BitLocker: Encrypt Used Disk space only vs Full encryption

  • Question

  • Hi all,

    A customer of mine is looking to deploy Windows 10 in combination with Bitlocker.

    Looking on TechNet and other forums, I've read that the option "Used Diskspace Only" would be the recommended deployment method for new computers. But you'll still have the risk that previous data located on this disk might be recoverable using special forensic tools.

    Thanks to this forum post I was able to receive the information that the command "WipeFreeSpace" could be used after installing the computer with bitlocker in "Used Diskspace Only" mode.

    I still have the following questions :

    • If this computer has previously been active in production and is just re-deployed for a new owner, can the old data (before the format) be recovered (if WipeFreeSpace wouldn't be used)? Is this only applicable if the disk wasn't encrypted with BitLocker before the format, or doesn't it make a difference?

    Thanks in advance!


    • Edited by Silencer0001 Tuesday, September 22, 2015 6:27 AM Added extra links for WipeFreeSpace
    Monday, September 21, 2015 8:49 PM

Answers

  • Hi,

    First, please allow me to explain a bit about how a disk handles a delete action.

    When we delete a file, the file is not just "wiped" - instead, an attribute is added to mark it as deleted. The data is still there until new data overwrites that space on the hard disk.

    So back to your question. If the data was not encrypted before a format, then even though we formatted and installed a new system, some of this data may still be there (not overwritten), so we can recover a part of the previous data.

    If the previous data was encrypted, we can still recover a part - but it is still encrypted, which means it will be unreadable.



    • Marked as answer by Silencer0001 Monday, September 28, 2015 12:32 PM
    Monday, September 28, 2015 9:24 AM
    Moderator
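
A toy model of the three cases discussed in this thread, added here as an illustration and not part of the original posts: old data unencrypted, old data encrypted, and free space wiped after a used-space-only deployment. `ToyDisk`, the XOR keystream (a stand-in for real disk encryption, not BitLocker's algorithm) and the sample record are all constructed for the example.

```python
import hashlib

BLOCK = 16
OLD_FILE = b"payroll: alice 4200; bob 3900; carol 5100"  # constructed sample data
MARKER = b"bob 3900"

def toy_encrypt(block, key, index):
    """XOR with a per-block keystream. Stand-in for real disk encryption, not secure."""
    stream = hashlib.sha256(key + index.to_bytes(4, "big")).digest()[:BLOCK]
    return bytes(a ^ b for a, b in zip(block, stream))

class ToyDisk:
    def __init__(self, nblocks=8):
        self.blocks = [bytes(BLOCK)] * nblocks
        self.used = set()  # allocation table: block numbers holding live data

    def free(self):
        return [i for i in range(len(self.blocks)) if i not in self.used]

    def write_file(self, data, key=None):
        """Store data in the first free blocks, encrypting each block if a key is given."""
        for off in range(0, len(data), BLOCK):
            idx = self.free()[0]
            chunk = data[off:off + BLOCK].ljust(BLOCK, b"\0")
            self.blocks[idx] = toy_encrypt(chunk, key, idx) if key else chunk
            self.used.add(idx)

    def format(self):
        self.used.clear()  # only the metadata is reset; block contents stay

    def wipe_free_space(self):
        for i in self.free():
            self.blocks[i] = bytes(BLOCK)

    def carve_free_space(self):
        """What a raw read of the unallocated blocks returns."""
        return b"".join(self.blocks[i] for i in self.free())

def redeploy(old_key=None, wipe=False):
    """Return (old bytes still on disk, old plaintext readable) after redeployment."""
    disk = ToyDisk()
    disk.write_file(OLD_FILE, key=old_key)             # previous owner's data
    disk.format()
    disk.write_file(b"new OS", key=b"new-volume-key")  # used-space-only: live blocks only
    if wipe:
        disk.wipe_free_space()
    residue = disk.carve_free_space()
    return any(residue), MARKER in residue

if __name__ == "__main__":
    print("unencrypted before, no wipe:", redeploy())
    print("encrypted before, no wipe:  ", redeploy(old_key=b"old-volume-key"))
    print("unencrypted before, wiped:  ", redeploy(wipe=True))
```
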

All replies

  • Perfect answer to my question! Thanks!!
    Monday, September 28, 2015 12:32 PM