SecurityBytes.org TechnologyBytes.org

© 2007 Monte L. Kendrick and Pixelogiq Data Systems, LLC

Remnant Data on FAT and NTFS Volumes (Part 2)

In part one of this article, we discussed how manual and automatic file deletion activities may leave data remnants on disk, which could compromise sensitive information. By understanding where these remnants hide, we are able to devise methods for preventing data leakage and permanently removing traces of old files. This is critical if an attacker could gain physical access to the system or if the storage medium is to be discarded, sold, or reused.

Overwriting is the only reliable, non-destructive method for removing deleted files. The number of times that data is overwritten and the pattern of 1s and 0s used in each pass determine the thoroughness of the process. The U.S. Department of Defense specifies both a three-pass and a seven-pass data deletion standard; however, Peter Gutmann determined that successive overwrites can improve effectiveness up to a theoretical maximum of about 35 passes.

Most widely available deletion tools are configurable and allow the user to select the pattern and number of passes. These utilities often allow deletion of specific files, removal of Recycle Bin contents, and overwriting of volume free space. The last of these is perhaps the most critical function that a wiping utility can provide. Free space should be wiped both before and after drive defragmentation, as files are moved around the medium throughout the process.

For those using Windows XP Professional, the operating system includes a handy utility called cipher.exe. This program normally provides cryptographic functions for the Encrypting File System, but when used with the /W switch, it performs a three-pass overwrite of free space. It does not wipe cluster tips or purge MFT entries, but it is very fast. To use it, type the following at a command prompt:

C:\> cipher /W:c:\

When cipher.exe is used to wipe free space, old MFT entries may remain. Two additional tools allow the user to purge and/or overwrite these entries. Directory Snoop (www.briggsoft.com) is a multipurpose application that, among other things, will purge records of deleted files from both NTFS and FAT volumes. Windows Wiper (www.myplanetsoft.com/free) is a command-line utility that will wipe files, free space, and, when used with the /M option, MFT records.

Other applications are more configurable and allow the user to overwrite specific files. BCWipe (www.jetico.com) is available for a variety of operating systems and includes additional utilities for encrypting page files. Eraser (www.heidi.ie/eraser) is an open-source application for Windows that integrates with the Explorer shell and allows scheduled operation. It also provides wiping of MFT data, alternate data streams, and cluster tips.
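
As an added illustration (not code from this article or from any of the tools named above), the following Python sketch shows what a multi-pass overwrite of a single file involves, including padding the write out to a whole cluster so that the cluster tip is covered. The 4096-byte cluster size, the pass patterns (zeros, ones, random), and all function names are assumptions chosen for the example.

```python
import os
import secrets
import tempfile

CLUSTER_SIZE = 4096                 # assumption: common NTFS default; check the real volume
PASSES = (b"\x00", b"\xff", None)   # assumption: zeros, ones, then random data (None)

def padded_length(size, cluster=CLUSTER_SIZE):
    """Round size up to whole clusters so the slack in the last cluster is overwritten."""
    return max(cluster, -(-size // cluster) * cluster)

def overwrite_file(path, passes=PASSES, cluster=CLUSTER_SIZE):
    """Overwrite a file in place, one pass per pattern; return bytes written per pass."""
    length = padded_length(os.path.getsize(path), cluster)
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            for _ in range(length // cluster):
                block = secrets.token_bytes(cluster) if pattern is None else pattern * cluster
                f.write(block)
            f.flush()
            os.fsync(f.fileno())    # push this pass to the device before the next begins
    return length

def wipe_and_delete(path, **kw):
    """Overwrite, rename to a meaningless name, then delete.

    The rename means any directory or MFT record left behind no longer
    carries the original file name (hypothetical helper, not a tool's API).
    """
    written = overwrite_file(path, **kw)
    anon = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.rename(path, anon)
    os.remove(anon)
    return written

def demo():
    """Constructed sample: a 5000-byte file, which occupies two 4096-byte clusters."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, "secret.txt")
    with open(p, "wb") as f:
        f.write(b"S" * 5000)
    overwrite_file(p, passes=(b"\x00", b"\xff"))   # fixed patterns so the result is checkable
    with open(p, "rb") as f:
        data = f.read()
    written = wipe_and_delete(p)
    return data, written, os.path.exists(p), os.listdir(d)
```

A file-level overwrite like this does not purge the MFT record or reach earlier copies of the data left in free space, so a free-space wipe is still needed.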

Another potential source of data leakage is the use of virtual memory. By default, Windows will employ a page (swap) file to maximize RAM availability. As the contents of memory are written to this file, sensitive data may be exposed. Windows 2000 and XP provide a means to clear the page file on shutdown (see Microsoft KB #314834). For additional protection, Jetico provides a utility called CryptoSwap, which is bundled with the Windows version of BCWipe. This application will randomly initialize and encrypt the page file at every reboot using one of several strong encryption algorithms.

While these tools can help to reduce the probability that sensitive data may be recovered from deleted files, they cannot guarantee absolute security. The best option is to prevent data from ever being written, though this may be impractical if not impossible. However, when combined with whole-disk encryption, these corrective measures can significantly improve your security posture.
