1

If I delete files on an NTFS partition I can recover them shortly with a very high probability of success. When a file is deleted, only the file system entry is deleted, thus the content of the file will still remain intact for a period of time, depending on the disk activity afterwards.

How can I make sure that the files will be unrecoverable and what is the best tool to do the job?

cmserv

10 Answers

8

Non-Home editions of Windows come with a command-line tool called cipher.exe. In addition to letting you encrypt files with NTFS encryption, it also has a free-space wiping mechanism. e.g.

C:\> cipher /W:C:\

It will then wipe all free space on the designated drive. Other tools can do one-off file wipes, but I like cipher.exe because it is built-in on most Windows editions.

Chris W. Rea
  • 1
    Bear in mind that, if you're trying to cover your nefarious tracks, cipher and sdelete both don't wipe slack space (the space between the logical end of a file and the end of the allocation unit it was stored in). – Evan Anderson Jul 24 '09 at 17:48
  • @Evan Anderson: Good point. How about: Copy the files, delete originals, then run cipher's free space wipe? Assumes the file copy operation wouldn't preserve the slack space. – Chris W. Rea Jul 25 '09 at 16:14
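
Added example, not part of the original answers or comments: a toy cluster model in Python (not NTFS itself; the 4096-byte cluster size, the `ToyVolume` class and the sample data are assumptions) showing why a free-space wipe leaves old data in the slack of an allocated cluster, and what the copy, delete, then wipe sequence does when the copy carries only the logical bytes.

```python
CLUSTER = 4096  # assumed allocation-unit size in bytes

class ToyVolume:
    """Toy model (not NTFS itself): flat clusters, a file table, a free list."""
    def __init__(self, n_clusters):
        self.disk = bytearray(n_clusters * CLUSTER)
        self.free = list(range(n_clusters))
        self.files = {}  # name -> (cluster indexes, logical length)

    def write(self, name, data):
        need = max(1, -(-len(data) // CLUSTER))  # ceiling division
        clusters = [self.free.pop(0) for _ in range(need)]
        for i, c in enumerate(clusters):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            # Only logical bytes are written; the cluster tail (slack) keeps old data.
            self.disk[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.files[name] = (clusters, len(data))

    def read(self, name):
        clusters, length = self.files[name]
        raw = b"".join(bytes(self.disk[c * CLUSTER:(c + 1) * CLUSTER]) for c in clusters)
        return raw[:length]  # a normal read never returns slack

    def delete(self, name):
        clusters, _ = self.files.pop(name)  # entry removed, contents left in place
        self.free = clusters + self.free    # freed clusters are reused first

    def wipe_free_space(self):
        for c in self.free:  # allocated clusters, and their slack, are skipped
            self.disk[c * CLUSTER:(c + 1) * CLUSTER] = bytes(CLUSTER)

def demo():
    marker = b"CONSTRUCTED-SECRET-TAIL"  # constructed sample data
    vol = ToyVolume(8)
    vol.write("secret.txt", b"A" * (CLUSTER - len(marker)) + marker)
    vol.delete("secret.txt")
    vol.write("note.txt", b"harmless")  # reuses the cluster; marker sits in its slack
    vol.wipe_free_space()
    after_wipe = marker in vol.disk     # slack survives a free-space wipe
    # Copy, delete the original, then wipe free space again.
    vol.write("note-copy.txt", vol.read("note.txt"))
    vol.delete("note.txt")
    vol.wipe_free_space()
    after_copy = marker in vol.disk
    return after_wipe, after_copy, vol.read("note-copy.txt")

if __name__ == "__main__":
    print(demo())
```

In this model the copy lands in a previously clean cluster; on a real volume the copy's own slack holds whatever its newly allocated cluster contained before.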
3

Any tool that overwrites the data is ultimately going to stop casual attackers (and, very likely, even well-budgeted attackers). Recovering data from an overwrite on modern hard disk drives is extremely difficult. You can use as fancy a tool as you want (overwrites data with a cryptographically sound random number generator, etc.), but in the end even a simple overwrite with zeros will protect you from all but the most sophisticated attackers.

Beware of SSDs and attempting to overwrite data. SSDs do "wear leveling" and tools that simply overwrite files without any awareness of the underlying storage technology may not actually overwrite the data.

Evan Anderson
2

I use SDelete from Sysinternals to securely delete files from our PCI environment.

Zypher
  • Note that SDelete securely deletes file data, but not file names located in free disk space. Any idea how to also make the names unrecoverable? – cmserv Jul 24 '09 at 13:45
  • 2
    I don't think there's any documented API in NTFS to do that (to put a new file in a chosen MFT slot). You're going to have to resort to something that plays fast and loose with the rules. I don't think I'd trust production data to such a utility. If you're going to be into nuking filesystem metadata then even wiping all free allocation units isn't going to be good enough since there could be data leakage within the "slack" space inside allocation units used to track filesystem metadata. At that point, you're better off overwriting the entire filesystem with zeros. – Evan Anderson Jul 24 '09 at 16:54
2

I've used SDelete in Windows with success. http://technet.microsoft.com/en-us/sysinternals/bb897443.aspx

egorgry
1

On a workstation-by-workstation basis you could use a piece of software designed to remove files from the disk; I've used one known as FileShredder.

If you're trying to do something on a corporate scale I would look at companies like Symantec - the name escapes me but I know they had a product which would do what you are looking for.

1

I've used bcwipe, which has the convenient feature of installing itself in the context menu in Windows Explorer, giving the option to delete or "delete with wiping" by a right click. It also wipes file slack, unused file space and directory entries.

Will M
1

You could also, if you're worried about the recoverability of file names in that slack space, use a filesystem container, like one from TrueCrypt.

mpbloch
  • But then I wouldn't solve the problem of how to dispose of the original copies. – cmserv Jul 24 '09 at 19:42
  • You could switch methodologies, and save all sensitive things to the contained system in the FIRST place. Then either write zeros or destroy the original medium. – mpbloch Jul 24 '09 at 22:11
0

Here are a couple other utilities that you can try:

I've used killdisk before and like it, but haven't tried Eraser

quickcel
0

In the days of FAT, the disk defragmentation utilities were able to wipe all free space, which is IMHO a very good measure to protect deleted files (even when considering "reserved" sectors - there are only a few of them, so only very little data is possibly left)... but is it available for NTFS as well? I can't find such an option.

Juraj
0

Any Directory Opus user will have a built-in "secure wipe" feature that does about the same thing every other tool does:

This uses algorithms similar to those recommended by the US NSA and US Department of Defense for securely destroying the contents of a file to make recovery by forensic analysis of the magnetic medium of the disk extremely difficult if not unlikely. The number of passes for each file can be configured in Preferences.

Oskar Duveborn