The other day I came across a very interesting tool while researching ways to clear unallocated space on a Windows machine. This process is very well documented for *nix machines using "dd" and "/dev/zero", however I was unaware of a similar process for Windows based OS's. The tool in question is included in Windows XP and is called "cipher.exe". This tool has many uses as the following output shows:
C:\Documents and Settings\Administrator>cipher /?
Displays or alters the encryption of directories [files] on NTFS partitions.
CIPHER [/E | /D] [/S:dir] [/A] [/I] [/F] [/Q] [/H] [/K] [pathname [...]]
CIPHER /W:directory
CIPHER /X[:efsfile] [filename]
/E Encrypts the specified directories. Directories will be marked
so that files added afterward will be encrypted.
/D Decrypts the specified directories. Directories will be marked
so that files added afterward will not be encrypted.
/S Performs the specified operation on directories in the given
directory and all subdirectories.
/A Operation for files as well as directories. The encrypted file
could become decrypted when it is modified if the parent directory
is not encrypted. It is recommended that you encrypt the file and
the parent directory.
/I Continues performing the specified operation even after errors
have occurred. By default, CIPHER stops when an error is
encountered.
/F Forces the encryption operation on all specified objects, even
those which are already encrypted. Already-encrypted objects
are skipped by default.
/Q Reports only the most essential information.
/H Displays files with the hidden or system attributes. These
files are omitted by default.
/K Create new file encryption key for the user running CIPHER. If this
option is chosen, all the other options will be ignored.
/W Removes data from available unused disk space on the entire
volume. If this option is chosen, all other options are ignored.
The directory specified can be anywhere in a local volume. If it
is a mount point or points to a directory in another volume, the
data on that volume will be removed.
/X Backup EFS certificate and keys into file filename. If efsfile is
provided, the current user's certificate(s) used to encrypt the
file will be backed up. Otherwise, the user's current EFS
certificate and keys will be backed up.
dir A directory path.
pathname Specifies a pattern, file or directory.
efsfile An encrypted file path.
Used without parameters, CIPHER displays the encryption state of
the current directory and any files it contains. You may use multiple
directory names and wildcards. You must put spaces between multiple
parameters.
Now the point of interest to me lies in the "/W" option. This if specified, will clear data on any unused portions of the disk specified. I figured I would give this a try on a Windows 2000 Pro laptop.
C:\Documents and Settings\Administrator>cipher /W:c:To remove as much data as possible, please close all other applications while
running CIPHER /W.
Writing 0x00
................................................................................
....................
Writing 0xFF
................................................................................
....................
Writing Random Numbers
................................................................................
....................
C:\Documents and Settings\Administrator>
It's done, and it was painless. All unallocated space on the hard drive was overwritten by zeros, then ones and then random numbers. On a drive that had 4 gigs of free space, it took less than 20 minutes. Now if anyone gets a hold of this hard drive, it would not be possible to recover deleted files. This type of action can be scheduled on windows boxes to be run periodically. In an age of mobile computing, this type of extra security measure can be invaluable.
