Secure Erase SSD

ctitanic

Well-Known Member
> Maybe he's concerned about a true secure erase. Just reinstalling the OS over the old OS, most people would agree that forensics software can easily recover files from the old OS install.

Well, the way I understand it, the partition is restored and that deletes the old FAT or whatever it is named now. So there is nothing that can be restored.
 

FlySwatter

Active Member
> Well, the way I understand it, the partition is restored and that deletes the old FAT or whatever it is named now. So there is nothing that can be restored.

FAT is just a table of contents. Deleting it doesn't delete the data itself, it just deletes references to it, right? I think malberttoo makes a valid point that if the factory reset just repartitions or deletes the FAT, the data is still there to be potentially mined with forensic recovery software.

Having said that, I'm just playing devil's advocate. For a normal home user, I see nothing wrong with using the factory reset option -- MS or the next owner is unlikely to care about what you had on your hard drive.

However, as someone who supports laptops, desktops, and servers for an enterprise-level company, we use a certified data erasure utility on every hard drive and retain an electronic record of the event for security purposes. Obviously, the level of concern here should be based on the nature/importance of the data itself.
 

ctitanic

Well-Known Member
> FAT is just a table of contents. Deleting it doesn't delete the data itself, it just deletes references to it, right? I think malberttoo makes a valid point that if the factory reset just repartitions or deletes the FAT, the data is still there to be potentially mined with forensic recovery software.
>
> Having said that, I'm just playing devil's advocate. For a normal home user, I see nothing wrong with using the factory reset option -- MS or the next owner is unlikely to care about what you had on your hard drive.
>
> However, as someone who supports laptops, desktops, and servers for an enterprise-level company, we use a certified data erasure utility on every hard drive and retain an electronic record of the event for security purposes. Obviously, the level of concern here should be based on the nature/importance of the data itself.

Agree, but I would not do anything more than wiping the free space. CCleaner can help you with that.
 

malberttoo

Well-Known Member
> FAT is just a table of contents. Deleting it doesn't delete the data itself, it just deletes references to it, right? I think malberttoo makes a valid point that if the factory reset just repartitions or deletes the FAT, the data is still there to be potentially mined with forensic recovery software.
>
> Having said that, I'm just playing devil's advocate. For a normal home user, I see nothing wrong with using the factory reset option -- MS or the next owner is unlikely to care about what you had on your hard drive.
>
> However, as someone who supports laptops, desktops, and servers for an enterprise-level company, we use a certified data erasure utility on every hard drive and retain an electronic record of the event for security purposes. Obviously, the level of concern here should be based on the nature/importance of the data itself.

Exactly. I've always been fine selling off laptops or whatever, with only deleting the partitions and re-installing Windows. However, it's not secure, in that all the original 1's and 0's are still on the hard drive, and aren't truly gone until that sector is written over again at some point with new data.

It definitely is not worth getting into for most people, to be sure. But the point is that even if you've re-installed Windows on a hard drive, and someone gets a hold of that drive, they realistically could retrieve some of your old data.

So in regards to the OP, I don't know that I would consider the restore/reset operation to be secure. You'd definitely want to run through multiple passes of a drive wiping app.
 

GreyFox7

Super Moderator
Staff member
Hmm, let's establish a few facts, and if I get any wrong be sure to correct them.
By default on all SP3s the C drive is encrypted with BitLocker Drive Encryption.
The encryption keys are securely stored in the TPM chip.

Now on with a little speculation because I've not dug into exactly how this is performed:
When you Remove and Restore I'll assume the C partition is deleted and recreated. (Perhaps they might actually delete files first, but it's unlikely they are taking the time to write over the whole partition.)

What we do next is critical from a forensics perspective.
If we generate new encryption keys and prepare the drive then lay the OS image down we have totally obscured all prior information that was on the drive before because we tossed the keys and used new keys for accessing the drive.

If we use the same encryption keys and then lay the OS image down, we may write over some prior information, but any free unwritten space is available for forensic examination after boot up. There are no files listed in the directory, but depending on how we prepared the drive the data is either readable by scanning free blocks or it's completely obscured if we changed encryption keys.

Update with additional info:
BitLocker will encrypt the entire drive, including free space, in the background when you turn it on. I'd like to assume that restoring causes BitLocker to do just that, in which case even without changing encryption keys all blocks would get overwritten with newly encrypted data, in time. But does that happen before the restore completes or during subsequent boot up, possibly more than one? Check the event log for the event "Encryption Of Volume Completed". How long that takes depends on the drive.

Therefore, to be sure, before the unit leaves your hand: delete your files, unencrypt the drive and wait for that to complete, then turn encryption back on and wait for that to complete. Run any other program you'd like to overwrite free space if you want a multi-pass operation. Then do the Remove and Restore.
 

FlySwatter

Active Member
You just had to throw BitLocker into the equation, didn't you?! :eek: :p

I don't have an answer to that scenario. My gut says, if BitLocker was enabled, and you factory reset it, the data is probably (PROBABLY) not retrievable, but I freely admit to conjecturing by the seat of my pants on this point. I will say that in my company we use TPM/BitLocker, and still use certified data erasure before lease returning any media containing data.

Personally, I don't use BitLocker on my personal laptop. I lock it with a password, and that's it. It is rarely out of my sight, never in my car alone, and I don't have to travel for company business, and my important data is on my desktop.
 

annabanana

Active Member
I've used the free utility Heidi secure eraser for years, but I don't know if it would work on the Surface.
http://eraser.heidi.ie/
There are a couple of posts on their forum indicating the latest version works on 8.1. I like to securely erase documents that have confidential data. I might try it on my SP 1 before using it on the SP3. This would do what the OP is asking about. It can be used for files and folders or the entire drive.
 

graye

Member
> Hmm, let's establish a few facts, and if I get any wrong be sure to correct them.
> By default on all SP3s the C drive is encrypted with BitLocker Drive Encryption.
> The encryption keys are securely stored in the TPM chip.

I'm not sure the C: drive is encrypted by default. Although it is a fact that BitLocker is "enabled" on the C: drive, that doesn't mean that its contents are encrypted.

  • If merely enabled, you should see a drive icon with a padlock overlay and a yellow triangle
  • If actually encrypted, you should see a drive icon with just a padlock overlay

The yellow triangle means you haven't yet run the BitLocker setup. When I manually went through the BitLocker setup, it appeared to perform the encryption at that time... so I'm not sure it was encrypted before.
 

GreyFox7

Super Moderator
Staff member
> I'm not sure the C: drive is encrypted by default. Although it is a fact that BitLocker is "enabled" on the C: drive, that doesn't mean that its contents are encrypted.
>
>   • If merely enabled, you should see a drive icon with a padlock overlay and a yellow triangle
>   • If actually encrypted, you should see a drive icon with just a padlock overlay
>
> The yellow triangle means you haven't yet run the BitLocker setup. When I manually went through the BitLocker setup, it appeared to perform the encryption at that time... so I'm not sure it was encrypted before.

My SP3 doesn't have a yellow icon and I haven't changed anything related to BitLocker.
In Disk Management it shows (BitLocker Encrypted) in the description of the C drive.
In BitLocker Management it shows Windows C: BitLocker on. My options are: Suspend Protection, Backup Recovery Key, and Turn Off BitLocker. For the other drives it shows BitLocker Off and the only option is Turn BitLocker On.

I never had a Pro 2 or 1, but I see a document and references to enabling BitLocker on Pro with Windows 8. So it seems like prior versions may not have been encrypted or enabled by default.

Windows 8.1 documentation indicates device encryption is on by default and set up during installation, provided the requirements are met. If you upgrade Win8 to Win8.1 it says you'll need to enable device encryption, as it's off by default when upgrading.
 
OP

jalpert

New Member
Thanks for the replies guys. For a home user, yes, you can hit the restore button and I'm sure you're okay. Business on the other hand....

Typically when I'm done with a PC I run DBAN and I'm done with it. DBAN won't run, and due to the UEFI requirement a lot of other utilities won't run as well.

Right now, the easiest solution appears to be: reset SP3 via restore partition --> encrypt with BitLocker (and wait for it to finish) --> restore again so it's clean when you turn it in. But does this make everything unrecoverable?
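
The two things the thread leaves to the drive icon and to waiting (whether C: is actually encrypted rather than just "enabled", and whether the conversion has finished) can be read directly from an elevated PowerShell prompt. This is an added example, not part of any post above; it assumes the OS volume is C:, English-language `manage-bde` output, and that the BitLocker event channel has the name shown.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Assumptions: OS volume is C:, BitLocker cmdlets present, English manage-bde output.
$MountPoint  = 'C:'
$PollSeconds = 60

function Get-BitLockerEraseState {
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # Used-space-only conversion skips free blocks, so data already in them is
    # left as it was; manage-bde names that state in its status text.
    $usedOnly = [bool]((manage-bde -status $MountPoint) -match 'Used Space Only')
    [pscustomobject]@{
        VolumeStatus     = "$($vol.VolumeStatus)"
        Percent          = $vol.EncryptionPercentage
        ProtectionStatus = "$($vol.ProtectionStatus)"
        # No protectors or protection Off = "enabled" but not yet activated.
        KeyProtectors    = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" }) -join ', '
        UsedSpaceOnly    = $usedOnly
    }
}

# Poll until any running conversion (encrypt or decrypt) has finished.
do {
    $state = Get-BitLockerEraseState -MountPoint $MountPoint
    Write-Host ("{0} {1} {2}%" -f $MountPoint, $state.VolumeStatus, $state.Percent)
    $busy = $state.VolumeStatus -like '*InProgress'
    if ($busy) { Start-Sleep -Seconds $PollSeconds }
} while ($busy)

$state | Format-List
$ready = $state.VolumeStatus -eq 'FullyEncrypted' -and $state.Percent -eq 100 -and
         $state.ProtectionStatus -eq 'On' -and -not $state.UsedSpaceOnly
if ($ready) { 'Whole volume, free space included, is encrypted and protection is on.' }
else        { 'Volume is not fully encrypted with protection on; check the fields above.' }

# Completion record GreyFox7 mentions. The channel name is an assumption.
Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Encryption of volume*completed*' } |
    Select-Object -First 3 TimeCreated, Id, Message
```

Saving the `Format-List` output and the event entries gives a record of the drive's state at hand-over, similar in purpose to the erasure record FlySwatter describes keeping.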
 