Need a M.F.T search/secure delete program



spy1
2005-11-22, 17:33
Patrick,

As you know, a lot of stuff winds up in the M.F.T that isn't addressed by any "cleaner" program currently on the market.

I believe we need a program that displays the M.F.T in a very understandable, clear fashion and that allows one to select items from that and securely erase them.

Doable? Pete

Tommie
2006-04-21, 01:22
It would be cool if this could automatically extend orphaned files under NTFS, and also clear free space.

GastX
2008-04-05, 19:29
I believe we need a program that displays the M.F.T in a very understandable, clear fashion and that allows one to select items from that and securely erase them.

We need a program to clean, automatically or not, all the obsolete entries in the MFT. For small files, the data IS stored in the MFT and I do not want to un-erase files I deleted 5 years ago like I did recently. For big files, the data is gone for sure after some defrag but is still there for tiny files.

PepiMK
2008-04-07, 13:13
Hmmmm... what an old post I must have missed the first two times :oops:

Well... "cleaning the MFT" is such a nice, short (but complete) description of a task that it's difficult to believe how complicated that would be I guess ;)

The MFT is an NTFS (filesystem) thing. Take a look at Linux - how long has it taken until NTFS write support has been available as non-beta there? Granted, it has been quite stable (have even used it to save data where Windows couldn't read anything at all) for a long time as well, but due to the possibly destructive character of such a thing.

Also, this could not take place while Windows is running (Windows drivers and another app accessing the MFT simultaneously would cause immediate out-of-sync problems).
Some googling showed that a few defragmentation programs can defragment the MFT during boot time (one of them has "destroyed" a hard disk of mine, possibly MFT-wise - it was readable by Linux only afterwards, see above, so I'm not giving any recommendations here ;) ). Of course, that wouldn't be "final", just cause some "accidental" overwriting of deleted stuff due to rearrangement.

So, displaying would be possible, erasing would not be possible in that "very understandable, clear fashion" I think, since it would have to be done from a booted Linux for example, or at boot time (where you can't quite influence it). A compromise might be a normal runtime app to mark something to be deleted that would then be overwritten at boot time...

I can look into the MFT structure just for the fun of it, but as stated above, I doubt it would lead to a quick yet easy solution ;)

GastX
2008-04-07, 19:37
I remember the FAT-16 days when defragmenters offered to move all current directory entries in front of the directory, then over-writing zeroes to the end of the cluster.

Even without that, Norton Disk Editor was an easy tool to check the relation between directories, FAT and the data space.

My 149 Gb NTFS5 partitions are today able to write files of at least 768 bytes into the directory structure itself, and neither the Diskeeper ultra-lite coming with Windows, nor the good SysInternals defrag utility, nor the efficient Raxco PerfectDisk cleans those tiny files when they are deleted. Reorganizing and cleaning the NTFS internal structure is outside their goals.

Finally, CHKDSK is the utility going as deep as I want to go.

An NTFS browser or editor coherently showing the relations between directories, MFT, the cluster bitmap and the data space will be fun but of little use. Of course, if editing occurs, it must be journalized and written only when disk locking is possible like it is for CHKDSK. System partition and caching (swapping) partition are not lockable when Windows runs.

BtW, recently my mouse (not me, not me:angel:) chose the wrong option and by the time I reacted, ~1500 small log files were deleted :sad:. I undeleted ~3500 files in the directories involved, confident that a quick check would later reveal the bad files :bigthumb:. I was wrong: because small files' content is stored in the MFT, almost all the 3500 files were good. Surprise, some were erased 4 years ago :spider:. Now I have to manually check them all :cleaning:. Later…

PepiMK
2008-04-08, 10:50
Spent some time looking into the MFT, since that could theoretically be used as a hardcore rootkit detection method as well. Doubt any rootkit would find its files' MFT records' physical location and try to block and direct read access there ;)

A standard MFT entry has 1024 bytes. Then, take the header of 42 bytes, at least three attribute headers of 24 bytes each, the standard information attribute record of 36 bytes and the filename attribute record of 66 bytes, plus the length of the filename (Unicode, two bytes per character), and you'll have 808 bytes minus filename length * 2 left. Not sure about ADS (alternate data streams) though - if they would be part of the stream, you would have to subtract for example the Security stream of ~ 24+148 as well from the part available for data.
Listing all in-MFT files would still be kind of easy: the app would just have to browse the MFT tree for records with resident data attributes. Detecting deleted ones could be kind of easy as well, seems there's a two byte flag at +0x16 indicating if the file has been deleted. Minimizing the "effort", just overwriting the filename with rubbish and overwriting the data part with rubbish could be possible without having to go and actually delete/rearrange MFT records. But due to the unlockable state you described, I would very likely have a boot manager boot up a miniature Linux of the two-floppy-size type and run it from there ;)

That kind of reminds me that I've wanted to put my LaTeX file recovery tool on my development blog for quite some time, but never came round to doing that ;)

Btw: I guess "easy to use" is quite relative. Most users wouldn't call Norton's Disk Editor easy :D
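
An added example, not part of the original posts and not code from any program mentioned in this thread: a read-only Python parser that takes one 1024-byte FILE record (as read from a disk image) and reports whether the in-use bit of the flag word at +0x16 is clear and what resident data and filename the record still holds. The function names and the sample record are constructed for illustration; every field offset other than the +0x16 flag follows the commonly documented NTFS layout and is an assumption relative to this thread.

```python
import struct

ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 0x30, 0x80, 0xFFFFFFFF

def apply_fixups(rec, sector=512):
    """Restore the two bytes at each sector end from the update sequence array."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 0x04)
    out = bytearray(rec)
    for i in range(1, usa_count):
        if rec[i * sector - 2:i * sector] != rec[usa_off:usa_off + 2]:
            raise ValueError("torn record: sector tail does not match USN")
        out[i * sector - 2:i * sector] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(out)

def parse_record(raw):
    """Return (in_use, filename, resident_data); offsets are the assumed NTFS layout."""
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(raw)
    off, flags = struct.unpack_from("<HH", rec, 0x14)
    name = data = None
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen < 24 or off + alen > len(rec):
            break
        if rec[off + 8] == 0:  # resident: content lives inside the MFT record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == ATTR_FILE_NAME and len(body) >= 66:
                name = body[66:66 + 2 * body[64]].decode("utf-16-le")
            elif atype == ATTR_DATA and rec[off + 9] == 0:  # unnamed stream
                data = body
        off += alen
    return bool(flags & 1), name, data  # flags word at +0x16: bit 0 clear = deleted

def build_sample(name, content, in_use, usn=b"\x07\x00"):
    def attr(atype, body):  # resident attribute: 24-byte header + 8-aligned body
        padded = body + bytes(-len(body) % 8)
        return struct.pack("<IIBBHHHIHBB", atype, 24 + len(padded), 0, 0, 0, 0, 0, len(body), 24, 0, 0) + padded
    fn = bytes(64) + bytes([len(name), 1]) + name.encode("utf-16-le")
    attrs = attr(ATTR_FILE_NAME, fn) + attr(ATTR_DATA, content) + struct.pack("<I", ATTR_END)
    rec = bytearray(1024)
    struct.pack_into("<4sHH12xHH24x2s", rec, 0, b"FILE", 0x30, 3, 0x38, int(in_use), usn)
    rec[0x38:0x38 + len(attrs)] = attrs
    for i in (1, 2):  # stash real sector tails in the USA, stamp the USN on "disk"
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[i * 512 - 2:i * 512]
        rec[i * 512 - 2:i * 512] = usn
    return bytes(rec)

SAMPLE = build_sample("old.log", b"line of log text\n" * 24, in_use=False)  # constructed
```

The sample's resident data crosses the first sector boundary, so the recovered bytes are only correct once the update-sequence fixups have been applied.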

GastX
2008-04-09, 08:39
Hello,

Sorry, my English is often too direct :oops: . I should have added a nuance about the old Norton's Disk Editor.
Few people are interested in editing the disc's structure. For them, NDE was straightforward compared to other disk editing software.
Disc's structure remains a technical (and sensitive) area.

spy1
2008-06-11, 21:18
Well, thank you very much for looking into it, anyway.

It wouldn't do for it to be too "technical", because Pete would wind up being computerless! :oops:

Gotta run. Pete

hitechluddite
2008-09-10, 01:18
I found this thread while doing a search for an MFT cleaning program. I have a program I got in 04 that does a pretty good job keeping the MFT size down. It was designed to undelete files and it has an option to erase undelete data after searching a drive. It is pretty resource intensive but will virtually eliminate the MFT when it is finished. It's an old version of Filesaver. Alas, mine is not working now because I had to change MBs and that rendered the license invalid. I have a request in to them and I'm hoping they will still support it.