
My company has a policy that files have to be shredded after they've been read. They provide a tool, shred.exe, that I run on the file; it overwrites the file with garbage in the file system before unlinking it.

Today I forgot to do that and I wonder what to do now. How do I shred a file that's been unlinked?

I'm using Windows 7 operating system.

At the moment I tried creating thousands of tiny files ranging from 1 MB to 200 MB and just copying them a hundred times in the file system, but it takes way too long.

Any other suggestions to do this quicker?

bodacydo

  • In these days of SSDs the data isn't wiped even if you shred it. It's only wiped when the drive gets around to erasing the sector it was in. – Loren Pechtel Oct 19 '15 at 04:25
  • Related question: [How do I purge Windows of my private data when formatting the drive is not an option?](http://security.stackexchange.com/questions/101390/how-do-i-purge-windows-of-my-private-data-when-formatting-the-drive-is-not-an-op) – CodesInChaos Oct 19 '15 at 06:49
  • @LorenPechtel I would *hope* that means that those who wrote the policy have also ensured that everyone's on HDDs. But I'm not optimistic -- if they were that good they could have provided a technical solution (never decrypted to disk, delete always shreds, etc.) – Chris H Oct 19 '15 at 08:35
  • As suggested by others, most file recovery tools will do. If you just want to overwrite the free space on your HDD you can use tools like CCleaner to automate that process. It creates all those small files for you; all you have to do is select the drive(s) and press start. – Malte Köhrer Oct 19 '15 at 11:55
  • Why don't you ask the IT dept. of your company, which probably maintains this policy? Be aware of the consequences: hopefully honest mistakes may happen. – mucaho Oct 19 '15 at 13:07
  • The policy enforced by your company to avoid data leaks on Windows is plainly inefficient. Even if you shred a file **in place**, there are pieces everywhere on the file system. They aren't garbage collected by Windows and moreover, the **data is still within the freed disk blocks**. ---- Rather follow the **"Official" overwrite tools** in @Iserni's answer. – dan Jan 07 '16 at 07:17
  • @danielAzuelos: how do you know exactly what shred.exe does? Maybe it's a really smart, low-level tool which works on the disk at a physical level? I'm not saying that to say "you're wrong!". I'm really asking to understand your point, because I don't know much about HDDs/SSDs! :) – Dinaiz Jun 23 '17 at 01:32
  • @Dinaiz shred just rewrites garbage to the file. No low-level, SSD-enhanced magic. – ThoriumBR Jan 28 '20 at 20:04
  • OP doesn't need to fill the disk with hundreds of thousands of 1k files. One big file using all available space is enough. – ThoriumBR Jan 28 '20 at 20:07

3 Answers


First of all (just to be on the safe side) verify the file isn't in the Recycle Bin. If it is, choose Restore and of course shred the recovered file (or maybe you can shred it while inside the Recycle Bin).

If the file has been "truly deleted", recover it using an undelete tool such as Piriform's Recuva, then shred it for good.

Note (suggested by Chris H): deletion under most filesystems is lazy, i.e. the space occupied by the file is simply marked as reusable. Until it is actually reused, the old data is still there and may be recovered. Undelete tools can work in two ways: they can mark that space as occupied again, or they can read the space and make a copy elsewhere. You want the first kind of undeletion, since you want to make the original space accessible to the shredder and destroy it -- not make a copy that will leave the original space still maybe recoverable again and again.

A deleted file might be recoverable using Windows Shadow Copy, which is available since XP and enabled by default in Windows 7+. In an earlier edit I wrote 'chances are that it is disabled'. I should have written "on an unrelated note, ensure that it is disabled". VSS will not help you to shred a deleted file, since (as Chris H noticed) it will actually make another copy. You do not recover the original file space, which remains unshredded. For this reason, your company's IT admins should have disabled VSS on your computer. Otherwise, any "shredded" file may actually have several unshredded and recoverable copies lying around the disk.


DIY overwrite

However: a newly copied file (with VSS disabled) would be at the beginning of the free space area. If you copy a couple thousand files having the same size as the filesystem cluster size (or 1K if you're in doubt), you should be pretty sure that the file has been made unrecoverable even if it has not been "officially shredded".

"Official" overwrite tools

If you really want to be sure use a tool such as SDelete and tell it to wipe the disk's free space (be careful - not the allocated space!). Or you can use Piriform's CCleaner and do the same thing from the Tools menu. Another tool I just discovered by chance, and is recommended by Gutmann himself, is Eraser.

Unless the disk is carefully examined with an electron scanning microscope, nobody's ever going to be able to tell whether the file was shredded with the mandated tool or not before becoming totally irretrievable. If you use SDelete or such in so-called "secure" mode (aka Gutmann erase), even an electron scanning microscope will be none the wiser. Mandatory point: Gutmann erase is serious overkill even in Gutmann's own opinion.

(The above may of course not apply if the company shred executable keeps and possibly transmits a record of the MD5 of every file it shreds).

dan
LSerni

  • *If* it works, you may upvote/accept it. But check it out first - you might even want to *down*vote it if it's not useful. If there are any problems, feel free to comment. – LSerni Oct 18 '15 at 22:52
  • I'm blasting my FS with 1k files now. I'll run defrag and blast it again tomorrow morning. That should do it. – bodacydo Oct 18 '15 at 23:09
  • I've a follow-up question though about one of the things you said - that after deleting a file, the new file will be copied at the beginning of the free space area. Doesn't Windows pick file locations randomly? That's what I had heard. (And that's why you do defragmentation often on Windows?) – bodacydo Oct 18 '15 at 23:10
  • The file is stored either in the directory entry (if very small) or in the first place where a "reasonably large" free hole exists. There are some tuning parameters that control how large is reasonably large. If you copy in files that are *smaller* than the one you deleted, you should be quite sure to hit the deleted file's file area sooner or later. It may take several dozen megabytes, if there are lots of small holes before that point. As for defragmentation, most clustered file systems are prone to it in some form or another, if they provide for file appending. – LSerni Oct 18 '15 at 23:58
  • In the old days, 3rd party undelete utilities could/did sometimes attempt to *copy* the file. If that still holds, undelete won't help you. Shadow *Copy* is a choice of name that would make me wary that this is still true. Free space wiping might take a while but is as certain as anything can be. – Chris H Oct 19 '15 at 08:32
  • Windows actually has a built-in, but little known, file wipe utility with the "cipher" command. You run it from a command prompt, specify the /W flag and the directory or drive where the deleted file resided. – PwdRsch Oct 19 '15 at 18:45

This can be accomplished with a native Windows tool called cipher.

cipher.exe has existed in Windows systems since Windows 2000, for the purpose of file encryption, but it has a switch that allows for the wiping of all free space on the specified volume. See my original question and answer over at SuperUser for how it accomplishes it and the required syntax.


Hashim Aziz
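The two free-space approaches discussed on this page, LSerni's "DIY overwrite" (one junk file written until the volume is full, as ThoriumBR's comment simplifies it) and the built-in `cipher /W` wipe from this answer and PwdRsch's comment, as one added script. This is an illustration written for this page, not code from any of the posters. It assumes Windows 7 or later with PowerShell 2.0+, an elevated prompt (`vssadmin` and a whole-volume wipe need administrator rights), the built-in `cipher.exe` and `vssadmin.exe`, and a constructed file name `wipe-fill.tmp`; the Recycle Bin and shadow-copy checks are there because the accepted answer says both can hold copies that a free-space wipe never touches.

```powershell
# Added example, not from the original question or answers: overwrite the unallocated
# space of one NTFS volume after a file was deleted without the mandated shredder.
# Assumes Windows 7+, PowerShell 2.0+, an elevated prompt, and that cipher.exe and
# vssadmin.exe are present. $fillName is a constructed placeholder name.
[CmdletBinding(SupportsShouldProcess=$true)]
param(
    [Parameter(Mandatory=$true)]
    [ValidatePattern('^[A-Za-z]:$')]
    [string]$Drive,                              # e.g. 'D:'

    [ValidateSet('Cipher','Fill')]
    [string]$Method = 'Cipher'                   # built-in cipher /W, or one big junk file
)

# 1. A file still in the Recycle Bin is still allocated, so a free-space wipe does not
#    reach it. It has to be restored and shredded (first point of the accepted answer).
$bin = (New-Object -ComObject Shell.Application).NameSpace(0xA)   # 0xA = Recycle Bin
$binCount = $bin.Items().Count
if ($binCount -gt 0) {
    Write-Warning "$binCount item(s) still in the Recycle Bin; restore and shred those first."
}

# 2. Shadow copies (VSS) keep their own copies of deleted data; count them so the caller
#    knows a free-space wipe alone leaves those copies intact.
$shadows = (& vssadmin.exe list shadows "/for=$Drive" 2>&1) | Select-String 'Shadow Copy ID'
if ($shadows) {
    Write-Warning ("{0} shadow copies exist for {1}; the wipe below does not touch them." -f @($shadows).Count, $Drive)
}

# 3. Overwrite the free clusters.
$free = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$Drive'").FreeSpace
if (-not $PSCmdlet.ShouldProcess($Drive, "overwrite $free bytes of free space via $Method")) { return }

switch ($Method) {
    'Cipher' {
        # cipher /W:<dir> overwrites the unused clusters of the volume that holds <dir>;
        # any directory on the volume will do, the root is used here.
        & cipher.exe "/W:$Drive\"
    }
    'Fill' {
        # One file written until the volume reports "disk full" ends up occupying every
        # free cluster, so the deleted file's old clusters are overwritten. The same
        # random buffer is reused; the content only has to be unrecognisable.
        $fillName = Join-Path "$Drive\" 'wipe-fill.tmp'            # constructed name
        $buf = New-Object byte[] (64MB)
        (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($buf)
        $fs = [System.IO.File]::Open($fillName, 'Create', 'Write', 'None')
        try {
            while ($true) { $fs.Write($buf, 0, $buf.Length) }
        } catch [System.IO.IOException] {
            # expected once the volume is full ("There is not enough space on the disk")
        } finally {
            $fs.Close()
            Remove-Item $fillName -Force                   # hand the clusters back
        }
    }
}
```

Run it as `.\Wipe-FreeSpace.ps1 -Drive D: -Method Fill -WhatIf` first to see what it would do; both methods fill the volume completely for a while, so a system drive will briefly be out of space. Two limits carried over from the page itself: a very small file that lived inside its directory entry (LSerni's comment) is not in free space and is not reached by the `Fill` method, and on an SSD (Loren Pechtel's comment) overwriting gives no guarantee about the physical flash, which the script cannot detect on Windows 7.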

Yikes. If they want that much control over how files are destroyed, maybe they should do it themselves. In my opinion, as long as there is endpoint encryption and good access controls, a deleted file is completely deleted except to the person that deleted it, and maybe that's really the point. I think they want to prevent you from having access to the file after it was supposed to have been deleted, and if they don't trust you with access to the file, then they shouldn't trust you to delete it in the first place. Sounds like some wacky policies.

Anyway, what I would try to do is use PhotoRec or something to restore the file, and then once restored, I would shred it properly, as though I had never messed up the process in the first place. But if they're that tight on how you delete files, they probably won't let you use PhotoRec or other recovery tools. Best bet, tell IT what happened. Hopefully they're not stupid enough to fire you. I understand this post is old and you probably already took care of it, but for the sake of adding my two cents, there's my answer...

Robert Talada