Can anyone recommend a tool for MFT cleanup? I want to in my MFT restore the entries for files which once existed but have been deleted to a "pristine" state, with zeroed out entries.
+1
A:
Mmm. The question is wrong. I mean on an in-use volume that the entries left-over in the MFT, from files which once existed but now are gone, those entries are cleaned up.
It sounds a lot like you're asking for a program that will zero-out parts of the MFT that don't currently represent actual files. I'm going to go out on a limb here and say that no company is going to touch that one even with a stick.
- NTFS is poorly documented at best
- NTFS is a moving target, and the MFT is one of those "hands off" areas that are subject to change without notice
- Overwriting presumably unused areas of this block offers zero benefit to the average user
- Zeroing out the "free" space means zapping every bit that you don't think microsoft is using for anything important, a tenuous prospect at best.
- A mistake in this operation (which is surprisingly likely) means losing files at best, losing the whole filesystem at worst
In other words, the project would be expensive and time consuming to build, would be riddled with uncertainty about its safety, and would not offer enough (any?) benefit to customer to convince them to use it.
I can't imagine such a thing exists, nor do I expect that it ever will.
tylerl
2009-04-21 08:06:37
There are enough paranoid people around that there's always a market for this type of software.
snowcrash09
2009-04-21 19:33:29
+2
A:
This paper by Hal Berghel and David Hoelzer lists a whole bunch of products which claim to securely erase files. MFT cleaning is a feature of some of them. The paper concludes that only one product, Evidence Eliminator, actually does cleanup the MFT properly.
PGP Corp responds here to criticism of its own product, PGP Shred. Apparently it has an advanced option, "Wipe NTFS Internal Data Structures" which will clean the MFT, although this option is not enabled by default.
I've used PGP Shred myself so to some extent I can recommend it, but I confess I've never checked whether the MFT wiping feature actually works as described.
Clearly vendors sometimes overstate the abilities of their software, so your mileage may vary. If it's really important to you that the MFT entries are properly wiped, you may want to run disk forensics tools over your disk post-wipe - some ideas on how to do this are in the Berghel and Hoelzer paper.
snowcrash09
2009-04-21 19:32:51
I've been checking with File Scavenger, which shows up 10k deleted files. This is after an MFT defrag! if FS shows up 0 files, then I'll be happy enough it worked. I'll try the utilities you've mentioned here - if one works, you get the accept.
Blank Xavier
2009-04-21 20:45:26
Sorry for the delay. I didn't have time to check out the software before the bounty expired. I've just tried PGP - important note, it can't blank the MFT on the boot partition.
Blank Xavier
2009-05-03 07:51:55
Problem kinda solved; I wrote a little program which simply loops creating new empty files. Created 100k files. This totally over-wrote all the lingering MFT entries. Of course, when you delete your empty files, you're left with your dummy MFT entries. But at least you know what they are when you see them.
Blank Xavier
2009-05-04 16:55:14
That's a novel approach - avoids mucking about with the MFT directly. Did none of the other tools actually work as advertised?
snowcrash09
2009-05-04 18:01:29