Is there a script to safely delete a file?

[rodrigo.brasil]

To safely delete a file, you need:

• Rewrite all file content with random data
• Rename the file with random data
• Delete the file

There are a lot of tools to do it, like SDelete. But this tools you will need to download and install... If there is a native utility or a good script, my life will be easier.

But maybe this does not work like I think. Let's say I did this:

Code: Select all

echo "My very secret password" > secret.txt

Then:

Code: Select all

echo "Delete it, ###########" > secret.txt

Can I confirm that cmd.exe will rewrite it exactly where the old data was in the disk? Or there is no way to know this and if someone read the entire disk, the password can be there (if the OS don't write others things in another time)?

[miskox]

You have to open the existing file for read/write and set a filepointer to the beginning of it. So you need filepointer (see viewtopic.php?f=3&t=5552&p=34051#p34051). So this means 3rd party program. In this case sdelete is your best option.

Maybe someone has a better idea.

Saso

[GeoffVass]

Generally speaking, you can't rely on the idea that writing new data to a file will replace the existing data. A 'file' consists of some metadata such as the name, and a linked list of pointers to clusters on the disk which the file system uses to construct the contents. NTFS is a transactional database, in essence, so if you try to overwrite a file with the echo command, most likely the list of clusters used by the file previously will be untouched and the file's data will be created with a new list of clusters. Then the original clusters will be marked as available for the file system to use later. In a transactional database, you don't ever overwrite physical blocks that have data in them; you write new blocks. That way the database can roll back if there is any corruption. So in the scenario where you 'echo' out to the same file name, if you could look at the contents of clusters at a low level you'd still be able to see the contents of the original file.

To add to the complexity, NTFS actually stores very small files in the Master File Table itself, because the overhead of maintaining the links to clusters outside the MFT is more than just putting the data in the MFT. And generally you can't write to the MFT because the file system is in complete control of that. The very small files in your example would be stored in the MFT.

SDELETE from Sysinternals handles all this by opening the file and following the cluster chain so it overwrites the specific clusters in use by the file, and it also has the ability to wipe the space occupied in the MFT.

So the answer is that you can't do this from batch, the process needs very sophisticated access to file system APIs.

Additionally, depending on how long the file exists, it might have been captured by a shadow copy, so deleting/modifying the original file won't take the data off the disk unless you remove all the shadow copies first.

But in reality, if your concern is attackers who can examine the drive at a low level, use Bitlocker, and/or have drives disposed of with degaussing.

[miskox]

Interesting read: https://degaussing-101.com/morgan-stanl ... each-cost/

Saso