S 4.56 Secure deletion under Windows operating systems
Initiation responsibility: IT Security Officer, Administrator
Implementation responsibility: User, Administrator
NT-based Windows operating systems
The Windows NTFS file system stores all file metadata such as the file name, path, and attributes in the Master File Table (MFT). This metadata is not encrypted. Programs that access the hard disk directly, bypassing the file system, can read any file regardless of the NTFS permissions set on it. This applies in particular to programs that run on the same IT system but under an operating system other than Windows, because the Windows security mechanisms are not in effect at all in that case.
When a file is deleted from an NTFS file system, its contents are not physically erased or overwritten; the MFT record and the clusters the file occupied are merely marked as free, and the data remains on the disk until that space is reused. Unlike MS-DOS, Windows does not allow an ordinary user to read the raw disk, so a reconstruction program cannot simply be run by any user under Windows. The deleted data can nevertheless be restored by programs with direct disk access, in particular programs run under a different operating system, and by recovery tools run with administrative privileges under Windows.
For these reasons, Windows must be installed as the sole operating system to ensure no other operating systems can be started (see S 4.52 Device Protection under Windows NT/2000/XP and S 4.339 Prevention of unauthorised use of removable media under Windows Vista and Windows 7).
However, if you want to be able to start a different operating system (multiboot system), it is recommended to use a program for hard drive encryption to prevent possible violations of the confidentiality of the data by another operating system. The BitLocker program contained in Windows Vista, Windows 7 and Windows Server 2008 for hard drive encryption is unsuitable for use on multiboot systems. A suitable product from a third party manufacturer should be used instead on multiboot systems. In Windows 2000 and higher, the Encrypting File System (EFS) is also available as an alternative. EFS does not encrypt the whole drive, however, but only the individual files and directories selected for encryption; their names and other metadata in the MFT remain readable (see S 4.417 Secure use of EFS under Windows).
Recycle bin in Windows
In Windows, files deleted via Explorer are moved to a user-specific area, the Recycle Bin, unless the user expressly requests direct deletion. The files are only removed from this area when the storage space allocated to the Recycle Bin on the corresponding disk drive is exceeded or the user explicitly empties the Recycle Bin. The contents of the Recycle Bin should therefore be deleted regularly so that the hard disk does not fill up and the user does not lose track of which files still exist.
The maximum size of the storage space reserved for the Recycle Bin can be set to a suitably low value, e.g. 2 MB, by opening the "Properties" of the "Recycle Bin" icon. Files with sensitive contents should not be moved to the Recycle Bin; they should be deleted directly instead by keeping the Shift key pressed during deletion. Note that this only bypasses the Recycle Bin: the file contents still remain on the disk as described above until the space is reused.
In Windows, files that have been removed from the Recycle Bin (or deleted directly with Shift) can be reconstructed using utility programs, because only their directory entries have been removed. Files with especially sensitive contents should therefore be completely overwritten instead of being dragged to the Recycle Bin (see S 2.3 Data media control and S 1.15 Deleting and destroying data).
Windows XP, Vista, Windows 7, and the Server versions 2003 and higher offer the ability to delete files directly without using the Recycle Bin. Direct deletion can be specified in the properties of the Recycle Bin (Remove files immediately when deleted) or forced by activating the policy User Configuration | Administrative Templates | Windows Components | Windows Explorer | Do not move deleted files to the Recycle Bin. Users must be informed when direct deletion is configured, as files can then no longer be restored from the Recycle Bin.
In Windows XP, Vista, Windows 7, and the Server versions 2003 and higher, the free space of a volume can be overwritten with the command cipher.exe /w:<directory>; the directory given only identifies the volume, and the unused space of the entire volume is processed. cipher.exe overwrites the free space three times: first with 0x00, then with 0xFF, and finally with pseudo-random data. To do so it creates a temporary folder named EFSTMPWP in the root of the volume and fills it with files until the volume is full; the folder is removed again afterwards, but the run can take a long time on large volumes. It should be taken into account that the contents of very small deleted files are not covered by this command if their data was stored resident in the MFT record rather than in separate clusters (with the default MFT record size of 1 kB this concerns files of a few hundred bytes). The command is also suitable for purging the unencrypted remnants left on the disk when existing files are subsequently encrypted with EFS.
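The following PowerShell script is an added example and not part of S 4.56. It audits what is currently held in the Recycle Bin of the logged-on user, empties it, and then enforces direct deletion for that user by writing the registry value behind the policy named above (NoRecycleFiles under the Explorer policy key). It assumes Windows PowerShell 5.1 on Windows 7 or later (Clear-RecycleBin exists from PowerShell 5.0); the 700-byte figure and the function names are the example's own.

```powershell
# Added example (not part of S 4.56): audit the current user's Recycle Bin and
# enforce "Do not move deleted files to the Recycle Bin" for that user.
# Assumptions: Windows PowerShell 5.1 on Windows 7 or later; the registry value
# NoRecycleFiles under the per-user Explorer policy key is what the Group Policy
# setting writes; Explorer reads it at logon, so a new logon may be required.

function Get-RecycleBinReport {
    # Enumerate what is currently sitting in the Recycle Bin via the shell
    # namespace (folder 0xA = ssfBITBUCKET). Items there are ordinary files
    # that any utility can read back, which is why they are not "deleted".
    $shell = New-Object -ComObject Shell.Application
    $bin   = $shell.NameSpace(0xA)
    $items = @($bin.Items())
    [PSCustomObject]@{
        Count      = $items.Count
        TotalBytes = [int64](($items | Measure-Object -Property Size -Sum).Sum)
        Names      = @($items | ForEach-Object { $_.Name })
    }
}

function Set-DirectDeletePolicy {
    param([switch]$Enable)
    # HKCU\...\Policies\Explorer\NoRecycleFiles = 1 is the per-user registry
    # form of the policy "User Configuration | Administrative Templates |
    # Windows Components | Windows Explorer | Do not move deleted files to the
    # Recycle Bin". In a domain the same value would be distributed centrally
    # with Set-GPRegistryValue from the GroupPolicy module instead.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    if ($Enable) {
        New-ItemProperty -Path $key -Name NoRecycleFiles -PropertyType DWord -Value 1 -Force | Out-Null
    } else {
        Remove-ItemProperty -Path $key -Name NoRecycleFiles -ErrorAction SilentlyContinue
    }
    # Read the value back so the caller can verify the setting took effect.
    $current = (Get-ItemProperty -Path $key -Name NoRecycleFiles -ErrorAction SilentlyContinue).NoRecycleFiles
    return ($current -eq 1)
}

# Usage: report, empty the bin (equivalent of "Empty Recycle Bin"), then
# enforce direct deletion for this user.
$before = Get-RecycleBinReport
"Recycle Bin holds {0} item(s), {1} bytes" -f $before.Count, $before.TotalBytes
Clear-RecycleBin -Force -ErrorAction SilentlyContinue
if (Set-DirectDeletePolicy -Enable) {
    'NoRecycleFiles = 1: Explorer will delete files directly; users must be informed.'
}
```

Remove-Item from PowerShell never uses the Recycle Bin in any case; the policy only affects deletions made through the shell (Explorer and programs using its file operations), which is where users encounter the Recycle Bin.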
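As an added example (not code from S 4.56), the following PowerShell function wraps cipher.exe /w with the checks a practitioner would want first: it refuses anything but a local NTFS volume, reports how much free space will be overwritten, and counts the files under the given path that are small enough to be MFT-resident, to make the caveat above concrete. It assumes PowerShell 3.0 or later for Get-CimInstance (use Get-WmiObject on older systems); the 700-byte bound for resident data and the function name are assumptions of the example.

```powershell
# Added example (not from S 4.56): wipe the free space of the volume holding a
# given path with cipher.exe /w, after the checks a practitioner would want.
# Assumes Windows PowerShell 3.0 or later (Get-CimInstance, Get-ChildItem -File)
# and cipher.exe in %SystemRoot%\System32. Run from an elevated shell.

function Invoke-FreeSpaceWipe {
    param(
        [Parameter(Mandatory)][string]$Path,   # e.g. 'D:\' or 'D:\Projects'
        [switch]$WhatIf
    )
    $drive = (Resolve-Path $Path).Drive.Name + ':'
    $disk  = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$drive'"

    # cipher /w is an NTFS facility; it is pointless on FAT and on network
    # drives (DriveType 3 = local disk).
    if ($disk.FileSystem -ne 'NTFS' -or $disk.DriveType -ne 3) {
        throw "$drive is $($disk.FileSystem), drive type $($disk.DriveType): cipher /w needs a local NTFS volume"
    }

    # Caveat from the text: data stored resident in the MFT record is not
    # touched by this pass. With 1 KB MFT records that means files below
    # roughly 700 bytes (assumed bound). Count such files under $Path to give
    # a feeling for the residual risk when they are deleted later.
    $resident = @(Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
                  Where-Object { $_.Length -lt 700 }).Count

    "{0}: {1:N0} MB free will be overwritten three times (0x00, 0xFF, random)" -f $drive, ($disk.FreeSpace / 1MB)
    "{0} file(s) under {1} are small enough to be MFT-resident; deleting them leaves their contents in the MFT" -f $resident, $Path

    # cipher creates the folder EFSTMPWP in the root of the volume and fills it
    # with temporary files until the volume is full; it is removed afterwards.
    if ($WhatIf) { "Would run: cipher.exe /w:$Path"; return }
    & "$env:SystemRoot\System32\cipher.exe" "/w:$Path"
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe failed with exit code $LASTEXITCODE" }
}

# Usage: dry run first, then the real pass (can take a long time on large volumes).
Invoke-FreeSpaceWipe -Path 'D:\' -WhatIf
# Invoke-FreeSpaceWipe -Path 'D:\'
```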
Special deletion programs should be used to actually delete confidential files irretrievably. Such programs overwrite all residual data relating to these files on the data media.
Shadow copies
Windows clients from Vista onwards and Windows Server 2003 and higher offer so-called shadow copies (created by the Volume Shadow Copy Service, VSS, also known as Volume Snapshot Service) to retain older versions of files and directories on a volume. Shadow copies are activated per NTFS volume (on servers in the Shadow Copies tab of the volume's Properties dialogue, on clients via System Protection). While shadow copies are active, deleted files and older versions of files on that volume can be restored for a certain period of time; this remains possible even if the original file was securely deleted with a corresponding program, because the snapshot keeps its own copy of the overwritten blocks.
Shadow copies must therefore not be enabled on volumes on which files may have to be securely deleted, and any existing shadow copies of such a volume must be removed, since they may already hold copies of the files. Encrypting the whole volume may offer additional protection, as the shadow copy storage on that volume is then encrypted as well.
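As an added example that is not part of S 4.56, the following PowerShell code checks whether a volume has shadow copies before files on it are securely deleted, and optionally removes them. It maps the \\?\Volume{GUID}\ names reported by Win32_ShadowCopy back to a drive letter via Win32_Volume and uses vssadmin.exe for the removal. It assumes PowerShell 3.0 or later and an elevated shell for the removal step; the function names are the example's own. Removing shadow copies also discards restore points and "previous versions", so this must be agreed with the data owner first.

```powershell
# Added example (not from S 4.56): verify that a volume has no shadow copies
# that would preserve the contents of files about to be securely deleted.
# Assumes Windows Vista / Server 2003 or later, PowerShell 3.0 (Get-CimInstance)
# and vssadmin.exe; deleting shadow copies requires an elevated shell.

function Get-VolumeShadowCopies {
    param([Parameter(Mandatory)][string]$DriveLetter)   # e.g. 'C:'
    # Win32_ShadowCopy reports the snapshotted volume as \\?\Volume{GUID}\;
    # Win32_Volume gives the mapping from drive letter to that DeviceID.
    $vol = Get-CimInstance Win32_Volume -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { throw "No volume with drive letter $DriveLetter" }
    Get-CimInstance Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $vol.DeviceID } |
        ForEach-Object {
            [PSCustomObject]@{
                Id           = $_.ID
                Created      = $_.InstallDate
                DeviceObject = $_.DeviceObject   # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
            }
        }
}

function Assert-NoShadowCopies {
    param([Parameter(Mandatory)][string]$DriveLetter, [switch]$Remove)
    $copies = @(Get-VolumeShadowCopies -DriveLetter $DriveLetter)
    if ($copies.Count -eq 0) {
        "$DriveLetter has no shadow copies; secure deletion is not undermined by VSS."
        return $true
    }
    $oldest = ($copies | Sort-Object Created)[0].Created
    "$DriveLetter has $($copies.Count) shadow copies, the oldest from $oldest."
    "Files deleted or overwritten since then may still be restorable from these snapshots."
    if (-not $Remove) { return $false }
    # vssadmin removes every shadow copy of the volume; /quiet suppresses the prompt.
    & vssadmin.exe delete shadows /for=$DriveLetter /quiet | Out-Null
    return (@(Get-VolumeShadowCopies -DriveLetter $DriveLetter).Count -eq 0)
}

# Usage: check first; add -Remove (in an elevated shell) to clear the snapshots
# before running the secure deletion program.
Assert-NoShadowCopies -DriveLetter 'C:'
# Assert-NoShadowCopies -DriveLetter 'C:' -Remove
```

Note that shadow copies of the volume may be stored on a different volume (the diff area), so wiping free space on the original volume alone does not remove them; the check above is what tells you whether any exist.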
Review questions:
- Is it ensured that no other operating system than Windows is installed on the local hard disks or, when another operating system is installed, that a hard drive encryption program is used?
- Are all users informed that files deleted using the Recycle Bin are not deleted securely?
- Are additional programs used for irrecoverable deletion, in particular of confidential files?