About | Buy Stuff | News | Products | Rants | Search | Security
Home » Resources » Software » Reviews » The Evidence Eliminator Documents

The Log File

If you tickle EE just right, it will write and save a log file of its operations.


Get It

Try It

Evidence Eliminator v5.0 started work: 3/07/01 7:29:00 PM
Beginning Safe Restart procedure.
Generating random data...<OK>

Apparently a single generation of random data is all you need...

Eliminating Folder: C:\recycled\
Scanning C:\recycled\ for mask *.* ... please wait... <OK>
Files found: 1
Eliminating File: C:\recycled\desktop.ini <Skipped system file>
Eliminated 0 file(s)

Yep, it's a federal case. Nothing happened here.

Drive Scan no. 1 C:\
Scanning C:\ for mask *.tmp ... please wait... <OK>
Files found: 0
No data found
Scanning C:\ for mask *.bak ... please wait... <OK>
Files found: 0
No data found
Scanning C:\ for mask *.gid ... please wait... <OK>
Files found: 0
No data found
Scanning C:\ for mask *.chk ... please wait... <OK>
Files found: 0
No data found
Scanning C:\ for mask *.old ... please wait... <OK>
Files found: 0
No data found
Scanning C:\ for mask *.$* ... please wait... <OK>
Files found: 0
No data found
Scanning C:\ for mask *.~* ... please wait... <OK>
Files found: 0
No data found
Scanning C:\ for mask *.--- ... please wait... <OK>
Files found: 0
No data found
Scanning C:\ for mask ~*.* ... please wait... <OK>
Files found: 0
No data found

Ok, so now we know that too: What junk files EE looks for.

Eliminating Folder: C:\WINDOWS\applog\
Scanning C:\WINDOWS\applog\ for mask *.* ... please wait... <OK>
Files found: 0
No data found

This directory contains lists of all the programs you've run - ostensibly to help speed up program loads. If you don't want this data around, all you have to do is delete it once yourself - including the desktop.ini file - and it will never come back again.

Eliminating Folder: C:\WINDOWS\temp\
Scanning C:\WINDOWS\temp\ for mask *.* ... please wait... <OK>
Files found: 0
No data found

Straightforward. No comments necessary.

Eliminating folder tree: C:\WINDOWS\Recent\ including root folder...<OK>
Eliminating folder C:\WINDOWS\Recent <OK>
Eliminating Recent Documents registry...
Eliminating Registry Key...
This section is clear <OK>

The Wonder of Windows is that Microsoft doesn't think it's enough to clutter your Start Menu with things they presume you cannot find on your own; the same junk has to go into your Registry as well.

Eliminating Start Menu Run history...
Eliminating Registry Key... This section is clear <OK>
Eliminating Start Menu Find Computer registry...
Eliminating Registry Key... This section is clear <OK>
Eliminating Start Menu Find Files registry...
Eliminating Registry Key...
This section is clear <OK>

More MRU lists.

Eliminating IE Typed URL History...
Eliminating Registry Key...

What's in your IE location bar.

Eliminating IE Typed AutoComplete data...<OK>

Even if it can be cleaned, beware of using this IE feature - it's dangerous having IDs and passwords lying about!

Eliminating Folder: C:\WINDOWS\Temporary Internet Files\
Scanning C:\WINDOWS\Temporary Internet Files\ for mask *.* ... please wait... <OK>
Files found: 1
Eliminating File: C:\WINDOWS\Temporary Internet Files\desktop.ini <P1>[0][-][R]<NAME><ZERO><KILL><OK>

The squigglies mean EE is running pass 1 and filling the file with 0's, then 1's, then its 'random data', then obfuscating the file name (which, as 'desktop.ini', is hardly compromising anyway).

Eliminating Folder: C:\WINDOWS\History\
Scanning C:\WINDOWS\History\ for mask *.* ... please wait... <OK>
Files found: 1
Eliminating File: C:\WINDOWS\History\desktop.ini <P1>[0][-][R]<NAME><ZERO><KILL><OK>

Same op performed on IE's History.

Scanning C:\WINDOWS\Cookies\ for mask *.* ... please wait... <OK>
Files found: 1
Eliminating File: C:\WINDOWS\Cookies\index.dat <P1><NOWIN><DOS><OK>

Here go the cookies!

