Scenario: Email Privacy
You have just accessed your mail account from your office. You’ve got some private messages that you decide to take home on a USB flash drive. After copying the messages on the USB flash drive, you delete the messages from the computer hard disk, as other people have access to your office computer and you don’t want them to see your mail. Bad news! The mail programs don’t erase files and information to make sure the messages you delete are really gone. They simply ask Windows to perform the deletion. And Windows leaves the contents of deleted files on disk! This data must be securely wiped, overwritten and erased. Someone will eventually run a recovery tool on your office computer and find your deleted mail messages.
Deleting a file using the Windows operating system does not remove the file contents from your hard drive. It simply prevents you from accessing the file. As a result, sensitive and private information can be easily retrieved by almost anyone.
The solution: Erase Deleted Data (securely erase files deleted in the past)
The Erase Deleted Data feature ensures that previously deleted files are removed from your computer beyond recovery. Previously deleted information and files are usually stored in the following locations on disk:
1. The disk free space: The free space on disk usually contains the contents of the files that were previously deleted using standard operating system commands. Some of them were temporary files used by applications; these temporary files were created and deleted without your knowledge. Let’s also take into account the Windows Paging file, the system file used for the virtual memory support. The size of this file changes dynamically, and it can temporarily store the parts of files or other information. You see now that the disk free space is not at all “empty”: it may contain passwords, financial records, personal files, etc. In a word, it contains sensitive data that can be restored using any disk utility.
2. The file slack: The file slack is usually filled with random information that comes from your computer. The information can be a listing of a directory, a part of a password file or other sensitive data from your computer. This information is an easy target for hackers as they can restore it using any disk utility.
3. File/Folder names and properties: After deleting files and folders on NTFS or FAT drives, recovery utilities may still be able to find the names and properties of the files and folders you have deleted, even if they are not able to recover any information from their contents. This way, the identity of the erased files and folders can be revealed.
4. Systems log file (NTFS drives): Or the file named $LogFile, that contains a list of transaction steps used for NTFS recoverability. The log file size depends on the volume size and can be as large as 4 MB. It is used by Windows NT/2000/XP/Vista/7/8 to restore consistency to NTFS after a system failure, and it contains very sensitive information about all transactions you make in your system (such as temporary data of all files you are working with).
The Erase Deleted Data feature was designed to help you get rid of any sensitive information stored in these areas of your disks:
- It wipes the free space on drives. This ensures that the content of previously deleted files is destroyed beyond recovery. The existing files on the drive are not modified.
- It wipes the files slack without modifying the files themselves. This ensures that any sensitive information that happens to be located in the slack portion of a file is now gone forever.
- It removes any file attributes that might reveal the identity of the erased files or folders by destroying (scrambling) files and folders properties (name, date, size, etc.). This ensures that the files and folders properties on NTFS or FAT drives are properly destroyed and cannot be recovered.
- It erases the system transactions log file (NTFS drives), ensuring that information about the transactions you make in your system, are deleted.