Master File Table cleanup utility? [closed]

Posted 2020-06-18 20:29

Question:

Can anyone recommend a tool for MFT cleanup? I want to restore the entries in my MFT for files which once existed but have been deleted to a "pristine" state, with zeroed-out entries.

Answer 1:

This paper by Hal Berghel and David Hoelzer lists a whole bunch of products which claim to securely erase files. MFT cleaning is a feature of some of them. The paper concludes that only one product, Evidence Eliminator, actually does clean up the MFT properly.

PGP Corp responds here to criticism of its own product, PGP Shred. Apparently it has an advanced option, "Wipe NTFS Internal Data Structures" which will clean the MFT, although this option is not enabled by default.

I've used PGP Shred myself so to some extent I can recommend it, but I confess I've never checked whether the MFT wiping feature actually works as described.

Clearly vendors sometimes overstate the abilities of their software, so your mileage may vary. If it's really important to you that the MFT entries are properly wiped, you may want to run disk forensics tools over your disk post-wipe - some ideas on how to do this are in the Berghel and Hoelzer paper.



Answer 2:

Mmm. The question is wrong. I mean on an in-use volume that the entries left-over in the MFT, from files which once existed but now are gone, those entries are cleaned up.

It sounds a lot like you're asking for a program that will zero-out parts of the MFT that don't currently represent actual files. I'm going to go out on a limb here and say that no company is going to touch that one even with a stick.

  • NTFS is poorly documented at best
  • NTFS is a moving target, and the MFT is one of those "hands off" areas that are subject to change without notice
  • Overwriting presumably unused areas of this block offers zero benefit to the average user
  • Zeroing out the "free" space means zapping every bit that you don't think Microsoft is using for anything important, a tenuous prospect at best.
  • A mistake in this operation (which is surprisingly likely) means losing files at best, losing the whole filesystem at worst

In other words, the project would be expensive and time consuming to build, would be riddled with uncertainty about its safety, and would not offer enough (any?) benefit to customers to convince them to use it.

I can't imagine such a thing exists, nor do I expect that it ever will.



Answer 3:

I found a satisfactory solution for this problem, check and test if you like:

Paragon HD Defrag, which is part of Paragon HD Manager 2010, when run from the boot CD of that product, has the function or option to truncate the MFT. The utility cuts off any excess MFT entries that are not in use. (nice)

These days there also is Piriform CCleaner. It claims to overwrite MFT entries. It generates tons of files called variations of zzzz.zzzz.

I would suggest generating, say, 8000 extra MFT entries with CCleaner, then truncating the MFT using the Paragon HD Manager boot CD, then restarting and shift+deleting the zzz.zzz files.



Answer 4:

I tried CCleaner and other tools to zero out unused MFT references.

I then searched with a hex editor for files I had previously deleted - and found them.

Then I performed a full format while re-installing Windows 7, ran the hex editor again and they were still there. I was quite shocked that a full format and re-install didn't overwrite the MFT.

The only way I got rid of everything was to use DBAN.
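One way to automate the post-wipe check that answers 1 and 4 describe, as an added example that is not part of the original answers: it scans a raw copy of `$MFT` for file records that are marked not in use but still carry a `$FILE_NAME` attribute. It assumes 1024-byte records and 512-byte sectors; the function names are hypothetical, and `make_record` and `SAMPLE_MFT` are constructed test data.

```python
import struct
RECORD_SIZE, SECTOR = 1024, 512   # assumption: default NTFS record and sector sizes
IN_USE, FILE_NAME, END = 0x0001, 0x30, 0xFFFFFFFF

def apply_fixups(rec):
    """Restore the sector-end bytes that NTFS swaps into the update sequence array."""
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    rec = bytearray(rec)
    for i in range(1, usa_cnt):
        src, end = usa_off + 2 * i, i * SECTOR
        if max(src + 2, end) <= len(rec):
            rec[end - 2:end] = rec[src:src + 2]
    return bytes(rec)

def file_names(rec):
    """Yield the names held in resident $FILE_NAME attributes of one file record."""
    off = struct.unpack_from("<H", rec, 0x14)[0]        # offset of first attribute
    while off + 0x18 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END or alen < 0x18 or off + alen > len(rec):
            return
        body = off + struct.unpack_from("<H", rec, off + 0x14)[0]
        if atype == FILE_NAME and rec[off + 8] == 0 and body + 0x42 <= off + alen:
            nchars = rec[body + 0x40]                   # name length in UTF-16 units
            yield rec[body + 0x42:body + 0x42 + 2 * nchars].decode("utf-16-le", "replace")
        off += alen

def residual_entries(mft):
    """Return (record_number, name) for records not in use that still hold a name."""
    hits = []
    for n in range(len(mft) // RECORD_SIZE):
        rec = mft[n * RECORD_SIZE:(n + 1) * RECORD_SIZE]
        # Zeroed slots have no FILE signature; bit 0 of the flags at 0x16 means "in use".
        if rec[:4] == b"FILE" and not rec[0x16] & IN_USE:
            hits += [(n, name) for name in file_names(apply_fixups(rec))]
    return hits

def make_record(name, in_use):
    """Constructed sample: a minimal FILE record holding one $FILE_NAME attribute."""
    content = bytes(0x40) + bytes([len(name), 1]) + name.encode("utf-16-le")
    alen = (0x18 + len(content) + 7) & ~7
    attr = struct.pack("<IIBBHHHIHH", FILE_NAME, alen, 0, 0, 0, 0, 0, len(content), 0x18, 0)
    attr = (attr + content).ljust(alen, b"\0") + struct.pack("<I", END)
    hdr = struct.pack("<4sHHQHHHH", b"FILE", 0x30, 3, 0, 1, 1, 0x38, IN_USE if in_use else 0)
    rec = bytearray((hdr.ljust(0x30, b"\0") + b"\x01\0".ljust(8, b"\0") + attr).ljust(RECORD_SIZE, b"\0"))
    rec[0x32:0x36] = rec[510:512] + rec[1022:1024]   # save the real sector-end bytes
    rec[510:512] = rec[1022:1024] = b"\x01\0"        # stamp the update sequence number
    return bytes(rec)

# Constructed input: a live file, a deleted file with a residual name, a zeroed slot.
SAMPLE_MFT = make_record("live.txt", True) + make_record("payroll.xlsx", False) + bytes(RECORD_SIZE)
```

An empty result from `residual_entries` on an exported `$MFT` means no freed record still names a file; adjust `RECORD_SIZE` if the volume uses a different file-record size.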



Answer 5:

You could use SDelete to zero your remaining free space.