RESET Forums (homeservershow.com)

$Extend\$Rmmetadata\$Txflog\$Txflog still recoverable after 3 pass overwrite

Server Grunt

Long time since my last visit here on the forums, so it feels good to be back.



I am changing a lot in my IT environment setup, and one of the outcomes of this restructuring is that I need to get rid of a large number of hard drives.



I am a little paranoid with my personal data, so I have deleted files, then re-formatted, and done both an empty-space overwrite and a normal 3-pass overwrite (DoD-level).



To check, I used 3 separate file recovery tools, and they all report that the only recoverable files are $Extend\$Rmmetadata\$Txflog\$Txflog.



My understanding is that this was something used in Vista and Server 2003 and 2008. My drives have all been in Server 2008 and Home Server environments, so that explains why it is there. Note that the machines doing the "cleaning" are all Win7 machines.



However, my question is: what information can one get out of these logs? Is there anything that might reveal any actual information, or is it just metadata from the management system?

To clarify: can anyone recover any sensitive data from these $Txflog files?


You need to check this out, then:




NTFS extension file
Used for various optional extensions such as quotas, reparse point data, and object identifiers.
The "$TxFLOG" is the Transactional NTFS Log.
Pretty much *any* structure starting with "$" on an NTFS volume is an NTFS metadata object. These are created as part of the formatting process, and when the disk is used.
If you're formatting the drive and not "wiping" it clean (diskpart's "clean all" command, use with extreme caution), then these will always remain and always be recoverable. Period. That doesn't mean that they're relevant or have any real information.
So, no, these cannot be used to really recover data or grab additional information.
That said, if you're worried, you will want to do one of two things:
  • Physically destroy the drives.
    This way, there is no possibility of recovery.
  • Load up an administrative command prompt, run "diskpart", select the CORRECT disk, and make sure it's the correct disk, and then run "clean all". This writes zeros to the entire disk, making most data recovery (almost) impossible.
    This will take roughly 4 hours per TB of capacity to complete.
    This will also leave the disk in an uninitialized state.
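The "select the CORRECT disk" step above is where a zero pass goes wrong in practice: diskpart only knows disk numbers, and numbers shift when drives are plugged in and out. The script below is an added example, not Drashna's or the forum's code. It picks the target by the serial number that Win32_DiskDrive reports, refuses the disk holding the running Windows installation, shows what it is about to erase, and only then feeds "select disk N" / "clean all" to diskpart from a script file. It assumes an elevated PowerShell on Windows 7 / Server 2008 R2 or later (it uses Get-WmiObject rather than the newer Storage cmdlets so it works there); the serial number you pass is whatever Win32_DiskDrive shows, which on some USB bridges is blank or mangled, so check it with `Get-WmiObject Win32_DiskDrive | Select Index, Model, SerialNumber, Size` first.

```powershell
# Added example, not from the original post: a guarded wrapper around diskpart
# "clean all". The disk is chosen by serial number and the script refuses the
# disk that holds the running Windows installation. Requires an elevated prompt;
# once confirmed, every sector of the chosen disk is overwritten with zeros.
param(
    [Parameter(Mandatory = $true)] [string] $SerialNumber,
    [switch] $Force    # skip the interactive confirmation (for scripted batches)
)

function Get-SystemDiskIndex {
    # Walk C: -> partition -> physical drive through the WMI association classes,
    # so the script can refuse the disk Windows is currently running from.
    $ld = Get-WmiObject -Query "ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='$env:SystemDrive'} WHERE AssocClass=Win32_LogicalDiskToPartition"
    $dd = Get-WmiObject -Query "ASSOCIATORS OF {Win32_DiskPartition.DeviceID='$($ld.DeviceID)'} WHERE AssocClass=Win32_DiskDriveToDiskPartition"
    return [int]$dd.Index
}

function Select-TargetDisk([string] $Serial) {
    # Exactly one disk must report this serial; anything else is refused rather than guessed.
    $all = @(Get-WmiObject Win32_DiskDrive | Where-Object { ($_.SerialNumber -as [string]).Trim() -eq $Serial })
    if ($all.Count -eq 0) { throw "No disk reports serial '$Serial'." }
    if ($all.Count -gt 1) { throw "Serial '$Serial' matches $($all.Count) disks; refusing to guess." }
    $d = $all[0]
    if ([int]$d.Index -eq (Get-SystemDiskIndex)) { throw "Disk $($d.Index) holds $env:SystemDrive; refusing to wipe it." }
    return $d
}

$disk   = Select-TargetDisk $SerialNumber
$sizeTB = [math]::Round([double]$disk.Size / 1TB, 2)
Write-Host ("Target: disk {0}  {1}  {2} TB, {3} partition(s)" -f $disk.Index, $disk.Model, $sizeTB, $disk.Partitions)
Write-Host ("A full zero pass should take about {0} hour(s) at ~4 h/TB." -f [math]::Ceiling($sizeTB * 4))

if (-not $Force) {
    $typed = Read-Host "Type the disk number ($($disk.Index)) to start; anything else aborts"
    if ($typed -ne [string]$disk.Index) { Write-Host "Aborted; nothing written."; exit 1 }
}

# diskpart takes its commands from a script file. "clean all" zeros every sector;
# plain "clean" only removes the partition table and leaves the old data in place.
$script = Join-Path $env:TEMP ("clean-disk-{0}.txt" -f $disk.Index)
Set-Content -Path $script -Encoding ASCII -Value @("select disk $($disk.Index)", "clean all")
$p = Start-Process -FilePath diskpart.exe -ArgumentList "/s `"$script`"" -Wait -PassThru -NoNewWindow
Remove-Item $script -ErrorAction SilentlyContinue
if ($p.ExitCode -ne 0) { throw "diskpart exited with code $($p.ExitCode); do not trust this wipe." }
Write-Host "Zero pass finished; disk $($disk.Index) is uninitialized and ready for disposal or reuse."
```

Run it as `.\Clean-Disk.ps1 -SerialNumber WD-WXXXXXXXXXXX` (placeholder serial) and it will print the model, size and partition count before asking for the disk number as a second confirmation. The boot-disk check is the important line: a wrong serial just fails, but a wrong disk number typed at a diskpart prompt erases the machine you are sitting at.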

or some folks use DBAN (disk boot and nuke)


And you know what I say to them?


You might as well physically destroy the drive.


Thanks Drashna and nrf! 


How I missed all of you here, guys!

This community is the greatest!





To clarify why I hate DBAN: a single write pass to the disk is enough to prevent recovery in all but the most extreme cases. I mean laser forensics, spending thousands of dollars to recover data.


So for most consumers, a single write pass to the disk is enough to completely nuke the contents. This can be done via a format, or better yet, with a zero pass to the whole disk (which is precisely what DISKPART's "clean all" command does).


Anything more is unnecessary and just stresses the disk out, and can potentially reduce its longevity.


And if you're incredibly concerned with no data being recovered, then the ONLY option you should be using is physical destruction. 


So, friends don't let friends DBAN a perfectly good drive.  But don't believe me, ask people that work in data recovery. Or test it yourself. 




And explicitly here, the reason that data recovery even works is that pretty much every file system does not actually "delete" the data when it deletes a file. It just removes the pointers to that data from the file allocation table, and leaves the data intact.  This intact data is what recovery software looks at for "deep scanning recovery".  It reads the data, and then tries to piece it back together.  

The same goes for a quick format.  The partition information may be intact on the drive, and recoverable.  


In both cases, once you write over this data, it's gone.  A full format or the full zero pass pretty much ensures that everything is overwritten and no longer recoverable. 

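"Or test it yourself" is good advice, and the original poster already did half of it with three recovery tools. A cheaper check that does not depend on any recovery tool's scanner is to read the raw disk back after the zero pass and look for anything that is not zero. The script below is an added example, not part of the thread. It opens \\.\PhysicalDriveN read-only, samples random 1 MB blocks plus the first and last block of the disk (the boot sector lives at the start and NTFS keeps a backup boot sector at the end of the volume), and reports any block that is not all zeros, naming the NTFS leftovers the thread is about when it recognises them: the "NTFS    " OEM id of a boot sector, the "FILE0" header of an MFT record, and the UTF-16LE file name "$TxfLog". It assumes an elevated PowerShell 2.0 or later and that the disk number you pass matches the Index shown by Win32_DiskDrive; the defaults (disk 1, 256 samples) are placeholders.

```powershell
# Added example, not part of the thread: read-only check that a zero pass actually
# landed. Samples random blocks of a physical disk plus the first and last block and
# reports non-zero data or leftover NTFS metadata signatures. Run elevated; the
# disk number must match the Index reported by Win32_DiskDrive (verify it first).
param(
    [int] $DiskNumber  = 1,      # placeholder; check Get-WmiObject Win32_DiskDrive
    [int] $SampleCount = 256,    # random samples; raise for more coverage
    [int] $SampleBytes = 1MB     # must be a multiple of the sector size for raw reads
)

$drive = Get-WmiObject Win32_DiskDrive -Filter "Index=$DiskNumber"
if (-not $drive) { throw "No physical disk with index $DiskNumber." }
$diskSize = [long]$drive.Size

# Latin-1 maps every byte to exactly one char, so .NET string search works on the
# raw bytes and stays fast; a PowerShell byte-by-byte loop over 256 MB is far too slow.
$latin1 = [Text.Encoding]::GetEncoding(28591)
$signatures = @{
    'NTFS boot sector OEM id' = 'NTFS    '
    'MFT record header'       = 'FILE0'
    '$TxfLog name (UTF-16LE)' = $latin1.GetString([Text.Encoding]::Unicode.GetBytes('$TxfLog'))
}

function Test-Chunk([byte[]] $Buffer, [int] $Count) {
    # $null means the chunk is all zeros; otherwise a short description of what is there.
    $s = $latin1.GetString($Buffer, 0, $Count)
    if ($s.Trim([char]0).Length -eq 0) { return $null }
    foreach ($name in $signatures.Keys) {
        $at = $s.IndexOf($signatures[$name], [StringComparison]::OrdinalIgnoreCase)
        if ($at -ge 0) { return "$name at offset +$at" }
    }
    return 'non-zero bytes (no known signature)'
}

$fs  = New-Object -TypeName IO.FileStream -ArgumentList "\\.\PhysicalDrive$DiskNumber", ([IO.FileMode]::Open), ([IO.FileAccess]::Read), ([IO.FileShare]::ReadWrite)
$buf = New-Object byte[] $SampleBytes
$findings = @()
try {
    $blocks  = [long][math]::Floor($diskSize / $SampleBytes)
    # Always look at the first block (MBR/boot sector) and the last one (backup boot sector).
    $offsets = @([long]0, ($blocks - 1) * $SampleBytes)
    for ($i = 0; $i -lt $SampleCount; $i++) {
        $offsets += [long](Get-Random -Minimum 0 -Maximum $blocks) * $SampleBytes
    }
    foreach ($off in $offsets) {
        [void]$fs.Seek($off, [IO.SeekOrigin]::Begin)
        $n = $fs.Read($buf, 0, $buf.Length)
        if ($n -le 0) { continue }
        $hit = Test-Chunk $buf $n
        if ($hit) { $findings += ("0x{0:X} : {1}" -f $off, $hit) }
    }
} finally {
    $fs.Close()
}

if ($findings.Count -eq 0) {
    Write-Host ("All {0} sampled blocks are zero; no NTFS residue found." -f $offsets.Count)
} else {
    Write-Host ("{0} of {1} sampled blocks still hold data:" -f $findings.Count, $offsets.Count)
    $findings | ForEach-Object { Write-Host "  $_" }
}
```

Run it against a drive that was only quick-formatted and the first block reports the boot sector and, a few samples later, MFT records and usually the $TxfLog name; run it after "clean all" and every sampled block comes back zero. Sampling is a spot check, not a proof: 256 samples of 1 MB cover 256 MB of a multi-terabyte disk, so raise -SampleCount (or loop the whole disk, which takes about as long as the wipe did) if a single surviving block would matter to you.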
