The Windows command cipher /w
can be used to securely wipe a hard drive's free space without the use of third-party tools or GUIs:
cipher
works by creating a folder called EFSTMPWP
on the root of the target drive; inside this folder, it successively fills three temporary files with zeroes, ones, and random numbers respectively, one after the other, to the size of the empty space left on the drive.
By the time a file has taken up all of the drive's empty space, it's effectively forced the file system to overwrite all data held in its free space with the file's newly-written data, rendering any data previously held there permanently irrecoverable.
I understand Windows doesn't typically grant users access to the raw drive like Linux does, but I'm confused as to why Windows' own utilities would choose to write data indirectly to files in this way and be subjected to disk I/O bottlenecks in the process, instead of simply writing to the raw disk itself.
Is there a particular reason it wipes disks using files instead of writing to the raw disk, or was this likely just a design oversight?
Answer
Looking over cipher /?
from command line I see that the cipher
command/app does much more than just the operations that occur when using the /w
option. As stated in the help it is used to display and alter the encryption of directories and files on NTFS partitions.
It seems to me that the /w
switch with this command is just a simple function that works with files and folders only on NTFS partitions as per it's core functionality description via chipher /?
.
cipher /?
Displays or alters the encryption of directories [files] on NTFS partitions.
/W Removes data from available unused disk space on the entire
volume. If this option is chosen, all other options are ignored.
The directory specified can be anywhere in a local volume. If it
is a mount point or points to a directory in another volume, the
data on that volume will be removed.
A few specific things to point out per the Microsoft post "How to use Cipher.exe to overwrite deleted data in Windows~"
regarding this tool's specific functionality. . .
this command/app was apparently designed in the days of Windows 2003 (maybe it's even older) so consider using another tool if it doesn't suffice for your task/operation needs.
there's a mentioned gotcha with the
/w
option functionality with files smaller than 1 KB so if smaller than 1 KB files is important to you, use another tool.it states it can take a long time to complete if there's a lot of free space to be overwritten so it's not like they are claiming this tool is an efficient raw disk I/O beast—use another tool if that's a problem for your needs.
Knowing all this it seems the additional I/O overhead and bottleneck risks you mention were not of any importance or concern when this functionality was designed.
This tool does nothing special with this functionality (working with files and folders on NTFS partitions) that another native Windows method could not do; this specific functionality is not robust.
See the "How to zero fill a virtual disk's free space on windows for better compression" post and the answer on there regarding fsutil
for another native Windows method to zero fill free space.
fsutil volume diskfree f:
Which showed this report:
Total # of free bytes : 249899469856
Total # of bytes : 249997291520
Total # of avail free bytes : 249899469856
I used Total # of avail free bytes in the following commands:
fsutil file createnew F:\clear 249899469856
fsutil file setvaliddata F:\clear 249899469856
fsutil file setzerodata offset=0 length=249899469856 F:\clear
del f:\clear
It took about 4 hours to write 250GB of zeros.
Further Resources
/w:PathName
Remove data from unused portions of a volume.
PathName can indicate any directory on the desired volume.
Cipher does not obtain an exclusive lock on the drive.
This option can take a long time to complete and should only be used when necessary.How to use Cipher.exe to overwrite deleted data in Windows~
Note The cipher /w command does not work for files that are smaller
than 1 KB. Therefore, make sure that you check the file size to
confirm whether is smaller than 1 KB. This issue is scheduled to be
fixed in longhorn.
Data that is not allocated to files or folders is overwritten. This permanently removes the data. This can take a long time if you are overwriting a large amount of space.
No comments:
Post a Comment