Forensic wipe a file from hard disk in C

I know how to go about forensically wiping a complete disk, for example. I could just use CreateFile and then WriteFile to write the entire disk, for example D:\, with random garbage bits of data, so that when I fire up a utility like EaseUS recovery manager, I won't be able to find any trace of any file or recover them. Now I'm trying to accomplish the same with a particular file or directory on a disk. Suppose there is a file called Test.txt and I want to delete it and also fill the space occupied by it with garbage values, so the space is not just left to be overwritten later, as Windows usually works. Is it possible to do it in C? If so, how do I go about it? A code snippet would be extremely helpful!

c winapi

Answers

answered 3 months ago Ajay Brahmakshatriya #1

Any kind of software technique cannot reliably zero out a file system, let alone a single file or directory. You need to abandon this approach.

Now your other option is to physically destroy it to bits. Yes, it works, but come on. You cannot destroy a disk every time you want to destroy a file.

The other, more feasible option is to always encrypt your data while storing it in the file. This reduces the problem to erasing only the key. But since it is significantly smaller, you can put it on a piece of paper. Now you just have to tear that paper and do a normal delete on the file. Even if "they" recover the encrypted contents, they can't do anything with it.

Although there are factors to consider. When reading the file, you have to be careful that the data remains "in memory" only. You might say, I will never write the unencrypted stuff to the disk. But the OS might do it. Say it swaps your process out.

So you need to carefully design your viewer. It should decrypt the file only into memory pages which are pinned. You might need to write some kernel modules for it. You also have to be careful about how you send the data to your display driver and what it does with it. Yes, it is doable with enough kernel modules. But each step from decryption to drawing pixels on the screen needs to be carefully audited.
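An added example, not part of the answer above: one way to hold a key or decrypted data in pinned pages and wipe them before release, using VirtualLock on Windows and mlock elsewhere. The names `secure_wipe`, `pinned_alloc` and `pinned_free` are hypothetical, and the code covers only the in-memory step; it does nothing about hibernation files, crash dumps, or copies made by other components.

```c
#define _DEFAULT_SOURCE          /* for MAP_ANONYMOUS on strict POSIX builds */
#include <stddef.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#endif

/* Zero memory so that the compiler cannot drop the stores as "dead". */
static void secure_wipe(void *p, size_t n) {
#ifdef _WIN32
    SecureZeroMemory(p, n);
#else
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
#endif
}

/* Allocate n bytes locked into RAM, so they are not paged out to swap
   or the pagefile. Fails closed: returns NULL if pinning is refused. */
static void *pinned_alloc(size_t n) {
#ifdef _WIN32
    void *p = VirtualAlloc(NULL, n, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (p && !VirtualLock(p, n)) { VirtualFree(p, 0, MEM_RELEASE); p = NULL; }
    return p;
#else
    void *p = mmap(NULL, n, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    if (mlock(p, n) != 0) { munmap(p, n); return NULL; }
    return p;
#endif
}

/* Wipe first, then unlock and release, so no plaintext survives the free. */
static void pinned_free(void *p, size_t n) {
    if (!p) return;
    secure_wipe(p, n);
#ifdef _WIN32
    VirtualUnlock(p, n);
    VirtualFree(p, 0, MEM_RELEASE);
#else
    munlock(p, n);
    munmap(p, n);
#endif
}
```

A caller decrypts directly into the buffer returned by `pinned_alloc` and treats a NULL return as a hard error rather than falling back to ordinary heap memory.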

answered 3 months ago Paul Sanders #2

[Meta answer]

Good news:

Turn on device encryption

Device encryption helps protect your data by encrypting it. Only someone with the right encryption key (such as a password) can decrypt it.

Bad news:

Device encryption is not available in Windows 10 Home.

The Lord giveth and the Lord taketh away, see: https://support.microsoft.com/en-gb/help/4028713/windows-10-turn-on-device-encryption
