Information Technology Grimoire

Version .0.0.1

IT Notes from various projects because I forget, and hopefully they help you too.

cipher Permanently Delete Files

The cipher program does a few interesting things. This post covers one of them: wiping the free space on a volume so that previously deleted data is (realistically) unrecoverable, using the free tool built into Windows, cipher.exe.

Deleting Files

As you probably know, deleting a file doesn't really "delete" it. The file system only marks the file's clusters as available for future use; the contents stay on disk until something else overwrites them. A forensic investigator can recover that sensitive data with an ordinary file-carving tool unless further steps are taken.

There are several tools for secure deletion, but one is built into Windows and does a reasonable job of overwriting the free space on an NTFS volume.

Cipher Tool

With the /w switch, cipher overwrites all unused space on a volume in three passes: first all zeros (0x00), then all ones (0xFF), and finally random data. It does this by filling the free space with temporary files rather than by writing to raw sectors, so it only touches clusters the file system currently considers free.

From an administrator prompt, pass the root of the volume you want to wipe (the documented form is cipher /w:<directory>; the whole volume that contains the directory is wiped):

cipher /w:C:\

How long it takes depends on how much free space the volume has and how fast the disk is, since every free cluster is written three times; a few hours is typical for a large drive. cipher does not lock the volume while it runs, so space that another program allocates in the meantime is not wiped.

What is the EFSTMPWP File?

When cipher runs, it creates a folder named EFSTMPWP at the root of the volume and writes temporary files into it until the drive is completely full, once for the 0x00 pass, once for 0xFF and once for random data; those temp files are how it reaches every free cluster. If you interrupt cipher with Ctrl+C it leaves the folder and whatever temp files it had written behind, and the volume stays nearly full until you remove them. It is safe to delete the folder if you interrupted cipher.
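The whole procedure above (pick the volume, run cipher /w, deal with the EFSTMPWP folder afterwards) in one script, as an added PowerShell example that is not part of the original notes. It assumes a -DriveLetter parameter (default C), that the folder cipher creates is the EFSTMPWP folder described above, and it uses the MediaType reported by Get-PhysicalDisk to warn when the volume sits on an SSD, where overwriting free space is not a reliable wipe.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: run cipher /w on one volume with the
# checks around it that the notes imply. Assumed names: the -DriveLetter parameter
# (default C) and the EFSTMPWP folder that cipher creates at the volume root.
param(
    [ValidatePattern('^[A-Za-z]$')]
    [string]$DriveLetter = 'C'
)

$Root   = "${DriveLetter}:\"
$TmpDir = Join-Path $Root 'EFSTMPWP'

# cipher /w only wipes free space on NTFS volumes.
$Volume = Get-Volume -DriveLetter $DriveLetter -ErrorAction Stop
if ($Volume.FileSystemType -ne 'NTFS') {
    throw "cipher /w needs NTFS; $Root is $($Volume.FileSystemType)."
}

# Overwriting free space proves nothing on an SSD (wear levelling, spare area),
# so warn rather than pretend. Look up the physical disk behind the partition.
$Partition = Get-Partition -DriveLetter $DriveLetter
$Disk = Get-PhysicalDisk | Where-Object { $_.DeviceId -eq "$($Partition.DiskNumber)" }
if ($Disk.MediaType -eq 'SSD') {
    Write-Warning "$Root is on an SSD; cipher /w is not a reliable wipe there."
}

# Three passes (0x00, 0xFF, random) over every free cluster: state the amount of
# data that will be written up front so the runtime is not a surprise.
$FreeGB = [math]::Round($Volume.SizeRemaining / 1GB, 1)
Write-Host ("Free space on {0}: {1} GB, so cipher will write about {2} GB in three passes." -f $Root, $FreeGB, ($FreeGB * 3))

# A folder left over from an interrupted run is safe to remove; clear it first so
# the new run gets that space back and overwrites it too.
if (Test-Path $TmpDir) {
    Write-Host "Removing leftover $TmpDir from an interrupted run."
    Remove-Item $TmpDir -Recurse -Force
}

try {
    # Documented form is cipher /w:<directory>; the volume containing it is wiped.
    & cipher.exe "/w:$Root"
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "cipher exited with code $LASTEXITCODE; the wipe may be incomplete."
    }
}
finally {
    # The finally block also runs on Ctrl+C, so the temp folder is not left behind.
    if (Test-Path $TmpDir) {
        Write-Host "Cleaning up $TmpDir."
        Remove-Item $TmpDir -Recurse -Force
    }
}
```

Save it as something like Wipe-FreeSpace.ps1 and run it from an elevated PowerShell (for example .\Wipe-FreeSpace.ps1 -DriveLetter D). The SSD check is deliberately a warning rather than a hard stop: the overwrite still does no harm there, it just cannot be relied on, and the drive's own secure-erase command or discarding the encryption key of an encrypted volume is the right answer for flash.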

Recovering data that cipher has overwritten this way would be exceptionally difficult even for a skilled forensic team, at least on a conventional hard drive. But cipher only touches free space. Files that are in use at all times, such as the page file, the hibernation file, browser and application caches, and temp files, are never freed and therefore never wiped; they still hold information about how the computer was used and are easy to recover. On an SSD, wear levelling means an overwrite of free space does not reliably land on the flash pages that held the old data, so cipher gives no guarantee there.

Cipher is a great tool to run after you've reinstalled Windows and are preparing to sell or give away a computer, but if you are processing sensitive data, cipher should not be your end-all, be-all tool; encrypting the volume from the start, so that a wipe is just discarding the key, covers the in-use files that cipher never reaches.

Last updated on 27 Jan 2019
Published on 27 Jan 2019