Re: Straange directory and files

<XnsB00FAE696DE26lonelydad58.gmail.co@85.12.62.251>

https://news.novabbs.org/computers/article-flat.php?id=72093&group=alt.comp.os.windows-10#72093
Path: i2pn2.org!i2pn.org!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!peer02.iad!feed-me.highwinds-media.com!news.highwinds-media.com!fx14.iad.POSTED!not-for-mail
Newsgroups: alt.comp.os.windows-10
Subject: Re: Straange directory and files
From: lonelydad58@gmail.com (MajorLanGod)
Organization: Me, Myself & I, Inc
Message-ID: <XnsB00FAE696DE26lonelydad58.gmail.co@85.12.62.251>
User-Agent: Xnews/5.04.25
Lines: 10
X-Complaints-To: abuse(at)newshosting.com
NNTP-Posting-Date: Thu, 25 May 2023 22:08:43 UTC
Date: Thu, 25 May 2023 22:08:43 GMT
X-Received-Bytes: 1061
 by: MajorLanGod - Thu, 25 May 2023 22:08 UTC

Since my other thread on this topic got hijacked I'm starting over. That
post told of a weird directory that appeared on one of my drives, with
1,319 files with random names, no date, and all the same size.

Well, another one appeared today, but I believe I have found the culprit. I
use Eraser to scrub a drive when I want to make sure something has been
completely eradicated. I ran it again yesterday, and sure enough, another
strange directory showed up. So I think I have found the culprit. I will
keep an eye out the next time I run Eraser to make sure, but I am glad I
have found the source.

Re: Straange directory and files

<15oxn5ofcagl8.dlg@v.nguard.lh>

https://news.novabbs.org/computers/article-flat.php?id=72096&group=alt.comp.os.windows-10#72096
Path: i2pn2.org!i2pn.org!news.samoylyk.net!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: V@nguard.LH (VanguardLH)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Straange directory and files
Date: Thu, 25 May 2023 23:00:23 -0500
Organization: Usenet Elder
Lines: 58
Sender: V@nguard.LH
Message-ID: <15oxn5ofcagl8.dlg@v.nguard.lh>
References: <XnsB00FAE696DE26lonelydad58.gmail.co@85.12.62.251>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-7"
Content-Transfer-Encoding: 8bit
X-Trace: individual.net 7Mb2cCIjT+CIEDkDd9IkLAlKf9NTZqEUl3slIsyjKqpLusyOq8
Keywords: VanguardLH,VLH
Cancel-Lock: sha1:C54t8JU1f8aOmeXKlz0T9UxwPf4=
User-Agent: 40tude_Dialog/2.0.15.41
 by: VanguardLH - Fri, 26 May 2023 04:00 UTC

MajorLanGod <lonelydad58@gmail.com> wrote:

> Since my other thread on this topic got hijacked I'm starting over.
> That post told of a weird directory that appeared on one of my
> drives, with 1,319 files with random names, no date, and all the same
> size.
>
> Well, another one appeared today, but I believe I have found the
> culprit. I use Eraser to scrub a drive when I want to make sure
> something has been completely eradicated. I ran it again yesterday,
> and sure enough, another strange directory showed up. So I think I
> have found the culprit. I will keep an eye out the next time I run
> Eraser to make sure, but I am glad I
> have found the source.

Without clarification, I'm assuming "Eraser" means "Heidi Eraser".
There are lots of erase-deleted-file utilities.

VeraCrypt (aka TrueCrypt) let you add a fake partition. If you were
forced to give the password to the encrypted container (file that
becomes a drive when mounted), you could give the password to the bogus
partition with placeholder files to sate the opponent's need to get
inside your encrypted container. The real protected data was in another
partition in the encrypted container that was accessed using a different
password, but it looked like garbage data in the sectors in the mounted
drive that were really in the hidden alternate partition. It was to
obfuscate what you really wanted to protect.

Heidi Eraser has a similar function. If you do a wipe of sectors using
whatever algorithm, the data left in the wiped sectors would not be all
zeroes (never used) nor remnant data typical of content that would've
actually been stored there. It could be detected that parts of the
drive had been erased. To obfuscate the wipe action, Eraser will insert
dummy data into those sectors, which are assigned to dummy files.

https://eraser.heidi.ie/eraser-settings/

  "Replace erased files with the following files to allow plausible
  deniability" specifies a list of files to use to replace the erased
  files’ space on the drive after deleting to give the impression that
  no files were erased, except other files which were deleted before
  (hence plausible deniability.)

Did you enable that option? Rather than overwrite the "erased" sectors
with random data, you list a set of files with coherent content, so it
looks like the content is legit in those sectors. It is unclear if new
fake files are created to point at those sectors, or if just the content
of the replacement files is written to those sectors (but no files are
created to point at those sectors).

I haven't used Heidi Eraser for many years. The info above is what I
found on how to use the software. To find other users of Heidi Eraser,
check out their forum:

https://eraser.heidi.ie/forum/

If "Eraser" means some other sector-wipe tool, you'll have to be more
explicit than just saying "Eraser".

Re: Straange directory and files

<u4pdvq$3slul$1@dont-email.me>

https://news.novabbs.org/computers/article-flat.php?id=72097&group=alt.comp.os.windows-10#72097
Path: i2pn2.org!i2pn.org!eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: nospam@needed.invalid (Paul)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Straange directory and files
Date: Fri, 26 May 2023 00:53:13 -0400
Organization: A noiseless patient Spider
Lines: 44
Message-ID: <u4pdvq$3slul$1@dont-email.me>
References: <XnsB00FAE696DE26lonelydad58.gmail.co@85.12.62.251>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Fri, 26 May 2023 04:53:14 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="ebf9230a953d70aa9c2fe73eed5a9cfa";
logging-data="4085717"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1+3YzSZsWJmDB+gvrHvW5We7HFv2ZGFGks="
User-Agent: Ratcatcher/2.0.0.25 (Windows/20130802)
Cancel-Lock: sha1:nnR6k765jcE6rYqCZBVlfWQBGuI=
Content-Language: en-US
In-Reply-To: <XnsB00FAE696DE26lonelydad58.gmail.co@85.12.62.251>
 by: Paul - Fri, 26 May 2023 04:53 UTC

On 5/25/2023 6:08 PM, MajorLanGod wrote:
> Since my other thread on this topic got hijacked I'm starting over. That
> post told of a weird directory that appeared on one of my drives, with
> 1,319 files with random names, no date, and all the same size.
>
> Well, another one appeared today, but I believe I have found the culprit. I
> use Eraser to scrub a drive when I want to make sure something has been
> completely eradicated. I ran it again yesterday, and sure enough, another
> strange directory showed up. So I think I have found the culprit. I will
> keep an eye out the next time I run Eraser to make sure, but I am glad I
> have found the source.
>

This appears related to "Free Space Erasure", which erases the white space
on a partition. Google did not find this article for me earlier.

https://eraser.heidi.ie/forum/threads/eraser-creates-a-lot-of-big-files-during-unused-space-erasure.18689/

"there's a new folder named 4x8NmCn!UQgiKR1C+] with a lot of files having the same size 216MB"

*******

Here is another tool that can erase white space.

https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete

sdelete64.exe -z c: # White space cleaning

In a test, I salted a disk (NTFS FS) with a pattern, then used sdelete64 and
I could still detect a bit of the pattern later (maybe a hundred chunks).
Heidi should be better at this sort of thing. I still find
sdelete64 is good for prepping .vhd containers for compaction
operations (if you zero out white space, the .vhd does not need
to waste storage space to record the zeroed region).

Using unique patterns, you can attempt to "hide" materials on a
partition, use your favorite cleaner, then scan with HxD to see
if the cleaning worked or not. This has the ability to scan at
the sector level (do a Run As Administrator on the executable,
and then the disk opening menu will work).

https://mh-nexus.de/en/hxd/

Paul
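
Added example (not part of Paul's post, and not code from Eraser, sdelete or HxD): a small Python version of the salt-then-scan check described above, which searches a raw image for a unique marker chunk by chunk, including markers that straddle a chunk boundary. The names `make_canary`, `scan_for_canary` and `demo`, and the 16 KiB random "disk" with a simulated incomplete wipe, are constructed for illustration.

```python
import os
import secrets
import tempfile

def make_canary(nbytes=32):
    """Unique marker to salt the disk with; random, so a chance match is negligible."""
    return b"CANARY-" + secrets.token_hex(nbytes).encode()

def scan_for_canary(path, canary, chunk_size=1 << 20):
    """Return the byte offset of every occurrence of canary in a raw image.

    Reads fixed-size chunks and carries the last len(canary)-1 bytes forward,
    so a marker that straddles a chunk boundary is found, and found only once.
    """
    hits, tail, base = [], b"", 0          # base = file offset of buf[0]
    keep = len(canary) - 1
    with open(path, "rb") as f:
        while chunk := f.read(chunk_size):
            buf = tail + chunk
            pos = buf.find(canary)
            while pos != -1:
                hits.append(base + pos)
                pos = buf.find(canary, pos + 1)
            tail = buf[-keep:] if keep else b""
            base += len(buf) - len(tail)
    return hits

def demo(chunk=4096):
    """Constructed 16 KiB 'disk': three planted markers, a wipe that misses one."""
    canary = make_canary()
    image = bytearray(os.urandom(4 * chunk))
    planted = [100, chunk - 10, 3 * chunk + 500]   # 2nd straddles a chunk boundary
    for off in planted:
        image[off:off + len(canary)] = canary
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(image)
        path = f.name
    try:
        before = scan_for_canary(path, canary, chunk)
        image[:3 * chunk] = bytes(3 * chunk)       # simulated incomplete wipe
        with open(path, "wb") as f:
            f.write(image)
        after = scan_for_canary(path, canary, chunk)
    finally:
        os.remove(path)
    return planted, before, after

if __name__ == "__main__":
    planted, before, after = demo()
    print("planted:", planted, "found before wipe:", before, "left after wipe:", after)
```

Any offset still reported after the cleaner has run marks a region it did not overwrite.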

Re: Straange directory and files

<u5qrhb.ne0.1@ID-201911.user.individual.net>

https://news.novabbs.org/computers/article-flat.php?id=72241&group=alt.comp.os.windows-10#72241
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!lilly.ping.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: this@ddress.is.invalid (Frank Slootweg)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Straange directory and files
Date: 7 Jun 2023 19:07:04 GMT
Organization: NOYB
Lines: 17
Message-ID: <u5qrhb.ne0.1@ID-201911.user.individual.net>
References: <XnsB00FAE696DE26lonelydad58.gmail.co@85.12.62.251>
X-Trace: individual.net ztYq4UEgJ+ca//8qXQXcLQwRn+6pwwOGIpoRyGuo+zAuezSVeo
X-Orig-Path: not-for-mail
Cancel-Lock: sha1:zk8UAyAaK5bXuvYk/BW/bcw4pLY=
User-Agent: tin/1.6.2-20030910 ("Pabbay") (UNIX) (CYGWIN_NT-10.0-WOW/2.8.0(0.309/5/3) (i686)) Hamster/2.0.2.2
 by: Frank Slootweg - Wed, 7 Jun 2023 19:07 UTC

MajorLanGod <lonelydad58@gmail.com> wrote:
> Since my other thread on this topic got hijacked I'm starting over. That
> post told of a weird directory that appeared on one of my drives, with
> 1,319 files with random names, no date, and all the same size.
>
> Well, another one appeared today, but I believe I have found the culprit. I
> use Eraser to scrub a drive when I want to make sure something has been
> completely eradicated. I ran it again yesterday, and sure enough, another
> strange directory showed up. So I think I have found the culprit. I will
> keep an eye out the next time I run Eraser to make sure, but I am glad I
> have found the source.

FWIW, I find the "no date" bit a bit strange. AFAIK, a file cannot
have "no date". Perhaps the date is strange or all fields are zero or
something, but probably some tool - i.e. for example DIR instead of
File Explorer - will probably show some kind of date which might have
led you to the cause sooner.

