Wiping out remnants of deleted files… with Windows itself

Update: Bad link fixed

In computers, deleting a file is analogous to tossing a piece of paper into a trash can. Anyone could simply retrieve that piece of paper from the trash can; so could anyone undelete the file.

Cipher.exe, having performed data erasure on volume E (a USB flash drive)

Cipher.exe, having performed data erasure on volume E (a USB flash drive)

Proper data erasure, however, is possible; it is analogous to tossing a piece of paper into a shredder or burning it.

Internet is full of computer programs that offer secure deletion of files and folders or offer “wiping unused disk space” meaning that they overwrite the areas of your disk that are marked empty, so that remnants of the previously deleted files – if any – are permanently deleted. But do you actually need them? Because Windows itself can do it, if you explicitly ask.

You must know that Cipher.exe – included with Windows XP and later – features a /W switch that can be used to wipe a volume’s unused disk space. Doing that makes sure that what you have deleted remains deleted. (To learn how to use Cipher.exe, please consult its documentation page on TechNet and Microsoft Support article 315672.) Cipher.exe’s method of data erasure is standard-compliant. (No surprise there, since Microsoft’s main clients are in the enterprise sector.) It overwrites each byte three times: Once with zeroes, once with 255 (FF in hexadecimal system or 11111111 in binary system) and once with a random number. According to Wikipedia, this method is endorsed by four governmental data erasure standards. (Before 2001, there was a fifth: DoD 5220.22-M)

Cipher.exe warns you that to achieve the best results, you must close as many computer programs as you can. Therefore, the absolute best result is achieved when disk wiping programs are run when the operating system is offline, i.e. from a low-overhead live OS. Starting with Windows 7, a recovery environment is added to each installation of Windows, which can be accessed by pressing F8 before Windows boot process starts. Cipher.exe can be run from the Command Prompt in this environment. (The tricky part is navigating to a Windows\system32 folder that contains cipher.exe.)

How effective is it?

The answer is: Not 100% effective.

I tried it on Windows 7 for my boot volume (C:) and on Windows 8.1 for a USB flash drive containing a deleted Windows 8.1 installation source. Both were formatted as NTFS. First thing to notice: It left an empty folder called EFSTMPWP on the volume that was sanitized. Then, I let loose two recovery programs on it: Recuva (developed by Piriform) and TuneUp Undelete (from AVG). Bot claimed to have found the files the I deleted; all of them and intact. However, when I attempted recovery, in most cases the contents were 100% random garbage. I sorted the list of found files by size and the biggest file that I could recover successfully was warning.gif, at 597 bytes. Anything above that was wiped out. But anything below that was fully recoverable, including security_watermark.jpg, adminpack_en-us_noloc.inf, cversion.ini and EI.CFG.

I tried it on the same USB flash drive with the same conditions, this time with a FAT32 file system. As I expected, this time around, Cipher.exe left no trace whatsoever.


So, it seems you do need to download a program from the Internet after all because sometimes you have small files and sometimes your file might be named “Top Secret Umbra document, property of Trantorian Empire.docxv3″. CCleaner (from Piriform) and Eraser (from The Eraser Project) were both very successful at wiping the volumes clean. My recovery test didn’t find any actual files.


Posted on 2 June 2014, in Software Review and tagged , , , , , , , , , , , , , , . Bookmark the permalink. Leave a comment.

Leave a comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: