locked
Does Windows Disk protection "securely" delete its cache? RRS feed

  • Question

  • When a WDP cache is removed, are the blocks on disk overwritten or can they still be recovered from disk?

    I am evaluating products and one requirement is that deleted user data (meaning data deleted from the cache) be securely deleted so the files can not be recovered by common forensics tools.
    Wednesday, September 10, 2008 3:09 PM

Answers

  • Hi Michael, I'd like to quote the paragraph in Windows SteadyState handbook on this question:

     

    Windows Disk Protection On

    When Windows Disk Protection is turned on, it creates a cache file to retain all of the modifications to operating system or program directories. Histories, saved files, and logs are all stored in this cache file that has been created on a protection partition of the system drive. At intervals you can designate, Windows Disk Protection deletes the contents of the cache and restores the system to the state in which Windows Disk Protection was first turned on.

     

    Clearing the Cache

    When Windows Disk Protection is turned on, all changes to the hard disk and program files are cleared and the cache file is emptied at the specified interval you set. As users use the computer, the cache file fills with all changes to the operating system and program files. If the cache file fills to 70 percent capacity, the user will receive a warning message.

    Windows Disk Protection created the cache file at 50 percent of the free disk space (up to 40 GB) to give shared users plenty of disk space to use. However, if the warning appears, you can clear the cache manually.

     

    For detail information, you can download handbook via the link:

     

    http://www.microsoft.com/downloads/details.aspx?FamilyId=F829BB8B-C7A9-426B-A7A4-2B504A6238D2&displaylang=en

    Monday, September 15, 2008 5:42 AM

All replies

  • Allow me to bring this back to the top by adding another related question - can the WDP cache be cleared on logoff instead of at the next boot?  If not is there a compelling reason for that?
    Thursday, September 11, 2008 8:49 PM
  •  

    Hi Michael, do you mean after turning off Windows Disk Protection? Yes, we can still use the blocks if the WDP function is turned off.

     

    This is by design that cache will be cleared after restarting. If you want to clear it after logging off, you can use the option "Restart computer after log off" in User Settings.

    Friday, September 12, 2008 5:54 AM
  •  Sean Zhu - MSFT wrote:

     Hi Michael, do you mean after turning off Windows Disk Protection? Yes, we can still use the blocks if the WDP function is turned off.


    I mean while Windows Disk Protection is enabled, how do you define "cleared" when you say the cache is "cleared after restarting"?  My question is if the contents of the cache remain on the hard drive, whether or not the OS knows about them, or if the blocks are zeroed or otherwise "securely erased" so the contents of the cache are removed from the blocks on disk they occupied.


    If the contents of the cache file are not actually erased on restart I wonder if a tool like Eraser or some such could be used to scrub the contents of the cache file from disk on reboot?

    Friday, September 12, 2008 3:22 PM
  • Hi Michael, I'd like to quote the paragraph in Windows SteadyState handbook on this question:

     

    Windows Disk Protection On

    When Windows Disk Protection is turned on, it creates a cache file to retain all of the modifications to operating system or program directories. Histories, saved files, and logs are all stored in this cache file that has been created on a protection partition of the system drive. At intervals you can designate, Windows Disk Protection deletes the contents of the cache and restores the system to the state in which Windows Disk Protection was first turned on.

     

    Clearing the Cache

    When Windows Disk Protection is turned on, all changes to the hard disk and program files are cleared and the cache file is emptied at the specified interval you set. As users use the computer, the cache file fills with all changes to the operating system and program files. If the cache file fills to 70 percent capacity, the user will receive a warning message.

    Windows Disk Protection created the cache file at 50 percent of the free disk space (up to 40 GB) to give shared users plenty of disk space to use. However, if the warning appears, you can clear the cache manually.

     

    For detail information, you can download handbook via the link:

     

    http://www.microsoft.com/downloads/details.aspx?FamilyId=F829BB8B-C7A9-426B-A7A4-2B504A6238D2&displaylang=en

    Monday, September 15, 2008 5:42 AM
  •  Sean Zhu - MSFT wrote:

    Hi Michael, I'd like to quote the paragraph in Windows SteadyState handbook on this question:

     

    Windows Disk Protection On

    When Windows Disk Protection is turned on, it creates a cache file to retain all of the modifications to operating system or program directories. Histories, saved files, and logs are all stored in this cache file that has been created on a protection partition of the system drive. At intervals you can designate, Windows Disk Protection deletes the contents of the cache and restores the system to the state in which Windows Disk Protection was first turned on.

     

    Clearing the Cache

    When Windows Disk Protection is turned on, all changes to the hard disk and program files are cleared and the cache file is emptied at the specified interval you set. As users use the computer, the cache file fills with all changes to the operating system and program files. If the cache file fills to 70 percent capacity, the user will receive a warning message.

    Windows Disk Protection created the cache file at 50 percent of the free disk space (up to 40 GB) to give shared users plenty of disk space to use. However, if the warning appears, you can clear the cache manually.

     

    For detail information, you can download handbook via the link:

     

    http://www.microsoft.com/downloads/details.aspx?FamilyId=F829BB8B-C7A9-426B-A7A4-2B504A6238D2&displaylang=en



    I have read the FAQ's on this item and the available Handbooks and Technical guides and find that the original premise of the question still remains unanswered.

    That question being

                           "Does Windows Disk protection "securely" delete its cache?"

    Or to put it another way, WDP "...deletes the contents of the cache"

    but is the data recoverable as the normal "deletion" process just merely flags the file/content/cache nothing is actually removed and can very easily be UNdeleted and recovered through many free tools?

    Therefore the question remains whether and how the Cache of any Windows SteadyState WDP can be 'deleted' in such a way that it is not recoverable in anyway. Or as the question was originally framed, can the WDP Cache be "Securely" deleted?

    Such laws as the USA Health Information Portability and Accountability Act (HIPAA) require secure deletion of data. Now shared computer use at Schools. Cafes etc means that the Cache is likely to retain lots of senstive data. Therefore the question on how to "Securely delete the contents of the WDP Cache still remains outstanding.

    Thanks

    Tuesday, December 2, 2008 12:58 AM
  •  BobJoel wrote:

    but is the data recoverable as the normal "deletion" process just merely flags the file/content/cache nothing is actually removed and can very easily be UNdeleted and recovered through many free tools?


    Hi,

    The data cached by WDP is not securely deleted; rather, the metadata describing the map of the cached data to the "real" disk is simply reinitialized.

    Thanks,
    Rob Elmer
    Development Lead
    Windows SteadyState
    Tuesday, December 2, 2008 5:43 AM
  • We are planning on using SteadyState for Vista loaner machines we provide to our internal (company employees) customers. A concern was brought up about the security of the cache.wdp file... the concern is that a curious or disgruntled employee may try to use the cache.wdp file (that was "wiped"/had the metadata reinitialized as you describe above) to extract data from a previous user of the system. I'm sure this is possible, but is it difficult to do? I suppose I am looking for some basic assurance that the cache.wdp can't be easily reverse engineered to extract the data it contains by a nosy customer. Even though the likelihood of someone internal trying is low, we still need to ask from a risk perspective.

     

    Thanks for any insight.

    Friday, January 9, 2009 12:21 AM
  • Hi,

    Reconstructing the previously cached information manually would be fairly difficult.  First, the structure of the cache file would have to be reverse engineered, then the cached data would have to be interpreted to figure out how it was related to what's on disk in order to rebuild entire files.  On the other hand, someone could simply try to read through the file in hopes of glimpsing something that looked interesting (for example, readable text from a document).  It's possible that portions of a file would be discoverable that way, but I would expect actually *recovering* that file to be much more difficult.  It's not as easy as, for example, undeleting a file.

    Thanks,
    Rob Elmer
    Development Lead
    Windows SteadyState
    Friday, January 9, 2009 5:08 AM