Is it reasonable to assume that recovering overwritten information
How does Windows deal with a normal File Save?
Are there snags to password protecting a file?
The original question is much more detailed, but I want to take it
and talk about what’s reasonable to expect, or not expect, when
deleting files and keeping your data secure on your hard disk.
Become a Patron of Ask Leo! and go ad-free!
I appreciate that a normal file delete simply removes the file name
Personally, I believe that yes, that is a costly operation that
would typically be out of the price range of most folks. Certainly
companies and governments with motivation and money may elect to do so,
but you’re right: I’m sure it would only happen if they thought that there
was something valuable to be found, or perhaps done in the course of a
What makes it costly is that the drive must be disassembled to gain
access to that magnetic residue. That involves clean rooms and
technology that can analyze the disk media at a much finer level of
detail than the drives own read/write heads.
It’s also something that’s relatively easy to thwart beforehand by
using secure delete utilities such as SDelete which deletes files and clears unused space by
overwriting it multiple times.
How does Windows deal with a normal File Save? Does it attempt to
We don’t know. Or rather, we may know but we shouldn’t count on
First, the way space is reused will vary a great deal between file
system types. FAT32 will behave differently than NTFS for example.
Second, whatever way it is now there’s nothing that says it might
not change in the future as the file system is optimized for
performance, stability or any number of other reasons.
Realize also that a “File Save” is rarely a direct write on
top of the old file by the application. If that failed halfway through
for any reason then you would have lost both old and new versions of
the file. What’s much more common is a sequence like this:
- Write the new copy of the file to a temporary file
- If that succeeds, then delete the old copy of the file
- Rename the temporary file to the proper file name
As you can see, where the new file is written has nothing whatsoever
to do with where the old file happened to be. To the file system
they’re just two different files.
If every File Save is to a new area of disk, then what I am
If this would work, how often should normal people repeat it?
As you say, since every file save is likely to be to a new area of
the disk, this will not work. However, it includes another misconception
that I wanted to address.
Filling a document with “=rand()” is making a huge
assumption about how the application itself behaves. In this case,
you’re talking about Word and Excel, but really it applies to any
application that saves files.
The assumption is that it’s doing what you think it’s doing.
What you think it’s doing in this case is filling up that portion of
the file where data used to be with the new data you’ve just
That’s a bad assumption.
Many applications have fairly complex file formats, and many also
perform additional optimizations for speed. For example, it might be
faster to grow the file with new data while leaving the old data in the
file, but marked as “no longer used” – kind of like the file system
itself in your first question. As you can see, your old data is still
in there, and could possibly be extracted by using other tools to
examine the file.
In fact, there have been many instances of exactly this happening
and sensitive data coming to unexpected light because people didn’t
realize that Word behaved in just this manner.
Now the applications may have options to disable this type of
functionality (the feature in Word is called “Fast Save” and can be
turned off in Options), but others may not.
Bottom line: don’t rely on what you think the application does to
erase sensitive data. If you really need to be absolutely sure that
data is positively erased, then delete the file using a secure delete
Are there snags to password protecting a file? I have only a few
There are so many snags to password protecting files that I
basically recommend avoiding it. It’s typically best thought of only as
“keeping honest people honest”.
The problem of course is that Windows does not provide a facility to
password protect files. Windows assumes that multiple user accounts and
access control will be used to restrict access to things on your hard
disk, and that other means will be used when transferring data from
machine to machine.
The result is that each application must add password protection on
its own. So Word has password protection, and Excel has password
protection, and other applications may have password protection. They
might all be implemented the same way or not. They might be easy to
crack (as many are), or they might not. Password protection might
encrypt the data in your file, or it might not.
Once again, if what you have is truly sensitive, then I recommend
avoiding application-specific password protection, and move to an
encryption solution such as TrueCrypt.
And to come full circle, an added benefit of using a solution like
TrueCrypt is that only encrypted data is physically written to the
disk. That means that even the magnetic residue that might be
recoverable is itself encrypted and thus so much useless noise without
the encryption key.
3 comments on “How does Windows delete files, and what can I do to keep my files secure?”
Hi Leo — Been reading your stuff for 5 years, at least. It is the only tech email I always open and read. So: Thank You! Nice work!
As to TrueCrypt: Thanks to you I tried it and it is just as good as you said it would be. It is the answer for the enquirer in the above text. Thanks for the tip.
Word (and some other applications) also have the ability to “save updates”, which also means that the original data would still be present.
In addition, some applications do a “save” by a slightly different pattern of: copy the original file to a temp file; re-write the original file; erase the temp file. This is sometimes done to preserve “other” characteristics of the file.
Many file systems will indeed allocate a new block for any writes rather than overwriting an existing block, unless the file was explicitly opend for “update in place” (when such support exists in the file system).
i’ve seen programs that recover files deleted from the windows recycle bin…..so most of the time you won’t have to worry about expensive file recovery