Output Of Various Eraser/Shredder Programs



I chose to use seven text files for this test
showing the output of some eraser/shredders.

File erasers/shredders tested:

BCWipe
Evidence Eliminator
Scorch


BCWipe Output:
- Completely randomizes the file name
- Creates gibberish file names with each pass
- Leaves zero file length
- Will also scramble file names left by previous erasers
- Scheduled wiping, plus wipes registry MRU tracks

[Screenshot: BCWipe file names random]


Note below that the file lengths are zeroed.

[Screenshot: BCWipe zero file length]


Interesting Point: Examine the difference between using the
wiping options tab set to "Wipe empty directory
entries (on FAT drives)" versus it unchecked:

Directory Entries Wiping:
(Directory entry is a reserved space on a disk,
where the filesystem stores names and attributes
of files. Any file that has been 'deleted' by Windows,
can get its name restored by unerasing utilities.
BCWipe shreds directory entries so that the
information cannot be recovered.)

Try MOVING some files from a directory, leaving
only a single UNMOVED file. Now check with the
freebie tools or DirSnoop.

You will see that all the MOVED files are
recoverable. Now, wipe the last remaining file
with the 'Directory Entries Wiping' checked.
It will render all those MOVED files unrecoverable.
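
The directory-entry behaviour described above, as an added example that is not part of the original page: a Python sketch that reads 32-byte FAT short-name directory entries the way an unerase or directory-viewing tool does. A plain delete only replaces the first byte of the name with 0xE5, so the rest of the name, the size and the starting cluster stay readable until the entry itself is overwritten. The sample directory block and its file names are constructed for illustration.

```python
import struct

ENTRY_SIZE = 32
DELETED, END_OF_DIR, ATTR_LFN = 0xE5, 0x00, 0x0F

def make_entry(name, ext, size, cluster, deleted=False):
    """Build one 32-byte FAT short-name (8.3) entry (helper for the sample data)."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:8] = name.upper().ljust(8).encode("ascii")
    raw[8:11] = ext.upper().ljust(3).encode("ascii")
    raw[11] = 0x20                                      # archive attribute
    struct.pack_into("<H", raw, 20, cluster >> 16)      # first cluster, high word (FAT32)
    struct.pack_into("<H", raw, 26, cluster & 0xFFFF)   # first cluster, low word
    struct.pack_into("<I", raw, 28, size)               # file length in bytes
    if deleted:
        raw[0] = DELETED    # a plain delete overwrites only the first name byte
    return bytes(raw)

def list_deleted(directory):
    """Return (name, size, first_cluster) for each deleted short-name entry."""
    found = []
    for off in range(0, len(directory) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = directory[off:off + ENTRY_SIZE]
        if e[0] == END_OF_DIR:
            break                                       # no entries after this slot
        if e[0] != DELETED or e[11] & 0x3F == ATTR_LFN:
            continue                                    # live entry or long-name slot
        name = "?" + e[1:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        hi, = struct.unpack_from("<H", e, 20)
        lo, = struct.unpack_from("<H", e, 26)
        size, = struct.unpack_from("<I", e, 28)
        found.append((f"{name}.{ext}" if ext else name, size, (hi << 16) | lo))
    return found

# Constructed sample directory block (not taken from a real disk).
SAMPLE_DIR = b"".join([
    make_entry("keepme", "txt", 1200, 5),                 # live file, ignored
    make_entry("secret1", "txt", 843, 9, deleted=True),   # plain delete
    make_entry("secret2", "txt", 0, 12, deleted=True),    # length zeroed, name left
    make_entry("qx7zk2pw", "r4t", 0, 0, deleted=True),    # name randomized, length zeroed
    bytes(ENTRY_SIZE),                                    # end-of-directory marker
])

if __name__ == "__main__":
    for row in list_deleted(SAMPLE_DIR):
        print(row)
```

Only the last deleted entry gives an examiner nothing to work with: the name is gibberish and there is no length or starting cluster to follow.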


Testing Scorch

(First example uses the "nodel" (no delete)
command in the batch file.)

Batch file:
cd c:\windows\command
scorch [d:\aaa\*.txt] /two /noinvert /nodel
exit

The above batch file results in this output:
- Fills the entire 32K cluster with random binary garbage
- Leaves ALL original file names intact in Windows

Here is a view in File Explorer AFTER Scorching the files
with the "nodel" command, which tells Scorch to only wipe
the inside of the file with binary junk, and not to delete it.

(Notice in the capture below that after wiping, all the
filenames are viewable. You will also notice the 32K cluster
size for each file, since Scorch wipes the entire 32K cluster
size allocated for a file under the FAT 32 system, and not
just the original file length.)

[Screenshot: Scorch files in Windows]

Now let's use the delete command in the batch file and see
what happens.

File names are not viewable in Windows. However, using
DirSnoop, we see the file names of the erased files are still
intact, except for the dropped first letter.

[Screenshot: file names still visible in Windows]

There is another change, though. Scorch, when using
the "del" command in the batch file, now zeroes out
the sizes, rather than wiping and filling the file with
binary junk.

[Screenshot: scorch view using]

Note: Since Scorch is used primarily for wiping the Windows
swap file, it really doesn't matter whether or not it destroys
the file name, since you do not want to delete the swap file
and its file name as much as clean out what is in it. What
is important is that we see when run with the "nodel"
command, Scorch does indeed wipe all clusters and fill them with
binary junk.


Evidence Eliminator Output #1:
Using Custom Files Tab: Eliminate All Files On This List

Using this setting deletes a file in the target directory
and reduces the size to zero.

(This is a clumsy setting; it does not accept wild cards.
You must put in a path and a name of each file you wish destroyed
in any given directory.)

EE does wipe the file from Windows Explorer, but unfortunately,
when viewed with DirSnoop, all names are intact.

[Screenshot: DirSnoop view of EE delete]


Evidence Eliminator Output #2:
Custom Files Contents:
Eliminates contents of all files on this list, without deleting the files.

(As in the first example, EE does not allow wild cards here, either.)

It is clear from opening the shredded file with Notepad that the file is unreadable.

[Screenshot: EE garbled file guts viewed in Notepad]

EE does wipe the file, filling it with binary junk and leaving the
original size and name intact in Windows Explorer. Just as it was
supposed to do. However, again it leaves the original file name
viewable in DirSnoop. For a program that bellows and yells how
it offers total security against forensic file recovery, this is a joke.

[Screenshot: DirSnoop view of erased files]


Evidence Eliminator Output #3:
Custom Files Contents:
Eliminates all contents of these folders, including sub folders

As can be seen, EE wiped the files and the entire cluster of each
file. When "recovering" the files, and viewing them with Notepad,
they contain only binary gibberish.

But once again, EE makes a mockery of the truth in advertising
about being able to hide EVERYTHING from forensic analysis -
especially when it leaves the damn file name of the shredded files
TOTALLY intact. That is ridiculous!

(Let me state again that I have been an EE owner/user since their
first days. I am appalled by my own sloppiness at not having done
some testing before this. Once more, see the sad truth in the capture below.)

[Screenshot: DirSnoop view of EE dir wipe]


I don't think I have to go through every menu function that EE has.
I think it is clear from these three that EE is a loser as far as hiding
the file names of erased/shredded files.

But I do want to do one more test. I want to see what EE does
with its Save Recycle wipe. That's the one where, supposedly,
it erases the contents of the Recycle Bin in a safe manner. Let's see.

I deleted, with the delete key, seven text files. Then I used EE's
Safe Recycle to wipe them from the Recycle Bin.

[Screenshot: view of Recycle Bin with files]

Here's the result.

[Screenshot: DirSnoop view of erased Recycle Bin]

It wiped the entire cluster of each file. This time, though,
it did not leave the entire file name behind when viewed
with DirSnoop. But it did leave the correct extension,
which still sucks, but not as badly.

This one fault, as far as I'm concerned, invalidates EE
as a serious file shredder/eraser. It also shows what liars
its marketing people are.



Copyright: bluejay@cotse.net
January, 2003