On a regular hard drive a secure delete of a file is possible by overwriting it. Is simply overwriting the registry key enough to securely delete the key?

If not, how can I proceed to securely delete my registry key?

1 Answer

It is very difficult to securely delete something from the registry:

  • the registry hives are synchronized with persistent files
  • these hives may be subject to logging, so overwriting a value is not necessarily sufficient
  • if the hive files are on an SSD, it will in any case be very difficult to remove every trace of the old value
  • in addition, the hive file is organized in bins and cells, which are managed somewhat like a free store (e.g. if you write a new value with larger data content, it could be written in another location, and the old value is still in its old place)

In the forensic wiki there is an article about the registry structure. In its bibliography you'll find an article about recovering past values which demonstrates that it is extremely difficult to securely delete such registry keys.

So don't store sensitive data there. Or if you have to, encrypt the value.

  • Good answer, however I think that part of the answer is missing: is there anything I can do, even with full admin rights? Commented Mar 25, 2017 at 15:06
  • @software no, nothing: the constraints I set out are structural to the registry and do not depend on authorisations. Commented Mar 25, 2017 at 15:08
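The "bins and cells" point above can be checked directly. The following is an added example, not part of the original answer: a Python scanner that walks the on-disk hive layout (a 4096-byte base block starting with `regf`, followed by `hbin` bins whose cells are prefixed by a signed 32-bit size, negative for allocated and positive for free) and reports every cell that still contains the UTF-16LE bytes of a given string, tagging whether that cell is allocated or free. By default it scans a constructed, minimal hive (no real nk/vk records, just a free cell holding an "old" value next to an allocated cell holding the current one) to show what a rewritten value leaves behind; all function and variable names are mine.

```python
import struct
import sys

HEADER_SIZE = 4096        # fixed size of the REGF base block
HBIN_HEADER_SIZE = 32     # "hbin" signature, offset, size, timestamp/padding


def build_demo_hive():
    """Constructed test data, not a real hive.

    Layout: 4096-byte base block, then one 4096-byte hbin holding three cells:
      - a FREE cell still containing the old value's bytes (what is left behind
        when a value is rewritten into a new, larger cell)
      - an ALLOCATED cell holding the current value
      - a FREE cell covering the remaining space
    Real hives put nk/vk records in these cells; here the bodies are raw data,
    which is enough to exercise the scanner.
    """
    old = "OldSecretPassword".encode("utf-16-le")
    new = "NewPlaceholder".encode("utf-16-le")

    header = bytearray(HEADER_SIZE)
    header[0:4] = b"regf"
    struct.pack_into("<I", header, 0x28, 4096)      # total size of all hbins

    def cell(payload, allocated):
        size = 8 * ((4 + len(payload) + 7) // 8)    # cell sizes are multiples of 8
        body = bytearray(size)
        struct.pack_into("<i", body, 0, -size if allocated else size)
        body[4:4 + len(payload)] = payload
        return body

    cells = cell(old, allocated=False) + cell(new, allocated=True)
    rest = 4096 - HBIN_HEADER_SIZE - len(cells)
    tail = bytearray(rest)
    struct.pack_into("<i", tail, 0, rest)           # positive size: free cell

    hbin = bytearray(HBIN_HEADER_SIZE)
    hbin[0:4] = b"hbin"
    struct.pack_into("<II", hbin, 4, 0, 4096)       # offset from first hbin, hbin size
    return bytes(header + hbin + cells + tail)


def iter_cells(hive):
    """Yield (absolute_offset, size, allocated, payload) for every cell in every hbin."""
    if hive[0:4] != b"regf":
        raise ValueError("not a REGF hive")
    hbins_size = struct.unpack_from("<I", hive, 0x28)[0]
    pos = HEADER_SIZE
    end = HEADER_SIZE + hbins_size
    while pos + HBIN_HEADER_SIZE <= end and hive[pos:pos + 4] == b"hbin":
        hbin_size = struct.unpack_from("<I", hive, pos + 8)[0]
        hbin_end = pos + hbin_size
        cur = pos + HBIN_HEADER_SIZE
        while cur + 4 <= hbin_end:
            raw = struct.unpack_from("<i", hive, cur)[0]
            if raw == 0:
                break                               # no more cells in this bin
            size = abs(raw)
            yield cur, size, raw < 0, bytes(hive[cur + 4:cur + size])
            cur += size
        pos = hbin_end


def find_residue(hive, secret):
    """Report every cell whose body contains `secret` as UTF-16LE (the encoding
    REG_SZ data uses), with whether that cell is still allocated."""
    needle = secret.encode("utf-16-le")
    hits = []
    for off, size, allocated, payload in iter_cells(hive):
        if needle in payload:
            hits.append({"offset": off, "size": size, "allocated": allocated})
    return hits


if __name__ == "__main__":
    # usage: python hive_residue.py <hive file> <string>; no arguments scans the demo hive
    if len(sys.argv) > 2:
        data = open(sys.argv[1], "rb").read()
        secret = sys.argv[2]
    else:
        data, secret = build_demo_hive(), "OldSecretPassword"
    for h in find_residue(data, secret):
        state = "ALLOCATED" if h["allocated"] else "FREE (slack)"
        print(f"found at hive offset 0x{h['offset']:x}, cell size {h['size']}, {state}")
```

Run it against an offline copy of a hive file and a string you believe you deleted; a hit in a free cell is exactly the residue the answer describes, and nothing you do through the registry API (with any privilege level) reaches those bytes. This covers only the hive file itself: the transaction logs kept beside each hive and SSD wear levelling are separate copies that this scan does not see.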
