How to Use Cipher.exe Tool to Overwrite Deleted Data in Windows
The Cipher.exe command-line tool can be used to encrypt and decrypt data on drives that use the NTFS file system and to view the encryption status of files and folders from a Command Prompt. It can also be used to manage encrypted data by using the Encrypting File System (EFS).
Microsoft has developed an improved version of the Cipher.exe tool that provides the ability to permanently overwrite (or "wipe") all of the deleted data on a hard disk. This feature improves security by ensuring that even an attacker who gained complete physical control of a computer running Windows 2000 or a later version of Windows would be unable to recover previously deleted data.
IMPORTANT: Please note the following important information:
- You must close all programs before you start Cipher.exe.
- Cipher.exe is not a cure-all that makes it safe to store sensitive data in a plain-text format. Although you can use this tool to remove sensitive data from a drive, if best practices are followed, such data would not normally be created on the drive.
When you delete files or folders, the data is not initially removed from the hard disk. Instead, the space on the disk that was occupied by the deleted data is "deallocated." After it is deallocated, the space is available for use when new data is written to the disk. Until the space is overwritten, you can recover the deleted data by using a low-level disk editor or data-recovery software.
When you encrypt plain text files, Encrypting File System (EFS) makes a backup copy of the file so that the data is not lost if an error occurs during the encryption process. After the encryption is complete, the backup copy is deleted. As with other deleted files, the data is not completely removed until it has been overwritten.
The Cipher switch we are going to use is the /w switch.
The syntax for the Cipher tool with /w switch is:
Code:
Cipher /w:<drive>:\<folder>
To overwrite the deallocated data:
1. Quit all programs.
2. Open the Command Prompt by clicking Start Menu --> All Programs --> Accessories, right-click on Command Prompt, and open it as an administrator. In Windows Vista and later versions of Windows, type cmd.exe into the Start Screen or Start Menu, right-click on Cmd.exe, and open it as an administrator.
3. Type the following command and press the Enter key:
Code:
cipher /w:folder
Where folder is any folder in the volume that you want to clean. For example, the Cipher /w:c:\test command causes all deallocated space on drive C to be overwritten. If C:\folder is a Mount Point or points to a folder on another volume, all deallocated space on that volume will be cleaned.
You can use the Cipher /w:C command to remove deleted files permanently. To wipe deleted files from a drive other than C:, substitute the letter of the drive that you want to wipe.
Data that is not allocated to files or folders is overwritten. This permanently removes the data. This can take a long time if you are overwriting a large amount of space.
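The steps above can be wrapped in a pre-flight check that confirms elevation, resolves which volume a folder really sits on (the mount point case described above), and shows how much free space will be overwritten before cipher /w starts. This is an added example, not part of the original tutorial or of Windows: Invoke-FreeSpaceWipe is a hypothetical helper name, and it assumes Windows 8 or later, where the Get-Volume cmdlet is available.

```powershell
# Added example: pre-flight checks before running cipher /w.
# Invoke-FreeSpaceWipe is a hypothetical helper name, not a built-in command.
function Invoke-FreeSpaceWipe {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)]
        [string]$Folder
    )

    # The tutorial runs cipher from an administrator Command Prompt.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (administrator) session.'
    }

    if (-not (Test-Path -LiteralPath $Folder -PathType Container)) {
        throw "Folder not found: $Folder"
    }
    $fullPath = (Resolve-Path -LiteralPath $Folder).ProviderPath

    # Look up the volume that holds the folder. For a mount point this is the
    # mounted volume, which may differ from the drive letter in the path.
    $volume = Get-Volume -FilePath $fullPath
    if ($volume.FileSystem -ne 'NTFS') {
        throw "Volume is $($volume.FileSystem); the tutorial describes Cipher.exe for NTFS volumes."
    }

    # Free space is what /w overwrites, so it also indicates how long the run takes.
    $freeGB = [math]::Round($volume.SizeRemaining / 1GB, 1)
    $target = "{0} GB free on volume '{1}' ({2})" -f $freeGB, $volume.FileSystemLabel, $volume.Path

    if ($PSCmdlet.ShouldProcess($target, 'Overwrite deallocated space with cipher /w')) {
        & "$env:SystemRoot\System32\cipher.exe" "/w:$fullPath"
        if ($LASTEXITCODE -ne 0) {
            throw "cipher.exe exited with code $LASTEXITCODE"
        }
    }
}

# C:\test is the sample folder from the tutorial; -WhatIf only reports the target.
Invoke-FreeSpaceWipe -Folder 'C:\test' -WhatIf
```

Remove -WhatIf to run the wipe; PowerShell then asks for confirmation because the function declares a high confirm impact.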