0

Say I have a file which is 5 megabytes. If I delete it (and delete it from recycle bin) and run "cipher /w:C:" on my drive, it should be unrecoverrable.

What about its entry in the MFT? I think the entry for the file will be marked as free but what are the chances that the entry will be overwritten within a certain amount of time (say if after I securely delete that file, I browse some webpages, which creates files in the cache.. will those cache files get entered in the MFT and overwrite the deleted file)?

useraccount001
  • 13
  • 2
  • 2
    This hints at an [XY Problem](https://meta.stackexchange.com/q/66377) if you want all trace of it gone, then see https://superuser.com/questions/254054/how-to-reset-an-ntfs-mft-for-no-tracks-of-deleted-files-names-to-be-found-there – Tetsujin May 30 '21 at 19:00
  • In Wednesday (26th) I have recovered errorneously deleted files from 32-Gb NTFS-formatted flash-drive. I have recovered everything which recovers without errors. And there were 4-5 years old files which were recovered successfully and had no inner problems. Average usage for flash-drive - storing XLSX and DOCX copies, ~2000 files with ~10-30% files renewed per month. – Akina May 30 '21 at 20:02
  • Really - the entries in MFT are stored for very long period (if the folders were not deleted), a lot of years needed the entry to be overwritten. Rather than file body if it is not fit into the entry. – Akina May 30 '21 at 20:09

2 Answers2

1

If you delete the file from the recycle bin, it will be quickly overwritten on an averagely active machine. That is the disk space will be overwritten in a day or some days. So for all practical purposes (90%) the deleted file is gone because any surviving table entry will point to useless contents.

John
  • 46,167
  • 4
  • 33
  • 54
  • 1
    but the file entry in the MFT may not be gone – useraccount001 May 30 '21 at 18:44
  • That wasn't the question though. Cipher itself will overwrite the unused space. tbh, though, to all practical purposes, whatever survives in the mft is pretty useless, just a reference to something now gone. – Tetsujin May 30 '21 at 18:45
  • 1
    The entry may or may not be around but the contents are likely different so useless. – John May 30 '21 at 18:45
  • 1
    @Tetsujin Yes but the file name will still be there won't it? – useraccount001 May 30 '21 at 18:56
  • @John But the file name will still be there in the MFT ithink. So it reveals that that file was there. – useraccount001 May 30 '21 at 18:57
  • Why don't you just encrypt the drive if you're that worried? Your rather closing the stable door after the horse has bolted. – Tetsujin May 30 '21 at 18:58
  • But the file name will still be there in the MFT ithink. So it reveals that that file was there <-- I am not sure if that is true. Once a file is deleted, Windows starts using the space for something else. So it seems impractical you can recover a deleted file after some time has passed (a day plus or minus). – John May 30 '21 at 19:01
  • @John, I don't believe that that is the case, unless the disk is quite full. Most filesystems implement a degree of "sparseness" spacing files out, so that they are less likely to produce fragments when the file grows. that means they are unlikely to overwrite the space just freed in a timely manner. Additionally, there are many types of adversary out there that could advance their campaign based on knowledge that a file with a known name existed on a system at one time, even if the content is now gone. $5-wrench decryption is not an imaginary vulnerability in many parts of the world. – Frank Thomas May 30 '21 at 19:46
0

NTFS is still a proprietary file system and as far as i know, there is no information available on any kind of reliable retention mechanism for the MFT.

Overwriting the free space in no way assures you the MFT entry will be gone. Secure wiping with a tool like Recuva will therefor NOT remove entries from the MFT, but there are other tools that will allow you to do this.

CCleaner, for example, has an option to wipe free space based on the MFT. It will rewrite the free space and delete the MFT entry, but very slowly. Many other tools are available, you can google for them and find the one that fits your needs.

Silbee
  • 965
  • 5
  • 11