Hard Drive Operations in Evidence Eliminator

Various hard drive-specific cleaning functions in a centralized format. 

Functions which scan for special file types which you wish to eliminate from your drives.

Enable File Scanning

The checkbox switches the scanning function on or off.

File Masks 

File masks are patterns which the drives will be scanned for. Wild-cards of * and ? are allowed.

? - in a pattern means any single character
* - in a pattern means any number of characters

If you enter *.* or *. or * a warning message is displayed. For if you ran this function with C:\ and *.* you would delete your entire hard drive!

All the listed file masks are scanned on all the listed drives, and then all matching files are eliminated. The standard configuration includes these types:

*.bak  - Backup files
*.gid  - Unnecessary Help files
*.chk  - Re-claimed disk clusters
*.old  - Backup files
*.tmp  - Temporary files
*.$*   - Temporary files
*.~*   - Temporary files
*.---  - Temporary files
~*.*   - Temporary files

This default provides a balanced set of protection for most people. In your individual system configuration you might discover other file types which programs leave behind that you would like to target. You may add other types. All masks listed are deleted from all the named drives or paths.

Suggestions to add your own file masks

Picture viewers may create Index files on your drives containing thumbnails. PaintShopPro's picture browse feature creates index files which can be eliminated with a mask of *.jbf for example. 

Skip Hewlett-Packard PaperPort files on file scans

Check this box to force Evidence Eliminator to skip the files generated by Hewlett-Packard PaperPort software in the format "~DESKTOP.*". It will skip such files in these scans, and this option over-rides the scan masks you have set. Please note that this option only affects this "Drive Scan" tab, and not other tabs. For example, if you enter a particular custom folder for elimination under the "Custom Folders" tab, then all files in that folder are eliminated as usual.

Skip Cryptext files on file scans

Check this box to force Evidence Eliminator to skip the files generated by Cryptext encryption software in the format "*.$#!". It will skip such files in these scans, and this option over-rides the scan masks you have set. Please note that this option only affects this "Drive Scan" tab, and not other tabs. For example, if you enter a particular custom folder for elimination under the "Custom Folders" tab, then all files in that folder are eliminated as usual.

High-Performance Mode

High-Performance Mode

New in Evidence Eliminator v3.0 (Latest version is 5.058) we introduced cutting-edge drive cleaning technology. Two functions are available - high-speed cleaning of directory structures and high-speed cleaning of file cluster tips. You can safely check all options in this section and be amazed at the rapid rate with which Evidence Eliminator will thoroughly cleanse your drives. Cleaning rate is approximately 3,200 files per minute on a fast PC for cluster tips. A detailed explanation follows on each function:

Directory Structures

A diligent user reported this issue in v2.01 and it is now fully implemented in v3.0 and later.

When you delete files, Windows sometimes keeps their names buried in the directory structure of the hard drive. This function scans and analyzes all the folders on your drives, securely eliminating all traces of deleted file names, and also their times, dates, sizes and attributes, leaving not one single trace of evidence remaining. As a full low-level cleaning solution, it is activated by a single checkbox. There is no need to adjust this function in any way, it is fully automatic. 

File Structures

Files are stored on your disk in clusters. Clusters are fixed chunks of space provided by the Windows File System. If the cluster size is 4kb and your file is 6kb, then your file takes two clusters but only occupies half the second cluster. Files normally have free space at their tips, containing data left-over from previous insecurely deleted files.

Under FAT32 the cluster size varies from 512 bytes to 32kb. Under FAT16 the cluster size is a fixed 32kb. These hidden spaces are quite big enough to contain evidence of web pages you have viewed, pictures, sounds, anything. 

In Win95 FAT32 and all versions of Win98 the cluster size varies according to partitioning and drive size. On an average 6GB drive the cluster size will be 4kb or 4096 bytes.

FAT32 is a faster, more efficient and secure file system than the FAT16. If you have old windows 95 FAT16, upgrading is a good idea. We recommend the use of the latest Windows 98SE (Second Edition) with FAT32 drives.

Evidence Eliminatorautomatically scans all your drives, analyzes each individual file and securely overwrites the cluster tip space with multiple passes of garbage according to your settings under the Mode Tab. There is no commercial service available that can reverse this function - total elimination. A file size limitation of 2 Gigabyte applies for cleaning of cluster tips. Files above this size are skipped. Most ordinary users never have files anywhere near to that size. 2 Gigabyte is larger than 3 full CD-ROMs.

The existing data in your files is not altered by this function. Only the free unused space in the file clusters is cleaned.

Cleans Cluster Tips of locked files

From V3.0 onwards Evidence Eliminator will clean the cluster tips of all files, including system files and DLL's - even while Windows has the files "locked" - Evidence Eliminator will still clean them for you.

Secure Under-Writing of existing Files and Folders

New World-Beating technology in v4.5 is now available. The disk space beneath existing files and folders can be securely overwritten with multiple passes of garbage according to your settings under the Mode Tab to defeat hardware analysis of deleted files by electron microscopes. 

Future advancements for this function have already been designed too, and will be available in new versions of Evidence Eliminatoras soon as we have manufactured and fully tested them for reliability and performance.

This function may take several hours to complete on a large drive. On ULTRA-DMA drives with a single Zero overwrite set in the Mode tab we have achieved test results of around 10GB of drive space cleaned per hour. The time taken increases proportional to the number of overwrites you select in the Mode Tab and the size of your drives.

