September 29th, 2005, 03:35 AM
Windows XP restore points and wiping
Well somebody else asked the question but the thread went suicidal.. I'm not as paranoid as everybody else, so here is the answer to what the XP restore point stores. Check this technet article, and the file listed at the bottom-
The XML file is broken down into three segments: Files, Directories, and extensions.
For each segment it contains those items to include, and to exclude. So as you can see by default very little personal data should be stored in a system restore. It excludes most document and profile information, and the only extensions included are programs and things of the like. Docs, pictures, adobe PDF, and other standard file formats for storing data are not included in the system restore.
As to how antivirus and cleanup tools impact system restore. In my experience if the cleanup utility does not specifically have an option to "wipe" system restore it doesn't know about system restore. BCwipe and some of the other utilities mentioned in the original question have options to delete system restore points.
Windows XP disk cleanup and restore points- http://support.microsoft.com/default...b;en-us;310312
As far as how good are disk wiping utilities. Most of them if they can do multiple wipes with a Peter-Gutmann wipe algorithm are going to be very effective. I'm sure there are some cheap software wipers out there that say they are doing a 7 overwrite wipe, and don't, but the ones mentioned in the original question do the trick.
September 29th, 2005, 04:22 AM
To be completely honest, that is the type of questions that my old boss would put onto me. He may not be doing something wrong, he may be asking because the company he works for is trying to ensure their data is safe.
Lets say Mr Jones is working on a classified document, now that document has to be cleared off the system, so they delete the file and use BCWipe to clear the free space. If Bad Man Joe knows about this and wants the document, can he get it by going to the past restore point?
I would suggest in this case to stop system restore, delete the restore files and keep BCWipe on hand.
Even if this guy is being shady, I feel information is free. If he is going to use it for bad, someone else is going to use it for good and now it is readily available.
September 29th, 2005, 04:40 AM
If it is a doc, wps, pdf, xls, or any other standard document file then no. You can open up that file on your xp machine and see what file types are included. I don't feel like cutting/pasting the contents of the file as it would be rather long.
If Bad Man Joe knows about this and wants the document, can he get it by going to the past restore point?
September 29th, 2005, 12:14 PM
Original Thread was
Thanks for the info here is the original thread --
First, When installing Win XP as a default the system restore is on.
What does it store?
Secondly, lets say you go ahead and make a' Restore" point, then you wash your system with Eraser, will it touch that restore point?
Third, what if you turn off restore and delete the restore point, then wash it, does it overwrite the data form that restore point that was deleted?
Last, has anyone done any research by taking several drives using the product below and verifying with forensics tools on which does what it claims?
2) Wipe Drive / Secure Clean by white Canyon Software
3) Window Washer
4) BC Wipe
5) Evidence Eliminator -- After seeing article in forum, you have to think, is there a gov back door-- I mean by this, would the government really allow a product to be on market that would be able to cover up tracks of bad guys and make prosocution harder for LEO?????????