When a file is deleted from the hard drive and the free space it used to occupy is securely overwritten (wiped), recovery tools can still usually find the file was there and show its name. As far as I understand this is because some data about old files is left in MFT area. How to eliminate this?
Asked
Active
Viewed 4.3k times
4
-
possible duplicate of Is there a program to truly delete all deleted files? – Ƭᴇcʜιᴇ007 Mar 07 '11 at 04:00
-
1I've found CCleaner to offer "Wipe MFT Free Space" option, but haven't tested this yet... And I am pretty sceptical about it to help... – Ivan Mar 10 '11 at 14:00
-
I believe that option will do exactly what you are looking for. – u1686_grawity Mar 24 '11 at 17:15
-
This BCwipe worked for me, I mentioned it here: https://superuser.com/a/1585146/470974 – Chris Sep 13 '20 at 17:31
9 Answers
4
The free software "PriVazer" has an option to securely delete file names on MFT and it doesn`t take that long! Another free prog. is "MooO Anti recovery". This also has an option to securely erase old "deleted" file names.
-
Please read How do I recommend software for some tips as to how you should go about recommending software. You should provide at least a link, some additional information about the software itself, and how it can be used to solve the problem in the question. – DavidPostill Jan 22 '18 at 17:42
-
1Surely all you have to do is check out the free software I mentioned. Is that so difficult?? – Jul 08 '19 at 15:40
-
1It is not that difficult to get this free software. "PriVazer" is an excellent programme! – Jul 08 '19 at 15:48
3
I've used the program PrivaZer for several years now, and it's a great program for completely cleaning and deleting unwanted files from the hard drive - including the MFT entries. It deletes all the temp. files, cleans the disk fragments and deletes any cookies. Great program!
Ted
- 31
3
I've used the MFT wipe free space with CCleaner. (It does take forever, up to several days.)
Before running wipe, I could easily get a full list of previously deleted files with Recuva, despite the files being several years old and overwritten multiple times beyond recovery. This is because Recuva takes the list of files from MFT. https://www.piriform.com/docs/recuva/technical-information/how-recuva-works (Unless you run the deepscan, which actually goes through the disk, seeing what's in there. This also takes forever, however.)
After running MFT wipe free space with CCleaner, Recuva finds nothing. Not without deepscan anyways. Therefore, I'm fairly certain CCleaner also takes MFT into account whilst wiping.
End Anti-Semitic Hate
- 8,328
YellowPeak
- 31
3
First, check how many files Recuva reports that can be recovered. Say it is 1001.
Open a command window and create a temporary directory. Change to that directory.
MKDIR C:\TempReco
CD C:\TempReco
Create at least 1001 files in this directory using the command below with proper parameters.
FOR /L %i in (1,1,1001) do echo willdelete>file%i.tmp
When this completes, delete the files with either from command window or by locating with Windows Explorer. Then, empty the Recycle Bin.
When you check again with Recuva, it will only show filenames you have just deleted.
Burhan
- 31
-
2In case Windows does not clean unused space when storing a new name in an MFT record, you may want to use a longer name in the 'file%i.tmp' template, like 'atleastfirst80charactersofdeletednamesshouldbecleared%i.tmp'. – Burhan Oct 07 '15 at 14:30
2
The Most Reliable way to do this is also the simplest
- copy your files to a second hard drive
- wipe the source drive using something like DBAN and reformat
- transfer the data back.
This has to be done with a file level copy utility like robocopy since using imaging software will copy the entire partition MFT and all.
Of course this is only practical for non system disks while it is theoretically possible to do this with a OS drive you need to ensure that your using a tool capable of copying hidden and system files along with the ACL's. You will also need to perform additional steps in the recovery console to rebuild the boot sector, MBR and BCD from scratch to ensure that the system will see the new partition as bootable. Its mostly a crap shoot and you would be better off just doing a clean reinstall of your OS
Mike Loeven
- 79
-
1might wanna use something like winrar in Store mode to backup to a single file, that way when you delete backup you won't have inflated MFT. – colin lamarre Jan 16 '19 at 15:43
1
Short answer, it is not possible.
The MFT is a complex dynamic table file at the heart of the NTFS. To change one small part of it, corrupts the whole drive.
MS isn't telling how it is structured, and no one is going to risk putting out a application on a trial and error basis, that 'cleans' the file names, if there is any chance it will destroy the system.
(Oh yes, insert negative comments about MS exposing peoples data here.)
So depending on the pros and cons, you may want to restart with a fresh install, and then use less sensitive file names and use secure deletion at the recycling bin. Use TrueCrypt containers to keep files separate from programs. Perhaps FDE (Full Disk Encryption) is a option if it is that important.
To make things clear to others, it is not what Ccleaner and the others do, drive wiping the MTF and defragging it and all the rest doesn't clean the MFT names. They overwrite the file spaces in the MTF, but the names remain. It is the deletion of the FILE NAMES ONLY that the OP is asking about. (File names that can only be seen with specialized file recovery applications)
David
- 19
1
I think Paragon Hard Disk Manager Suite (Pro?) can help you do this by shrinking the MFT:
As the
$MFTgrows, it will occupy the increasing amount of space in the MFT Zone, and the current size of$MFTis totally unrelated to the size of the MFT Zone.
When one executes the "Compact MFT" (also may be called “Shrink MFT” in some editions) operation, the$MFTitself will be shrinked, but the MFT Zone will remain intact - just a block of reserved free space.
It can shrink the MFT, which means deleted file records won't be there anymore.
user541686
- 23,918
1
Revo Uninstaller freeware wipes the MFT almost completely. Tested on formated WD 500GB with AVG PC tuneup utility to view the MFT size before Revo Unistaller and after Revo Unistaller. MFT almost completely gone while before it was enormous.
http://www.revouninstaller.com/revo_uninstaller_free_download.html
Go to Tools --> Tracks Cleaner --> Evidence Remover --> select drive and run it.
wordblender
- 11
-1
This Windows built-in does it nicely, though takes a while. Both MFT and drivespace on C:
CIPHER /W:C:
/W Removes data from available unused disk space on the entire volume. If this option is chosen, all other options are ignored. The directory specified can be anywhere in a local volume. If it is a mount point or points to a directory in another volume, the data on that volume will be removed.
-
1Hi Jonathan, we prefer complete answers here. I have edited it to show you what could have been done here. This gives the readers some confidence that this is a valid answer. Please keep this in mind. – Rohit Gupta Sep 12 '23 at 13:51
-
I think it does not touch the MFT, see .. "The cipher /w command does not work for files that are smaller than 1 KB" .. This refers to resident files and suggests MFT entries are not overwritten. – Joep van Steen Sep 12 '23 at 15:05
-
Not all files that are smaller than 1KB are resident in the MFT record. First, the MFT record size is not necessarily 1KB (it can be larger when the NTFS volume was prepared); then the MFT record starts at least by a "basic attributes" entry which consumes some bytes and which is always resident; it may be then followed by a resident entry for MFT extension (if there are too many attributes than can fit the MFT record itself, e.g. for security attributes). Small files (or ADS) will be resident only if there remains some space. NTFS has priorities for which attributes will be resident. – verdy_p Feb 05 '24 at 10:11