DonationCoder.com Forum
Other Software => Developer's Corner => Topic started by: kyrathaba on January 26, 2011, 10:10 AM
-
I'm working on a C# project involving file encryption/decryption. One of the features I've implemented is the option to "securely delete" the original file after it's been encrypted (such that only the encrypted version remains, and the original cannot be recovered by file recovery utilities). Now, I don't really want to post my code. What I'd like to know is if you guys can recommend some trustworthy/safe free file recovery utilities against which I can test my "secure deletion". Obviously, if any of those utilities can recover a file that my program has "securely deleted", then my code still needs work...
Here are a few I've Googled:
Disc Investigator
Recuva
Undelete Plus
Restoration
TestDisk
FILERECOVERY® 2011 for Windows
File Scavenger® - Data Recovery Utility
Data Recovery Wizard Free Edition
-
I have personally used File Scavenger in the past (with great results).
-
I can vouch for Recuva.
-
The one I always hear recommended is: http://www.runtime.org/
-
The one I always hear recommended is: http://www.runtime.org/ -mouser
That's my favorite!
-
R-Studio (http://www.r-studio.com/) is pretty hardcore and should probably be on your list.
- Oshyan
-
Was about to say R-Studio but will just add that the demo only works with <64kb files. But you can get a forensic report to be used in a court, always useful.
-
The demo of R-Studio will at least show you the files it finds and thinks it can recover, even though you can only *verify* recovery of files smaller than 64kb.
- Oshyan
-
Yes, wrong to say it only works with <64kb. I guess the test must be so foolproof that there are zero signs of anything. If signs are detected, the disk can be sent off to some recovery genius and then who knows. Scanning is as in the paid version so that should do.
-
So far, I've tested against:
(1) Pareto Data Recovery
(2) Softonic File Scavenger
PDR couldn't find the "securely deleted" text file 'unrecoverable22.txt' at all.
SFS found it, but it found the version my code had overwritten the original as, namely a zero-length file with file attributes showing creation/modified dates in year 2036, as shown below (in other words, what it found in no way resembles the original file). Rather it found the truncated, false-attributes file my code creates before calling File.Delete():
(http://i91.photobucket.com/albums/k311/kyrathaba/Screen%20Captures/scavenger.png)
So, thus far, I'm pleased with how my code is holding up...
-
Just wondering, are you only relying on what 'files' the programs report they find or do you also look at the sectors where the file was located to see if any original file data remains?
-
@4wd: I'm relying on the programs' reports. How do I look at the sectors?
-
If you could get your program to report the initial sectors occupied by the original file then you could look at them afterwards using a disk editor, e.g. WinHex (http://www.winhex.com/disk-editor.html).
That's the only way I can think of barring a complete drive scan using Runtime's software or R-Studio...but that will take a very long time unless you've set up a small separate partition/drive to test on.
-
What if the file doesn't get written to entirely contiguous areas on the hard drive?
-
You should also randomize the filename as part of your utility.
Yeah, WinHex will allow you to view sectors. It's been a while since I've trained on WinHex / X-Ways Forensics. Once you know the starting point of where the file exists on a hard drive, each file fragment will "point" to the beginning position of the next sequential fragment and so on. So if a file is non-contiguous, then the program would need to "traverse" to find all the fragments, like how the operating system does it. If it is securely deleted, overwritten multiple times, then there are problems in traversing and reading prior data content of file fragments.
-
As pat said, the various pieces of the file will sequentially link to each other until the end of the file is reached.
If you can get your program to report the sectors read as it goes then you can have a look after erasing with a hex editor - HxD (http://mh-nexus.de/en/hxd/) is good, lightweight and free.
FWIW, the program I use for 'shredding' overwrites any sector used by the original file with pseudo-random data (full sector write, not just the part the file used), the ADS, and changes the file name/size/timestamp/attributes multiple times.
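-
Added example (not part of the original thread and not kyrathaba's code): an automated form of the sector check suggested above. Fill the test file with one tagged block per sector, run the secure delete, then scan a raw image of the small test partition for the tag; any hit is original data that survived, whether or not the file was stored contiguously. The tag value, the 512-byte sector size and the image path are assumptions.

```python
import sys

SECTOR = 512  # assumed sector size of the test volume


def make_canary(tag: bytes, sectors: int) -> bytes:
    """Test-file content: each sector-sized block starts with the tag and its
    block index, so a fragment that survives deletion identifies itself."""
    blocks = []
    for i in range(sectors):
        header = tag + b":%08d|" % i
        blocks.append(header.ljust(SECTOR, b"."))
    return b"".join(blocks)


def scan_for_tag(path: str, tag: bytes, chunk: int = 1 << 20) -> list:
    """Return the byte offset of every occurrence of tag in a raw image file."""
    if not tag:
        raise ValueError("tag must not be empty")
    hits, pos, tail = [], 0, b""   # pos = absolute offset of buf[0]
    keep = len(tag) - 1            # bytes carried over so matches that
    with open(path, "rb") as f:    # straddle a chunk boundary are still seen
        while data := f.read(chunk):
            buf = tail + data
            i = buf.find(tag)
            while i != -1:
                hits.append(pos + i)
                i = buf.find(tag, i + 1)
            tail = buf[-keep:] if keep else b""
            pos += len(buf) - len(tail)
    return hits


if __name__ == "__main__":
    # usage: python scan_canary.py <raw-image-of-test-partition> <tag>
    image, tag = sys.argv[1], sys.argv[2].encode()
    found = scan_for_tag(image, tag)
    for off in found:
        print("tag at byte %d (sector %d)" % (off, off // SECTOR))
    print("%d surviving block(s)" % len(found))
```

An empty result means no tagged block remains anywhere in the image; a hit gives the sector to open in a disk editor such as WinHex or HxD.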
-
Thanks for the info, guys.
-
You can try also Back2Life (http://www.grandutils.com/Back2Life/): the evaluation mode is fully functional.
-
@Mark0: thank you!
-
Vote for Back2Life.