Secure Remote File Deletion in Windows

TL;DR

Remotely deleting files securely requires more than just a simple delete command. This guide shows you how to use PowerShell with encryption and secure wiping tools, along with auditing, to ensure data is unrecoverable when removed from remote Windows machines.

  1. Understand the Risks of Standard Deletion:
    • Standard deletion just removes file pointers; the data remains on the disk.
    • Recycling Bin and temporary files can be recovered.
    • Data recovery software can easily restore deleted files.
  2. Prerequisites:
    • PowerShell access with administrative privileges to remote machines (WinRM enabled is best).
    • Remote machine must have PowerShell execution policy set appropriately (e.g., Set-ExecutionPolicy RemoteSigned -Scope CurrentUser).
    • Network connectivity between your management station and the target Windows machines.
  3. Step 1: Encrypt Sensitive Files Before Deletion
     Encryption adds a layer of protection even if the wipe fails: whatever survives on disk is ciphertext rather than readable data. Use BitLocker or EFS (Encrypting File System).

    • BitLocker (Full Volume Encryption): Ideal for entire drives, but requires more setup.
    • EFS: Can encrypt individual files/folders. Example command to enable EFS on a folder and the files already in it, using the built-in cipher.exe tool (/E encrypts, /A includes existing files, /S: applies to the folder and its subfolders):

      cipher.exe /E /A /S:"C:\SensitiveFolder"
  4. Step 2: Securely Wipe Files with PowerShell
     Overwrite the file data in place (for example with Set-Content) before deleting it. This is more reliable than relying on simple deletion, which only removes the directory entry. Note that NTFS may allocate fresh clusters when a file is truncated and rewritten, and SSDs remap writes internally, so treat in-place overwriting as a best-effort measure (see Important Considerations).

    • Example Script (Wipes a single file):

      $filePath = "C:\SensitiveFile.txt"
      $randomData = New-Object byte[] ([int](Get-Item -LiteralPath $filePath).Length)   # buffer the same size as the file
      [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($randomData)  # fill it with random bytes
      # Windows PowerShell 5.1 syntax; on PowerShell 7 replace "-Encoding Byte" with "-AsByteStream"
      Set-Content -Path $filePath -Value $randomData -Encoding Byte -Force

      Important: This overwrites the file with random data *before* deleting it; the file itself is not removed until Step 6.

    • Example Script (Wipes multiple files in a folder):

      $folderPath = "C:\SensitiveFolder"
      $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
      Get-ChildItem -Path $folderPath -File | ForEach-Object {
        $filePath = $_.FullName
        $randomData = New-Object byte[] ([int]$_.Length)   # buffer the same size as the file
        $rng.GetBytes($randomData)                          # fill it with random bytes
        # Windows PowerShell 5.1 syntax; on PowerShell 7 replace "-Encoding Byte" with "-AsByteStream"
        Set-Content -Path $filePath -Value $randomData -Encoding Byte -Force
      }
    • Repeat the overwrite process multiple times for increased security (e.g., 3-7 passes).
  5. Step 3: Remotely Execute the Script via PowerShell
     Use Invoke-Command to run the wiping script on remote machines (this relies on WinRM being enabled, as listed under Prerequisites).

    • Example Command (Single Machine):

      Invoke-Command -ComputerName "RemoteMachineName" -ScriptBlock {
        $filePath = "C:\SensitiveFile.txt"
        $randomData = New-Object byte[] ([int](Get-Item -LiteralPath $filePath).Length)   # buffer the same size as the file
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($randomData)  # fill it with random bytes
        # Windows PowerShell 5.1 on the remote host; on PowerShell 7 use -AsByteStream instead of -Encoding Byte
        Set-Content -Path $filePath -Value $randomData -Encoding Byte -Force
      }
    • Example Command (Multiple Machines):

      Invoke-Command -ComputerName "RemoteMachine1","RemoteMachine2" -ScriptBlock {
        $filePath = "C:\SensitiveFile.txt"
        $randomData = New-Object byte[] ([int](Get-Item -LiteralPath $filePath).Length)   # buffer the same size as the file
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($randomData)  # fill it with random bytes
        # Windows PowerShell 5.1 on the remote host; on PowerShell 7 use -AsByteStream instead of -Encoding Byte
        Set-Content -Path $filePath -Value $randomData -Encoding Byte -Force
      }
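The following is an added example, not code from the original post. It combines Steps 2 and 3 (and carries out the final removal described in Step 6) in one script: a wipe function that rewrites every file under a folder in several random-data passes while keeping the file's existing allocation, flushes the writes to disk, shrinks and renames the file, deletes it, and reports per file whether the original path is gone. The host names, folder path and pass count are placeholders; the function name Invoke-SecureWipe is an assumed name, not a built-in cmdlet.

```powershell
# Added example, not code from the original post: multi-pass in-place overwrite of every
# file under a folder, followed by rename-and-delete, pushed to several hosts with
# Invoke-Command. Host names, the folder path and the pass count are placeholders.
$targets = @("RemoteMachine1", "RemoteMachine2")   # assumed host names (WinRM enabled)
$folder  = "C:\SensitiveFolder"                    # assumed path on each remote host
$passes  = 3                                       # the post suggests 3-7 passes

$results = Invoke-Command -ComputerName $targets -ArgumentList $folder, $passes -ScriptBlock {
    param([string]$FolderPath, [int]$Passes)

    function Invoke-SecureWipe {   # assumed helper name, defined here, not a built-in cmdlet
        param([string]$Path, [int]$Passes)
        $file  = Get-Item -LiteralPath $Path
        $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
        $chunk = New-Object byte[] (1MB)
        for ($pass = 1; $pass -le $Passes; $pass++) {
            # FileMode.Open (not Create) keeps the existing allocation instead of truncating,
            # so the same clusters are rewritten; Flush($true) pushes the data through the
            # OS cache to the device. SSD wear levelling can still preserve old copies.
            $stream = [System.IO.FileStream]::new($Path, [System.IO.FileMode]::Open,
                          [System.IO.FileAccess]::Write, [System.IO.FileShare]::None)
            try {
                $remaining = $file.Length
                while ($remaining -gt 0) {
                    $n = [int][Math]::Min($chunk.Length, $remaining)
                    $rng.GetBytes($chunk)            # fresh random bytes for every chunk and pass
                    $stream.Write($chunk, 0, $n)
                    $remaining -= $n
                }
                $stream.Flush($true)
            } finally { $stream.Dispose() }
        }
        # Shrink to zero length and give the file a meaningless name before removing it, so the
        # original name and size are not left behind in the directory entry.
        $stream = [System.IO.File]::Open($Path, [System.IO.FileMode]::Truncate); $stream.Dispose()
        $newName = [guid]::NewGuid().ToString("N")
        Rename-Item -LiteralPath $Path -NewName $newName -Force
        Remove-Item -LiteralPath (Join-Path $file.DirectoryName $newName) -Force
        return (-not (Test-Path -LiteralPath $Path))   # Step 4 check: the original path is gone
    }

    foreach ($f in Get-ChildItem -LiteralPath $FolderPath -File -Recurse) {
        try {
            $ok = Invoke-SecureWipe -Path $f.FullName -Passes $Passes
            [pscustomobject]@{ Computer = $env:COMPUTERNAME; File = $f.FullName; Wiped = $ok; Error = $null }
        } catch {
            # Read-only attributes, open handles or missing rights land here instead of aborting the run
            [pscustomobject]@{ Computer = $env:COMPUTERNAME; File = $f.FullName; Wiped = $false; Error = $_.Exception.Message }
        }
    }
}

# One row per file per host; any row with Wiped = False needs a second look.
$results | Sort-Object Computer, File | Format-Table Computer, File, Wiped, Error -AutoSize
```

The values are passed with -ArgumentList rather than hard-coded inside the script block, so the same block can be reused for different folders, and the per-file try/catch means one locked or read-only file does not stop the rest of the run on that host.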
  6. Step 4: Verify File Deletion
    • After wiping, attempt to recover the files using data recovery software on the remote machines. They should not be recoverable.
    • Check file system logs for evidence of deletion and overwriting (Event Viewer).
  7. Step 5: Implement Auditing
     Enable auditing to track file access and deletion events.

    • Configure Object Access Auditing: In Local Security Policy, enable auditing for the files/folders you are protecting.
    • Monitor Event Logs: Regularly review security event logs on remote machines for suspicious activity related to file access or deletion. Look for Event IDs 4656 (Object Created), 4663 (Object Accessed) and 4674 (Object Deleted).
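The following is an added example, not code from the original post. It covers both bullets above: it enables the "File System" audit subcategory and adds a SACL entry on the protected folder on each remote host, then pulls the Security events for the IDs listed above (plus 4660, "An object was deleted", which records the delete itself) and keeps only those that refer to objects under that folder. Host names and the folder path are placeholders.

```powershell
# Added example, not code from the original post: enable object-access auditing on a folder
# tree and then pull matching Security events back from the remote hosts. Host names and the
# folder path are placeholders; Invoke-Command needs an account that is an administrator
# on the targets.
$targets = @("RemoteMachine1", "RemoteMachine2")   # assumed host names
$folder  = "C:\SensitiveFolder"                    # assumed protected path on each host

# Part 1: turn auditing on. Both pieces are needed: the audit policy subcategory and a
# SACL entry on the folder; either one alone produces no events.
Invoke-Command -ComputerName $targets -ArgumentList $folder -ScriptBlock {
    param([string]$FolderPath)
    auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

    $acl  = Get-Acl -LiteralPath $FolderPath -Audit
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        "Everyone",
        [System.Security.AccessControl.FileSystemRights]"Delete, DeleteSubdirectoriesAndFiles, WriteData",
        [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit",
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]"Success, Failure")
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $FolderPath -AclObject $acl
}

# Part 2: collect the events the post lists (4656, 4663, 4674) plus 4660 ("An object was
# deleted") for the last 24 hours, keeping only those whose object sits under the folder.
$events = Invoke-Command -ComputerName $targets -ArgumentList $folder -ScriptBlock {
    param([string]$FolderPath)
    $filter = @{ LogName = 'Security'; Id = 4656, 4660, 4663, 4674; StartTime = (Get-Date).AddDays(-1) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Event data lives in the XML payload; flatten the <Data Name="..."> elements into a table.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # 4660 carries only the HandleId, not the path: match it to the 4656 event with the
        # same handle to learn which file was deleted.
        $underFolder = $data.ObjectName -and
            $data.ObjectName.StartsWith($FolderPath, [System.StringComparison]::OrdinalIgnoreCase)
        if ($_.Id -eq 4660 -or $underFolder) {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Time     = $_.TimeCreated
                Id       = $_.Id
                User     = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Handle   = $data.HandleId
                Object   = $data.ObjectName
                Access   = $data.AccessMask
                Process  = $data.ProcessName
            }
        }
    }
}
$events | Sort-Object Computer, Time | Format-Table Computer, Time, Id, User, Handle, Object, Access, Process -AutoSize
```

Run Part 1 once, before the wipe; run Part 2 afterwards and on a schedule. Auditing "Everyone" for Delete and WriteData on a busy folder is noisy, so narrow the rights or the identity once you know which events you actually act on.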
  8. Step 6: Final Deletion
     After wiping, use the standard Remove-Item command to delete the files.

    Invoke-Command -ComputerName "RemoteMachineName" -ScriptBlock { Remove-Item -Path "C:\SensitiveFile.txt" -Force }
  9. Important Considerations:
    • SSD Drives: Secure wiping is more complex on SSDs due to wear leveling. Consider using the manufacturer’s secure erase utility if possible.
    • Virtual Machines: Deleting a VM doesn’t necessarily wipe the underlying storage. Ensure proper data sanitization of the host system.
    • Regularly test your process to ensure it is effective and reliable.