SDelete / Secure Deletion Evidence

Windows | Filesystem & Timeline | Disk Image

Location

$MFT, $UsnJrnl, $LogFile, and C:\Windows\Prefetch\SDELETE*.pf

Description

Evidence of secure file deletion using Sysinternals SDelete or similar tools can be recovered from NTFS metadata artifacts. SDelete renames files sequentially (AAA, AAB, AAC..., ZZZ) before deletion, leaving distinctive patterns in the MFT and USN journal.

Forensic Value

The sequential rename pattern (AAA through ZZZ) left by SDelete in the $MFT and $UsnJrnl is a reliable signature of anti-forensic secure deletion, as no legitimate application produces this naming pattern. The $UsnJrnl captures the rename operations with timestamps, allowing analysts to determine exactly when secure deletion occurred and correlate it with other suspicious activity. Prefetch files for SDELETE.EXE reveal execution count, timestamps, and the volumes accessed, confirming tool usage even after the binary is removed. The original filename and parent directory can sometimes be recovered from $MFT resident data or $UsnJrnl entries preceding the rename sequence.
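As an added detection example (not part of this artifact entry or of any Sysinternals or Zimmerman tool), the following Python scans a $UsnJrnl CSV for the rename signature described above, grouping records per MFT entry, counting consecutive renames to all-uppercase placeholder names, and pulling the original filename from the RenameOldName record that precedes the run. The column names and the sample records are assumptions modelled on MFTECmd's $J output; check them against your parser's header.

```python
import csv, io, re
from collections import defaultdict

# SDelete-style placeholder names: uppercase letters only, optional uppercase extension.
SDELETE_NAME = re.compile(r"^[A-Z]+(?:\.[A-Z]+)?$")

# Constructed $UsnJrnl sample in the column layout MFTECmd writes for $J
# (column names are assumed; check them against your parser's CSV header).
SAMPLE_USN_CSV = r"""Name,EntryNumber,SequenceNumber,ParentPath,UpdateTimestamp,UpdateReasons
report.docx,1234,5,.\Users\alice\Documents,2024-03-01 10:00:02.0000000,RenameOldName
AAA,1234,5,.\Users\alice\Documents,2024-03-01 10:00:02.0000000,RenameNewName
AAA,1234,5,.\Users\alice\Documents,2024-03-01 10:00:02.0000000,RenameOldName
AAB,1234,5,.\Users\alice\Documents,2024-03-01 10:00:02.0000000,RenameNewName
AAC,1234,5,.\Users\alice\Documents,2024-03-01 10:00:03.0000000,RenameNewName
AAC,1234,5,.\Users\alice\Documents,2024-03-01 10:00:03.0000000,FileDelete|Close
notes.txt,2000,1,.\Users\alice,2024-03-01 11:00:00.0000000,RenameOldName
NOTES.TXT,2000,1,.\Users\alice,2024-03-01 11:00:00.0000000,RenameNewName
"""

def _record_run(hits, entry, original, run, min_renames):
    # Emit one finding per run of placeholder renames that is long enough.
    if len(run) >= min_renames:
        hits.append({"entry": entry, "original_name": original,
                     "parent_path": run[0]["ParentPath"], "renames": len(run),
                     "last_placeholder": run[-1]["Name"],
                     "start": run[0]["UpdateTimestamp"],
                     "end": run[-1]["UpdateTimestamp"]})

def find_sdelete_sequences(csv_text, min_renames=3):
    # Group $J records by MFT entry/sequence number and flag consecutive renames to
    # placeholder names; min_renames stops a lone notes.txt -> NOTES.TXT from firing.
    by_entry = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        by_entry[(row["EntryNumber"], row["SequenceNumber"])].append(row)
    hits = []
    for (entry, _seq), recs in by_entry.items():
        original, run = None, []
        for rec in recs:
            reasons = rec["UpdateReasons"].split("|")
            if "RenameNewName" in reasons:
                if SDELETE_NAME.match(rec["Name"]):
                    run.append(rec)
                    continue
                _record_run(hits, entry, original, run, min_renames)  # run ended
                original, run = None, []
            elif "RenameOldName" in reasons and not run:
                original = rec["Name"]  # name held before the first placeholder
        _record_run(hits, entry, original, run, min_renames)
    return hits
```

Each finding carries the first and last rename timestamps, which is the window to correlate against the SDELETE.EXE Prefetch run times and surrounding activity.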

Tools Required

MFTECmd (Eric Zimmerman), KAPE, Prefetch Parser, UsnJrnl Parser

Collection Commands

MFTECmd

MFTECmd.exe -f "C:\$MFT" --csv C:\output\ --csvf mft_sdelete.csv

KAPE

kape.exe --tsource C: --tdest C:\output --target FileSystem --mdest C:\output\modules --module MFTECmd,PECmd

PowerShell

Get-ChildItem "C:\Windows\Prefetch\SDELETE*" | Copy-Item -Destination C:\output\Prefetch\

MITRE ATT&CK Techniques

T1070.004 (Indicator Removal: File Deletion), T1485 (Data Destruction), T1070 (Indicator Removal)