Scanning C:\WINDOWS\Downloaded Program Files\ for mask *.* ... please wait... <OK>
Files found: 0
No data found

Microsoft's default location for downloaded program files (obviously), which no power user with dignity would ever use anyway. The question is: If you do use another location to download files, would EE help you? Would you want it to?

Eliminating File: C:\WINDOWS\Application Data\Microsoft\Outlook Express\Deleted Items.dbx
No file found: C:\WINDOWS\Application Data\Microsoft\Outlook Express\Deleted Items.dbx
Eliminating File: C:\WINDOWS\Application Data\Microsoft\Outlook Express\Sent Items.dbx
No file found: C:\WINDOWS\Application Data\Microsoft\Outlook Express\Sent Items.dbx

LookOut bloat droppings.

Eliminating Media Player History...
Eliminating Registry Key...
This section is clear <OK>
Eliminating NSN3 Typed URL history...
Eliminating Registry Key... This section is clear <OK>
Eliminating Folder: C:\Program Files\Netscape\Navigator\Cache\
No folder found: C:\Program Files\Netscape\Navigator\Cache\
Eliminating File: C:\Program Files\Netscape\Navigator\netscape.hst
No file found: C:\Program Files\Netscape\Navigator\netscape.hst
Eliminating File: C:\Program Files\Netscape\Navigator\cookies.txt
No file found: C:\Program Files\Netscape\Navigator\cookies.txt
Eliminating Folder: C:\Program Files\Netscape\Users\default\Cache\
No folder found: C:\Program Files\Netscape\Users\default\Cache\
Eliminating File: C:\Program Files\Netscape\Users\default\netscape.hst
No file found: C:\Program Files\Netscape\Users\default\netscape.hst
Eliminating File: C:\Program Files\Netscape\Users\default\history.dat
No file found: C:\Program Files\Netscape\Users\default\history.dat
Analyzing Netscape v4 cookies...
Netscape 4 Cookie file not found
No JavaScript found prefs.js
No JavaScript found liprefs.js
Scanning C:\Program Files\Netscape\Navigator\Mail\ for mask *.snm ... please wait... <OK>
Files found: 0
No data found
Eliminating File: C:\Program Files\Netscape\Navigator\Mail\Trash
No file found: C:\Program Files\Netscape\Navigator\Mail\Trash
Eliminating File: C:\Program Files\Netscape\Navigator\Mail\Sent
No file found: C:\Program Files\Netscape\Navigator\Mail\Sent
Scanning C:\Program Files\Netscape\Users\default\Mail\ for mask *.snm ... please wait... <OK>
Files found: 0
No data found
Eliminating File: C:\Program Files\Netscape\Users\default\Mail\Trash
No file found: C:\Program Files\Netscape\Users\default\Mail\Trash
Eliminating File: C:\Program Files\Netscape\Users\default\Mail\Sent
No file found: C:\Program Files\Netscape\Users\default\Mail\Sent
Scanning C:\WINDOWS\SYSBCKUP\ for mask rb*.cab ... please wait... <OK>
Files found: 0
No data found

A lot to comment on here:

  • If Microsoft's Media Player does actually keep an MRU list in the Registry, then of course it's a good idea to delete it.
  • There's little point in searching for Navigator 3.x stuff (NSN3) if Navigator 3.x isn't even installed on the system, although looking for it anyway is of course the more thorough approach.
  • It would seem a lot easier to check for the existence of the Navigator hive first rather than move to strike each and every possible Navigator file on its own.
  • prefs.js and liprefs.js can contain a lot of junk, but they also contain all the settings for Netscape - both 3.x and 4.x. Removing these will set you back to 'factory defaults' - something you might not have been prepared for. Then again, if crime is your game, you won't want to take any chances - you'll want these files deleted anyway.
  • Again, there's little use looking for Netscape mail files if you've already found that the Netscape hive doesn't exist.
  • The final entry is for Registry backups and represents a configurable setting in EE.

[Executing Plug-In: Adobe Acrobat Reader v3.0]

* * *

Plugins are data about settings from other programs which can be deleted. If new programs come along, one need only add an EEP file to the setup. Very thorough work.

Working on disk structure...
Checking volume: C ...<OK>
Checking Media ID...<OK>
Media File System: FAT32
DPB type is: FAT32 [Extended DPB OSR2+]
Locking volume...<OK>
Testing lock...<OK>

Ok, enough time spent on the kindergarten routines. Time for the low down dirty stuff. (At this point the volume should obviously be locked - yet tests have shown that it's apparently not. EE can complain even after this point that other programs are still writing to disk.)

