Access Denied: Deleting a File on an NTFS Volume and Erasing the Data

Learn how to erase the data after you delete a file on an NTFS volume.

ITPro Today

October 28, 2001

1 Min Read
ITPro Today logo in a gray background | ITPro Today

I worked temporarily with confidential files on someone else's computer. Although I deleted the files, can an attacker still gain access to data in them?

Your concern is warranted. When you delete a file on an NTFS volume, NTFS doesn't actually erase the data in the file--it just deletes the reference to the file in the file table. The clusters once allocated to that file are now unallocated, but the data is still there until NTFS uses those clusters for a new file. An attacker could use a low-level sector-analysis tool to view unallocated data on the drive and possibly find your files. Microsoft has released an updated version of the Cipher (cipher.exe) tool that lets you overwrite all the unallocated space on an NTFS drive. You can download Cipher from http://www.microsoft.com/tech net/treeview/default.asp?url=/technet/ itsolutions/security/tools/cipher.asp. After you install the new version of Cipher, you can clean up your C drive by simply running

cipher /w:c:

from the command line. Make sure that you follow the installation instructions on the Cipher download page. I also recommend that you read the accompanying FAQ.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like