SecurityBytes.org TechnologyBytes.org

© 2007 Monte L. Kendrick and Pixelogiq Data Systems, LLC

Remnant Data on FAT and NTFS Volumes (Part 1)

When files are deleted from Windows machines, whether via the Recycle Bin or by immediate deletion, they are not actually purged from the system. That is because Windows merely marks the area occupied by the files as available for reuse, and in so doing, removes them from view. However, the data remain on the drive, and the files may be recovered through trivial means.

Intentional acts are not the only causes of file deletion. Temporary file generation (e.g., Word), drive defragmentation, and browser cache clearing are other common sources of data leakage. When working with sensitive information, such as credit card numbers and health care records, deleted files or file fragments may become a target of dedicated attackers using file recovery or forensic analysis software. Protecting against such attacks first requires an understanding of how and where deleted data may hide on a storage device.

Most commonly, a deleted file will remain in the free or unallocated space of a hard drive. This is the area of the disk that is reported as available for use by the operating system. If the data have not been overwritten, and the file record is intact, the file may be recovered using any number of commercial or open-source "undelete" utilities. Even if the file record has been corrupted, so-called "carving" applications may be used to recover the file.

Another area in which data may hide is the cluster tip. Because of the way in which Windows file systems allocate disk space, file data aren't necessarily overwritten when a new file is created. Files are written to discrete clusters or allocation units, and only one file (or file fragment) may occupy such a cluster. For example, if the cluster size is 4096 bytes, but a new file only occupies 1000 bytes, then the remaining 3096 bytes of that cluster may contain data from an old file.
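The following Python model is an added illustration, not code from the original article. It shows both effects described above: deleted data persisting in unallocated space, and old bytes surviving in the cluster tip of a smaller file that reuses the cluster. The `ToyVolume` class, its file names and the sample record are constructed for the example and do not reflect real FAT or NTFS on-disk structures.

```python
CLUSTER = 4096  # cluster size from the article's example

class ToyVolume:
    """Constructed model: raw bytes plus a table of file records."""
    def __init__(self, clusters=4):
        self.count = clusters
        self.disk = bytearray(clusters * CLUSTER)
        self.files = {}  # name -> (first_cluster, cluster_count, size)
    def _used(self):
        return {c for s, n, _ in self.files.values() for c in range(s, s + n)}
    def write(self, name, data):
        need = max(1, -(-len(data) // CLUSTER))  # whole clusters, rounded up
        used = self._used()
        for start in range(self.count - need + 1):
            if not used & set(range(start, start + need)):
                break
        else:
            raise OSError("volume full")
        off = start * CLUSTER
        self.disk[off:off + len(data)] = data  # bytes past the data are untouched
        self.files[name] = (start, need, len(data))
    def delete(self, name):
        del self.files[name]  # only the record goes; cluster contents stay
    def unallocated(self):
        used = self._used()
        return b"".join(bytes(self.disk[c * CLUSTER:(c + 1) * CLUSTER])
                        for c in range(self.count) if c not in used)
    def _tip(self, name):
        start, n, size = self.files[name]
        return start * CLUSTER + size, (start + n) * CLUSTER
    def slack(self, name):
        """Bytes between end of file and end of its last cluster."""
        lo, hi = self._tip(name)
        return bytes(self.disk[lo:hi])
    def wipe_slack(self, name):
        lo, hi = self._tip(name)
        self.disk[lo:hi] = bytes(hi - lo)  # zero-fill the cluster tip

def demo():
    vol = ToyVolume()
    old = b"SENSITIVE-RECORD;" * 150  # constructed sample data, 2550 bytes
    vol.write("old.txt", old)
    vol.delete("old.txt")
    in_free = old in vol.unallocated()  # still readable after deletion
    vol.write("new.txt", b"A" * 1000)   # reuses cluster 0
    tip = vol.slack("new.txt")
    leaked = b"SENSITIVE-RECORD" in tip  # old bytes survive in the tip
    vol.wipe_slack("new.txt")
    return in_free, len(tip), leaked, any(vol.slack("new.txt"))
```

In this model the 1000-byte file leaves a 3096-byte tip that still holds the deleted record until the tip is zero-filled.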

File records themselves may contain deleted information. Newer versions of Windows use a file system known as NTFS. Although this system is more robust and provides better file management capabilities, it introduces its own set of concerns. The structure responsible for allocating and tracking the location of files on NTFS drives is called the master file table or MFT. Very small files may be stored entirely within the MFT record for that file rather than in the data area. Because the MFT entry for deleted files may persist long after deletion, these records serve as another potential avenue of attack.

In part two of this article, we will examine specific types of data leakage and discuss possible methods for defending against attack. We also will examine the risks of virtual memory and how to mitigate those risks.
