Possible to configure 7 to auto-wipe files?

Hello folks,

I'm in the process of transitioning to Windows 7 and exploring the new capabilities that come with it. One feature I've long wondered about and considered potentially useful (but never actually ran into in the real world) is a OS/filesystem option which if enabled would cause the OS/filesystem to automatically perform appropriate wiping in response to events such as file deletion, the shrinking of files, shortening the name of files, completion of journaling steps, perhaps some other cases. Is it possible to configure Windows 7 to do that, be it via built-in existing capability or addon?

Note: I'm aware that there are various programs that can be user-invoked or scheduled to wipe specific files, wipe slack/freespace, that sort of thing. The feature I'm attempting to describe is one where wiping is more automated and integrated.

The NTFS filesystem does have a journaling feature called the USN journal, which you can optionally enable for non-system partitions but which is always active on the Windows partition (and can't be turned off there).

There is no provision for wiping deleted files, and doing so would probably be rather inefficient and add a lot of disk accesses - deleting files would take as long as moving or copying them.

The only reason I can think of such a feature as being useful is privacy, and for that you might consider encrypting your system instead, for example with TrueCrypt.

BCWipe has a Transparent Wiping option that does something similar - not sure if it does all that you require as I have not used it and I think there might be a performance hit. There is a forum so a search might give more information. BCWipe has quite a few other features too that might entice some like swapfile encryption and various wiping options.

Thanks for the replies. Since I'm new here it is possibly worth mentioning that privacy and security are interests of mine, so I frequently think in those terms. FWIW, I am familiar with Truecrypt and other tools for creating encrypted drives and containers in which files can be stored. I particularly like encrypted file containers for storing sensitive records. The well known problem with that, of course, is that the OS and applications can effectively copy sensitive data from an encrypted store and write it to a less or not at all secured media. It's one thing if an app creates and leaves a temporary copy of such a file in a known directly where it can be subsequently selected for wiping. It is another thing for an app to make a temporary copy of a such a file and then delete it, leaving nothing for the user to select for wiping. Coupled with other issues such as storage devices internally implementing wear leveling and filesystems being in the best position to know what has to be over-written in order to purge sensitive data, this makes secure destruction something that requires some OS/device support.

That BCWipe Transparent Wiping capability is interesting and I'm looking into it. Ultimately, I will likely again utilize FDE as an outer layer of protection. However, even when using that I would welcome any improvements in the ability to overwrite destroy rather than simply delete file data.

I think this is an interesting question, BitGroomer.
It would be nice to encrypt the entire system, and have only a boot partition unencrypted. I don't think that's an option in Windows 7(but I'm no windows expert for sure), but if I understand what you're looking for then nothing on the drive would be unencrypted except the necessary boot files.
This is possible to implement on a different OS as I have set up my laptop that way, I'm interested in seeing how to do that in Windows 7.

Hmmm... I think I'd have to upgrade for that option.

giblets said:

I think this is an interesting question, BitGroomer.
It would be nice to encrypt the entire system, and have only a boot partition unencrypted. I don't think that's an option in Windows 7(but I'm no windows expert for sure), but if I understand what you're looking for then nothing on the drive would be unencrypted except the necessary boot files.
This is possible to implement on a different OS as I have set up my laptop that way, I'm interested in seeing how to do that in Windows 7.

Truecrypt has been mentioned which does this and is free. From my own experience just using the encryption of partitions and containers this software is very reliable but I have not gone the encrypt-system-partition route as this does have more potential problems than benefits for me personally.

Truecrypt has proven extremely safe and efficient for me, I use it on both my desktop and laptop for full system encryption. It's very well-written software and has never given me the slightest issue. (I donated to them too) :)

There are a few gotchas, mind you: If you boot from your Windows DVD, startup repair won't see any OS obviously. If you want to access it through the command prompt, you have to run Truecrypt in portable mode (say, from a USB stick) and mount the system partition before you can work with it.

It will also slightly complicate your backup strategy - if you image the running Windows system, the image ends up unencrypted. If you image the system offline (from a WinPE environment such as Macrium's rescue disc) you can image it encrypted but will have to image every sector, i.e. save a clone of the full partition into the image file.

Despite these issues, I think it's really worth it. Just takes a bit of planning ahead. :)