Via the SANS Information Security Reading Room RSS feed, I found a paper by John Mallery entitled “Secure File Deletion: Fact or Fiction?”. This paper provides a good introduction to the problem of deleted files lingering on Windows systems, as well as the other places sensitive information can hide, such as the Windows swap and page files and temporary files. He also provides a good review of the tools available for securely deleting files and wiping disks.
On a related note, the Microsoft Switzerland Security Blog posted a link to the article “Forensic Analysis of Microsoft Windows Recycle Bin Records”. The introduction states:
Contrary to popular belief, when a file is deleted from a computer it is not really deleted. This is especially true for Microsoft Windows Operating Systems. Windows utilizes a repository for deleted files called the Recycle Bin. The existence of the Recycle Bin allows a user to retrieve a document he accidentally deleted. In order for Windows to undelete a file in this manner, certain information must be stored in records so that the original information about the file may be restored, such as the file name.
Although it’s not information I expect to need, it is useful information for a forensic investigator.
Update: Jesper Johansson blogged today, 08/25/2006, about using the cipher /w:<drive letter> command, which is built into Windows XP and higher and makes three write passes over a drive to wipe all free space. This was in response to a query on Susan Bradley’s blog. Susan’s blog entry also pointed to a paper by Simson L. Garfinkel and Abhi Shelat on disk sanitization standards.