Windows File Deletion: Going, Going, Still There

Absence may make the heart grow fonder, but it's becoming much more difficult to achieve in Windows 7 and Windows Vista thanks to volume shadow copy. And that refusal to go away is becoming a real problem for IT security. Deleting a file—even using top security procedures—doesn't make it go away; another copy is squirreled away somewhere, in a manner that makes it almost impossible to delete.

IT needs to remove files for so many reasons, from honorable ones such as removing sensitive personnel-related data when a laptop is transferred from one employee (or a departing employee) to a new employee to less honorable issues such as deleting information before it can be subpoenaed or sought in legal discovery.

Bruce Schneier's excellent security blog recently discussed why Windows 7's and Windows Vista's approach to volume shadow copy (VSC) is so problematic.

"If the original file was stored on a volume protected by the Volume Shadow Copy service and it was there when a restore point was created, the original file will be retrievable using Previous versions. All you need to do is right-click the containing folder, click Restore previous versions, open a snapshot and, lo and behold, you'll see the original file that you tried so hard to delete," Schneier wrote. "The reason wiping the file doesn't help, of course, is that before the file's blocks get overwritten, VSC will save them to the shadow copy. It doesn't matter how many times you overwrite the file, the shadow copy will still be there, safely stored on a hidden volume. Shadow copies are read-only, so there is no way to delete a file from all the shadow copies."

This very real shadow copy problem is just one symptom of the growing "data copies in unexpected places" dilemma. E-mails and files retrieved from the road—and sometimes even at the office—may also be kept on a PDA.

When that PDA is synched to the laptop, those files may not only hide in yet another place on that laptop; copies may exist on a server with that carrier or phone manufacturer, depending on how that particular PDA handles data synch. This problem is all atop the very well known memory stick issue. All told, one sensitive document created on a company desktop machine may, in a matter of minutes, be unintentionally copied in 10 locations: an employee’s desktop; the LAN server that backs it up; a PDA; the carrier/vendor server that synchs the PDA data; a memory stick; the home computer the employee used that memory stick in; the personal external backup drive connected to that employee’s computer; an offsite backup service the employee uses; the shadow copy on that employee's work desktop machine; and the shadow copy on that employee's home desktop machine.

And if that employee happened to E-mail that file to colleagues, clients or anyone else, the number of copies of that file may mushroom by the number of people who were cc'ed and all of the places on theirdevices were it might be stored, plus various E-mail servers and the servers on the ISPs for the entity sending it and the entities receiving it. And their backup systems.

Yep, ridding the world of a sensitive file is suddenly a lot more troublesome than it used to be, assuming it's even possible anymore.