Rm & Rmd



Author: Dan Mares, dmares @ maresware . com
Portions Copyright © 1998-2016 by Dan Mares and Mares and Company, LLC
Phone: 678-427-3275
Last update: 04-30-2012


PURPOSE

To remove files (more efficiently than the DEL command). The rm.exe programs use regular DOS file matching.

RMD is also useful when needing or considering any of the following processes:

1. removing a file with object re-use (overwrite the file) in mind.

2. cleansing the slack space found at the end of each file.

3. wiping JUST the data of the file, leaving the slack space data intact.

4. cleanse (or overwrite) the free space of a hard disk. “Cleansing” means that the remaining free space is overwritten one time with hex 00’s. This does not meet Department of Defense minimum criteria, but it erases the disk enough so that the average user cannot recover data. See poor man’s disk wiping below.

5. removing files which are provided to the program in the form of a list. Often, in Intellectual Property e-discovery cases, it is requested that removal of identified files be conducted. The -S option performs this task.



RM OPERATION

This program is delivered under one of two names, either rm.exe or rmd.exe. If copied and renamed to the alternate name, the program takes on the attributes of that name as described in this documentation. Some options are also dependent on the program name. For instance, rm.exe can’t cleanse drives or overwrite files or slack space, while rmd does all of these.

RM(d) removes files AND directories based on the filespec given to it. The nice thing about this program is that if it doesn’t find a file matching the filespec, it simply continues and doesn’t put any message on the screen as the DOS DEL does. The drawback is that you don’t know when it fails to find a file. With the -L option you can see a listing of the files it would delete before actually deleting them. This gives you a warm fuzzy feeling if you are not sure about your filespec matches.

By default, the program gives a prompt if the file being removed is marked as readonly or hidden. The user can then choose to delete the file or leave it alone.

With the -r (recursive) option it will also remove subdirectories fitting the filespec. (All files within these subdirectories are removed, regardless of name or attributes.) Be reminded that the default of the program is to process all files, *.*, unless otherwise directed by using the -f option or some other proper syntax. The filespec provided on the command line is only used to match directory names in the current directory and filenames in subsequent subdirectories.

If the -r option is used then ALL the files and subdirectories located within the target directory will be deleted. Again, the target directory is considered *.* unless otherwise properly directed. This deletion process may take some time because the program has to do a recursive directory search of all subsequent subdirectories. The -r option is very powerful and dangerous. It operates similarly to, but more efficiently than, the DOS deltree command.

It is recommended that, until the user becomes fluent in the proper use of the command line options, the -L (upper case ell) option be used to familiarize and test the operation of any recursive deletion process. This option displays the files that would be deleted if the command were run without the -L.

Locking out Paths (no longer supported)

The RMD program (and only the RMD program) also has the capability of “locking out” a drive or subdirectory and not allowing files to be removed from those areas. This lock out capability is ONLY effective when using rm or rmd to remove files. Normal Windows deletion functions are not restricted. To “lock out” a path you would set an environment variable called RMPATH with a list of drives and/or subdirectories to lock out. If a drive by itself is included in the RMPATH command, then the entire drive is locked out and files cannot be erased. The format of the set RMPATH command is similar to the set path command:

set RMPATH=c:\dos\;c:\programs\;c:\paths_to_lock_out;

The above command will prohibit removals from the c: drive and the work and dos directories on the d: drive.

This RMPATH command can be set in the autoexec.bat or from the command line. It doesn’t matter. If you list a drive only (i.e. c:) then all removals from that drive will be prohibited (this takes precedence over individual paths). If you wish to list paths (subdirectories) then you MUST MUST MUST end the path with a backslash (\), or else it will have no effect. Place a semicolon or space between items (just like the set path command).

Any time an attempt is made to remove a file residing on either a locked out drive or a locked out directory, the program gives an error message that you cannot do this.
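The lock-out rule above can be modelled in a few lines. This is an added Python illustration, not Maresware code; it assumes entries are separated by semicolons or spaces, that matching is case-insensitive, and that a drive-only entry is exactly a letter followed by a colon.

```python
from __future__ import annotations
import re


def parse_rmpath(value: str) -> tuple[set[str], list[str]]:
    """Split an RMPATH value into locked drives and locked directory prefixes.

    A bare drive letter ('c:') locks the whole drive.  A directory entry
    counts only when it ends with a backslash; without it the entry has no
    effect, exactly as the documentation warns.
    """
    drives: set[str] = set()
    dirs: list[str] = []
    for item in re.split(r"[;\s]+", value.strip()):   # ';' or space separated
        item = item.lower()                           # DOS names: case-insensitive
        if not item:
            continue
        if re.fullmatch(r"[a-z]:", item):
            drives.add(item)
        elif item.endswith("\\"):
            dirs.append(item)
        # anything else (no trailing backslash) is silently ignored
    return drives, dirs


def is_locked_out(path: str, rmpath: str) -> bool:
    """True when rm/rmd should refuse to remove `path` under this RMPATH."""
    drives, dirs = parse_rmpath(rmpath)
    p = path.lower()
    if p[:2] in drives:             # a whole-drive lock takes precedence
        return True
    return any(p.startswith(d) for d in dirs)


if __name__ == "__main__":
    # The RMPATH value from the text: note the last entry lacks a backslash.
    sample = r"c:\dos\;c:\programs\;c:\paths_to_lock_out;"
    for f in (r"C:\DOS\edit.com", r"c:\paths_to_lock_out\x.txt"):
        print(f, "locked" if is_locked_out(f, sample) else "removable")
```

Run it and the second path reports as removable, which is the trailing-backslash mistake the text warns about.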

Using RMD instead of DOS DEL (USE EXTREME CAUTION IF DOING THIS)

If you are really adventurous, you can go into command.com and edit it to change the DEL command to something else. Then if you rename this RM.exe program to del.exe, whenever a person gives the del command, they will not get the internal command.com command, but will get this program with its enhanced safety features.



RMD OPERATION

NOTE: The RMD operation is designed to allow compliance with Department of Defense requirements for clearing and declassifying data on a disk.

RM.exe and RMD.exe are actually the same program. If the program is named RM.exe then the object re-use (overwrite) options are not available, and the normal DOS erasure takes place. However, if the program is named RMD.exe the overwrite procedures are installed and defaulted. To have both available, copy the RMD.exe to a file called RM.exe. (I thank the author of REDX for this idea).



OBJECT RE-USE and RMD

RMD doesn’t wipe the entire disk. In order to wipe the entire physical drive, you must use other software. RMD will, however, clear the area of the disk that is being taken up by the file(s) being removed. This provides the user with the confidence that the disk areas and slack space at the end of the file are being sanitized “on the fly” as files are being removed. This additional confidence is always good to have in case the disk is stolen or compromised before the entire disk can be declassified.

(NOTE: if you are using a recycle bin, like the default from Microsoft, or other recycle bin setups that do not allow for command line deletion of files, you have to experiment with the reliability of the RMD commands). For this reason, it might be wise to turn off the recycle bin completely.

When clearing free space, you should also remove any remnants of the shadow copy files that might allow Windows to recover deleted files. This deletion of the shadow files should be done before running rmd to clear free space.

The user should be cautioned that if the size of the file has been reduced by more than one cluster size, or the file was copied to another part of the disk, then the extraneous area that was freed up when the file was resized/copied may not be removed with this procedure. The procedure only removes up to and including the last cluster that the file currently resides in.

To the best of my interpretation, the difference between clearing and declassification procedures is that to clear an area of the disk you must overwrite that area 3 times (once with hex 0’s, once with hex 1’s, and once with random bits). To completely declassify an area, you must repeat the above procedure 3 times, in effect overwriting a particular segment of the disk a total of 7-9 times. (The standards seem to change each week, so keep up with them if it is of extreme interest.) When the RMD command removes a file, for time considerations, it overwrites the disk space once by default. During this pass it overwrites with random characters. This is the program default.

This default can be changed with the -d # option, or the -c # (last character) option, where -d # is the number of overwrites, from 0-X times you wish the file to be overwritten; -d 9 is the declassification requirement. Obviously, the more overwrites, the more secure. However, this overwriting does take time, and for non-sensitive data, possibly 0, 1 or 2 overwrites are sufficient. This is an excellent security measure that will cleanse the disk as you remove files. A 0 overwrite merely does a simple DOS remove, which will allow you to possibly recover the file using traditional file recovery utilities. Let’s face it, except for very highly funded three letter agencies, most organizations will not be able, or have the funds necessary, to use magnetic microscopy to recover data that has been overwritten even once.

Each time the program overwrites, it successively uses hex 0’s, then hex 1’s (FF), then randoms, in that order. The LAST pass is always the RANDOM character pass. If you want the last pass to be something other than random characters you can change that with the -c option, which causes all the characters in the random buffer to be the same: the character you choose with -c.

After the overwrite, the program changes the name of the file 3 times thus causing the directory entry to also be overwritten so that the name does not appear in the directory.

Remember, once the file is overwritten, there is NO program I know of that is capable of recovering the data. In case you are wondering where the name RMD came from, it is for ReMove and Destroy, thus RMD.

An environment variable called REUSE can be used to change the -d options.

set REUSE=0  will cause all overwrites to be turned off
set REUSE=1  will cause overwrites to be once
set REUSE=2  will overwrite twice
set REUSE=3  default of 3 overwrites

NOTE: Any -d option on the command line will override this variable setting.

The above operation of RMD is only valid when specific file(s) are being removed, not when cleansing the free space of the disk.
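An added Python sketch (not RMD’s own code) of the overwrite schedule, the -d/REUSE precedence and the three renames described above. It assumes that with fewer than three passes the tail of the 00/FF/random cycle is used (so -d 2 is FF then random), that -c replaces every random pass with the chosen byte, and that the temporary rename names are constructed placeholders.

```python
import os
import secrets
import tempfile
from pathlib import Path
from typing import List, Optional

# Fill cycle the text describes: hex 00, then hex FF, then random.
CYCLE = (0x00, 0xFF, None)            # None = random buffer


def overwrite_count(d_option: Optional[int], environ: dict) -> int:
    """A -d on the command line overrides REUSE; with neither, one pass."""
    if d_option is not None:
        return d_option
    try:
        return int(environ.get("REUSE", "1"))
    except ValueError:
        return 1


def pass_schedule(passes: int, cleanse_char: Optional[int] = None) -> List[Optional[int]]:
    """Fill byte for each pass; the final pass is always the random one.

    Assumption: fewer than three passes use the tail of the cycle, so
    -d 2 is FF then random.  -c replaces the random buffer with one byte.
    """
    if passes <= 0:
        return []                     # -d 0: plain delete, no overwrite
    sched = [CYCLE[(i - passes) % 3] for i in range(passes)]
    if cleanse_char is not None:
        sched = [cleanse_char if b is None else b for b in sched]
    return sched


def fill_buffer(byte: Optional[int], size: int) -> bytes:
    return secrets.token_bytes(size) if byte is None else bytes([byte]) * size


def remove_and_destroy(path, passes: int, cleanse_char: Optional[int] = None):
    """Overwrite the file in place once per scheduled pass, rename it three
    times so the directory entry is rewritten, then unlink it.

    Only the bytes the file currently occupies are rewritten; slack beyond
    end-of-file needs cluster-level access and is not handled here.
    """
    p = Path(path)
    size = p.stat().st_size
    sched = pass_schedule(passes, cleanse_char)
    for byte in sched:
        with open(p, "r+b") as fh:    # r+b rewrites the existing extent
            fh.write(fill_buffer(byte, size))
            fh.flush()
            os.fsync(fh.fileno())
    if sched:                         # -d 0 behaves like a plain delete
        for i in range(3):            # placeholder names, constructed here
            renamed = p.with_name(f"rmd_{i}_{secrets.token_hex(4)}.tmp")
            p.rename(renamed)
            p = renamed
    p.unlink()
    return sched


def demo():
    """Constructed sample: destroy one file in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        target = Path(d) / "sensitive.txt"
        target.write_bytes(b"account data to sanitise\n" * 100)
        passes = overwrite_count(None, {"REUSE": "3"})
        sched = remove_and_destroy(target, passes)
        return sched, target.exists(), os.listdir(d)


if __name__ == "__main__":
    print(demo())                     # ([0, 255, None], False, [])
```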


SLACK SPACE

RMD has one other important capability. It can cleanse the slack of a file. Slack is that space between the end of the file and the end of the current cluster. On some hard disks this can be as much as 15K (32 sector cluster). The -s option will remove slack from the files specified. Be careful. If the -s is not used, the files themselves will be erased.

Windows NT and Slack space.

Under some earlier versions of Windows NT(4), XP and some later versions of 98, the operating system itself overwrites the slack of a file. For security reasons, the OS fills the internal buffers with 0's to the size of the default cluster, so when a file is written it doesn't contain slack. However, to be certain, RMD can overwrite the slack area. The default is to use hex 00's to overwrite the slack areas. More recent versions, Win7 and newer, also overwrite or clear slack space when files are written.

With the use of the -c option, the user can specify which character to overwrite the file slack with. Since operating system defaults are constantly changing, it is suggested the user determine if the current version of the OS creates any slack at all.


CLEANSING FREE SPACE ON A DISK

Only the RMD.EXE program is capable of cleaning free space. If you wish to cleanse the remaining free space on a disk, use RMD without any filenames or options. This will overwrite any remaining space on the hard disk with 0’s.

Because cleansing free space is so time consuming, the DEFAULT IS A SINGLE PASS OF 0'S. THIS DOES NOT MEET DOD 5X OVERWRITE SPECS. To get a DOD 5X overwrite, place rmd in a batch file and run it 5 times, each time with a different -c option:
rmd -c 0
rmd -c 255
rmd -c 128
rmd -c 999 (999 gives random values)
etc.

To cleanse the free space on the disk, make the target drive the default (i.e. D:>) and enter the command rmd by itself without any file names. It will cleanse the remaining free space on the default drive. Or enter RMD DR: (where DR: is ONLY the drive letter(s) of the drives to cleanse, e.g. RMD c:). If you place a filename of any type on the command line, it assumes you are asking for file removal, not drive cleansing.

A suggestion would be to run rmd in a script scheduled when the computer is not being used. For instance, schedule it at midnight each night right after the virus checker. This way it will remove all previously erased files before the start of each session.

A simple way to clean a disk for its next use is a 3 line batch file, assuming drive D: is the target to be cleaned.

C:>format D: /q
C:>rmd d:
C:>format D: /q

The quick formats merely clean the root directory and FAT (or MFT). This takes about 15 seconds. The rmd then cleans all the free space, which as it turns out is the entire drive. However, rmd leaves a remnant of a filename in the root directory, necessitating the second quick format to clean that out. The DOS version of rmd will only work up to 2 GB, but the 32 bit version will work on any free space the operating system can see. (I learned this trick from the people at NWCCC.)

NOTE on the recycle bin:

In order for all the free space to be cleansed, the user should empty the recycle bin prior to starting the cleaning operation. If the recycle bin is not emptied, then any files being held in the recycle bin will still be recoverable by other means. Or you could explicitly tell rm to delete the recycle bin (rm c:\recycle -r), then run rmd. It is the user’s responsibility to determine the exact name and location of the current recycle bin directory.

Also, on a FAT32 file system, the user might see a number of files being created, all with the file name template 99999999.99x. These files are created because the FAT32 file system only allows a maximum file size of 2 GB. So in order to clean the free space of a large drive (> 2 GB), a number of these files must be created. At the end of the process, you might occasionally see one of them remaining in the root directory. If this is the case, delete it manually. (This is not the case on an NTFS file system.)



POOR MAN'S DISK WIPE

A simple process to wipe data from a drive. It is left up to you to determine the actual technical description of what happens.

Step 1: Format the drive. (What does this do to the MFT?)
Step 2: Make the drive the default. (i.e. F: or CD F:\)
Step 3: Remove any recycler or recycle bin. (F:>rmd recycler -rF)
Step 4: Run rmd from the command line. (F:>rmd), or (F:>rmd F:)
Step 5: Format the drive again.

DO NOT!    DO NOT!    DO NOT!    DO NOT!
Do not place on the command line any indication of a file type, i.e. -f *.*, or just *.*. If you are pointing at a drive with files, it WILL remove ALL files it sees.


RMD and NTFS Alternate Data Streams

The version 2.02.xx, and later, of RMD is designed to also overwrite any NTFS Alternate Data Streams (ADS) found with a file. RMD only removes the actual ALTERNATE DATA attributes and not other attributes that are available in data streams such as links and backup data identifiers.

There is currently no way to wipe only the ADS by itself. Conversely, when a file is wiped, if there is an ADS with the file, the ADS is ALWAYS overwritten. The -s and -C options have no effect on the ADS action. The only additional item available with the ADS action is the -l (that’s an ell, not a one) listing option that lists the files as they are wiped.


BUGS of RMD Cleansing:

If the user uses ^C (control C) to abort the 32 bit version running under WIN9X, there may be remnants of files left in the root directory of the drive being cleansed. You might see an error message that a particular file(s) couldn’t be removed. In this case, you must manually remove the file. This occurs only sporadically when ^C aborts the operation. (It is because of the way WIN9X buffers its operations).

Because there is something called partition slack (the few sectors between the last cluster of the partition and the physical end of the partition) that isn’t seen by the OS or file system, RMD doesn’t clean these last unreachable sectors. However, since the operating system doesn't see or write data to these areas, this section of the disk should be of little concern when cleaning it. Partition slack is created because the disk has more physical sectors than FDISK can properly partition and set aside for the file system.


REGULAR EXPRESSIONS

(To be instituted in a later version of the programs. Not currently active)

The rm and rmd programs will NOT take general regular expressions in filenames. General regular expressions are widely used in UNIX filenames and so the rm programs attempt to follow these guidelines. Some regular expressions are:

* - ‘asterisk/star’ will match any number of characters, including NO characters. With the rmu programs, the * by itself will mean ALL files regardless of whether they have an extension or not. This is to comply with UNIX wildcard standards, and differs from DOS standards in that a * will match only a file name and not a file that contains an extension. Meanwhile *.* in the rmu programs will only delete files that have extensions. Those without extensions will not be deleted because the (.*) is a legitimate distinct file type to look for, which files without extensions don’t fit.

? -‘question mark’ will match any character in this relative position. (a character must be present)

[a-Z] - ‘bracketed characters’ will match any characters contained within these brackets. The character on the left side of the - must be lower in ASCII sequence than the one on the right.

! - ‘exclamation/NOT’ will negate the bracketed characters, meaning it will match all EXCEPT those in brackets.

Since regular expressions are both powerful and complicated, if a user really needs them to be operational, contact Mares and Company for an upgrade.



OPTIONS

When an option is listed X + #, do not include the + plus sign in the command line. The + plus sign is used to indicate the option takes another item (modifier) to be used with it. This is standard Maresware option notation.

-f + filespec:  Look for these type files to erase. Filespec (the template) can be repeated and as many as 10 different file types can be listed. The default, if no -f is used, is all files, *.*. [FILES=filename]

-x + filespec:  E(x)clude these files from the removal process. Will not remove the files following the -x. The -x option and its related files should be the last thing on the command line. This will NOT work on files found in subdirectories with recursive removals (-r). This option will take regular expressions. [EXCLUDE=filename]

-p + paths  Look in these paths (subdirectories) for the files. As many as 10 subdirectories can be listed, and a matrix is built using the paths and filespecs given above. The default, if no -p is used with the -r recursive option, is all directories *.*. No -p, with the -r, is very dangerous. [PATH=filename]

-c + #:  Use the value represented by # to overwrite either the slack or free space. The default is hex 00’s. If the -c is used while cleansing a drive, the drive MUST be explicitly defined on the command line, or else it will wipe the entire file system. The abbreviated shortcut is not allowed (i.e. must have rmd d: -c 9). [CLEANSE_CHAR=xxx]

-d + #:  Only in the RMD version. The # is replaced by 0, 1, 2, or 3 indicating the default number of overwrites to a file that is being removed. For each iteration, the overwrite buffer is successively cycled through hex 0’s, 1’s, and Random characters. The last write is always from the random buffer. The contents of the random buffer can be changed with the -c XX option. The -d option has no effect if cleansing the free space. To get a multi pass of cleansing free space, use rmd in a batch file, and on each call use a different -c option. [DESTROY=x]

-D:   DO NOT Delete subdirectories that meet the file type criteria when the -r option is used. If the -D is used, then subdirectories are left intact, but empty. This option is only valid when used in conjunction with -r (rm dirname -rD). Also, for a subdirectory to be removed, its name must match one of those filenames listed as a template for removal (*.* does fine). [REMOVE_DIRS=[ON|OFF]]

-eE:   Remove only empty directories. Normally this would be in addition to a -r option. If the -e is used, the -r is automatically added. Important NOTE: you also need to place a dummy file type on the command line, so the program thinks it is really looking for a file. Just provide it with something that is nonexistent, like zzzz.zzz

-i:  Interrogate. This option prompts at each file name and asks for verification to remove the file. [INQUIRE=[ON|OFF]]

-F:  Forced removal. This option overrides the -i, and also does not prompt if the file is readonly. It merely changes the attribute and removes the file. This is a useful option for unattended batch file removal, since it will not pause and wait for an answer. But be careful. It erases all. (Notice this is uppercase F.) [FORCE=[ON|OFF]]

-L  (upper case ELL) Merely list the files that would be removed. This is to show you beforehand what files are identified. If the file list looks OK, run the exact same command line without the -L. [LIST_ONLY=[ON|OFF]]

-l:   (lower case ell) Causes the program to list the files as it removes them. Files in subdirectories being removed are NOT listed. (I don’t know why anyone would use this, it’s just for UNIX compatibility.) This option truncates the filename to fit on a single printed line. It may not be sufficient for some cases. If the full path/filename is needed, use the -lw option. [SHOW_DELETED=[ON|OFF]]

-lw:   Causes the program to list the files as it removes them. The filename/path is listed in its entirety and often spans two lines on the screen. It isn't as pretty as the -l option, but provides the full filename. Files in subdirectories being removed are NOT listed. (I don’t know why anyone would use this, it’s just for UNIX compatibility.) [SHOW_DELETED=[ON|OFF]]

-n + #days Remove only those files ‘N’ewer than # days old. [NEWER=xxx]

-[Oo] + #days  Remove only those files ‘O’lder than # days old. Use -o and -n to bracket dates. [OLDER=xxx]

-r:  If a directory matches the filetype, do a recursive removal of all subdirectories. Remember, if no -p dir_path is designated, then all directories are the default, which makes this a very powerful option. [REC=[ON|OFF]]

-s: (RMD only)  cleanses/removes the slack space between the end of the file and the end of the current cluster. The -s ONLY removes slack, it does not touch the data contents of the file. (RMD defaults to overwriting the data and file slack, so this additional -s when overwriting files with RMD is unnecessary.) Does NOT remove the file. Causes the (-ilf) options to be turned off. If a -r (recursive) option is used, then all files in appropriate subdirectories will have their slack cleansed. Only available in the RMD version. (See also the -c option.) [SLACK=[ON|OFF]]

-S + filename:  Text file (filename) containing a list, one per line, of files to remove. (The names in the file MUST be filenames, and not merely directories. If a file can't be found, the program continues with the next.) See also the -V option. [SPEC=filename]

The line of text containing the filename MUST be pipe ( | ) delimited if the line of text contains more information than just the filename, see samples below. (i.e. if it is the output of diskcat which also contains file size etc.). The filename MUST be left justified, without leading spaces and be the first item on the line.

If the text files contain only the filename, (which is the preferred format), then there is no need for the pipe delimiters.

This file format:


C:\anydir\anyfile
C:\another_dir\another_file
C:\as_many_files\as_are_necessary

Or:  

F:\anydir\another\dir\filename.ext|123456|09-12-2002|12:26AM
C:\anydir\anyfile                   |     123  |  08-12-2002  09:25AM
C:\another_dir\another_file         |   12387  |  04-12-2002  09:25AM
C:\as_many_files\as_are_necessary   |  122344  |  02-12-2002  09:25AM

Note of caution when using a file with the -S option. It has been seen that some filenames may contain unprintable characters (such as hex A1, decimal 161, which displays as "¡"), such as those between 128 and 255. If the text file which contains filenames contains some of these unprintable characters, the text representation of the character may NOT be what is actually stored in the master file table. So when RMD reads the text file and tries to find a file with a name containing this special character, it won't find that character in the MFT, and thus will not remove that file. In order to find these files, you might try to find the unusual character in the text file and replace it with a wildcard ? (question mark). This now makes the text filename a wildcard name, which RMD should be able to find. This process should be reviewed, and tested, if you have such filenames in the text file.

-[Vv]:  The upper and lower case V can be used to enhance the function of the -S listfile option. If the upper case -V is used, then the files in the -S list are looked for, and a confirmation is put on the screen to indicate whether the file is or is not currently on the disk, and would be available for deletion. (This is good to see if there are any erroneous files in the list, or if files such as system files would not be located.)

The lower case -v is used to confirm that after the removal, the file does or does not exist. After the file removal operation, the program attempts to locate the file in question. If it finds the file is still there, it produces a message that the file was not deleted. This will most often happen with locked system files and may need special attention to delete such files.

The -V option is suggested as a precursor, and the -v option is suggested as a part of the final confirmation run.
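The two -S list layouts and the -V pre-check, as an added Python illustration rather than the program’s own parser. The list contents and on-disk names are constructed here, the list is read as raw bytes, and bytes 128-255 are swapped for the ? wildcard as the note of caution suggests; patterns are resolved relative to a temporary directory so the sample runs offline.

```python
import fnmatch
import os
import tempfile
from pathlib import Path

# Constructed sample list in the two layouts shown above: bare names, and
# diskcat-style pipe-delimited rows.  Line 3 carries the hex A1 byte from the
# caution note; line 4 breaks the left-justification rule.
SAMPLE_LIST = (
    b"anydir\\anyfile\r\n"
    b"another_dir\\another_file        |   12387  |  04-12-2002  09:25AM\r\n"
    b"as_many_files\\report\xa1final.txt |  122344  |  02-12-2002  09:25AM\r\n"
    b"   indented\\bad_line\r\n"
    b"\r\n"
)


def parse_spec_line(raw: bytes):
    """Return (pattern, problems) for one line, or None for a blank line.

    The filename is the first field, ended by '|' when extra columns follow;
    padding before the pipe is dropped.  Bytes 128-255 become the '?'
    wildcard so the pattern can still match whatever the MFT actually holds.
    """
    line = raw.rstrip(b"\r\n")
    if not line.strip():
        return None
    problems = []
    if line[:1].isspace():
        problems.append("leading whitespace: filename must be left justified")
    name = line.split(b"|", 1)[0].rstrip()
    chars = []
    for b in name:
        if b >= 128:
            problems.append(f"byte 0x{b:02x} replaced with '?'")
            chars.append("?")
        else:
            chars.append(chr(b))
    return "".join(chars).strip(), problems


def parse_spec_file(data: bytes):
    """List of (line_no, pattern, problems) for every non-blank line."""
    entries = []
    for n, raw in enumerate(data.splitlines(keepends=True), 1):
        parsed = parse_spec_line(raw)
        if parsed is not None:
            entries.append((n, parsed[0], parsed[1]))
    return entries


def precheck(entries, root):
    """-V style pass: which on-disk names each pattern would hit.

    Assumption for this offline sample: patterns are relative to `root` and
    matched case-insensitively, as DOS names are.
    """
    report = {}
    for _, pattern, _ in entries:
        parent, leaf = os.path.split(pattern.replace("\\", os.sep))
        folder = Path(root) / parent
        names = os.listdir(folder) if folder.is_dir() else []
        report[pattern] = sorted(
            n for n in names if fnmatch.fnmatchcase(n.lower(), leaf.lower()))
    return report


def demo():
    """Build a matching sample tree, then run the pre-check over SAMPLE_LIST."""
    with tempfile.TemporaryDirectory() as d:
        # The third name is stored on disk with '-' where the list has 0xA1:
        # the text rendering and the stored name differ, as the note warns.
        for rel in ("anydir/anyfile", "another_dir/another_file",
                    "as_many_files/report-final.txt"):
            f = Path(d) / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text("constructed sample\n")
        return precheck(parse_spec_file(SAMPLE_LIST), d)


if __name__ == "__main__":
    for line_no, pattern, problems in parse_spec_file(SAMPLE_LIST):
        print(line_no, pattern, problems)
    print(demo())
```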



COMMAND LINES

rm  filespec(s)[DEFAULT=*.*]  options(-ilLfFpxr) 

The program can usually determine what type of item "filespec" is. If no filespec is included, the default is *.* for any option. If filespec is a directory, then all files (*.*) in the directory are assumed. If it is left out (not included), then all files (*.*) and directories (*.*) are assumed, depending on the specific option used, and as modified by subsequent -p or -f options. If the option used depends on a directory (e.g. the -r option needs to recurse through directories, so it assumes the item is a directory, or if none is provided, it defaults to ALL directories and files), the filespec is assumed to be a directory.

The filespec can contain wildcards, and can be a list of various types of filespecs.

rm *.dat
rm *.dat -F         /*remove and don’t ask questions*/
rm *.dat junk -i    /*interrogate each removal*/
rm *.c -x myfile.c  /*remove all .c files except myfile.c*/
rm ce*.c      /*file must begin with a ce in their name and end with .c extension*/
rm ab?.*      /*file must have ab followed by a character then any extension*/

Recursive removal ↓

C:\>rm -r /* extremely dangerous, will remove all files and subdirectories from 
          the starting location. if this is root, the entire drive is wiped.
          It is better to use the following */
C:\>rm -p  c:\xxxx_dir  -r   /* which specifically targets a subdirectory xxxx_dir. OR */
C:\>rm     c:\xxxx_dir  -r   /* which is a specific directory name, shortcuts to the -p option */
                             /* the directory should exist */

C:\>rm     filename.xyz -r   /* If the filespec, is determined to NOT be a directory, 
                                then the program assumes it is a filetype to search for, 
                                and searches for and removes only files meeting the filespec. */


rmd           /*cleanse the remaining free space on default drive; -c not allowed*/
rmd dr:       /*cleanse the drive (dr:) specified*/
rmd dr: -c 8  /* cleanse dr:  and overwrite with decimal 8 */

rmd * -s                         /*remove the slack from all files in this directory*/
rmd file1 file2 file[a-z]       /*overwrite all appropriate files*/
rmd -S file_list_to_remove      /*remove the files in this list */
rmd -S file_list_to_remove -v   /*confirm removal of these files after the process */
rmd -S file_list_to_remove -V   /*before running, confirm these files exist or not */

The wildcard [a-z] format above is currently not supported.


RELATED PROGRAMS

NTIMAGE
