Wipe your Deleted Data Away: Using cipher.exe

Published on 12 April 2005 / Last Updated on 12 April 2005

In this article we will look at how to use ‘cipher’, a command-line tool included with Windows 2000 and XP. We will learn how to use its newest functionality, which lets administrators wipe all deleted (marked for deletion) data on the hard disk. This overwrites all of the deleted data and provides better security: if someone steals your system, such as a laptop, the thief will not be able to recover that data.



Cipher.exe Usage

Cipher is a cool tool; you can use it in quite a few ways. In this article we will focus on its newest functionality, the ‘wipe all’ feature. There are times when things just happen: an executive in a company I have worked for had his laptop stolen out of the back of his car because someone saw a laptop case and smashed the window in. Since this procedure was commonplace due to the sensitivity of the data we store, nothing was gained, because the thief got a laptop clean of any critical data.

Let’s look at how to use the tool.

Open a Command Prompt by going to:

Start => Run => CMD => hit Enter => type cipher /? to view the syntax.

Let’s break this up into sections. First, you can see that you have the basic syntax for the command. You can use the command in the following way with switches.

The switches used are listed next. These are all important, but beyond the scope of this article. A future article will contain more information on the detailed usage of cipher.exe.

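The command we are going to be using is the last one in the list, the /w switch:

cipher /w:directory

So, if you wanted to cipher /w a folder on your C: drive called ‘ENCRYPT’D’, you would run the following command:

cipher /w:C:\ENCRYPT'D

The directory only tells cipher which volume to work on; /w overwrites the unused (deallocated) space on that entire volume, not just inside the folder.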

In case you don’t remember how to encrypt a folder, right-click one and view its Properties. At the bottom of the Properties dialog box there is an Advanced button; clicking it opens the Advanced Attributes dialog box. At the bottom of that dialog box is an option to encrypt the folder.

The cipher will begin its run:

Once completed, the wipe is done and any data on the drive that has been deleted will be ‘history’. Good work, you have just made your system more secure. If it's taken or stolen, all deleted encrypted data has been safely removed from your system for good.
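The procedure above as a script, for administrators who run it on many laptops. This is an added example, not code from the original article: the parameter names and the -ReportOnly switch are hypothetical, and it assumes a Windows system with PowerShell 3.0 or later and the /w:directory form shown by cipher /?.

```powershell
# Added example: wrapper around "cipher /w" (parameter names are hypothetical).
param(
    [Parameter(Mandatory = $true)]
    [string]$Directory,   # any existing folder on the volume to wipe, e.g. C:\ENCRYPT'D
    [switch]$ReportOnly   # hypothetical switch: show what would be wiped, do not run cipher
)

$ErrorActionPreference = 'Stop'

# cipher /w takes an existing directory and uses it to select the volume.
$dir = Get-Item -LiteralPath $Directory
if (-not $dir.PSIsContainer) { throw "$Directory is not a directory." }

# Map the directory to its drive letter and look the volume up via WMI/CIM.
$root     = [System.IO.Path]::GetPathRoot($dir.FullName)   # e.g. "C:\"
$deviceId = $root.TrimEnd('\')                             # e.g. "C:"
$disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$deviceId'"
if (-not $disk) { throw "No local logical disk found for '$root'." }

# DriveType 3 is a local fixed disk; refuse network, removable and optical drives.
if ($disk.DriveType -ne 3) {
    throw "$deviceId is not a local fixed disk (DriveType=$($disk.DriveType))."
}

# The whole volume's unused space is overwritten, not only the named folder,
# so report the amount before starting what can be a long run.
$freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)
Write-Host ("Volume {0} ({1}): {2} GB of unused space will be overwritten." -f `
    $deviceId, $disk.FileSystem, $freeGB)

if ($ReportOnly) { return }

# Pass switch and path as one argument so names such as ENCRYPT'D or paths
# containing spaces reach cipher.exe intact.
& cipher.exe "/w:$($dir.FullName)"
if ($LASTEXITCODE -ne 0) { throw "cipher.exe exited with code $LASTEXITCODE." }

Write-Host "Wipe of unused space on $deviceId finished."
```

Run it from an elevated prompt with other applications closed, so that as much of the free space as possible is available to be overwritten.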

Summary

In this article we covered the basics of using cipher to overwrite deleted encrypted data (deleted data is called ‘deallocated’ until it becomes ‘reallocated’). Without this step, if your system is stolen or falls into the wrong hands, any data you bothered to encrypt for security and later deleted suddenly becomes accessible to someone who knows how to get it. System administrators and engineers can use Cipher.exe to encrypt and decrypt data on drives that use the NTFS file system and to view the encryption status of files and folders from a command prompt. If your laptop, for instance, was stolen, data recovery software could turn up your deleted encrypted files. As I mentioned earlier in this article, if you went through the trouble of encrypting the folder in the first place, the last thing you want is for someone to grab it because you deleted it! Stay tuned for more articles!
