In crime investigation, especially in computer crime investigations, seizure and analysis of digital evidence is a de facto standard procedure. To prevent alterations to the original digital evidence, a so-called (bitwise) image is created. In this image all data contained on the digital evidence is stored, even non-relevant content or content with the risk of associated privacy violations. In countries with an elaborate protection of private personal or confidential data, this data has to be securely deleted from the image. Given the rising demand for selective deletion functionality, common problems, limitations and requirements for a tool selectively deleting non-relevant data are outlined in this paper. For demonstration purposes, a prototype was implemented as a plugin for the Digital Forensics Framework (DFF). The design of the implementation, some considerations, as well as a comparison between a commercial tool and the evaluation of the implemented wiping strategy are presented.
The tool can be used to selectively delete files and directories in a safe way. Currently, only NTFS is supported. Both the data content and the corresponding file system metadata are erased.
When deleting, the describing data structures (e.g. the B-tree representation) are modified in such a way that the image/disk remains usable and mountable.
Some more functionality is included:
– Matcher, a module to find duplicates of checked files
– Hashcalculator, a module to calculate hash trees for checking differences before/after deletion
– Carver-cleaner, a module to flag files that are found by a carver but are not managed by a file system (here: only NTFS)
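How a hash tree can localize differences before and after deletion, shown as an added example that is not the plugin's own code: it assumes a block-level SHA-256 Merkle tree, and the function names, the leaf size and the sample image are constructed for illustration.

```python
import hashlib

BLOCK = 4096  # assumed leaf size (a common NTFS cluster size)

def _h(data):
    return hashlib.sha256(data).digest()

def build_tree(image, block=BLOCK):
    """Return tree levels: levels[0] holds leaf hashes, levels[-1] the root."""
    level = [_h(image[i:i + block]) for i in range(0, len(image), block)] or [_h(b"")]
    levels = [level]
    while len(level) > 1:
        last = len(level) - 1  # an unpaired last node is hashed with itself
        level = [_h(level[i] + level[min(i + 1, last)]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def changed_blocks(before, after):
    """Walk down from the root, descending only into subtrees that differ."""
    if len(before[0]) != len(after[0]):
        raise ValueError("images differ in size; trees are not comparable")
    stack, changed = [(len(before) - 1, 0)], []
    while stack:
        lvl, idx = stack.pop()
        if before[lvl][idx] == after[lvl][idx]:
            continue  # identical subtree: nothing below it changed
        if lvl == 0:
            changed.append(idx)
            continue
        for child in (2 * idx, 2 * idx + 1):
            if child < len(before[lvl - 1]):
                stack.append((lvl - 1, child))
    return sorted(changed)

def unexpected_changes(before_img, after_img, allowed, block=BLOCK):
    """Blocks that changed although they were not scheduled for wiping."""
    diff = changed_blocks(build_tree(before_img, block), build_tree(after_img, block))
    return [b for b in diff if b not in allowed]

# Constructed sample: 7 blocks of 16 bytes; blocks 3 and 5 are zeroed.
BEFORE = b"".join(bytes([i + 1]) * 16 for i in range(7))
AFTER = bytearray(BEFORE)
AFTER[48:64] = bytes(16)
AFTER[80:96] = bytes(16)
AFTER = bytes(AFTER)

if __name__ == "__main__":
    print(unexpected_changes(BEFORE, AFTER, allowed={3}, block=16))
```

An empty result from `unexpected_changes` means every modified block lies inside the set that was meant to be wiped; any index it returns is a region of the image that changed outside the intended deletion.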
The source code can be found here: https://faui1-files.cs.fau.de/public/selective-deletion/seldel.zip
Details can be found in the master's thesis: https://faui1-files.cs.fau.de/public/selective-deletion/selective_deletion.pdf (German version)
An English translation is currently in progress. It will be added shortly.
The master's thesis was done by Christian Zoubek under the guidance of Konstantin Sack. Questions can be addressed to both.