Monday, April 20, 2015

windows - Why does cipher /w fill up temporary files instead of writing to the raw disk?


The Windows command cipher /w can be used to securely wipe a hard drive's free space without the use of third-party tools or GUIs:


enter image description here


cipher works by creating a folder called EFSTMPWP on the root of the target drive; inside this folder, it successively fills three temporary files with zeroes, ones, and random numbers respectively, one after the other, to the size of the empty space left on the drive.


By the time a file has taken up all of the drive's empty space, it's effectively forced the file system to overwrite all data held in its free space with the file's newly-written data, rendering any data previously held there permanently irrecoverable.


enter image description here


I understand Windows doesn't typically grant users access to the raw drive like Linux does, but I'm confused as to why Windows' own utilities would choose to write data indirectly to files in this way and be subjected to disk I/O bottlenecks in the process, instead of simply writing to the raw disk itself.


Is there a particular reason it wipes disks using files instead of writing to the raw disk, or was this likely just a design oversight?


Answer



Looking over cipher /? from command line I see that the cipher command/app does much more than just the operations that occur when using the /w option. As stated in the help it is used to display and alter the encryption of directories and files on NTFS partitions.


It seems to me that the /w switch with this command is just a simple function that works with files and folders only on NTFS partitions as per it's core functionality description via chipher /?.



cipher /?


Displays or alters the encryption of directories [files] on NTFS partitions.
/W Removes data from available unused disk space on the entire
volume. If this option is chosen, all other options are ignored.
The directory specified can be anywhere in a local volume. If it
is a mount point or points to a directory in another volume, the
data on that volume will be removed.




A few specific things to point out per the Microsoft post "How to use Cipher.exe to overwrite deleted data in Windows~"
regarding this tool's specific functionality. . .



  1. this command/app was apparently designed in the days of Windows 2003 (maybe it's even older) so consider using another tool if it doesn't suffice for your task/operation needs.


  2. there's a mentioned gotcha with the /w option functionality with files smaller than 1 KB so if smaller than 1 KB files is important to you, use another tool.


  3. it states it can take a long time to complete if there's a lot of free space to be overwritten so it's not like they are claiming this tool is an efficient raw disk I/O beast—use another tool if that's a problem for your needs.





Knowing all this it seems the additional I/O overhead and bottleneck risks you mention were not of any importance or concern when this functionality was designed.


This tool does nothing special with this functionality (working with files and folders on NTFS partitions) that another native Windows method could not do; this specific functionality is not robust.


See the "How to zero fill a virtual disk's free space on windows for better compression" post and the answer on there regarding fsutil for another native Windows method to zero fill free space.




  • FSUTIL


    fsutil volume diskfree f:

    Which showed this report:


    Total # of free bytes        : 249899469856
    Total # of bytes : 249997291520
    Total # of avail free bytes : 249899469856

    I used Total # of avail free bytes in the following commands:


    fsutil file createnew F:\clear 249899469856
    fsutil file setvaliddata F:\clear 249899469856
    fsutil file setzerodata offset=0 length=249899469856 F:\clear
    del f:\clear

    It took about 4 hours to write 250GB of zeros.


    Source






Further Resources



  • CIPHER.exe



    /w:PathName


         Remove data from unused portions of a volume.
    PathName can indicate any directory on the desired volume.
    Cipher does not obtain an exclusive lock on the drive.
    This option can take a long time to complete and should only be used when necessary.


  • How to use Cipher.exe to overwrite deleted data in Windows~



    Note The cipher /w command does not work for files that are smaller
    than 1 KB. Therefore, make sure that you check the file size to
    confirm whether is smaller than 1 KB. This issue is scheduled to be
    fixed in longhorn.


    Data that is not allocated to files or folders is overwritten. This permanently removes the data. This can take a long time if you are overwriting a large amount of space.




No comments:

Post a Comment

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...