What's a good secure file deleter?

The problem with deleting files is that the file data is just one small part of what really gets saved onto your disk. On a modern filesystem there will be lots of metadata and other artifacts scattered around the disk:

  • Journal entries on journaling filesystems, e.g. NTFS, ext3, ext4.
  • Search index entries.
  • Prefetch / superfetch cache entries.
  • Shadow copies.
  • Image thumbnail caches, e.g. WinXP's thumbs.db / Win7's thumbnail database.
  • Temporary files, e.g. from ZIP/RAR extraction.
  • Alternate data streams (ADS), e.g. EFS FEK descriptors.
  • COM / .NET object registration data.
  • Wear leveling sectors on SSDs / USB flash drives.

This presents a challenge. Simply deleting the file data securely will only result in that data being deleted. There's no guarantee that the metadata won't contain sensitive data, or even be enough to reconstruct the entire file or match its hash against that of a known plaintext.

For example, even if the file is deleted we might be able to detect the following:

  • The name of the file and when it was created / deleted / modified.
  • A cryptographic hash (or checksum, e.g. CRC32) of the file, from an indexing database.
  • Occurrence of certain words or phrases inside the file from a search content index.
  • Company name, product name, COM object interfaces, .NET namespaces, etc. if it was a PE executable.
  • A thumbnail if the file was an image.
  • Various metadata from latent alternate data streams.
  • Partial plaintext from temporary files and wear leveling sectors.
  • Entire plaintext recovery from shadow copies or temporary files.

Identifying the locations of these and appropriately deleting them is cumbersome and may not even be possible in some cases. The best you can do is manually go through and clear any backups, delete the files, clear out your caches, wipe your thumbnail database, then do a cipher /W pass to ensure that most of it is wiped. Unfortunately even this won't guarantee anything, since some of it is stored in files and structures that are just trimmed or modified instead of properly deleted, resulting in blocks of data that are unlinked from the structure but not wiped.

So how can we get round this? The only real way to do it is with full disk encryption. Use an industry standard like TrueCrypt to encrypt your entire hard disk, using a strong password. Even this isn't 100% foolproof on SSDs with wear-leveling (in which case TRIM and Secure Erase are good options) but it protects you against all relevant practical attacks as long as you're not worried about governments throwing a ludicrous budget at recovering your data.

Of course, if you're really paranoid, the only guaranteed solution is full physical destruction. This is usually achieved using an industrial disk shredder that physically cuts the disk up into little cubes, and often involves a pass through a strong magnetic field. For government and military purposes, these cubes are often melted in a furnace afterwards for good measure.


There's the sdelete CLI utility from Microsoft Sysinternals:

https://technet.microsoft.com/en-us/sysinternals/sdelete.aspx

You can use SDelete both to securely delete existing files, as well as to securely erase any file data that exists in the unallocated portions of a disk (including files that you have already deleted or encrypted). SDelete implements the Department of Defense clearing and sanitizing standard DOD 5220.22-M, to give you confidence that once deleted with SDelete, your file data is gone forever.

sdelete securely deletes the file contents and also the file name in the file allocation table:

To overwrite file names of a file that you delete, SDelete renames the file 26 times, each time replacing each character of the file's name with a successive alphabetic character. For instance, the first rename of "foo.txt" would be to "AAA.AAA".
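The content-overwrite plus 26-step rename scheme described above, as an added Python example (not SDelete's code, and not from either answer). The rename helper follows the documented "foo.txt" -> "AAA.AAA" pattern; the three overwrite passes (zeros, ones, random) are this example's own choice, and the caveats from the first answer still apply: on journaling or copy-on-write filesystems and on wear-levelled SSDs the rewritten bytes may land in different physical blocks, and none of this touches search indexes, thumbnails, shadow copies or other metadata.

```python
import os
import secrets
import string

CHUNK = 64 * 1024


def rename_sequence(name: str) -> list:
    """The 26 names SDelete is documented to use: every character except the
    extension dot becomes 'A' on the first rename, 'B' on the second, ... 'Z'
    ("foo.txt" -> "AAA.AAA", ..., "ZZZ.ZZZ")."""
    return ["".join("." if ch == "." else letter for ch in name)
            for letter in string.ascii_uppercase]


def overwrite_contents(path: str, passes: int = 3) -> int:
    """Overwrite the file's bytes in place: pass 1 zeros, pass 2 ones, later
    passes random. Returns the number of bytes written per pass. Only useful on
    storage that really rewrites in place (see the caveats in the first answer)."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for n in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                block = min(CHUNK, remaining)
                if n == 0:
                    data = b"\x00" * block
                elif n == 1:
                    data = b"\xff" * block
                else:
                    data = secrets.token_bytes(block)
                fh.write(data)
                remaining -= block
            fh.flush()
            os.fsync(fh.fileno())  # push each pass to the device before the next
    return size


def secure_delete(path: str, passes: int = 3) -> bool:
    """Overwrite contents, walk the 26-step rename sequence so the original name
    is overwritten in the directory entry, then unlink. Assumes no file with one
    of the intermediate names already exists in the directory. Returns True if
    neither the original nor the final name remains."""
    overwrite_contents(path, passes)
    directory, name = os.path.split(path)
    current = path
    for new_name in rename_sequence(name):
        target = os.path.join(directory, new_name)
        os.rename(current, target)  # each step overwrites the previous name
        current = target
    os.remove(current)
    return not os.path.exists(path) and not os.path.exists(current)
```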