Please read carefully the safety messages you receive on enabling this function. There is a slightly increased risk of loss of data, over the normal risk that exists if a PC is powered-off or crashed during disk writes, whatever software is in use. However, this function has performed perfectly in our test procedures. We recommend the normal sensible precautions when using a powerful disk cleaner like Evidence Eliminator including maintaining a good working Windows installation, booting freshly before use, keeping regular data backups, running ScanDisk, making sure other programs are not running, and a good power supply to the PC, preferably a UPS (Un-Interruptable Power Supply) if available for maximum resilience and system reliability.

A small red "Magnet" icon appears to the right of the lower Status Bar in the main program window when Under-Writing is in progress.

Scramble Attributes within Evidence Eliminator

Within each file and folder in your disk, a variety of date and time information is stored. You can see some (but not all) of this information by right-clicking on files or folders in Windows explorer and selecting "Properties". In addition to Date and Time of creation, modification and date of last access, each file also remembers a hidden counter of Centi-Second (one-hundredths of one second) accuracy, showing when the file was made.

This option enables Evidence Eliminator to completely scramble these records as it performs the "Securing Directory Structures" operation.

You can set up to 24 months into the past and up to 24 months into the future as the range for randomization of the dates and times.

The default is up to 6 months in the past and up to 1 month into the future.

Randomizing into the future a month or two provides "cover" even after you have finished running EE. Because any dates or times of any file accesses you make, are "smoke screened" by the randomized dates and times you have already created in the future. It's impossible to prove which files were dated because you used them, and which files were dated because of the randomization process of Evidence Eliminator.

This provides effective cover against snoops analyzing the date and time records of the files and programs in your PC.

A safety message about affected programs will appear when you enable this function. If you have any program on your disk which relies on file dates and times, obviously they would be affected. Such programs are rare. Most programs are not interested in file dates and times. If anybody finds any program which is affected by this function, please e-mail the name of the conflicting program to our Technical Support.

Prevent DLL error messages:

DLL files are system files. It is recommended if scrambling attributes, you should also mark the "DLL Version" checkbox in this section. This clears Windows database of the times and dates of its installed DLL files. Failure to do this may cause errors as the machine boots. The exact error message is: "System File Error. The following files have been replaced with older  versions by a program you recently ran. These files are currently in use and cannot be automatically repaired. Windows may not run correctly until you exit and restart Windows so that these files can be automatically repaired."

These annoying error messages are common on Windows 95/98 after daylight saving time changes. Often there is nothing wrong with the DLL's at all. Windows has simply become confused about their timestamps.

The only downside to clearing the DLL database is a badly-programmed installer may down-grade your system DLL files without Windows telling you about it. However, most modern software installers are intelligent and will only replace DLL files with newer versions.

If you use Evidence Eliminator's function to randomize the dates and times of files on your PC, we recommend you go into ScanDisk options and switch OFF the function that corrects file dates & times. ScanDisk will otherwise "repair" any dates set in the future and un-do the randomization process to some extent.

Write Caching

If you intent to use multi-pass deletion, please note the information on Write Caching under Miscellaneous Tips.

Hard Drive Space

Cleaning Free Space on your drives

An essential function to make sure you complete the job properly. Don't skimp on this section. It takes a little time. Your computer may spend 5-10 minutes on a full Safe Shutdown. Computer time is almost free, let Evidence Eliminator do the hard work for you to keep your system crystal-clear. Hit Safe Shutdown with full options selected every day you surf the Internet.

Enable Free Space Elimination

Free data in all unallocated areas on your drive is overwritten with multiple passes of garbage according to your settings under the Mode Tab. There is no commercial service available that can reverse this function - total elimination. 

Speeding up Evidence Eliminator™ with "Ballast Files"

The time it takes to clean your drives free space can be reduced by creating "Ballast Files" to occupy unnecessary free space.

Recycle Bin Evidence

Recycle Bin

This option securely eliminates all files in the Recycle bin on all drives.

A single hidden system file "desktop.ini" will be skipped in the Recycle Bin in Test Mode. This tiny file has only a few bytes of system data in it and is required to maintain the integrity of your Windows installation. After a Safe Shutdown or Safe Restart it will be eliminated and Windows will re-create it on boot-up.

Hot-Key Recycle On Demand

With the new "Hot-Key Recycle" feature, press CTRL-Delete to eliminate the contents of the Recycle Bin.

Using the SHIFT key in Windows, you can send files direct to the recycle bin without confirmation. Hence, use SHIFT-Delete instead of the normal Delete for an instant recycle of your files/folders, before you engage Evidence Eliminator to finish the job.

Alternatively right-click your recycle bin and uncheck the "Delete Confirmation" option. Pressing Delete will now send files directly to the recycle bin. 

Uncheck the "Show an OK/Cancel Message" box in Evidence Eliminator, too, (under Options/Misc/Explorer) and you may now simply use the following keystrokes to securely eliminate all and any files/folders on your PC, instantly:

Delete
CTRL - Delete

With this configuration, you only have to press the Delete key twice (holding down CTRL on the second press) and your normal Windows Delete function is complemented with the Evidence Eliminator secure destruction process capable of withstanding determined attack by Forensic Software.

This same function is available by right-clicking on any files or folders and selecting "Evidence Eliminator Safe Delete" from the pop-up menu.