
Possible to remove all files/directories from a volume without formatting?


6 replies to this topic

#1 Guest_AnonVendetta_*

Guest_AnonVendetta_*
  • Guests

Posted 01 July 2018 - 05:13 AM

I'm looking for something, preferably a command(s) that can remove all files/directories from a volume without formatting. Usually the volume will have an NTFS filesystem. I'm aware that it would take time to enumerate everything before deletion, which might take some time depending on the amount to be deleted. And I would need to be able to force delete/override protected directories, preferably without confirmation. Like C:\Windows, System Volume Information, etc. If possible, I would also like to be able to exclude certain things as well. Like via wildcards or whatever.

 

My reason for needing this is volume encryption, I don't like having to format before restoring from a backup. I want the encryption to be retained. And via this method, the disk/volume signature wouldn't change.

 

My plan is to try strarc or rsync for file-based backups/restores of encrypted volumes.
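
An added example of the kind of "empty the volume in place" script the post asks for; it is not from the thread and is not xdel, strarc or rsync. It assumes an elevated prompt (e.g. WinPE), a placeholder volume letter, and a hypothetical default exclusion list; the ownership/ACL reset is what gets past protected trees such as an old \Windows, and the post-order walk means each directory is already empty (or holds only kept items) when it is reached. Junctions and symlinks are removed as links, never followed.

```powershell
# Added example, not from the thread: empty a mounted NTFS volume in place,
# keeping paths that match -Keep wildcard patterns. Volume letter and the
# default exclusion list are placeholders (assumptions); adjust before use.
# Run elevated (e.g. in WinPE). It deletes without confirmation: test on a
# scratch volume first.
param(
    [Parameter(Mandatory)][string]$Volume,               # e.g. 'X:'
    [string[]]$Keep = @('System Volume Information')     # assumed default, -like patterns
)
$root = [IO.Path]::GetFullPath($Volume.TrimEnd('\') + '\')

# Safety net: never empty the volume the running OS booted from.
if ($root -ieq [IO.Path]::GetFullPath($env:SystemDrive + '\')) {
    throw "Refusing to empty the system volume $root"
}

function Test-Keep([string]$Path) {
    # Keep an item if its volume-relative path, or any ancestor of it,
    # matches one of the -Keep patterns (e.g. 'Keep\*' or '*.cfg').
    $parts = $Path.Substring($root.Length) -split '\\'
    for ($n = 1; $n -le $parts.Count; $n++) {
        $prefix = $parts[0..($n - 1)] -join '\'
        foreach ($pat in $Keep) { if ($prefix -like $pat) { return $true } }
    }
    return $false
}

function Get-ItemsPostOrder([string]$Dir) {
    # Children before their parent, so every directory is empty (or holds
    # only kept items) by the time it is reached. Reparse points (junctions,
    # symlinks) are emitted but never descended into.
    foreach ($i in Get-ChildItem -LiteralPath $Dir -Force -ErrorAction SilentlyContinue) {
        $isLink = $i.Attributes.HasFlag([IO.FileAttributes]::ReparsePoint)
        if ($i.PSIsContainer -and -not $isLink) { Get-ItemsPostOrder $i.FullName }
        $i
    }
}

# Take ownership and grant full control so protected trees (an old \Windows,
# $RECYCLE.BIN, ...) can be removed. This rewrites ACLs on kept items too.
& takeown.exe /F $root /R /D Y | Out-Null
& icacls.exe $root /grant 'Administrators:(OI)(CI)F' /T /C /Q | Out-Null

Get-ItemsPostOrder $root | ForEach-Object {
    $item = $_
    if (Test-Keep $item.FullName) { return }
    try {
        # Clear ReadOnly/Hidden/System first; ReadOnly blocks Directory.Delete.
        [IO.File]::SetAttributes($item.FullName, [IO.FileAttributes]::Normal)
        if ($item.PSIsContainer) {
            # Removes an empty directory, or a junction/symlink itself without
            # following it; throws on a non-empty directory (it holds kept items).
            [IO.Directory]::Delete($item.FullName)
        } else {
            Remove-Item -LiteralPath $item.FullName -Force -ErrorAction Stop
        }
    } catch {
        Write-Warning "Could not remove $($item.FullName): $($_.Exception.Message)"
    }
}
```

Saved as, say, Empty-Volume.ps1 (a hypothetical name), it would be invoked as `.\Empty-Volume.ps1 -Volume X: -Keep 'System Volume Information','Keep\*'`. Files that are open (the in-use driver file mentioned later in the thread is that case) still fail and are reported as warnings rather than stopping the run.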



#2 cdob

cdob

    Gold Member

  • Expert
  • 1469 posts

Posted 01 July 2018 - 07:06 AM

xdel a:\
http://www.coderforl...utilities/#xdel

#3 Guest_AnonVendetta_*

Guest_AnonVendetta_*
  • Guests

Posted 01 July 2018 - 08:13 AM

@cdob: Thanks, I'll test it a bit with some stuff on a non-critical partition. I was thinking of running it from a PE environment, since that's where I usually run my restores from.



#4 Guest_AnonVendetta_*

Guest_AnonVendetta_*
  • Guests

Posted 01 July 2018 - 08:21 AM

I just tried it on a volume. It fails to remove the $RECYCLE.BIN, System Volume Information, and a file called diskpt0.sys. diskpt0.sys is a file used by Shadow Defender. My disk was in Shadow Mode at the time of the deletion, so maybe it wasn't removed because the file was in use. I use Shadow Defender to test risky stuff, without worrying if any changes will persist after a reboot.



#5 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location: The Outside of the Asylum (gate is closed)
  • Italy

Posted 01 July 2018 - 10:33 AM

Please remember that this is plain delete.

Secure delete is another thing:
https://docs.microso...wnloads/sdelete

Formatting the volume (using the /q or quick switch) will be faster and more or less equivalent to (actually only slightly more effective than) "plain" delete.
Formatting the volume (not using the /q or quick switch) will be probably slower (but safer) than sdelete.

But of course when you format you cannot exclude anything (though still in a number of cases it would be faster to backup the exclusions, format and then restore the backed up exclusions).

Of course it depends on the amount of files to be deleted (or secure deleted).

 

Another technique could be to use fsz to create "same files" but filled with 00's and then delete them (but this will have some issues with "strange file permissions" and similar), or delete the files (using the xdel, thus removing the file permission issues) then use fsz to create a single file same size as free space. 

 

Data embedded in the $MFT records (very small files) won't be actually affected by xdel, so if the scope is non-recoverability, then sdelete (or the fsz technique[1]) could be needed (at least for these small files).

The disk signature IS NOT affected by any "format" command (that is related to the volume only).
The volume serial will obviously change with a format operation (but nothing prevents from restoring a saved one).

:duff:
Wonko

 

[1] for these files, there is the need to check for some "edge cases" and if needed use something else than fsz, see:

http://www.forensicf...wtopic/t=10403/

https://www.forensic...565939/#6565939

https://www.forensic...587693/#6587693
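
An added example of the two fsz-style techniques the post describes (overwrite a file with zeros in place and then delete it; delete first and then fill free space with one zero file). It is not from the thread and is neither fsz nor sdelete; file paths and the volume letter are placeholders. The in-place overwrite keeps the file's allocation where it is, so for a small, MFT-resident file the zeros replace the bytes inside the record; the free-space fill only reaches unallocated clusters and leaves freed MFT records alone, which is the small-file edge case the post points at.

```powershell
# Added example, not from the thread and not fsz or sdelete: zero a file in
# place and delete it, and fill remaining free space with one zero-filled file.
# Paths and the volume letter are placeholders (assumptions).

function Clear-FileContent {
    # In-place overwrite keeps the file's allocation (and, for a small file,
    # its MFT-resident data) where it is, so the zeros replace the old bytes.
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -Force
    [IO.File]::SetAttributes($item.FullName, [IO.FileAttributes]::Normal)  # drop ReadOnly
    $fs = [IO.File]::Open($item.FullName, 'Open', 'ReadWrite', 'None')
    try {
        $buf  = New-Object byte[] (1MB)         # a new byte[] is all zeros
        $left = $fs.Length
        while ($left -gt 0) {
            $n = [int][Math]::Min($buf.Length, $left)
            $fs.Write($buf, 0, $n)
            $left -= $n
        }
        $fs.Flush($true)                         # on disk before the clusters are freed
    } finally { $fs.Dispose() }
    Remove-Item -LiteralPath $item.FullName -Force
}

function Fill-FreeSpace {
    # Grows one file until the volume is full, then deletes it, so every
    # previously unallocated cluster has been written once. Freed MFT records
    # of already-deleted small files are not reached by this.
    param([Parameter(Mandatory)][string]$Volume)   # e.g. 'X:'
    $path    = Join-Path ($Volume.TrimEnd('\') + '\') 'zerofill.tmp'
    $buf     = New-Object byte[] (64MB)
    $written = 0L
    $fs = [IO.File]::Open($path, 'CreateNew', 'Write', 'None')
    try {
        while ($true) { $fs.Write($buf, 0, $buf.Length); $written += $buf.Length }
    } catch [IO.IOException] {
        # "There is not enough space on the disk": the volume is full, stop.
    } finally {
        try { $fs.Flush($true) } catch { }
        $fs.Dispose()
    }
    Remove-Item -LiteralPath $path -Force
    return $written                               # bytes written before the disk filled
}

# Usage (placeholder paths):
# Clear-FileContent 'X:\old\secret.bin'
# Fill-FreeSpace 'X:'
```

Both functions write through the mounted filesystem, so on a mounted VeraCrypt volume the zeros land on disk as ciphertext; the wipe is just as effective, it only does not look like zeros from outside the container. Neither function touches a file that is in use, and Fill-FreeSpace will briefly leave the volume with no free space, so run it from a PE environment rather than on a live system.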



#6 Guest_AnonVendetta_*

Guest_AnonVendetta_*
  • Guests

Posted 01 July 2018 - 01:46 PM

@Wonko: I'm not worried about secure deletion, plain is fine. And since they are located in an encrypted volume, an attacker would first have to defeat the encryption. Neither TrueCrypt nor its VeraCrypt successor have been publicly cracked, so I doubt that even a forensics expert could get at any non-securely deleted files.

 

I'm not sure if VC uses the volume serial/signature, but I do know that it uses a hidden track for its bootloader in sector 0 (legacy boot only, VC in UEFI uses a different loader). And every encrypted partition has a volume header, if this is destroyed the volume can't be mounted.

 

I tried xdel from a PE with an encrypted partition that is mounted, it had no issues removing everything. And took less than a minute. It was about 8GB of used space.



#7 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location: The Outside of the Asylum (gate is closed)
  • Italy

Posted 01 July 2018 - 03:16 PM

@Wonko: I'm not worried about secure deletion, plain is fine. ...

...

I tried xdel from a PE with an encrypted partition that is mounted, it had no issues removing everything. And took less than a minute. It was about 8GB of used space.

 

Good :)

 

:duff:

Wonko





