2

As the title says, not only do I want to completely erase its bits and bytes from the disk but also its trace on the file system, so NO Undelete software can show that it HAD been there at all.

There is good software that will do the first task (SDelete comes to mind), but what about ways to accomplish the second task?

The disk type is HDD and the OS is Win7.

BHP
  • 1
    Formatting the disk will do that. – harrymc Feb 20 '23 at 14:22
  • 3
    No, harrymc. That is not guaranteed. – r2d3 Feb 20 '23 at 14:27
  • 3
    @harrymc that's a quite misleading comment even from you. (Though *AFAIK* *non-quick* format in Windows does more or less zero fill the partition. Not entirely sure though, and even if it was, it *might* have changed at some point, to full partition TRIM on SSD, for example, which in turn *might or might not* make every block reads zero.) – Tom Yan Feb 20 '23 at 14:30
  • 1
    Behzad, the answer to your question depends on the operating system, the file system and the disk itself. Therefore your question is not specific enough. I mention the operating system as data about your activities is stored in more locations than you imagine. And your disk does not show you everything. => Don't do anything bad! – r2d3 Feb 20 '23 at 14:30
  • 1
    Besides, in the case of SSD (or even HDD these days, especially the WD SMR ones), whether you can achieve something like `as if it hasn't existed at all` depends on your "POV". If you are talking about what the *logical block* reads, it's more or less possible (e.g. given the software knows the filesystem well enough). But if you are talking about the actual NAND memory (or HDD/magnetic sectors), it's pretty much impossible (especially if you are talking like deleting just a folder or so, instead of a full drive multi-pass random filling that might not destroy every trace either). – Tom Yan Feb 20 '23 at 14:38
  • @TomYan: I have not entered fully into the method for the formatting of the disk, as clearly that's not the subject here. So how can I be misleading? – harrymc Feb 20 '23 at 14:41
  • @r2d3 I edited the question. The disk type is HDD and the OS is Win 7 – BHP Feb 20 '23 at 15:57

4 Answers

3

The crucial pieces nobody has mentioned so far are the change journal (USN journal) & MFT (master file table). Please see steps 2 & 3 of the below necessary steps which must be done to achieve what you want.

  1. Delete the folder/files (side note: holding shift while you press delete skips the recycle bin)

  2. Delete the change journal. See this answer for how to do it on Windows 7.

As files, directories, and other NTFS file system objects are added, deleted, and modified, the NTFS file system enters change journal records... Each record indicates the type of change and the object changed. - https://learn.microsoft.com/en-us/windows/win32/fileio/change-journal-records

  3. Clear the entries in the MFT which have been marked as "free" (unallocated). The MFT contains the metadata of all the files you have ever deleted, and points to the location where their data is (or was) stored. This is why some tools can actually tell you what specific file(s) overwrote previously deleted files. These entries never get cleared unless you use a utility that specifically clears them.

  4. Wipe the free space of the drive using a multi-pass wiper. These are all the sections of the drive that contain the actual data which is allowed to be overwritten. In other words everything that's been "deleted", which until it is overwritten really just means "hidden from view".

Notes:

  • After step 2 & 3 are complete, nobody should be able to see that the file (or folder) ever existed. But if they know that it did, they could find it by sifting through all recoverable data that has yet to be overwritten. If they are looking pretty soon after you completed steps 1-3 but not 4, they will encounter the data that file contained since it won't have been overwritten yet.
  • Regarding step 4, you may not need to go nuts with the multi-pass overwriting. I would set it to between 2 - 5 times just to be safe. See this article for reference. It may be that some utilities only overwrite part of the data in order to corrupt it, but not overwrite the entire free space. This would be a time saving mechanism since it can be a time-intensive process to overwrite every single free bit on a drive. That could possibly allow someone extremely determined to somehow rebuild parts of the file, although I personally don't know how that would be done.
AFOC
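
An added example, not part of the answer above: a decoder for the `USN_RECORD_V2` layout used by the change journal from step 2, showing that the delete record itself still carries the file name, a timestamp and the MFT entry number from step 3. The record bytes, the file name `plans.txt` and the MFT numbers are constructed sample data, and `build_record` and `deleted_names` are hypothetical helpers.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER = struct.Struct("<IHHQQqqIIIIHH")           # fixed 60-byte part of USN_RECORD_V2
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
REASONS = {0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
           0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
           0x80000000: "CLOSE"}                    # subset of USN_REASON_* flags

def parse_usn_records(buf):
    """Decode consecutive USN_RECORD_V2 entries; stop at padding or a bad length."""
    out, pos = [], 0
    while pos + HEADER.size <= len(buf):
        (length, major, _minor, ref, _parent, usn, ts, reason,
         _src, _sid, _attrs, name_len, name_off) = HEADER.unpack_from(buf, pos)
        if (major != 2 or length < HEADER.size or pos + length > len(buf)
                or name_off + name_len > length):
            break
        name = buf[pos + name_off:pos + name_off + name_len].decode("utf-16-le", "replace")
        out.append({
            "usn": usn, "name": name,
            "mft_entry": ref & 0xFFFFFFFFFFFF,  # low 48 bits: MFT record number
            "sequence": ref >> 48,              # high 16 bits: reuse counter
            "time": EPOCH + timedelta(microseconds=ts // 10),
            "reasons": [n for bit, n in REASONS.items() if reason & bit],
        })
        pos += length
    return out

def deleted_names(records):
    """File names that the journal still ties to a FILE_DELETE event."""
    return [r["name"] for r in records if "FILE_DELETE" in r["reasons"]]

def build_record(name, reason, mft_entry, usn, when):
    """Constructed sample data: pack one record in the on-disk layout."""
    raw = name.encode("utf-16-le")
    length = (HEADER.size + len(raw) + 7) & ~7     # records are 8-byte aligned
    ts = (when - EPOCH) // timedelta(microseconds=1) * 10
    head = HEADER.pack(length, 2, 0, (3 << 48) | mft_entry, (5 << 48) | 5,
                       usn, ts, reason, 0, 0, 0x20, len(raw), HEADER.size)
    return (head + raw).ljust(length, b"\0")

T0 = datetime(2023, 2, 20, 14, 0, tzinfo=timezone.utc)
SAMPLE = (build_record("plans.txt", 0x00000100, 41, 0, T0)
          + build_record("plans.txt", 0x80000200, 41, 80, T0 + timedelta(minutes=5)))

if __name__ == "__main__":
    for rec in parse_usn_records(SAMPLE):
        print(rec["usn"], rec["time"].isoformat(), rec["name"], rec["reasons"])
```
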
1

*This advice is for an HDD and NOT an SSD drive.

*Re: SSD drives.. The cipher command should be fine but SSDs have a limited lifespan and any time you write to a block, it will decrease the lifespan of said block (unlike HDD). cipher will write a block THREE TIMES. For an SSD, this is probably going to be three different addresses making the purpose irrelevant and yet still deteriorate the drive. Things like the windows disk derangement will simply refuse to defragment an SSD drive but with this said, I am not going to be responsible for telling someone to do them. For SSD drives, see what TRIM is all about.

There are free tools on the internet that will do all of this in close to one sweep. Some of those tools (in the past) have been compromised with malware or questionable governments. The suggestions here use nothing but tools already built into Windows.

First.. clean up

  1. Close everything possible.
  2. Run "Disk cleanup" and clean out everything you are comfortable removing.
  3. Delete all files in %TEMP%. Empty internet caches where willing.
  4. Defragment your drive. This step alone will get rid of a large amount of entries left behind but not 100%.
  5. Use the built-in Cipher utility to wipe free space. Technically, you could have ONLY done this step but then your file system would still be MESSY!

Using the Cipher utility.

There is a built in program in windows that can be used to wipe the free space on drives. It only takes a folder name and intends that you will only run it from the drive you want to wipe free space on.

  1. Open cmd.exe as administrator.
  2. Run cipher /W:C where C is the drive you want to wipe the free space on.

There are many other tools to do this process but SU doesn't like people giving software recommendations (so I won't) but here is a nice page full of them including more detailed information on the built-in cipher utility.

Señor CMasMas
  • This is assuming there's no bug in cipher, and that Windows hasn't been "compromised" with a malware - or a government... In short, no way to be sure. – Sylvain Feb 20 '23 at 17:45
  • Thanks for the cleanup @Sylvain . I don't know what my brain was doing there. – Señor CMasMas Feb 20 '23 at 17:45
  • When you `cipher` or alike the same logical block on an SSD for multiple times, very likely the (garbage) data will be written to a different memory (NAND page/block) every time. – Tom Yan Feb 21 '23 at 00:38
  • Thank you @TomYan .. internal comment amended. One of the reasons I avoided culpability for SSD. – Señor CMasMas Feb 21 '23 at 16:06
0
This answer is for the case when you are going to create this folder in the future.

While Windows 7 is a stable and fine system, it's not the best one to use for high privacy concerns.

Anyway - I would:

  • disable any swap file,

  • save my critical data on a unique USB key and directly work on it ONLY,

  • as Windows saves MRU and recent files opened, this can be deleted - but can be recovered also - maybe you'd use non meaningful names, like random digits or chars.

When you wish to delete it, as per your question: take a hammer and reduce the USB key chips into small enough pieces.

It won't be recoverable.

Again, it's not 100% safe - nothing is - especially due to how Windows works, and in particular if you've a swap file. DRAM content can be accessed and read in some conditions even after being powered off (it's called coldboot).

Rohit Gupta
Sylvain
  • 1
    The question is for a folder not a drive. Perhaps you should delete your answer before it gets downvoted. – Rohit Gupta Feb 21 '23 at 01:26
  • You can have a single folder in a small USB, what's the problem? The solution I propose is relatively secure, maybe the most secure here. Which is what the question asks for. Otherwise "so NO Undelete software can show that it HAD been there at all." does NOT exist. – Sylvain Feb 21 '23 at 02:05
  • 1
    Question - How to delete a **Folder**. You are proposing to destroy the whole drive with a hammer. – Rohit Gupta Feb 21 '23 at 02:29
  • I'm proposing to secure a folder inside a drive that can cost 2$ - I'm proposing a secure solution for deletion. But you're just happy to downvote me maybe. 2K reputation isn't enough? That's sad. – Sylvain Feb 21 '23 at 02:51
  • It is a lateral solution. However, you are assuming that this is for a new folder to be created in the future. There is no such indication in the question. For your answer to be valid, you have to ask the OP if this is the case. Or if you prefix your answer with that fact, I would be happy to upvote it. – Rohit Gupta Feb 21 '23 at 03:06
  • I have done it for you. You can edit it to suit. – Rohit Gupta Feb 21 '23 at 03:13
  • @RohitGupta Thank you. I DO agree OP didn't mention if the folder already exists or not. Mea culpa. But if it already exists, it's a silly question - and OP is in danger if such data are compromising and on a home installed Windows :-( Thanks for the upvote, no hard feeling. Wishing you the best. – Sylvain Feb 21 '23 at 03:23
0

The science and technology behind drives makes this not a binary state of readable/unreadable.

Data recovery has ALWAYS been a case of "how much do you (or those you suppose may want to recover this data) want this data back?"

You take the type of data you have, gauge its likely value, and take steps appropriate to those choices.

These will range between writing over (and over, and over, and over) with random bit patterns (more effective for HDDs), to encrypting the drive during use and then just deleting the recovery key (valid for all drive types), to sending the ATA Erase Command (SSDs, but don't trust this) to physically destroying the drive.

Physically destroying the drive is the best way to be certain the data is irrecoverable, both for HDDs and SSDs. If there is data you do not want recovered: destroy the drive.

music2myear