Tuesday, April 17, 2007 - Almanac Vol. 53, No. 30
When is a PC file truly deleted?
So, you dragged that sensitive file to the Recycle Bin, emptied the bin, and now the file is gone forever, right? Not so fast. Like cats, deleted files seemingly have nine lives. When you delete a file, the operating system simply changes the first character of the filename and marks the space the file occupies as being free. The filename and data remain on the drive until overwritten and are easily retrievable using widely available recovery and forensic tools.
But wait, there’s more. For speed and efficiency, Windows creates temporary files for storing file data while the file is open, and these temporary files often remain even after the original file is deleted. Windows also uses page files and swap files to create "virtual memory" for faster operation, and data from deleted files can often remain in these as well. And what about copies on backup tapes, CDs, or other media?
Windows XP has a "Disk Cleanup" utility that can be accessed via the Start/Programs/Accessories/System Tools/Disk Cleanup menu sequence. For secure file deletion, security experts recommend using one or more disk-wiping or "shredding" utility programs that are available from many sources, some for free or minimal cost. These programs will overwrite the space occupied by a deleted file with 0’s, 1’s, or random data and can be set to make multiple passes. Opinion varies on how many passes are needed, but three is considered sufficient in most instances.
A more thorough, not overly technical discussion of file deletion can be found at www.sans.org/reading_room/whitepapers/incident/631.php.