When data security is important, such as when file encryption vaults are used, it's equally important to understand that something as simple as a file move might leave unexpected file remnants.
I am worried about a potential security loophole when using Truecrypt. Basically, if I move a file into a Truecrypt volume, doesn't the data still exist in unencrypted form in its original location? The analogy I am thinking of here is that deleting a file just deletes the file index but not the data.
What do I need to do to ensure that no unencrypted remnants are left behind when I move a file into a Truecrypt volume?
You raise a very important point for the security minded among us. Moving a file into a TrueCrypt volume almost certainly leaves behind the very thing you're trying to secure.
In fact, your analogy isn't an analogy at all - it's pretty much exactly how the scenario plays out.
To understand why that is we need to examine the whole concept of "moving" a file, how it works, and why it works the way it does.
And, of course, give you an extra step to keep your information secure.
As it turns out, there are two different ways that a file move might actually happen:
A simple directory listing update
A file copy followed by a delete
Let's look at both, and dive into why the second one has to exist, and why it's technically a security issue if not understood.
If you move a file from one folder to another, and both folders exist on the same disk drive - specifically the same volume on the same disk drive - then Windows doesn't need to touch the file's data at all.
For example, let's say you want to move the file c:\documents\example.doc to a different folder: c:\backup\saved_documents.
Since the actual data for the file would be on the same disk (C: in this example) before and after the move, there's actually no need to move the data at all.
Instead, Windows simply updates the information in the c:\backup\saved_documents folder to say "the file example.doc is here", and then removes that same information from the c:\documents folder.
It's a very quick operation, since the data doesn't move at all.
Now let's say you want to move a file from one disk to another. Perhaps you want to move c:\documents\example.doc to d:\anotherfolder.
In this case the actual data associated with the file must be moved from one disk to another. The process is:
The file c:\documents\example.doc is copied to the folder d:\anotherfolder.
c:\documents\example.doc is then deleted (but only if that copy succeeded).
That's why a move between drives often takes longer; it's not enough to just update a couple of folder entries, because the actual data in the file needs to be copied.
And therein lies the security concern.
As you probably know by now, deleting a file doesn't actually delete the data that the file contained. In fact, all that really happens is that the information in the folder that says "the file is here" is removed. The disk space occupied by the file's data is now considered "empty", but the contents are not overwritten.
When a move operation is a copy followed by a delete, that's exactly what happens; the original file in its original location is deleted, but the data is not overwritten.
Until it is overwritten - typically by some other file being written to the same location on the hard disk - that data is potentially recoverable.
TrueCrypt mounts encrypted volumes as virtual drives. When you "mount" a TrueCrypt volume for access by providing the appropriate passphrase, another drive appears on your system that you can then use to access the unencrypted files contained within the container.
It's another drive.
Which means a move of a file from another drive into the TrueCrypt drive is implemented as a copy and delete.
Leaving the original unencrypted file potentially recoverable on the original drive.
Fortunately the solution is actually pretty simple.
Wipe the free space on the original drive after moving your files around.
Wiping the free space does nothing more than write data to all the areas on the disk that are currently unused, and thus in the process would overwrite the space formerly occupied by your moved file(s).
There are several solutions; two of the simplest are SDelete, a free command line utility from Microsoft that includes a free space wiper, and CCleaner, a free disk cleaning tool that includes a free space wiper as well.
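As an added illustration (not code from the article, TrueCrypt, SDelete or CCleaner), the following Python script shows both halves of the explanation above: a move that is a pure directory-entry update when source and destination share a volume, a copy followed by a plain delete when they don't, and a free space wipe of the kind SDelete and CCleaner perform. The function names, the max_bytes cap and the sample file are my own assumptions; the volume check uses st_dev, which identifies the volume on both Windows and POSIX.

```python
import os
import shutil
import tempfile


def same_volume(src, dst_dir):
    """True when both paths share a device: the OS can then "move" by
    rewriting directory entries alone, and no copy of the data is made."""
    return os.stat(src).st_dev == os.stat(dst_dir).st_dev


def move_file(src, dst_dir):
    """Move src into dst_dir and return (dst, remnant_left). On the same
    volume this is a rename. Across volumes (e.g. into a mounted TrueCrypt
    drive) it is copy + delete, which leaves the plaintext blocks on the
    source volume until something overwrites them."""
    dst = os.path.join(dst_dir, os.path.basename(src))
    if same_volume(src, dst_dir):
        os.replace(src, dst)
        return dst, False
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        shutil.copyfileobj(fin, fout)
        fout.flush()
        os.fsync(fout.fileno())           # copy must be on disk first
    if os.path.getsize(dst) != os.path.getsize(src):
        raise OSError("copy incomplete; original left untouched")
    os.remove(src)                        # plain delete: data not overwritten
    return dst, True


def wipe_free_space(directory, max_bytes=None, chunk=1 << 20):
    """What a free-space wiper does: fill the volume's unused space with a
    scratch file, then delete it, overwriting blocks freed by earlier deletes.
    max_bytes caps the fill (for demonstration); None runs until the volume
    is full. SSD wear levelling may keep stale blocks this cannot reach."""
    written = 0
    fd, scratch = tempfile.mkstemp(prefix="wipe_", dir=directory)
    try:
        with os.fdopen(fd, "wb", buffering=0) as f:
            while max_bytes is None or written < max_bytes:
                try:
                    written += f.write(os.urandom(chunk))
                except OSError:           # ENOSPC: free space is covered
                    break
            os.fsync(f.fileno())
    finally:
        os.remove(scratch)
    return written
```

Calling wipe_free_space with max_bytes=None on the source drive after a cross-volume move is the scripted equivalent of the SDelete/CCleaner step recommended above.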
Deleted files are just the tip of a larger iceberg when it comes to possible unexpected exposure of sensitive data.
For example, depending on what program you're using, simply editing a file on an encrypted drive could cause an unencrypted copy to be placed in a temporary file on a non-encrypted drive. Even when the temporary file is deleted, it might still be recoverable like any other deleted file.
If security and/or secrecy are important, then it's equally important to understand not only how Windows works, as in the scenario that brought us here, but how your specific set of tools works as well.