views: 356

answers: 4

Problem
I want to securely delete a file in Windows XP.

Context
I need to delete my input file securely once I have finished with it. At the moment I am overwriting all the data with zeros. This is messy, as my temp folder becomes full of old files; also, the names of the files are a security issue. Rather than just moving them to the Recycle Bin, I would like them to skip it and just disappear, in conjunction with being wiped byte-wise, as data recovery software can recover items from beyond the Recycle Bin. As the name is also important, I need to rename them before I delete them.

+8  A: 

This is a progressive problem. What is "secure" for one application is insecure for another. If security is really important and you find yourself asking these kinds of questions on Stack Overflow, then you most likely need to contract with an external security consultant. Examples of really important include financial information, medical records, or anything else where there is a law or contract requiring the securing of the data. I don't say this to be mean or to imply that you are incapable of solving the problem, but to point out that this is a rather complex and evolving problem.

Basically to accomplish what you want to accomplish:

  1. Once the code you wrote finishes, change the file size to empty - this makes recovery more difficult because the original file size is lost.
  2. Then rename the file (RenameFile) to a different name.
  3. Finally delete the file using DeleteFile, which does not move the file to the Recycle Bin.

Make sure you maintain an exclusive handle on the files the whole time they are on the disk too, or they can just be copied before they are deleted.

As I said, this is a progressive problem. This is a really basic solution, and is subject to a number of vulnerabilities. So depending on the level of security needed you might consider never letting the file be written to disk, or using multiple pass overwrites. If security is really important, then actually burning the hard drive platter at a high temperature, and then smashing it is the only way to be sure.

Edit: It appears you removed your code sample.

Jim McKeeth
Just a note: there is a scientific study showing that multi-pass overwrites are just a waste of time. One-pass overwrite has the same result and effectiveness. http://www.springerlink.com/content/408263ql11460147/
liggett78
A: 

Deleting a file can be a touchy subject...

Depending on the needs of your customer, I would like to point to the data remanence phenomenon, which is residual data left after a simple overwrite. Data erasure is a method of destroying the residual data.

There are a few standards on how to erase the residual data, DoD 5220.22-M is mostly referred to by "secure file delete" applications, but apparently the rules have changed.

As of the June 2007 edition of the DSS C&SM, overwriting is no longer acceptable for sanitization of magnetic media; only degaussing or physical destruction is acceptable.

So what I'm saying is, try to get the rules which your customer has to follow.

Davy Landman
+1  A: 

There are third-party utilities to do this kind of thing from the command line - I found PGP Command Line has this feature; if you search around you can probably find a free app that will do this from the command line. You could then just call the command from your app in order to securely delete the file.

I would say that if you are insistent upon writing your own code to do this, then instead of using all 0's, write random bytes to the disk. And don't use the built-in C++ rand function; use a more secure random number generator.

As Jim McKeeth said, this is not something you want to do yourself if there are serious legal repercussions for getting it wrong.

Kip
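The four steps from Jim McKeeth's answer (overwrite, truncate to empty, rename, delete without the Recycle Bin) combined with Kip's advice to overwrite with random bytes rather than zeros, as an added example that is not code from either answer. It is written portably with C++17 `<filesystem>` so it can be compiled and run anywhere; the function names (`overwrite_contents`, `random_name`, `secure_delete`) are my own. It assumes that `std::random_device` is an acceptable source for the overwrite pattern (on Windows XP a product would call `CryptGenRandom` instead) and that the file system writes the new bytes over the same clusters as the old ones, which holds for ordinary NTFS files but not for compressed, encrypted or sparse files, nor on flash media that remaps writes.

```cpp
// Added example: overwrite -> truncate -> rename -> delete, written with
// C++17 <filesystem>. Not code from the original answers.
#include <algorithm>
#include <cstdint>
#include <filesystem>
#include <fstream>
#include <iostream>
#include <iterator>
#include <random>
#include <string>
#include <system_error>
#include <vector>

namespace fs = std::filesystem;

// Fill `buf` with bytes from std::random_device (OS-backed on the major
// toolchains). Assumption: good enough for an overwrite pattern; a product
// on XP would use CryptGenRandom.
static void fill_random(std::vector<unsigned char>& buf) {
    static std::random_device rd;
    unsigned int word = 0;
    for (std::size_t i = 0; i < buf.size(); ++i) {
        if (i % sizeof(word) == 0) word = rd();
        buf[i] = static_cast<unsigned char>(word & 0xFFu);
        word >>= 8;
    }
}

// Step 1: overwrite the existing contents in place. ios::in | ios::out opens
// the file without truncating it; ios::trunc would release the old clusters
// untouched and the data would remain recoverable.
bool overwrite_contents(const fs::path& p, std::uintmax_t size) {
    std::fstream f(p, std::ios::in | std::ios::out | std::ios::binary);
    if (!f) return false;
    std::vector<unsigned char> buf(64 * 1024);
    std::uintmax_t left = size;
    while (left > 0) {
        std::size_t n = static_cast<std::size_t>(std::min<std::uintmax_t>(left, buf.size()));
        fill_random(buf);
        f.write(reinterpret_cast<const char*>(buf.data()), static_cast<std::streamsize>(n));
        if (!f) return false;
        left -= n;
    }
    f.flush();
    return static_cast<bool>(f);
}

// Step 3 helper: a random hex name, so the directory entry no longer carries
// the original (sensitive) file name.
std::string random_name(std::size_t hex_chars) {
    static const char digits[] = "0123456789abcdef";
    std::vector<unsigned char> raw((hex_chars + 1) / 2);
    fill_random(raw);
    std::string name;
    for (unsigned char b : raw) {
        name.push_back(digits[b >> 4]);
        name.push_back(digits[b & 0x0F]);
    }
    name.resize(hex_chars);
    return name;
}

// Runs steps 1-4 in order. On failure `err` names the step that failed and
// the file is left as that step left it, so the caller can retry or report.
bool secure_delete(const fs::path& target, std::string& err) {
    std::error_code ec;
    if (!fs::is_regular_file(target, ec)) { err = "not a regular file"; return false; }
    const std::uintmax_t size = fs::file_size(target, ec);
    if (ec) { err = "file_size: " + ec.message(); return false; }

    if (!overwrite_contents(target, size)) { err = "overwrite failed"; return false; }

    // Step 2: truncate, so the directory entry no longer records the original size.
    fs::resize_file(target, 0, ec);
    if (ec) { err = "truncate: " + ec.message(); return false; }

    // Step 3: rename within the same directory (same volume, so this is a
    // metadata update, not a copy that would leave a second set of clusters).
    std::size_t len = std::max<std::size_t>(target.filename().string().size(), 8);
    fs::path renamed = target.parent_path() / random_name(len);
    fs::rename(target, renamed, ec);
    if (ec) { err = "rename: " + ec.message(); return false; }

    // Step 4: unlink. fs::remove maps to unlink() / DeleteFileW; neither goes
    // near the Recycle Bin, which is a shell feature (Explorer, SHFileOperation),
    // not part of the file API.
    bool removed = fs::remove(renamed, ec);
    if (ec || !removed) { err = "remove: " + ec.message(); return false; }
    return true;
}

int main(int argc, char** argv) {
    if (argc != 2) { std::cerr << "usage: securedel <file>\n"; return 2; }
    std::string err;
    if (!secure_delete(argv[1], err)) { std::cerr << "failed: " << err << '\n'; return 1; }
    return 0;
}
```

Two limitations worth knowing before relying on this. First, the code reopens the file at each step, so it does not implement the answer's advice to hold an exclusive handle throughout; on Windows that means opening the file once with `CreateFile` and `dwShareMode = 0` and doing the later steps through that handle, which the portable standard library cannot express. Second, an in-place overwrite only reaches the clusters currently allocated to the file: NTFS metadata such as the MFT record and the file system journal can still retain the old name and size, and earlier copies of the data (temporary files, page file, backups) are out of scope entirely, which is the data remanence point made in the other answers.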
+1  A: 

Jim has described well the issues with solving your problem in code. The problem is indeed progressive, and any solution you implement will only approximate complete security without ever attaining it. So one thing to do is to decide exactly what you need to protect the file against (snooping family members? co-workers? corporate espionage? totalitarian governments?), then design your solution accordingly and document its limitations.

I have a sort of an orthogonal suggestion though. Instead of - or in addition to - implementing secure wiping in code, you can require cooperation from users. For example, you can suggest (or require) that input files be stored on an encrypted volume. In corporate environments PGP Disk might be preferred, since it's a recognizable brand, while home users would be well served to use the free and well-tested TrueCrypt. Both products support creating virtual encrypted volumes as well as encrypting whole partitions. This would go a long way toward keeping the names and contents of input files secure, even before you write a single line of code.

(edit: typos)

moodforaday