Windows File Deletion: Going, Going, Still There

Written by Evan Schuman
December 9th, 2009

Absence may make the heart grow fonder, but it’s becoming much more difficult to achieve in Windows 7 and Windows Vista thanks to volume shadow copy. And that refusal to go away is becoming a real problem for IT security. Deleting a file—even using top security procedures—doesn’t make it go away; another copy is squirreled away somewhere, in a manner that makes it almost impossible to delete.

IT needs to remove files for so many reasons, from honorable ones such as removing sensitive personnel-related data when a laptop is transferred from one employee (or a departing employee) to a new employee to less honorable issues such as deleting information before it can be subpoenaed or sought in legal discovery.

Bruce Schneier’s excellent security blog recently discussed why Windows 7’s and Windows Vista’s approach to volume shadow copy (VSC) is so problematic.

“If the original file was stored on a volume protected by the Volume Shadow Copy service and it was there when a restore point was created, the original file will be retrievable using Previous versions. All you need to do is right-click the containing folder, click Restore previous versions, open a snapshot and, lo and behold, you’ll see the original file that you tried so hard to delete,” Schneier wrote. “The reason wiping the file doesn’t help, of course, is that before the file’s blocks get overwritten, VSC will save them to the shadow copy. It doesn’t matter how many times you overwrite the file; the shadow copy will still be there, safely stored on a hidden volume. Shadow copies are read-only, so there is no way to delete a file from all the shadow copies.”
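The practical question that follows from Schneier’s point is how to verify whether a file that was wiped from the live volume is still sitting in one of the machine’s snapshots. The following PowerShell script is an added example and is not part of the original post or Schneier’s; it enumerates the shadow copies for one volume and reports, per snapshot, whether the given relative path is still present. It assumes an elevated prompt (Win32_ShadowCopy is only readable by administrators), and the parameter names, the scratch link location and the sample path are the example’s own choices.

```powershell
# Added example (not from the original post): audit which Volume Shadow Copy
# snapshots on this machine still hold a copy of a file that was deleted or
# overwritten on the live volume. Run from an elevated prompt.
param(
    [Parameter(Mandatory = $true)]
    [string]$RelativePath,                    # e.g. 'Users\alice\Documents\salaries.xlsx' (no drive letter); assumed sample
    [string]$Volume   = 'C:',                 # drive letter of the volume to audit
    [string]$LinkPath = 'C:\vss_audit_link'   # assumed scratch location for a temporary directory link
)

# Win32_ShadowCopy identifies volumes by their \\?\Volume{GUID}\ name, so map the
# drive letter to that form through Win32_Volume first.
$volumeGuidPath = (Get-CimInstance -ClassName Win32_Volume |
    Where-Object { $_.DriveLetter -eq $Volume }).DeviceID

$snapshots = Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeGuidPath } |
    Sort-Object InstallDate

if (-not $snapshots) {
    Write-Output "No shadow copies exist for $Volume; VSC is not retaining wiped data there."
    return
}

foreach ($snap in $snapshots) {
    # DeviceObject looks like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3.
    # Many cmdlets reject the \\?\GLOBALROOT prefix, so expose the snapshot through a
    # temporary directory symbolic link, query it, then remove only the link
    # (rmdir on a link never recurses into the read-only snapshot behind it).
    $target = $snap.DeviceObject + '\'
    cmd /c mklink /d "$LinkPath" "$target" | Out-Null
    try {
        $candidate = Join-Path $LinkPath $RelativePath
        [pscustomobject]@{
            ShadowCopyId     = $snap.ID
            Created          = $snap.InstallDate
            FileStillPresent = (Test-Path -LiteralPath $candidate)
        }
    } finally {
        cmd /c rmdir "$LinkPath" | Out-Null
    }
}
```

Any row with FileStillPresent set to True is a snapshot from which the “deleted” file can be restored through Previous versions, exactly as the quote describes, regardless of how many overwrite passes were made on the live copy. Running this audit before a laptop changes hands tells you whether the sanitization actually took, and which snapshots a data-handling policy would have to address.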

This very real shadow copy problem is just one symptom of the growing “data copies in unexpected places” dilemma. E-mails and files retrieved from the road—and sometimes even at the office—may also be kept on a PDA.

When that PDA is synched to the laptop, those files may not only hide in yet another place on that laptop; copies may exist on a server with that carrier or phone manufacturer, depending on how that particular PDA handles data synch. This problem is all atop the very well known memory stick issue. All told, one sensitive document created on a company desktop machine may, in a matter of minutes, be unintentionally copied in 10 locations: an employee’s desktop; the LAN server that backs it up; a PDA; the carrier/vendor server that synchs the PDA data; a memory stick; the home computer the employee used that memory stick in; the personal external backup drive connected to that employee’s computer; an offsite backup service the employee uses; the shadow copy on that employee’s work desktop machine; and the shadow copy on that employee’s home desktop machine.

And if that employee happened to E-mail that file to colleagues, clients or anyone else, the number of copies of that file may mushroom by the number of people who were cc’ed and all of the places on their devices where it might be stored, plus various E-mail servers and the servers at the ISPs for the entity sending it and the entities receiving it. And their backup systems.

Yep, ridding the world of a sensitive file is suddenly a lot more troublesome than it used to be, assuming it’s even possible anymore.


2 Comments

  1. PCI Guy Says:

    This problem has been around for a long time, perhaps 20 years or more, and is present in earlier versions of Windows, too, including Windows XP. Sadly, the clueless folks at the PCI Security Council don’t understand how modern file systems work, and they have been stupidly requiring software developers to “securely delete” sensitive data. The thing is, that’s not really possible, and the old technique of overwriting confidential data multiple times simply generates a few more allocated disk sectors, while leaving the original “confidential” data untouched.

  2. Cranston Snoard Says:

    Ah, but perhaps one day (one can always hope, can’t one?) PCI might catch up with the late 20th century and then think about moving into reality. Meantime, this only serves to heap on more evidence of how “useful” PCI really is…
