Permanently delete files in Windows using built-in utilities

A good wiping tool has been available on all Windows systems since Windows 2000

Cipher.exe is a command-line tool that was originally released with Windows 2000, alongside NTFS V5.0 and the ability to use the Encrypting File System. It has been continuously upgraded by Microsoft and is available on all current Windows systems.

The main purpose of this tool is:

Displays or alters the encryption of directories [files] on NTFS partitions.

but it can also be used simply to securely wipe files from disk, using the /W option:

/W        Removes data from available unused disk space on the entire
volume. If this option is chosen, all other options are ignored.
The directory specified can be anywhere in a local volume. If it
is a mount point or points to a directory in another volume, the
data on that volume will be removed.

The description is not entirely accurate, but the tool can be used to modify the binary content of a designated part of the hard drive, effectively making it indecipherable.


How does file deletion work?

I’ve already written a lot about the NTFS filesystem, and I’ve also written a specific chapter in my book The little handbook of Windows Forensics, but in a nutshell:

When you delete a file, Windows simply deletes an entry in the master file table (MFT), a big index that tells the computer where the actual file is stored.

The data is actually still present on the disk but, without an entry in the MFT, it may be overwritten by other files.
Obviously, unless it is permanently deleted, the file could potentially be recovered at a later date using a recovery tool.


How to use cipher.exe to wipe deleted files

Cipher.exe lets you securely overwrite all the deleted data on a specific volume, without using third-party tools.

After deleting a file (for example on a flash disk), simply open the command prompt and execute this command:

cipher /W:DRIVELETTER:

where DRIVELETTER is the volume containing the deleted files (please note there are NO spaces between /W and DRIVELETTER):

D:>dir
Volume in drive D is CipherTest
Volume Serial Number is 5AC0-AF19
Directory of D:\
01/10/2019 11:54 AM 8 test.txt
1 File(s) 8 bytes
0 Dir(s) 1,556,480 bytes free
D:>del test.txt
D:>cipher /W:D:
To remove as much data as possible, please close all other applications while
running CIPHER /W.
Writing 0x00
……………………………………………………………………………………………..
Writing 0xFF
……………………………………………………………………………………………..
Writing Random Numbers
……………………………………………………………………………………………..
D:>
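
The two ideas above (deleting only drops the index entry, and cipher /W then overwrites the free space in three passes), shown as an added example that is not part of the original post. It is a toy in-memory model, not NTFS: the ToyVolume class, the 16-byte cluster size and the file contents are all assumptions constructed for illustration.

```python
import os

CLUSTER = 16  # bytes per cluster; tiny on purpose (assumption of this toy model)

class ToyVolume:
    """Raw clusters plus a name index that stands in for the MFT (not real NTFS)."""

    def __init__(self, clusters=8):
        self.raw = bytearray(CLUSTER * clusters)
        self.index = {}    # file name -> (cluster numbers, length)
        self.used = set()  # allocated cluster numbers

    def _free(self):
        return [c for c in range(len(self.raw) // CLUSTER) if c not in self.used]

    def write_file(self, name, data):
        need = -(-len(data) // CLUSTER)  # ceiling division
        chosen = self._free()[:need]
        if len(chosen) < need:
            raise OSError("volume full")
        for i, c in enumerate(chosen):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            self.raw[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.used.update(chosen)
        self.index[name] = (chosen, len(data))

    def delete(self, name):
        clusters, _ = self.index.pop(name)     # only the index entry goes away
        self.used.difference_update(clusters)  # clusters become free, bytes untouched

    def carve(self, marker):
        """Recovery-tool view: ignore the index and scan the raw bytes."""
        return marker in bytes(self.raw)

    def wipe_free_space(self, rng=os.urandom):
        """Overwrite every free cluster with 0x00, then 0xFF, then random bytes."""
        passes = (lambda n: b"\x00" * n, lambda n: b"\xff" * n, rng)
        for fill in passes:
            for c in self._free():
                self.raw[c * CLUSTER:(c + 1) * CLUSTER] = fill(CLUSTER)

def demo():
    vol = ToyVolume()
    vol.write_file("keep.txt", b"still allocated")  # constructed sample data
    vol.write_file("test.txt", b"SECRET-8")         # constructed sample data
    vol.delete("test.txt")
    listed = "test.txt" in vol.index          # False: gone from the index
    before = vol.carve(b"SECRET-8")           # True: bytes still on "disk"
    vol.wipe_free_space()
    after = vol.carve(b"SECRET-8")            # False: free clusters overwritten
    return listed, before, after, vol.carve(b"still allocated")
```

The last value returned by demo() shows that clusters belonging to files still in the index are left alone, matching the /W description of acting only on unused space.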

That’s all Folks!
