Over the years most forensic examiners have seen, or had some experience with, the command line utility Cipher.exe. Cipher is a Windows program that can be used either to encrypt data or to destroy it beyond recovery. This article describes the functionality of cipher.exe when it is used to destroy data, and the artifacts it leaves behind.
History of Cipher.exe
Cipher is a program created by Microsoft and shipped with its operating systems. Starting with the Windows XP and Windows Server 2003 products, Cipher included the ability to wipe data from a hard drive. When I use the term wipe, I am referring to a process in which the data is overwritten so that the prior data cannot be recovered.
How is Cipher accessed
Cipher is a command line utility and should be run from the Command Prompt, which is found in the Start menu of most Windows computers.
By selecting Command Prompt and typing ‘cipher.exe /?’ you will see all of the switches that can be used with cipher.
By scrolling down you will find the switch ‘/w’, which is the subject of this article.
Data occupies clusters, and when a file is deleted (including from the Recycle Bin) its data still exists on a traditional magnetic SATA hard drive until those clusters are overwritten; on a solid-state drive with TRIM enabled the contents may already be gone. The ‘/W’ switch in cipher, which takes a directory on the volume to be cleaned, overwrites that unallocated space so the deleted data cannot be recovered. The
When running cipher, does the last accessed date of cipher.exe change?
Yes, on systems that update last-access times (on Windows Vista and later, NTFS last-access updating is disabled by default, so an unchanged date proves nothing), but there are other ways the last accessed date can change:
- Right-clicking ‘cipher.exe’ in the System32 folder and viewing its properties
- Double-clicking ‘cipher.exe’ in the System32 folder (although the program cannot be used this way, a console window flashes on screen and closes)
Does Microsoft advertise that Cipher is a tool to overwrite data?
Yes – You can see from the website below and the screenshot that Microsoft does indeed advertise this functionality.
Additionally, forensic software companies, conferences and research papers written about Cipher have deemed it an anti-forensic tool. (See CEIC Presentation on Anti-Forensic Tools)
What happens when cipher.exe is executed from the command line with the ‘/w’ switch?
- Creates a folder named ‘EFSTMPWP’ in which it writes temporary files (fil[num].tmp) used to overwrite entries in the $LogFile, $Bitmap and $MFT
- Overwrites sections of $LogFile
- Overwrites sections of $BitMap
- Overwrites sections of $Mft
- Creates temporary files (0.E, 1.E…) in the folder EFSTMPWP until there is no space left on the volume and it receives a write failure
*Write failures can happen without the drive being full; they cause Cipher to error out believing it has finished, which explains why there is sometimes evidence of cipher having been run while data still remains in unallocated space
- Cipher repeats step 5 three times: the first pass writes 0’s (0x00), the second writes 255 (0xFF) and the third writes random data.
- Cipher will display on screen the following:
- Cipher will delete, but not overwrite, the ‘EFSTMPWP’ folder
What happens if Cipher.exe is stopped, either by selecting the process and ending it in Task Manager or by closing the Command Prompt window?
Cipher stops and the ‘EFSTMPWP’ folder remains as an allocated folder on the volume rather than in unallocated space. This folder will most likely contain tmp files as described above that fill part, or a good majority, of the hard drive.
What forensic artifacts are important in determining if Cipher was used to wipe data from the drive?
- Cipher.exe last accessed date (and, on workstation editions with Prefetch enabled, a CIPHER.EXE-*.pf prefetch file recording the run count and last run time)
- Evidence of a pattern of 0’s with little to no data found in unallocated space (the first pass)
- Evidence of a pattern of 255 (0xFF) with little to no data found in unallocated space (the second pass); because the final pass writes random data, a completed run leaves unallocated space mostly filled with high-entropy random bytes, while large regions of 0’s or 255 suggest the run was interrupted or hit a write failure
- Evidence of one to three folders named ‘EFSTMPWP’ found in unallocated space (you have to index unallocated space and search it to find these; NTFS stores file names as UTF-16LE, so search for the name in both ASCII and Unicode)
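The following script triages a raw dump of unallocated space for the artifacts listed above: it counts blocks filled with 0x00, blocks filled with 0xFF, high-entropy blocks left by the random pass, and any remnants of the ‘EFSTMPWP’ name in both ASCII and UTF-16LE. It is an added example written for this article and is not Microsoft’s code or any forensic vendor’s tooling; the 7.5 bits-per-byte entropy threshold is an assumption to tune per case, and the sample image it scans by default is constructed in the script, not a real dump.

```python
"""
Triage a raw dump of unallocated space for the traces the article attributes
to cipher.exe /W: 0x00-filled blocks, 0xFF-filled blocks, high-entropy blocks
from the random pass, and leftover EFSTMPWP directory-entry text.
Added example for this article; not Microsoft's or any vendor's code.
"""
import math
import mmap
import random
import sys
from collections import Counter

FOLDER = "EFSTMPWP"
# NTFS stores file names in $MFT and index records as UTF-16LE, so an
# ASCII-only search would miss them; search both encodings.
NEEDLES = {
    "ascii": FOLDER.encode("ascii"),
    "utf16le": FOLDER.encode("utf-16-le"),
}
RANDOM_ENTROPY = 7.5   # bits/byte; assumed threshold for "random pass" blocks


def shannon_entropy(block: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant block, near 8.0 for random data."""
    n = len(block)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def classify_block(block: bytes) -> str:
    """Label a block by fill pattern: zeros, ones (0xFF), random, or data."""
    if not block:
        return "empty"
    if block.count(0x00) == len(block):
        return "zeros"
    if block.count(0xFF) == len(block):
        return "ones"
    if shannon_entropy(block) >= RANDOM_ENTROPY:
        return "random"
    return "data"


def find_all(data, needle: bytes) -> list:
    """All byte offsets of needle in data (a bytes object or an mmap)."""
    hits, start = [], 0
    while (i := data.find(needle, start)) >= 0:
        hits.append(i)
        start = i + 1
    return hits


def scan_unallocated(data, block_size: int = 4096) -> dict:
    """Count fill patterns per block and locate EFSTMPWP name remnants."""
    counts = Counter()
    for off in range(0, len(data), block_size):
        counts[classify_block(data[off:off + block_size])] += 1
    hits = {name: find_all(data, needle) for name, needle in NEEDLES.items()}
    return {"blocks": dict(counts), "efstmpwp": hits}


def dominant_fill(result: dict) -> str:
    """Fill pattern covering the most blocks. Cipher's passes run 0x00, 0xFF,
    then random, so this hints at the last pass that reached the region."""
    return max(result["blocks"], key=result["blocks"].get)


def build_sample_image(block_size: int = 4096) -> bytes:
    """Constructed image (NOT a real dump): 3 zero blocks, 2 0xFF blocks,
    1 random block, 1 block of console-style text, 1 fake MFT record."""
    rng = random.Random(2024)
    zeros = bytes(block_size)
    ones = b"\xff" * block_size
    rand = bytes(rng.getrandbits(8) for _ in range(block_size))
    text = b"dir C:\\EFSTMPWP\r\n".ljust(block_size, b" ")
    mft = (b"FILE0" + bytes(59) + FOLDER.encode("utf-16-le")).ljust(block_size, b"\x00")
    return zeros * 3 + ones * 2 + rand + text + mft


if __name__ == "__main__":
    if len(sys.argv) > 1:   # scan a real dump without loading it all into RAM
        with open(sys.argv[1], "rb") as f, \
                mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            res = scan_unallocated(mm)
    else:
        res = scan_unallocated(build_sample_image())
    print(res, "dominant fill:", dominant_fill(res))
```

Run it with the path to a carved unallocated-space dump as the only argument; with no argument it scans the constructed sample. Block size should match the volume’s cluster size so that fill classification lines up with cluster boundaries.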