Wiping Drives and Free Space with SDelete
SDelete is a free program from Microsoft’s TechNet Sysinternals collection. It runs from the command line, and can be used to wipe drives, wipe files, or wipe free space.
Time Needed: Varies; from a few minutes to several hours, depending upon size and speed of drive and computer
Software: TechNet Sysinternals SDelete
Available from http://technet.microsoft.com
Media: Can be run from Windows desktop
1. Download SDelete.
2. Extract the contents of the compressed file.
3. Copy sdelete.exe to c:\windows\system32\ (this will enable you to run it from any location)
4. Open a command prompt session with Administrator rights.
5. To wipe all files on drive X: and its subdirectories and to wipe free space, enter Sdelete -p 2 -s -z X:\*.* (to see all command-line switches, enter Sdelete with no options)
6. Wait; the program displays status messages as it runs. When the program is finished, you can reuse or dispose of the drive.
Evaluating the Effectiveness of Disk Wiping Programs
We used demo versions of two popular data recovery programs to evaluate some of the disk wiping programs discussed in this article. To determine whether a typical data recovery program could recover files on an SD card wiped with Roadkil’s DiskWipe, we first formatted the card using a card reader. Ontrack’s EasyRecovery Data Recovery (available from http://www.ontrack.com) had no difficulty finding folders and files to retrieve.
However, when we used DiskWipe to wipe the drive using a one-pass blank disk (zero fill) operation, EasyRecovery Data Recovery was unable to find the file system, let alone any files or folders.
After reformatting the card, taking a few photos, and deleting the photos, EasyRecovery Data Recovery was able to find the new photos, but the contents of the card before running DiskWipe were unrecoverable.
To evaluate SDelete, we used SDelete to wipe all of the files on a hard disk, but omitted the -z switch; when -z is not used, SDelete deletes files and renames them, but does not clear free space. To determine what might be visible, we used a demo version of Disk Doctors NTFS Data Recovery software, available from http://www.diskdoctors.net.
Disk Doctors was able to locate the deleted folder and Outlook Express message folders, but SDelete had renamed them from their original names and DBX extensions (Outlook Express message folders). If you use SDelete, it’s very important that you take time to use the -z switch to clear free space on the disk (once a file is deleted, the space it occupies is free space).
We also used Disk Doctors to evaluate the effectiveness of a freeware program called Eraser, which can delete and overwrite files and folders from the right-click menu. We created a documents folder with a subfolder called Figures and used Eraser to overwrite the folder and subfolder using its default settings.
Disk Doctors was able to locate the folders, but the contents are files with garbage names and are zero bytes in size – except for leftover word processing temporary files (files that begin with $). These filenames were not changed, which could enable a snooper to figure out the names of the files in the folder – although the files themselves were destroyed. By using more overwrites or different methods available with Eraser, a more thorough wiping may be possible.
We’ve highlighted a variety of free ways to protect data on castoff drives from being retrieved. As you can see, your best bet is to overwrite data directly, but you also might want to consider using a program such as SDelete to scramble filenames first and then use a disk wiper such as Eraser or WipeDisk to finish the job.
Use demo versions of data recovery programs such as Ontrack EasyRecovery Data Recovery, Disk Doctors Data Recovery (various editions for NTFS, FAT, and flash media), and others to evaluate the effectiveness of your data wiping procedures. Remember, the full versions of these and other data recovery programs can save your data if you accidentally format or partition a disk because, until the data is overwritten, it’s still there.
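The zero-fill result described in the DiskWipe test can also be checked with a script run against a raw image of the wiped media. The following is an added example, not part of the original article; the signature list, function names, and the sample image are constructed for illustration.

```python
import io

SECTOR = 512
# Small illustrative set of signatures a recovery tool would carve for.
SIGNATURES = {
    b"\xff\xd8\xff": "JPEG image",
    b"FAT32   ": "FAT32 boot sector",
    b"NTFS    ": "NTFS boot sector",
}

def scan_image(stream, chunk_sectors=2048):
    """Scan a raw image sector by sector for data that survived a zero fill."""
    report = {"sectors": 0, "nonzero_sectors": 0, "first_nonzero": None, "hits": []}
    offset = 0
    while chunk := stream.read(SECTOR * chunk_sectors):
        for i in range(0, len(chunk), SECTOR):
            sector = chunk[i:i + SECTOR]
            report["sectors"] += 1
            if not any(sector):          # all zero bytes: wiped
                continue
            report["nonzero_sectors"] += 1
            if report["first_nonzero"] is None:
                report["first_nonzero"] = offset + i
            for magic, name in SIGNATURES.items():
                pos = sector.find(magic)
                if pos != -1:
                    report["hits"].append((offset + i + pos, name))
        offset += len(chunk)
    return report

def is_clean(report):
    """True only if every sector read back as zeros."""
    return report["nonzero_sectors"] == 0

def build_sample(wiped):
    """Constructed 64-sector image: formatted-only card vs. zero-filled card."""
    img = bytearray(SECTOR * 64)
    if not wiped:
        img[82:90] = b"FAT32   "                     # file-system type field
        img[SECTOR * 40:SECTOR * 40 + 4] = b"\xff\xd8\xff\xe0"  # old photo header
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    for label, wiped in (("formatted only", False), ("zero-filled", True)):
        r = scan_image(build_sample(wiped))
        print(label, "clean" if is_clean(r) else "RESIDUAL DATA", r["hits"])
```

A clean result is only meaningful for zero-fill wipes; an overwrite with random data leaves every sector non-zero, so in that case only the signature hits tell you anything.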