Access Denied: Deleting a File on an NTFS Volume and Erasing the Data

I worked temporarily with confidential files on someone else's computer. Although I deleted the files, can an attacker still gain access to data in them?

Your concern is warranted. When you delete a file on an NTFS volume, NTFS doesn't actually erase the data in the file--it just deletes the reference to the file in the file table. The clusters once allocated to that file are now unallocated, but the data is still there until NTFS uses those clusters for a new file. An attacker could use a low-level sector-analysis tool to view unallocated data on the drive and possibly find your files. Microsoft has released an updated version of the Cipher (cipher.exe) tool that lets you overwrite all the unallocated space on an NTFS drive. You can download Cipher from net/treeview/default.asp?url=/technet/ itsolutions/security/tools/cipher.asp. After you install the new version of Cipher, you can clean up your C drive by simply running

cipher /w:c:

from the command line. Make sure that you follow the installation instructions on the Cipher download page. I also recommend that you read the accompanying FAQ.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.