FAT32 Bootsector at Sector 0                      [D]
OEM Name =                                        MSWIN4.1
Bytes per Sector =                                512
Sectors per Cluster =                             8
Reserved Sectors =                                32
Number of FATs =                                  2
Number of RDEs =                                  0
Media Descriptor =                                248
Sectors per Fat =                                 0
Sectors per Track =                               63
Number of Heads =                                 240
Hidden Sectors =                                  63
BTotal Number of Sectors =                        15634017
BSectors per Fat =                                15240
Extended Flags =                                  0
File System Version =                             0
Root DIR Starting Cluster =                       131213
File System InfoSector =                          1
Backup Boot Sector =                              6
BIOS Drive Number =                               128
Boot Signature =                                  41
File System Type =                                FAT32
Bytes per FAT =                                   7802880
FAT1 sector 1 =                                   32
Entries per FAT sector =                          128
Max Cluster =                                     1950439

Straightforward disk stuff.

Securing FAT32 Root Directory...
Eliminated deleted filenames in root =            2

This is good. An MS root can contain 512 file names - and a lot of these files are deleted and the junk just accumulates. Note that you can't win disk space here: The size of the root is fixed.

Scanning C for all folders, deep scan, please wait... <OK>
Folders found: 1901

'Deep scan' seems to mean EE looks through all directories recursively.

Securing directory structures...
Eliminated deleted filenames =                    317

Again, as with the root, this is a good move, but this one will net you disk space as well. All directories save the root are of dynamic size and can start smaller than the root and grow larger than the root. If a lot of files are temporarily copied to a directory and then deleted, the directory will have a lot of slack in it. This move is good even if you're not a criminal and just want your disk cleaned up the way Microsoft should have cleaned it up in the first place.

Scanning C for all files, deep scan, please wait... <OK>
Files found: 20447

The second 'deep scan'. Ok, now EE knows how many files there are on disk. Great.

Securing file structures...
Evidence eliminated in file structures <OK>

Huh? 'File structure'? If EE is trying to eliminate data in the file slack, that's fine - but then it should say so.

Eliminating free space on drive C:\, please wait... [Mode 1 - ZERO]
Free data eliminated on C:\ <OK>
Eliminating free space on drive C:\, please wait... [Mode 1 - FILL]

Ah, this is cute. What EE is doing at this point is eating up all your disk free space. Version 4.5 put it all in one humungoid file, version 5.0 creates 64MB files until the disk is full. For both versions the files are stored in \eetemp. EE is supposed to be able to turn off system broadcasts about dwindling disk free space - but it doesn't seem to work. Nevertheless, this is an ingenious idea. (EE does not perform any secure shredding, but that's another matter discussed elsewhere.)

Log saved to C:\Program Files\Evidence Eliminator\EElog.txt<OK>

Run complete.

Ok, so now we've seen EE 'go for it' - what can we conclude?

  • There are a few minor areas where EE might possibly be more efficient.
  • Most of the junk EE deletes is stuff a well running system wouldn't have around anyway.
  • Eliminating file slack and disk slack is good - and the latter uses a very high level (read: inefficient) yet very ingenious algorithm.
  • Unless you lead a life of crime, you won't need this on a personal basis.
  • The minimal shredding EE performs would seem to be 'childs play' in the hands of almost any forensic analysis software.

In conclusion? EE does everything it says it's going to do - with one notable exception. For no good reason, it simplifies its shredding to the point that you definitely are not safe if this level of safety is what you or your corporation really need.

Almost every proper review of EE goes to great pains to test it and claim that it does everything it's supposed to, yet no one has questioned the shredding going on - and these same reviews can start with the oft-quoted 'known to defeat forensic analysis software' - yet no one anywhere has ever seen any such test results - no one anywhere has even tried it, and no one seems to know a hoot about what shredding really is.

So yes - exclude the shredding and assume you run a lame computer and there will be a lot of files cleaned out of your system by EE. And EE will cut the slack in your directories under root too. But if you need secure file deletion - you'd better look elsewhere.

Prev | TOC | Next

About | Buy | News | Products | Rants | Search | Security
Copyright © Radsoft. All rights reserved.