• Re: Strange directory and files

    From MajorLanGod@21:1/5 to All on Thu May 25 22:08:43 2023
    Since my other thread on this topic got hijacked I'm starting over. That
    post told of a weird directory that appeared on one of my drives, with
    1,319 files with random names, no date, and all the same size.

    Well, another one appeared today, but I believe I have found the culprit. I
    use Eraser to scrub a drive when I want to make sure something has been
    completely eradicated. I ran it again yesterday, and sure enough, another
    strange directory showed up. So I think I have found the culprit. I will
    keep an eye out the next time I run Eraser to make sure, but I am glad I
    have found the source.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From VanguardLH@21:1/5 to MajorLanGod on Thu May 25 23:00:23 2023
    MajorLanGod <lonelydad58@gmail.com> wrote:

    > Since my other thread on this topic got hijacked I'm starting over.
    > That post told of a weird directory that appeared on one of my
    > drives, with 1,319 files with random names, no date, and all the same
    > size.
    >
    > Well, another one appeared today, but I believe I have found the
    > culprit. I use Eraser to scrub a drive when I want to make sure
    > something has been completely eradicated. I ran it again yesterday,
    > and sure enough, another strange directory showed up. So I think I
    > have found the culprit. I will keep an eye out the next time I run
    > Eraser to make sure, but I am glad I have found the source.

    Without clarification, I'm assuming "Eraser" means "Heidi Eraser".
    There are lots of erase-deleted-file utilities.

    VeraCrypt (aka TrueCrypt) let you add a fake partition. If you were
    forced to give the password to the encrypted container (file that
    becomes a drive when mounted), you could give the password to the bogus
    partition with placeholder files to sate the opponents' need to get
    inside your encrypted container. The real protected data was in another
    partition in the encrypted container that was accessed using a different
    password, but it looked like garbage data in the sectors in the mounted
    drive that were really in the hidden alternate partition. It was to
    obfuscate what you really wanted to protect.

    Heidi Eraser has a similar function. If you do a wipe of sectors using
    whatever algorithm, the data left in the wiped sectors would not be all
    zeroes (never used) nor remnant data typical of content that would've
    actually been stored there. It could be detected that parts of the
    drive had been erased. To obfuscate the wipe action, Eraser will insert
    dummy data into those sectors, which are assigned to dummy files.

    https://eraser.heidi.ie/eraser-settings/

    Replace erased files with the following files to allow plausible
    deniability specifies a list of files to use to replace the erased
    files' space on the drive after deleting to give the impression that
    no files were erased, except other files which were deleted before
    (hence plausible deniability.)

    Did you enable that option? Rather than overwrite the "erased" sectors
    with random data, you list a set of files with coherent content, so it
    looks like the content is legit in those sectors. It is unclear if new
    fake files are created to point at those sectors, or if just the content
    of the replacement files is written to those sectors (but no files are
    created to point at those sectors).

    I haven't used Heidi Eraser for many years. The info above is what I
    found on how to use the software. To find other users of Heidi Eraser,
    check out their forum:

    https://eraser.heidi.ie/forum/

    If "Eraser" means some other sector-wipe tool, you'll have to be more
    explicit than just saying "Eraser".

  • From Paul@21:1/5 to MajorLanGod on Fri May 26 00:53:13 2023
    On 5/25/2023 6:08 PM, MajorLanGod wrote:
    > Since my other thread on this topic got hijacked I'm starting over. That
    > post told of a weird directory that appeared on one of my drives, with
    > 1,319 files with random names, no date, and all the same size.
    >
    > Well, another one appeared today, but I believe I have found the culprit. I
    > use Eraser to scrub a drive when I want to make sure something has been
    > completely eradicated. I ran it again yesterday, and sure enough, another
    > strange directory showed up. So I think I have found the culprit. I will
    > keep an eye out the next time I run Eraser to make sure, but I am glad I
    > have found the source.


    This appears related to "Free Space Erasure", which erases the white space
    on a partition. Google did not find this article for me earlier.

    https://eraser.heidi.ie/forum/threads/eraser-creates-a-lot-of-big-files-during-unused-space-erasure.18689/

    "there's a new folder named 4x8NmCn!UQgiKR1C+] with a lot of files having the same size 216MB"

    *******

    Here is another tool, that can erase white space.

    https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete

    sdelete64.exe -z c: # White space cleaning

    In a test, I salted a disk (NTFS FS) with a pattern, then used sdelete64 and
    I could still detect a bit of the pattern later (maybe a hundred chunks).
    Heidi should be better at this sort of thing. I still find
    sdelete64 is good for prepping .vhd containers for compaction
    operations (if you zero out white space, the .vhd does not need
    to waste storage space to record the zeroed region).

    Using unique patterns, you can attempt to "hide" materials on a
    partition, use your favorite cleaner, then scan with HxD to see
    if the cleaning worked or not. This has the ability to scan at
    the sector level (do a Run As Administrator on the executable,
    and then the disk opening menu will work).

    https://mh-nexus.de/en/hxd/

    Paul

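Added example, not part of the thread and not written by any of the posters: the salt-then-rescan check described in Paul's message, done as a script rather than a manual HxD search. The marker value, function names and sample image are constructed for illustration; pointing `find_marker` at a raw volume path such as `\\.\E:` from an elevated prompt is an assumption about how you would use it.

```python
import os
import tempfile

MARKER = b"SALT-7f3a-CONSTRUCTED"  # constructed marker; use your own unique bytes

def find_marker(path, marker, chunk_size=1 << 20):
    """Return the byte offset of every copy of marker found in path."""
    if not marker:
        raise ValueError("marker must be non-empty")
    hits, tail, base = [], b"", 0   # base = absolute offset of buf[0]
    overlap = len(marker) - 1       # bytes carried over so boundary hits are seen
    # Unbuffered reads in a sector-multiple chunk size suit raw devices too.
    with open(path, "rb", buffering=0) as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                break
            buf = tail + chunk
            start = 0
            while (i := buf.find(marker, start)) != -1:
                hits.append(base + i)
                start = i + 1
            tail = buf[-overlap:] if overlap else b""
            base += len(buf) - len(tail)
    return hits

def hits_by_sector(hits, sector_size=512):
    """Sector numbers where a surviving marker starts (what a sector view shows)."""
    return sorted({off // sector_size for off in hits})

def build_sample_image(size=4096, offsets=(100, 1020, 3000)):
    """Constructed stand-in for a salted partition: zeros with MARKER planted."""
    data = bytearray(size)
    for off in offsets:
        data[off:off + len(MARKER)] = MARKER
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

if __name__ == "__main__":
    img = build_sample_image()
    try:
        found = find_marker(img, MARKER, chunk_size=1024)  # 1020 straddles a chunk edge
        print("marker survives at", found, "sectors", hits_by_sector(found))
    finally:
        os.remove(img)
```

Run it once after salting and again after cleaning; an empty list on the second run means no copy of the marker remained in the range that was scanned.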
  • From Frank Slootweg@21:1/5 to MajorLanGod on Wed Jun 7 19:07:04 2023
    MajorLanGod <lonelydad58@gmail.com> wrote:
    > Since my other thread on this topic got hijacked I'm starting over. That
    > post told of a weird directory that appeared on one of my drives, with
    > 1,319 files with random names, no date, and all the same size.
    >
    > Well, another one appeared today, but I believe I have found the culprit. I
    > use Eraser to scrub a drive when I want to make sure something has been
    > completely eradicated. I ran it again yesterday, and sure enough, another
    > strange directory showed up. So I think I have found the culprit. I will
    > keep an eye out the next time I run Eraser to make sure, but I am glad I
    > have found the source.

    FWIW, I find the "no date" bit a bit strange. AFAIK, a file cannot
    have "no date". Perhaps the date is strange or all fields are zero or
    something, but probably some tool - i.e. for example DIR instead of
    File Explorer - will probably show some kind of date which might have
    led you to the cause sooner.
