SDelete / Secure Deletion Evidence

Windows · Filesystem & Timeline · Disk Image

Location

$MFT, $UsnJrnl, $LogFile, and C:\Windows\Prefetch\SDELETE*.pf

Description

Evidence of secure file deletion using Sysinternals SDelete or similar tools can be recovered from NTFS metadata artifacts. SDelete first overwrites the file's data, then renames the file 26 times before deleting it, each time replacing every character of the name with a single letter (for example foo.txt becomes AAA.AAA, then BBB.BBB, and so on through ZZZ.ZZZ). The name length is preserved, and the final delete is recorded against the ZZZ... name. This sequence leaves a distinctive trail of rename records in the $MFT, $UsnJrnl, and $LogFile.

Forensic Value

The 26-step rename chain (AAA.AAA, BBB.BBB, ..., ZZZ.ZZZ, one letter per step, name length preserved) left by SDelete in the $MFT and $UsnJrnl is a strong signature of anti-forensic secure deletion; ordinary applications have no reason to rename a file through every letter of the alphabet. The $UsnJrnl records each step as a RenameOldName/RenameNewName pair with a timestamp, so an analyst can bound exactly when the wipe ran and correlate it with other activity, and the RenameOldName record immediately before the first AAA... rename carries the original filename. Because every record in the chain shares the same MFT entry and sequence number, the parent directory is recoverable from the same records (or from the unallocated $MFT entry, which retains the final ZZZ... name). File content is not recoverable: SDelete overwrites the data before renaming, and resident data in the $MFT record is overwritten as well. Prefetch files for SDELETE.EXE (or SDELETE64.EXE) reveal execution count, run timestamps, and the volumes and files referenced, confirming tool usage even after the binary is removed; they are keyed on the executable name, so a renamed copy will not produce them, while the rename chain in the journal remains. The Sysinternals EULA acceptance value (HKCU\Software\Sysinternals\SDelete\EulaAccepted) is a further indication that the tool was run under that user profile.
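The following Python script is an added example, not code from the page or from Sysinternals: it hunts for the SDelete rename chain in the CSV that MFTECmd writes when run against the USN journal ($Extend\$UsnJrnl:$J), groups records by MFT entry and sequence number, recovers the pre-wipe filename from the RenameOldName record that precedes the first AAA... rename, and reports whether the chain is complete and ended in a FileDelete. The column names (EntryNumber, SequenceNumber, ParentPath, Name, UpdateSequenceNumber, UpdateTimestamp, UpdateReasons) are assumed to match MFTECmd's $J output; the journal rows are constructed for the demonstration and include a benign rename and a one-off BBB.BBB name to show that a single odd rename is not flagged.

```python
"""Hunt for SDelete rename chains in MFTECmd $J output (added example, not page code).

Assumes the columns MFTECmd writes when run against $Extend\\$UsnJrnl:$J:
EntryNumber, SequenceNumber, ParentPath, Name, UpdateSequenceNumber,
UpdateTimestamp, UpdateReasons. The journal rows built below are constructed.
"""
import csv
import io
import re
from collections import defaultdict

# SDelete renames foo.txt -> AAA.AAA -> BBB.BBB -> ... -> ZZZ.ZZZ: one letter
# repeated over the stem and, if present, the same letter over the extension.
SDELETE_NAME = re.compile(r"^([A-Z])\1*(?:\.\1+)?$")
FIELDS = ["EntryNumber", "SequenceNumber", "ParentPath", "Name",
          "UpdateSequenceNumber", "UpdateTimestamp", "UpdateReasons"]


def sdelete_name_for(original: str, letter: str) -> str:
    """The name SDelete gives `original` on the rename step that uses `letter`."""
    stem, dot, ext = original.rpartition(".")
    if not dot:
        return letter * len(original)
    return letter * len(stem) + "." + letter * len(ext)


def build_sample_journal() -> str:
    """Constructed $J rows: a benign rename, a one-off odd name, and SDelete
    overwriting, renaming 26 times and deleting report.docx (entry 4117)."""
    rows, usn = [], 0

    def add(entry, seq, parent, name, reasons):
        nonlocal usn
        usn += 96  # arbitrary increasing USN offsets
        rows.append([entry, seq, parent, name, usn,
                     f"2024-03-04 09:12:00.{usn:07d}", reasons])

    add(900, 1, r".\Users\alice", "draft.txt", "RenameOldName")
    add(900, 1, r".\Users\alice", "final.txt", "RenameNewName|Close")
    add(950, 2, r".\Temp", "odd.bin", "RenameOldName")
    add(950, 2, r".\Temp", "BBB.BBB", "RenameNewName|Close")  # single step, not a chain
    docs = r".\Users\alice\Documents"
    add(4117, 3, docs, "report.docx", "DataOverwrite")
    add(4117, 3, docs, "report.docx", "DataOverwrite|Close")
    prev = "report.docx"
    for letter in "ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        new = sdelete_name_for("report.docx", letter)
        add(4117, 3, docs, prev, "RenameOldName")
        add(4117, 3, docs, new, "RenameNewName|Close")
        prev = new
    add(4117, 3, docs, prev, "FileDelete|Close")  # deleted under the ZZZ... name
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(FIELDS)
    writer.writerows(rows)
    return buf.getvalue()


def find_sdelete_chains(csv_text: str, min_steps: int = 3) -> list:
    """Group rows per MFT record (entry + sequence number, since entries are
    reused) and collect runs of RenameNewName events whose names step A, B, C...
    Returns one finding per chain of at least `min_steps` renames."""
    rows = sorted(csv.DictReader(io.StringIO(csv_text)),
                  key=lambda r: int(r["UpdateSequenceNumber"]))
    per_record = defaultdict(list)
    for r in rows:
        per_record[(r["EntryNumber"], r["SequenceNumber"])].append(r)

    findings = []
    for (entry, seq), events in per_record.items():
        chain, original, old_name, overwritten, deleted = [], None, None, False, False
        for ev in events:
            reasons = ev["UpdateReasons"].split("|")
            if "DataOverwrite" in reasons:
                overwritten = True
            if "RenameOldName" in reasons:
                old_name = ev["Name"]  # the name before the rename that follows
            elif "RenameNewName" in reasons:
                expected = chr(ord("A") + len(chain))
                m = SDELETE_NAME.match(ev["Name"])
                # Once the pre-chain name is known, demand the exact length-preserving form.
                fits = bool(m) and m.group(1) == expected and (
                    original is None or ev["Name"] == sdelete_name_for(original, expected))
                if fits:
                    if not chain:
                        original = old_name  # RenameOldName just before AAA.AAA
                    chain.append(ev)
                else:
                    chain, original = [], None  # unrelated rename ends the run...
                    if m and m.group(1) == "A":  # ...unless it starts a new one
                        original, chain = old_name, [ev]
            elif "FileDelete" in reasons and chain:
                deleted = True
        if len(chain) >= min_steps:
            findings.append({
                "entry": entry, "sequence": seq,
                "parent_path": chain[0]["ParentPath"], "original_name": original,
                "steps": len(chain), "complete": len(chain) == 26,
                "first_seen": chain[0]["UpdateTimestamp"],
                "last_seen": chain[-1]["UpdateTimestamp"],
                "overwritten": overwritten, "deleted": deleted,
            })
    return findings


if __name__ == "__main__":
    for f in find_sdelete_chains(build_sample_journal()):
        print(f"MFT {f['entry']}-{f['sequence']} {f['parent_path']}\\{f['original_name']}: "
              f"{f['steps']}/26 renames {f['first_seen']} -> {f['last_seen']}, "
              f"overwritten={f['overwritten']} deleted={f['deleted']}")
```

On a real case, replace build_sample_journal() with the text of the MFTECmd $J CSV. A chain shorter than 26 with no recovered original name usually means the journal wrapped part-way through the wipe; the partial run is still worth reporting, which is why min_steps defaults to 3 rather than 26.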

Tools Required

  • MFTECmd (Eric Zimmerman)
  • KAPE
  • Prefetch Parser (e.g. PECmd)
  • UsnJrnl Parser

Collection Commands

MFTECmd

MFTECmd.exe -f "C:\$MFT" --csv C:\output\ --csvf mft_sdelete.csv

KAPE

kape.exe --tsource C: --tdest C:\output --target FileSystem --mdest C:\output\modules --module MFTECmd,PECmd

PowerShell

New-Item -ItemType Directory -Force -Path C:\output\Prefetch | Out-Null
Get-ChildItem "C:\Windows\Prefetch\SDELETE*" | Copy-Item -Destination C:\output\Prefetch\

Collection Constraints

  • Availability, retention, and field coverage depend on the Windows release, SKU, per-host configuration, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.
  • Prefetch is disabled by default on Windows Server SKUs, and Prefetch files are named after the executable, so a renamed SDelete binary leaves no SDELETE*.pf; the rename chain in the $MFT and $UsnJrnl does not depend on the binary's name.
  • The $UsnJrnl is a fixed-size circular log and wraps quickly on busy volumes; an incomplete chain or a missing RenameOldName record for the original name usually means the journal has rolled over. $LogFile retention is shorter still.
  • SDelete's free-space wipe options (-z, -c) do not rename individual files and leave no per-file chain; evidence of those runs comes from Prefetch and from the large temporary files they create rather than from rename records.

MITRE ATT&CK Techniques

  • T1070.004 Indicator Removal: File Deletion
  • T1485 Data Destruction
  • T1070 Indicator Removal