How to use SDelete to ensure deleted data is gone for good
When data is deleted from a disk, is it really gone? One way to make sure file contents are permanently erased is to use SDelete, a utility built specifically to overwrite deleted data so it cannot be recovered.
SDelete is a tool that securely deletes files on NTFS-formatted logical disks by overwriting file data on clusters within the file system. Let's examine how to use SDelete.
SDelete offers users a secure and permanent way to delete data. The standard delete action does not remove data; it merely marks the space the deleted file previously consumed as unallocated. Those contents aren't overwritten until another application uses that space. Until that occurs, the data you believe you deleted continues to reside on the disk, and a variety of forensics tools could recover this data.
The OS's internal authentication and authorization processes offer safeguards to protect data, but attackers can bypass them entirely by removing a disk and attaching it to a system running a different OS, such as Linux, where the leftover contents of deleted files can be read directly.
SDelete can also be used to remove data within compressed files, as well as information protected by Encrypting File System (EFS). EFS uses asymmetric encryption to protect files when the OS is offline, such as with a stolen disk drive. When a file is created and saved to disk and later encrypted using EFS, the space consumed by the original file copy is marked as unallocated and available for programs to use. The newly encrypted file is a different object from the original, and the original version is not encrypted. File compression presents similar security and performance concerns.
SDelete satisfies two requirements compared to regular delete functions:
- It implements a secure delete option.
- It can overwrite file data in unallocated space, including the remnants of files deleted earlier and the unencrypted or uncompressed originals of files that were later compressed or encrypted.
Before experimenting with SDelete, a warning: Back up your data first. Lost data cannot be recovered, and that's the point. Even better, test SDelete on a VM with trivial data before working with it in production.
How to install SDelete
SDelete is easy to install. Download the entire Sysinternals suite, or download just SDelete as a zip file from the Sysinternals site. SDelete works with current Microsoft Windows client and server OSes, from Windows Vista and Windows Server 2008 onward. Like most Sysinternals tools, installing SDelete is straightforward. Don't forget to add it to your command Path environment variable; that's a less common step some folks might miss. In addition, SDelete doesn't have a built-in GUI, though various third-party add-ons exist, as well as projects that add a Secure Delete option to context menus.
After downloading the zip file, extract it, and add the folder to the system Path variable. There are 32-bit and 64-bit SDelete executables.
Use the following steps to add the sdelete command to the system:
- Extract the zip to C:\Program Files or another location of your choice.
- Open System Properties, and select the Advanced tab. Access System Properties by right-clicking the This PC icon in File Explorer and selecting Properties.
- Select the Environment Variables button.
- Under System variables, select the Path line, and choose Edit.
- Select New to create a new line, and select Browse. Drill down to C:\Program Files\SDelete or wherever you placed the executables.
- Choose OK in each remaining dialog box.
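The same Path change can be made from an elevated PowerShell prompt instead of the System Properties dialogs. The script below is an added example, not part of the article or of Sysinternals; it assumes the zip was extracted to C:\Program Files\SDelete and that the machine-wide Path is the one to update.

```powershell
# Added example (not from the article or Sysinternals): appends the SDelete
# folder to the machine-wide Path so "sdelete" resolves in any new console.
# Assumption: the zip was extracted to C:\Program Files\SDelete. Run elevated.
$SDeleteDir = 'C:\Program Files\SDelete'

if (-not (Test-Path -LiteralPath (Join-Path $SDeleteDir 'sdelete.exe'))) {
    throw "sdelete.exe not found in $SDeleteDir; extract the zip there first."
}

# Read the machine Path from the registry-backed environment store, not from
# $env:Path, which is this process's merged copy and would be lost on exit.
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
$entries = $machinePath -split ';' | Where-Object { $_ -ne '' }

if ($entries -contains $SDeleteDir) {
    Write-Host "Already on the machine Path: $SDeleteDir"
} else {
    $newPath = ($entries + $SDeleteDir) -join ';'
    [Environment]::SetEnvironmentVariable('Path', $newPath, 'Machine')
    Write-Host "Added to machine Path: $SDeleteDir"
}

# Update this session too so the check below works without a new console.
$env:Path = "$env:Path;$SDeleteDir"

# Verify resolution; Get-Command throws if the name cannot be found.
Get-Command sdelete.exe | Select-Object Name, Source
```

Consoles that were already open keep their old copy of Path; open a new one (or update $env:Path as the script does) before relying on the bare sdelete command.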
Note: SDelete prints a license agreement the first time you run it.
How to use SDelete
The sdelete command's syntax is straightforward and has few options. Like other Windows utilities, type the command, add any parameters and specify an argument -- the file, directory, drive or disk you want securely deleted or cleaned.
sdelete [-parameter] <argument>
Open a Windows command prompt, and type sdelete without parameters or an argument. SDelete displays its copyright and help information.
Manage the sdelete command with the following options.
Parameter | Function
-c | Clean free space on a specified drive or physical disk
-f | Treat single-letter arguments as files rather than drives
-p | Number of overwrite passes
-r | Remove the read-only attribute from files
-s | Perform directory recursion
-z | Zero free space
Suppose I create a file named secret.txt. A basic sdelete command for the secret.txt file is the following:
sdelete .\secret.txt
To delete an entire folder, type the following:
sdelete -r -s D:\SecretProject
The -s option causes SDelete to recurse from the parent folder on the D: drive into every subfolder and delete the folders and files below it. You can filter these files with wildcard characters, such as ? and *. The -r parameter removes read-only attributes, allowing those files to be deleted.
How to remove the banner message
Use the -nobanner parameter to prevent SDelete from displaying its copyright and version message each time it runs. This is useful when integrating SDelete in a script that passes its results to other utilities or logs or just to simplify the output.
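A wrapper function is the usual way to put the file and folder commands above into a script, with -nobanner keeping the output clean enough to log. This is an added example, not code from the article or from Sysinternals; it assumes sdelete.exe is on the Path, that the target is on a local drive, and the log file location is an arbitrary choice. The -accepteula switch is the standard Sysinternals option for suppressing the first-run license prompt.

```powershell
# Added example (not from the article or Sysinternals): runs sdelete
# non-interactively, checks the target sits on an NTFS volume, and records
# the outcome. Assumptions: sdelete.exe is on the Path; local drive letters only.
function Invoke-SecureDelete {
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateRange(1, 5)][int]$Passes = 1,
        [switch]$Recurse,
        [string]$LogFile = "$env:TEMP\sdelete.log"   # arbitrary choice
    )

    # Refuse to run against a path that does not exist; there is no undo, so
    # every argument handed to sdelete should be deliberate.
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Nothing to delete at '$Path'."
    }

    # Overwriting clusters only has meaning on NTFS; confirm the volume first.
    $fullPath = (Resolve-Path -LiteralPath $Path).Path
    $root = [System.IO.Path]::GetPathRoot($fullPath)
    $drive = New-Object System.IO.DriveInfo $root
    if ($drive.DriveFormat -ne 'NTFS') {
        throw "'$fullPath' is on a $($drive.DriveFormat) volume; SDelete targets NTFS."
    }

    # -r clears read-only attributes (as in the folder example); -s recurses.
    $sdArgs = @('-nobanner', '-accepteula', '-p', $Passes, '-r')
    if ($Recurse) { $sdArgs += '-s' }
    $sdArgs += $fullPath

    $output = & sdelete.exe @sdArgs 2>&1
    $exit = $LASTEXITCODE

    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    Add-Content -LiteralPath $LogFile -Value "$stamp exit=$exit passes=$Passes path=$fullPath"
    $output | Add-Content -LiteralPath $LogFile

    # The authoritative check is whether the object is gone from the namespace;
    # a nonzero exit code is treated as a failure regardless.
    if ($exit -ne 0) {
        throw "sdelete returned exit code $exit for '$fullPath'; see $LogFile"
    }
    return -not (Test-Path -LiteralPath $fullPath)
}

# Usage, mirroring the article's two commands:
#   Invoke-SecureDelete -Path .\secret.txt
#   Invoke-SecureDelete -Path D:\SecretProject -Recurse -Passes 3
```

Because the function resolves the path before calling sdelete, a relative name such as .\secret.txt is logged as its full path, which makes the log useful later when reconciling what was actually overwritten.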
How to use SDelete for other functions
Let's examine some other ways SDelete can help manage files. Not only is it useful for deleting individual files and folders, but it also includes tools to manage unallocated space.
Manage free disk space
If your goal is to manage free -- i.e., unallocated -- space where confidential files possibly resided, use the -c option to clean this space without affecting existing files. Specify a drive letter with this parameter. For example, to clean the free space on drive F:, type the following:
sdelete -c f:
On larger drives with a lot of free space, it might take SDelete a significant amount of time to complete the clean task. The time required also varies by drive speed. Adding more passes to the command also increases the time.
Cleaning free space helps ensure encrypted, compressed and deleted files are unrecoverable.
Zero free space
The -z parameter zeros free space on a disk. This is handy on virtual disks where unused space cannot necessarily be recovered by the virtualization software. By zeroing the unused space, SDelete helps virtualization software understand the space can be recovered. This step shrinks the virtual disks to a size that contains only real data rather than unused (wasted) space.
Set the number of passes
SDelete can make multiple passes of files, significantly decreasing the likelihood of recovery by advanced forensics utilities. Use the -p option to set the number of passes. Each pass writes random characters to the space. One pass is the default if you don't specify the -p parameter. Specifying more than five passes is uncommon; one to three passes is probably sufficient.
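The free-space cleaning, zeroing and pass-count options above combine naturally into one function. This is an added example, not code from the article or from Sysinternals; it assumes sdelete.exe is on the Path, limits itself to local fixed NTFS volumes, and the three-pass default is the script's own choice within the one-to-five range the article discusses.

```powershell
# Added example (not from the article or Sysinternals): cleans (-c) or zeros
# (-z) the free space of one volume after confirming it is a local, fixed,
# NTFS volume, and reports how long the run took. Assumption: sdelete.exe is
# on the Path. The 3-pass default is this script's choice.
function Clear-FreeSpace {
    param(
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z]:?$')][string]$Drive,
        [ValidateSet('Clean', 'Zero')][string]$Mode = 'Clean',
        [ValidateRange(1, 5)][int]$Passes = 3
    )

    $letter = $Drive.TrimEnd(':').ToUpper()
    $info = New-Object System.IO.DriveInfo "${letter}:\"

    if (-not $info.IsReady) {
        throw "Drive ${letter}: is not ready."
    }
    if ($info.DriveType -ne 'Fixed') {
        throw "Drive ${letter}: is $($info.DriveType); only fixed disks are handled here."
    }
    if ($info.DriveFormat -ne 'NTFS') {
        throw "Drive ${letter}: is $($info.DriveFormat); SDelete targets NTFS."
    }

    # -c overwrites free clusters so earlier deleted data is unrecoverable;
    # -z writes zeros so a hypervisor can compact a dynamic virtual disk.
    # -p applies to either mode and multiplies the run time accordingly.
    $modeSwitch = if ($Mode -eq 'Zero') { '-z' } else { '-c' }
    $freeGB = [math]::Round($info.AvailableFreeSpace / 1GB, 1)
    Write-Host "Running $modeSwitch with $Passes pass(es) over $freeGB GB free on ${letter}:"

    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    & sdelete.exe -nobanner -accepteula -p $Passes $modeSwitch "${letter}:"
    $sw.Stop()

    # Return a record rather than printing, so a caller can log or compare runs.
    [pscustomobject]@{
        Drive    = "${letter}:"
        Mode     = $Mode
        Passes   = $Passes
        FreeGB   = $freeGB
        ExitCode = $LASTEXITCODE
        Elapsed  = $sw.Elapsed
    }
}

# Usage:
#   Clear-FreeSpace -Drive F:                 # equivalent of: sdelete -c f:
#   Clear-FreeSpace -Drive E -Mode Zero -Passes 1
```

The elapsed time in the returned record is worth keeping: the free-space figure and pass count explain most of the variation between runs, and a run that finishes far faster than a previous one on the same volume is a sign the command did not do what was intended. Overwriting-based cleaning also assumes the device writes new data over the old physical location, which holds for magnetic disks but not for SSDs with wear leveling; for those, the drive's own secure-erase command is the appropriate tool.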
SDelete and Department of Defense
In addition to its use in enterprises, SDelete implements the Department of Defense's (DoD) 5220.22-M, a long-used data clearing and sanitizing standard. This enables military and contract personnel to conform with the standard.
The DoD's 5220.22-M standard dictates how users must protect classified data. It typically applies to members of the U.S. military, as well as to contractors that work with classified information. Under terms of the directive, users must protect data from unauthorized recovery, and they must ensure data compressed or encrypted after creation cannot be recovered. SDelete satisfies both requirements.
Note, however, that 5220.22-M was absorbed into the National Industrial Security Program Operating Manual (NISPOM), which became a federal rule in 2021. NISPOM does not include any specific data erasure method in its guidance.
SDelete lets users manage confidential data across their operations -- from repurposing systems to disposing old drives. Use it on NTFS file systems to ensure confidential data is not recovered. Just be careful with SDelete. Remember: When learning how to use SDelete, there is no undo feature.