Can anyone recommend a tool for MFT cleanup? I want to in my MFT restore the entries for files which once existed but have been deleted to a "pristine" state, with zeroed out entries.
Master File Table cleanup utility? [closed]
Asked Answered
How is that different from a just formatted volume? –
Sheepcote
Mmm. The question is wrong. I mean on an in-use volume that the entries left-over in the MFT, from files which once existed but now are gone, those entries are cleaned up. –
Spinoza
If you want to go with a more naive approach yet retain your data, couldn't you backup the remaining contents of the volume, (full) format the volume and make sure it's been zeroed out, and then restore your data? Or are you looking for something that you can run frequently/periodically without such a heavy-handed process? –
Yoruba
In the end I was never fully successful. I found no software to do the job. I wrote a utility which created (and then deleted) vast numbers of empty files, to try to force re-use of MFT space; this did quite well - you could mainly only see the empty filenames. However, even this didn't get rid of every lingering older filename, although it did remove most of them. –
Spinoza
This paper by Hal Berghel and David Hoelzer lists a whole bunch of products which claim to securely erase files. MFT cleaning is a feature of some of them. The paper concludes that only one product, Evidence Eliminator, actually does cleanup the MFT properly.
PGP Corp responds here to criticism of its own product, PGP Shred. Apparently it has an advanced option, "Wipe NTFS Internal Data Structures" which will clean the MFT, although this option is not enabled by default.
I've used PGP Shred myself so to some extent I can recommend it, but I confess I've never checked whether the MFT wiping feature actually works as described.
Clearly vendors sometimes overstate the abilities of their software, so your mileage may vary. If it's really important to you that the MFT entries are properly wiped, you may want to run disk forensics tools over your disk post-wipe - some ideas on how to do this are in the Berghel and Hoelzer paper.
I've been checking with File Scavenger, which shows up 10k deleted files. This is after an MFT defrag! if FS shows up 0 files, then I'll be happy enough it worked. I'll try the utilities you've mentioned here - if one works, you get the accept. –
Spinoza
Sorry for the delay. I didn't have time to check out the software before the bounty expired. I've just tried PGP - important note, it can't blank the MFT on the boot partition. –
Spinoza
Problem kinda solved; I wrote a little program which simply loops creating new empty files. Created 100k files. This totally over-wrote all the lingering MFT entries. Of course, when you delete your empty files, you're left with your dummy MFT entries. But at least you know what they are when you see them. –
Spinoza
That's a novel approach - avoids mucking about with the MFT directly. Did none of the other tools actually work as advertised? –
Altimetry
Mmm. The question is wrong. I mean on an in-use volume that the entries left-over in the MFT, from files which once existed but now are gone, those entries are cleaned up.
It sounds a lot like you're asking for a program that will zero-out parts of the MFT that don't currently represent actual files. I'm going to go out on a limb here and say that no company is going to touch that one even with a stick.
- NTFS is poorly documented at best
- NTFS is a moving target, and the MFT is one of those "hands off" areas that are subject to change without notice
- Overwriting presumably unused areas of this block offers zero benefit to the average user
- Zeroing out the "free" space means zapping every bit that you don't think microsoft is using for anything important, a tenuous prospect at best.
- A mistake in this operation (which is surprisingly likely) means losing files at best, losing the whole filesystem at worst
In other words, the project would be expensive and time consuming to build, would be riddled with uncertainty about its safety, and would not offer enough (any?) benefit to customer to convince them to use it.
I can't imagine such a thing exists, nor do I expect that it ever will.
There are enough paranoid people around that there's always a market for this type of software. –
Altimetry
@Altimetry No, I think not. Not when a very safe and reasonable alternative exists: Step 1: copy the "current" files to a new volume. Step 2: zero out the entire drive, MFT and all. –
Karlynkarma
I found a satisfactory solution for this problem, check and test if you like:
Paragon HD Defrag, which is part of Paragon HD manager 2010, and using the boot cd of that product, has the function or option to truncate the MFT. The utility cuts off any excess mft entries that are not in use. (nice)
These days there also is Piriform CCleaner. It claims to overwrite mft entries. It generates tons of files called variations of zzzz.zzzz
I would suggest to generate say 8000 extra mft entries with CCleaner, then truncate mft using Paragon HD Manager boot CD, then restart and shift+delete the zzz.zzz files.
I tried ccleaner, and other tools to zero out unused MFT references.
I then searched with a hex editor for files I had previously deleted - and found them.
Then I performed a full format while re-installing windows 7, ran the hex editor again and they were still there. I was quite shocked that a full format and re-install didn't overwrite the MFT.
The only way I got rid of everything was to use DBAN.
Seems Windows 7 didn't perform a full format. How long did the format operation take, and for how large a drive? –
Electrolysis
you could use SDelete to zero your remaining free space
I tried sdelete; it doesn't touch MFT space. –
Spinoza
above is partially correct in that sdelete doesn't touch file names with the clear or zero option but it does rename the files first to hide the original names. but this wasn't what the original poster asked - the files had already been deleted –
Hhour
© 2022 - 2024 — McMap. All rights reserved.