RESET Forums (homeservershow.com)

$Extend\$Rmmetadata\$Txflog\$Txflog still recoverable after 3 pass overwrite

Server Grunt





Long time since my last visit here on the forums, so it feels good to be back.



I am changing a lot in my IT-environment set-up and one of the outcomes of this re-structuring is that I need to get rid of a large number of hard drives.



I am a little paranoid with my personal data, so I have deleted files, then re-formatted and done both empty space write over and a normal 3-pass overwrite (DoD-level).



To check I use 3 separate file recovery tools and they all come up with that the only files that are recoverable are - $Extend\$Rmmetadata\$Txflog\$Txflog.



My understanding is that this was something used in Vista and server 2003 and 2008. My drives have all been in server 2008 and Home Server environments so that explains why it is there. Note that the machines doing the “cleaning” are all Win7 machines.



However, my question is, what information can one get out of these logs? Is there anything that might reveal any actual information or is it just metadata from the management system?

To clarify: Can anyone recover any sensitive data from these $Txflog-files?


You need to check out this, then: 




NTFS extension file
Used for various optional extensions such as quotas, reparse point data, and object identifiers.
The "$TxFLOG" is the Transactional NTFS Log.
Pretty much *any* structure starting with "$" on an NTFS volume is an NTFS metadata object.  These are created as part of the formatting process, and when the disk is used.  
If you're formatting the drive and not "wiping" it clean (diskpart's "clean all" command, use with extreme caution), then these will always remain and always be recoverable. Period.  That doesn't mean that they're relevant or have any real information. 
So, no, these cannot be used to really recover data or grab additional information.
That said, if you're worried, you will want to do one of two things:
  • Physically destroy the drives.  
    This way, there is no possibility of recovery. 
  • Load up an administrative command prompt, run "diskpart", select the CORRECT disk, and make sure it's the correct disk, and then run "clean all".  This writes zeros to the entire disk, making most data recovery (almost) impossible.  
    This will take roughly 4 hours per TB of capacity to complete. 
    This will also leave the disk in an uninitiated state. 

or some folks use DBAN (disk boot and nuke)


And you know what I say to them?


You might as well physically destroy the drive.


Thanks Drashna and nrf! 


How I missed all of you here, guys!

This community is the greatest!





To clarify, why I hate DBAN....   a single write pass to the disk is enough to prevent recovery in all but the most extreme cases.  I mean laser forensics, spending thousands of dollars to recover data. 


So for most consumers, a single write pass to the disk is enough to completely nuke the contents.  This can be done via a format, or better yet, with a zero pass to the whole disk (which is precisely what DISKPART's "clean all" command does). 


Anything more is unnecessary and just stresses the disk out, and can potentially reduce its longevity. 


And if you're incredibly concerned with no data being recovered, then the ONLY option you should be using is physical destruction. 


So, friends don't let friends DBAN a perfectly good drive.  But don't believe me, ask people that work in data recovery. Or test it yourself. 




And explicitly here, the reason that data recovery even works is that pretty much every file system does not actually "delete" the data when it deletes a file. It just removes the pointers to that data from the file allocation table, and leaves the data intact.  This intact data is what recovery software looks at for "deep scanning recovery".  It reads the data, and then tries to piece it back together.  

The same goes for a quick format.  The partition information may be intact on the drive, and recoverable.  


In both cases, once you write over this data, it's gone.  A full format or the full zero pass pretty much ensures that everything is overwritten and no longer recoverable. 
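
An added example, not part of the posts above: one way to test a zero pass yourself is to read the disk back and look for any non-zero sector, rather than relying only on what recovery tools list. The function names, report fields and the constructed 64-sector sample image are assumptions; for a real drive, pass a raw device or image file opened read-only in binary mode.

```python
import io

SECTOR = 512
CHUNK = 2048 * SECTOR  # read 1 MiB at a time

def scan_for_residue(stream, max_ranges=8):
    """Read a raw disk stream; report non-zero sectors and NTFS metadata markers."""
    zero = bytes(SECTOR)
    rep = {"sectors": 0, "nonzero": 0, "ranges": [],
           "ntfs_boot": False, "mft_records": 0}
    run_start = None  # first LBA of the current non-zero run
    while chunk := stream.read(CHUNK):
        for off in range(0, len(chunk), SECTOR):
            sector, lba = chunk[off:off + SECTOR], rep["sectors"]
            rep["sectors"] += 1
            if sector == zero[:len(sector)]:
                # A zero sector ends any open run of non-zero sectors.
                if run_start is not None and len(rep["ranges"]) < max_ranges:
                    rep["ranges"].append((run_start, lba - 1))
                run_start = None
                continue
            rep["nonzero"] += 1
            if run_start is None:
                run_start = lba
            # Fresh file system metadata, which a format always writes:
            if sector[3:11] == b"NTFS    ":   # boot sector OEM ID
                rep["ntfs_boot"] = True
            if sector[:4] == b"FILE":         # MFT record signature
                rep["mft_records"] += 1
    if run_start is not None and len(rep["ranges"]) < max_ranges:
        rep["ranges"].append((run_start, rep["sectors"] - 1))
    return rep

def demo_image(wiped):
    """Constructed 64-sector image: all zeros, or carrying NTFS-like metadata."""
    img = bytearray(64 * SECTOR)
    if not wiped:
        img[3:11] = b"NTFS    "               # boot sector at LBA 0
        for lba in (16, 18):                  # two 1 KiB MFT-style records
            img[lba * SECTOR:lba * SECTOR + 4] = b"FILE"
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    for label, wiped in (("formatted", False), ("zero-filled", True)):
        print(label, scan_for_residue(demo_image(wiped)))
```

A disk that has had a complete zero pass should report `nonzero == 0`; a disk that was only formatted reports the boot sector and MFT records that the format itself created.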
