery of deleted files a second time.  The second time came up with the same number of files eligible to be recovered before I cancelled it.

Can you please give us some extra info:

- Which Windows OS and Service Pack do you use?

- What is your current security product on the machine?

- In which format is your partition formatted (FAT32, NTFS)?

- How big is the partition?

 

Thanks.

Windows 7 Professional (x64) Service Pack 1

Norton 360 Premier Edition

NTFS

309 GB

Maybe it's a stupid question, but did you restart the PC after the bleaching?

 

As you can see in the picture, a reboot is required to clean the Master File Table records.

Yes I did reboot.  Can you look at any log files to see/verify steps taken?  Run in a debug mode?

What was the other program you used that also didn't work?

Dave

Dave -

 

The other program is Migo Digital Shredder 4 Premium.  I believe that worked as it ran for 12 hours and the disk activity light was on that whole time and you can hear disk activity.  It ended normally with no error messages.

 

The reason why I'm saying that is that does the Recover deleted files function search the MFT for deleted files and when you attempt to recover one of those deleted files it can't recover it as the actual data is overwritten?  To me it looks like the delete of the actual MFT record of the deleted file is never BLEACHED and when you run the recover function again you get the record showing up in the MFT.  BTW - I used the DEEP SCAN in the recover function - as the quick scan comes up with zero files found.

 

 

Norton Utilities 15's Bleaching function works this way: it does not write 0s to every free segment on the HDD; it simply overwrites the free space with blank data files. This way recovering any data is impossible with standard recovery methods (like with software recovery tools).

 

Why can you still see files? It is because you checked the files via Deep Scan. There's almost 0% chance to restore any of those files NU15 can see. If anything can be recovered it will just be some random bytes... Nobody will be able to read them.

Oh - I was thinking that the bleaching function would bleach/eliminate the ACTUAL MFT record of a deleted file.  And then if another product was used to overwrite free space then any space allocated to the deleted file would be overwritten - hence ALL DATA INCLUDING THE ACTUAL MFT RECORD/ENTRY OF A DELETED FILE WOULD BE ELIMINATED/DELETED.

In Windows the file name is actually separate from the actual data of the file.  The file takes up a space on the hard drive and the name of that file is really just a record in the master fat table (MFT).

 

For instance, if you make a text file in Notepad and name it A.txt and save one character inside it like 1, if you view the properties of the text file you will see that its size is 1 byte.  (1 character is one byte)

Now if you rename that file to abcdefghijklmnopqrstuvwxyz.txt you will see that the file size is still only 1 byte.

That shows you that the filename is separate from the file, otherwise the size of the file would have increased by 25 bytes.

 

So that shows you for any file, it is really 2 parts.  The actual file is the data and the name is a record in the MFT.

When you overwrite a file, it overwrites the data part on the hard drive and makes the contents of the file unrecoverable.

But the record is still in the MFT so the name of the file may be visible but the data of the file is unrecoverable.

Usually this isn't a concern unless the name of the file gives away what you may or may not have had on the system at one time. 

 

In order to remove the file name, the record in the MFT has to be "scrambled".  Because of Windows limitations and the fact that this table holds all the records for every file name on the system, it can't be overwritten or erased; all that can be done is "scramble" the record.   When that is done you may or may not still see "gibberish" names in the recovery wizard.

You may notice random names in the recovery wizard but the actual files are unrecoverable.

 

If you see file names that are still "Green" and recoverable, it's usually due to the location of the files.

Windows is unable to lock certain folders in use.  The only way I have gotten around that is by trying to wipe the free space right after a reboot (before opening any programs), or by thoroughly defragmenting the drive to move the physical location of those folders and then wiping the free space of the former location.

 

It's actually very difficult to wipe data off a system, that's why it is so easy for people to recover sensitive data from one.

The only true and reliable way to do it is from "outside" of Windows when nothing is in use and when you can use something that does not have to "respect" Windows folder and user permissions.

 

It's not an easy task but it's nice to have the recovery wizard to give you an idea on what is still there.

 

Dave
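
An added example, not part of the original thread and not code from Norton or any other tool named here: it parses constructed NTFS FILE records to illustrate the point in the post above, that a deleted file's name stays readable in its MFT record until the record itself is overwritten. The helpers `build_record`, `delete` and `scrub`, and the sample file names, are assumptions made for illustration; real records also carry update-sequence fixups, which are skipped here.

```python
import struct

IN_USE, ATTR_FILE_NAME, ATTR_END = 0x0001, 0x30, 0xFFFFFFFF  # header flag, attribute types

def build_record(name, in_use=True):
    """Constructed sample: FILE record with one resident $FILE_NAME attribute."""
    fn = bytearray(0x42) + name.encode("utf-16-le")
    fn[0x40], fn[0x41] = len(name), 1          # name length, Win32 namespace
    body = bytes(fn) + b"\x00" * (-len(fn) % 8)
    attr = struct.pack("<IIBBHHHIHBB", ATTR_FILE_NAME, 0x18 + len(body),
                       0, 0, 0, 0, 0, len(fn), 0x18, 0, 0) + body
    hdr = bytearray(b"FILE".ljust(0x38, b"\x00"))
    struct.pack_into("<HH", hdr, 0x14, 0x38, IN_USE if in_use else 0)
    return bytes(hdr) + attr + struct.pack("<I", ATTR_END)

def delete(rec):
    """Assumed model of a delete: only the in-use flag at 0x16 is cleared."""
    flags = struct.unpack_from("<H", rec, 0x16)[0] & ~IN_USE
    return rec[:0x16] + struct.pack("<H", flags) + rec[0x18:]

def scrub(rec):
    """Hypothetical wipe of a free record: keep the header, zero the attributes."""
    return rec[:0x38] + struct.pack("<I", ATTR_END) + b"\x00" * (len(rec) - 0x3C)

def parse_record(rec):
    """Return (in_use, names) for one record, or None if it has no FILE signature."""
    if rec[:4] != b"FILE":
        return None
    off, flags = struct.unpack_from("<HH", rec, 0x14)
    names = []
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen < 0x18 or off + alen > len(rec):
            break
        if atype == ATTR_FILE_NAME and rec[off + 8] == 0:   # resident only
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            c = rec[off + coff:off + coff + clen]
            if len(c) >= 0x42:
                names.append(c[0x42:0x42 + 2 * c[0x40]].decode("utf-16-le", "replace"))
        off += alen
    return bool(flags & IN_USE), names

def residual_names(records):
    """File names still readable in records that are no longer in use."""
    parsed = [p for p in map(parse_record, records) if p and not p[0]]
    return [name for _, names in parsed for name in names]

SAMPLE_MFT = [build_record("keep.txt"), delete(build_record("tax-2011.xls"))]  # constructed
print(residual_names(SAMPLE_MFT))
```

Running `residual_names` over the same records after `scrub` returns an empty list, which is the check to make after any MFT cleanup pass.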

 

 

 

Ok - some of that info I got during some of my computer forensics courses.  I'll try the defrag and then free space wipe after an MFT bleach.

CCleaner has an interesting way to get rid of the entries in the MFT. They keep producing dummy files that will eventually overwrite the unused names.

I've been using CCleaner for years but I never tried wiping free space with it.

I installed Norton Utilities 15 on my test system a couple hours ago and got the results I expected; in XP a lot of files were untouched in the "documents and settings" folder and the program folder.

 

I've been using a free program called "Eraser" for many years.  For some reason I can't recall I didn't like the new version 6 but I just installed that on my test system to give it another try.

 

All my systems dual boot and I have always had much better results wiping free space from the other OS so nothing is locked or in use.   I also used to run some tools from a PE disk.

 

One of the problems with the MFT is that there isn't really a way to "compress" it.  It just grows and grows and Windows never provided a way to remove all the old entries and rebuild it to make it smaller, like what happens when you optimize the registry or compress email folders.  There is a program that claims to be able to do it but I never got around to testing it.

 

I'll try CCleaner as soon as Eraser is done. It might take a while.

Dave

What is the Eraser you mentioned?  Is that like a wipe of free space?  Can you run the Norton disk defrag from a Windows 7 Professional boot disk?  Any documentation on this?

 

Thanks

Here is Eraser

http://eraser.heidi.ie/

 

I doubt you can run Speed Disk from a Windows 7 disk.  Chances are there are too many system files and registry entries needed.  I'm not really sure what can be run from the Windows 7 recovery disk in the first place.  I never tried much.

 

I do however have a couple of Windows PE disks that I can run certain "portable" apps from.  One I use a lot is "Defraggler portable" and that is a disk defragmenter.

I can't recall if I ever tried CCleaner portable or not, but both of those are freeware too.

 

Making an XP-based PE disk is fairly straightforward using something like UBCD4Win (an improved BartPE).

There are some plugins available for Eraser if it's not already included.

 

Making a Vista or Windows 7 PE disk is not so easy.  I've done it a couple of times but I really don't understand it very well.

Red is by far the expert here in that.

 

Dave