I appreciate that a normal file delete simply removes the file name from the
directory system and marks clusters as available for reuse. I also realize
that, just as trying to stick one piece of paper over another identically sized
piece will normally leave a small amount of the lower piece exposed, so
overwriting a disk leaves small areas with the original magnetization. Is it
reasonable to assume that recovering overwritten information is so expensive
that it would only be attempted for disks storing very valuable
How does Windows deal with a normal File Save? Does it attempt to rewrite
the file to the same clusters, simply returning excess clusters to the available
pool if the new file is smaller than the original and adding a few new clusters
if the new file is larger than the original? If every File Save is to a new
area of disk, then what I am suggesting will obviously not work, but if
clusters are reused as far as possible, then is this a feasible way for people
to deal with small amounts of moderately sensitive data?
Are there snags to password protecting a file? I have only a few password
protected files, and I protected them so long ago that I have forgotten how I
did it. If I were to now password protect existing files, the file system would
obviously only know about the password protected files, but would the old files
still be in their original clusters?
You’ve raised several good points all around saving files and the potential
chance of recovering said files even after they’ve been deleted. Sometimes
that’s a good thing (recovering a file you “accidentally” deleted) or a bad
thing (someone else recovering a file you didn’t want them to see).
There are several assumptions in your questions as well, and as we’ll see in
a minute, assumptions are rarely a good thing.
I like your overlapping paper analogy, since in essence it’s exactly right.
If each “bit” on a hard disk is represented by a single piece of paper that’s,
say, either black or white, then you’d think of writing new data to the disk as
putting down a new layer of pieces of paper over what’s there already. But as you
say, you still might be able to see the color of the paper just underneath what
you just put down. Or the one underneath that. Or the one underneath that.
And indeed, this is exactly how extremely advanced computer forensics can
sometimes recover “old” data on the disk. By using special tools to examine the
disk media, they can sometimes reconstruct the data that was on the disk prior
to what’s there now. And sometimes even the data before that.
The good news is that no, it’s not easy, and does, as I understand it,
require special equipment. I don’t know if commercially available data recovery
services make this type of recovery available, but I would expect it to be
expensive. And of course I’d expect some government and perhaps even some
corporate facilities to have this technology available. (And, for the record,
this only applies to magnetic material. As I understand it, anything
that’s written into solid-state devices like flash drives completely overwrites
the prior contents.)
So, yes, I’d currently expect it to be attempted only when there’s something
very valuable to be recovered. Though, of course, we’ve seen technology improve
over time, so who knows if that’s going to be a valid assumption a year or five
in the future?
Which leads me to your question about cluster re-use. First, we need to
clarify that exactly how clusters are re-used depends not on Windows as much as
the format you chose for your hard disk. FAT32, for example, allocates files on
disk very differently than NTFS does.
All that being said, we could certainly figure out the file system’s re-use
algorithm (hint: it doesn’t try to re-use recently released clusters; it more
likely attempts to allocate clusters in such a way as to reduce disk head
movement), but since that’s dependent on the file system, and could
easily change, we’d be making an assumption. And if we’re making security
decisions based on that assumption, that could be a very dangerous
The safest assumption is the worst assumption: assume that Windows will
re-allocate disk space in the worst possible way for your security needs. For
example, that means you should never assume that the act of saving a file
(which also depends on the application involved as well as the operating
system) will in any way overwrite exactly the file’s old clusters. New clusters
may well be allocated somewhere else entirely, and the old clusters will be
marked “free”, but otherwise remain untouched and discoverable by recovery
tools. It’s not guaranteed that this will happen, but from a security
perspective it’s what you should assume.
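To make the cluster argument concrete, here is a toy cluster-allocating file system written for this answer (constructed example; it is not NTFS, not FAT32, and not code from Ask Leo!). It models the worst case the text describes: a save writes to fresh clusters and only then releases the old ones, a delete drops the directory entry and flips the allocation bitmap without touching data, and a recovery tool ignores the directory and scans every cluster. The cluster size and the file contents are made-up values chosen to keep the demo readable.

```python
"""Toy cluster allocator showing why a normal delete, and even a re-save, leaves
old data on disk. Constructed for illustration; not a real file system."""

CLUSTER_SIZE = 16   # bytes per cluster (tiny so the demo is readable)
NUM_CLUSTERS = 16


class ToyDisk:
    def __init__(self):
        self.clusters = [bytearray(CLUSTER_SIZE) for _ in range(NUM_CLUSTERS)]  # raw media
        self.free = [True] * NUM_CLUSTERS   # allocation bitmap: True = available
        self.directory = {}                 # file name -> list of cluster ids

    def _allocate(self, nbytes):
        needed = max(1, -(-nbytes // CLUSTER_SIZE))   # ceiling division
        chosen = [i for i, is_free in enumerate(self.free) if is_free][:needed]
        if len(chosen) < needed:
            raise OSError("disk full")
        for cid in chosen:
            self.free[cid] = False
        return chosen

    def save(self, name, data):
        """Write-new-then-release: the new content goes to fresh clusters and the
        old clusters are only marked free. Nothing clears them."""
        new = self._allocate(len(data))
        for n, cid in enumerate(new):
            chunk = data[n * CLUSTER_SIZE:(n + 1) * CLUSTER_SIZE]
            self.clusters[cid][:] = chunk.ljust(CLUSTER_SIZE, b"\0")
        old = self.directory.get(name, [])
        self.directory[name] = new
        for cid in old:
            self.free[cid] = True
        return new

    def delete(self, name):
        """Normal delete: remove the directory entry, mark clusters free, touch no data."""
        for cid in self.directory.pop(name):
            self.free[cid] = True

    def read(self, name):
        """Normal read: follow the directory entry only."""
        return b"".join(bytes(self.clusters[c]) for c in self.directory[name]).rstrip(b"\0")

    def carve(self, needle):
        """What a recovery tool does: scan every cluster, allocated or free,
        without consulting the directory. Returns the cluster ids that match."""
        return [i for i, c in enumerate(self.clusters) if needle in c]

    def wipe_free_space(self, fill=b"\0"):
        """Overwrite every free cluster; the idea behind a free-space wipe."""
        for i, is_free in enumerate(self.free):
            if is_free:
                self.clusters[i][:] = fill * CLUSTER_SIZE


def demo():
    """Returns three carve results: after a re-save, after a delete, after a wipe."""
    disk = ToyDisk()
    disk.save("notes.txt", b"SECRET account number 12345")   # constructed content
    disk.save("notes.txt", b"nothing to see here")            # re-save: new clusters
    after_resave = disk.carve(b"SECRET")        # old clusters still hold the secret
    disk.delete("notes.txt")
    after_delete = disk.carve(b"nothing to see")   # deleted, but still on the media
    disk.wipe_free_space()
    after_wipe = disk.carve(b"SECRET") + disk.carve(b"nothing to see")
    return after_resave, after_delete, after_wipe


if __name__ == "__main__":
    print(demo())   # cluster ids found at each stage; empty list after the wipe
```

Running `demo()` shows the secret surviving both the re-save and the delete, and disappearing only once the free clusters are overwritten. A real allocator may happen to reuse the old clusters, but as the answer says, nothing obliges it to, so the wipe is the only step whose effect you can count on.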
Which brings me to your final point: password protected files. Without
knowing exactly how you’ve protected the files it’s impossible to say
what might happen. However, we can make some general statements:
A password protected file is likely “just a file”. That means whenever you
change it, copy it, rewrite it or whatever, the clusters it previously occupied
may still remain unused and discoverable on disk.
Many password protection schemes do not actually encrypt the file’s
contents, or use a very “light” encryption. That means that the contents of the
file might actually be easily visible outside of the file’s intended
File system specific encryption and passwording might be more
secure, but there are tradeoffs, and it’s still safest to assume the worst.
So if we’re assuming the worst (contents of deleted files might remain
discoverable for a long time, encrypted files aren’t really very special, and
even overwritten files might be recoverable with enough resources), what’s a
person to do?
First: understand your exposure: do you really have something on your hard
disk that anyone else would care about? For as many people that ignore security
completely, there are just as many that over-state their security and privacy
needs. As I’ve said before, for many of us we’re just not that interesting. No
one wants to steal the pictures of your puppies or your email to your
Second: understand the risk: you’re much more at risk from security issues
elsewhere. Pissing off your waiter, and then giving him your credit card is my
favorite example. But even elsewhere, the paper bank statements you put out for
curbside recycling are much more likely to be stolen than the information
within the deleted files on your hard drive.
If you do have legitimate and important security needs, my advice is
If you’re concerned about deleted file or empty space recovery, use a tool
like SDelete (Secure Delete) which
will delete and overwrite a file multiple times, and also has an option to
overwrite the free space on your drive so that too becomes
If you’re concerned about the prior contents of the used space on
your hard disk, then I’d use a tool like SpinRite which as part of its drive maintenance will rewrite
every cluster on your hard disk several times, effectively removing any prior
images “peeking out” from underneath the magnetic equivalent of those slips of
paper we talked about earlier.
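The overwrite-then-delete behaviour attributed to SDelete above, written out as a small Python routine so the mechanics are visible. This is a constructed example for this page, not SDelete’s code and not code from Ask Leo!; the pass count, chunk size and the scratch file are assumptions. Note the limit that follows directly from the answer’s own advice: this routine can only overwrite the clusters the file owns right now, so clusters released by earlier saves are out of its reach and are exactly what the free-space option is for.

```python
"""Multi-pass overwrite followed by unlink. Constructed example; the file's
current extent is overwritten in place, then the name is removed."""
import os
import secrets
import tempfile


def secure_delete(path, passes=3, chunk=64 * 1024):
    """Overwrite the file `passes` times (random bytes, zeros on the last pass),
    flushing each pass to the device, then truncate and unlink.
    Returns the total number of bytes written so the caller can sanity-check it."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as fh:              # r+b: write in place, never recreate the file
        for p in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                fh.write(b"\0" * n if p == passes - 1 else secrets.token_bytes(n))
                remaining -= n
                written += n
            fh.flush()
            os.fsync(fh.fileno())              # push this pass to the drive, not just the cache
        fh.truncate(0)                         # also hide the original length
        fh.flush()
        os.fsync(fh.fileno())
    os.remove(path)                            # only now drop the directory entry
    return written


def demo(payload=b"account 12345 password hunter2\n" * 100):
    """Create a scratch file with constructed content, wipe it, and report
    (bytes_written, file_still_exists)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sensitive.txt")   # assumed scratch location
        with open(path, "wb") as fh:
            fh.write(payload)
        written = secure_delete(path, passes=3)
        return written, os.path.exists(path)


if __name__ == "__main__":
    print(demo())   # (3 * len(payload), False)
```

Opening with `r+b` rather than `wb` matters: `wb` would truncate first and the subsequent writes could land anywhere the allocator likes, which is precisely the behaviour the answer warns against assuming. Even so, whether the in-place writes reach the same physical clusters is up to the file system, so the same “assume the worst” rule applies and a free-space wipe remains the complement to this step.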
I’ll wrap up by summarizing what I do.
I do use TrueCrypt to encrypt all
my “sensitive” files on all my systems. By sensitive I mean my
financial records, my master list of passwords and so on.
I also use TrueCrypt to encrypt a
large partition on my laptop that contains all of my work. This isn’t as
sensitive, but since laptops are more easily stolen it just makes sense to
ensure that if it is, my work documents, web site files and client information
isn’t unnecessarily exposed.
I rarely use SDelete. With my use
of encryption, there’s rarely anything to delete that would be left exposed on
disk that I might care about.
I use SpinRite not for its
security aspects described above, but as a maintenance tool to keep my hard
disks performing their best.