EE can be set to wipe the contents of files without deleting the file itself. It seems to fill the file with garbled binary gook. This is the method EE seems to prefer even if you tell it to delete the entire folder plus the files inside. In my version, I cannot get it to wipe the file by reducing the file size to zero length. I do have the latest version. Does anyone else experience the same? Please don't answer unless you have checked with File Recovery and recovered these files and examined them.
Since writing the above, I have found that the program was acting weirdly because of an impending Redmond crash. I have done further tests and EE does do the file wiping exactly as it is supposed to do - however, it has a fatal flaw, that in my opinion puts it out of the running as a serious security tool. See more on this HERE. (Choose the Evidence Eliminator link.)
I also have found that WindowWasher fills the file length with rubbish, too.
However, it falls down on the job of disguising erased file names. It always leaves one, sometimes two, file names intact. This fact alone should dispel any idea you might have of using WindowWasher as a security program.
The first pic shows the recovered output in Notepad. The second shows the trashed file names in DirSnoop. In addition, I found that Scorch, the popular swap file overwriter, wipes the file and leaves it filled with meaningless binary slop. If Scorch is used on normal files, it does leave the complete file name and size intact.
My choosing text files for this test is more appropriate because Disk Investigator allows us to peek directly into the file and ascertain if EE really did overwrite the data beyond recognition. With some format other than text, the uninitiated, like myself, would not know what they were seeing if we peeked in with a hex editor. However, Disk Investigator has a neat little feature that allows you to peek into a file after it converts it to text, which is what these files were to start with. So, if EE flubs the dub and leaves info in there, we can catch it with Disk Investigator.
First, let's erase some text files with EE and then peek into them with Disk Investigator.
Here is what we see in File Recovery after erasing some text files with EE.
As is plainly evident, the file sizes are more than zero, which shows that EE wiped the contents, not the file itself. Notice also that File Recovery says the chances of recovering them are GOOD. Clearly visible are some temp files which are left over from EE's machinations. What is egregiously wrong here is that EE has left the file names of the erased files intact. Now, let's use File Recovery's OBJECT | SAVE TO... menu to save these "erased" files to another directory and open them with Notepad.
Well, it looks like EE filled the file with garbage. But is there any useful info in there? Let's use Disk Investigator to peek into some text files to acquaint ourselves with it. Choose an unerased text file and use the VIEW menu option at the bottom of Disk Investigator, not the top menu item. (See pic below)
Now click the VIEW menu at the bottom of Disk Investigator for the next view as to what is really in the file. Make sure you select TEXT at the top left of the new window. Notice in the pic below that the text of the file is the narrow column on the right of the window. That is what is in the file.
We can plainly see that this is indeed a text file. Now if EE did fill the files with random garbage and left some of the original text inside, we should be able to see it.
Choose one of the files wiped by EE. Open Disk Investigator and peek inside. Here's what you'll see.
As you can see, when scrolling through the right hand column, nothing but random garbage is seen. If any text were left over, it would be immediately obvious. It seems EE did not leave any "smoking gun" behind.
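The by-eye check in the text view can also be scripted. The following is an added example, not part of the original page or of any tool it mentions: it scans the bytes of a recovered file for surviving runs of readable text and reports byte entropy. The function names and the sample buffers are constructed for illustration.

```python
import hashlib
import math
import re
from collections import Counter

# Runs of printable ASCII (plus tab/CR/LF) at least MIN_RUN bytes long.
# Random fill contains short printable runs by chance, so the threshold is
# set high enough that those are not reported as leftover text.
MIN_RUN = 16
TEXT_RUN = re.compile(rb"[\t\n\r\x20-\x7e]{%d,}" % MIN_RUN)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8 for random fill, under 5 for plain English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def residual_text(data: bytes):
    """Return (offset, text) for every surviving run of readable text."""
    return [(m.start(), m.group().decode("ascii")) for m in TEXT_RUN.finditer(data)]

def assess(data: bytes) -> dict:
    runs = residual_text(data)
    return {"size": len(data), "entropy": round(shannon_entropy(data), 2),
            "runs": runs, "clean": not runs}

def pseudo_random_fill(n: int) -> bytes:
    """Constructed stand-in for a wiper's garbage fill (SHA-256 over a counter)."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

# Constructed samples, not real recovered files.
LINE = b"Meeting notes: the account number is 12345 and the password hint is 'bluebird'.\r\n"
ORIGINAL = LINE * 20
WIPED = pseudo_random_fill(len(ORIGINAL))      # same size as the original, contents overwritten
PARTIAL = WIPED[:-80] + ORIGINAL[-80:]         # failure case: fill stops short of the file end

if __name__ == "__main__":
    for name, blob in (("original", ORIGINAL), ("wiped", WIPED), ("partial", PARTIAL)):
        r = assess(blob)
        print(f"{name:9s} size={r['size']} entropy={r['entropy']} clean={r['clean']}")
        for off, text in r["runs"]:
            print(f"    offset {off}: {text[:60]!r}")
```

To check a file saved out of File Recovery, pass its bytes to `assess()`. Text with lines shorter than `MIN_RUN` separated by non-printable bytes would need a lower threshold, at the cost of more chance matches in random fill.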
'Nuff said?
- END -
Copyright: bluejay@cotse.net
January, 2003