Anti-forensic Tools Research

(@htfinder)
New Member
Joined: 20 years ago
Posts: 3
Topic starter  

I've been doing some research on countering AF tools. I've specifically worked with the two wiping utilities Eraser 5.8 (www.heidi.ie/eraser) and SDelete v1.51 (www.sysinternals.com). I've found that Eraser appears to randomize file names & extensions, but seems to set all NTFS MACE values to 1/1/1980 12:00:00 AM.

SDelete appears to change the file name to !ZZZ(different number of Z's).ZZZ and the extension to ZZZ. I was also able to find the original file name, ext, and MACE values.

I need to take a more methodical approach to doing this research, so the info above may not be reliable yet.

Is anyone else doing similar research with wiping utilities? Possibly with wipe, srm, dban, or commercial tools?


   
Quote
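The two artifacts described in this post (SDelete's !ZZZ...ZZZ renames and Eraser's 1/1/1980 MACE values) can be checked for mechanically in a Sleuth Kit body file (the `fls -m` / mactime format). The following is an added example, not code from the original post; it assumes body-file timestamps are UTC epoch seconds and that a 1980-01-01 00:00:00 MACE value appears as 315532800. The sample records are constructed.

```python
import re
from datetime import datetime, timezone

# Epoch value of 1980-01-01 00:00:00 UTC: the MACE value the post reports Eraser leaving behind
ERASER_EPOCH = int(datetime(1980, 1, 1, tzinfo=timezone.utc).timestamp())  # 315532800
# SDelete rename pattern from the post: !ZZZ... (varying number of Z's) with a ZZZ extension
SDELETE_NAME = re.compile(r"(^|/)!Z+\.ZZZ$")

# Constructed sample in Sleuth Kit body-file format:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODY = """\
0|/Users/alice/report.docx|1234-128-1|r/rrwxrwxrwx|0|0|20480|1180000000|1179990000|1179990000|1179980000
0|/Users/alice/x7Qp9.tmp|1235-128-1|r/rrwxrwxrwx|0|0|0|315532800|315532800|315532800|315532800
0|/Users/alice/!ZZZZZZZ.ZZZ|1236-128-1|r/rrwxrwxrwx|0|0|0|1180000500|1180000500|1180000500|1179985000
0|/Users/alice/notes.txt|1237-128-1|r/rrwxrwxrwx|0|0|512|1180001000|1180001000|1180001000|1180000900
"""

def parse_body(text):
    """Yield (name, inode, [atime, mtime, ctime, crtime]) for each well-formed body-file record."""
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) != 11:
            continue  # skip malformed or truncated lines rather than crash on them
        yield fields[1], fields[2], [int(t) for t in fields[7:11]]

def flag_wiper_artifacts(text):
    """Return (name, reason) pairs for records matching either wiper artifact."""
    hits = []
    for name, inode, times in parse_body(text):
        if SDELETE_NAME.search(name):
            hits.append((name, "name matches SDelete !Z...Z.ZZZ rename pattern"))
        if all(t == ERASER_EPOCH for t in times):
            hits.append((name, "all four MACE values are 1980-01-01 00:00:00 (Eraser pattern)"))
    return hits

if __name__ == "__main__":
    for name, reason in flag_wiper_artifacts(SAMPLE_BODY):
        print(f"{name}: {reason}")
```

A real run would feed the output of `fls -r -m / image.dd` instead of the constructed sample; a hit on either rule is a lead for closer examination of that MFT entry, not proof of wiping by itself.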
(@mindsmith)
Estimable Member
Joined: 20 years ago
Posts: 174
 

Check out the following related paper from the grugq in the Blackhat archives, called 'The Art of Defiling', found at

http://www.blackhat.com/presentations/bh-europe-05/bh-eu-05-grugq.pdf

This may help.

You can also look at the NIST guidelines on the subject.

(@rkamens)
Eminent Member
Joined: 19 years ago
Posts: 36
 

deleted

(@zon4jou)
Active Member
Joined: 19 years ago
Posts: 11
 

Today I wrote a tool (on Unix/Linux) which tries to achieve the same.

I made the following choices:

1) Create as many small files (512 bytes, the smallest size of a hard disk sector) as possible to exhaust the inodes / metadata structures. Remove these files again.

2) Create several big files (currently set to 2 MB, which was fine for my memory drive) to exhaust the free data blocks with random data. This random data is multiplied to reach the 2 MB size.

Running an examination on a small filesystem of 32 MB and analysing it using The Sleuth Kit and the Autopsy browser, I couldn't find any of my old data back, neither in the inode information nor in the data blocks.

I was wondering if any of you had some comments on this.

The tool is written in Perl and can be found here:
http://doornenburg.homelinux.net/scripts/afft

Thank you.
