Whenever you want to secure something – doesn’t matter what it is – it’s all about managing risks. So, you start by determining what might happen if you fail to protect something, and balance that against the cost, in time, effort, and/or money, that you’re willing or able to spend on keeping it safe. And that holds very true when you want and/or need to protect files. It’s best to think of it not as any absolute protection, but rather as a series of steps, with each step you take making it more expensive for someone else to get your stuff.
Hiding whatever it is you want to secure also makes sense… if a potential adversary can’t find it, or better yet, has no idea it exists, they can’t even begin to try and get access. And the best way to hide anything generally is to keep it somewhere that no one would think to look. When it comes to securing files, the 1st place anyone would look for them is on your PC, so maybe don’t keep them stored on an internal hard drive.
Most people start with encryption, which is fine, but you should remember that the file [or files] you’ve encrypted existed in their unprotected form beforehand, and will exist that way again every time you decrypt that archive to access them. You might securely erase the original, but when files are edited during creation, or decrypted, copies may exist in temporary folders, and possibly in memory. And of course, if the device has been compromised, someone could in effect [or literally] be watching as you encrypt & decrypt your files.
When it comes to hiding an encrypted archive [file], traces, tracks, and apps etc. found in that copy of Windows can give a potential adversary clues on where to look and what to look for. A steganography app used to hide data in an image tells them to examine every image that they find. VM [Virtual Machine] host software tells them to look for VMs, and look inside them. Even if you remove those apps, traces that they were used will likely be found in the Windows registry. One strategy is to provide something that’s intended to be found, in hopes that no one will look further.
Another strategy uses VirtualBox VMs [Virtual Machines], which are a single virtual hard disk with an OS [e.g. Windows] installed, same as if on a PC. You can copy those VHDs [Virtual Hard Disks], storing them pretty much anywhere. So you can run a VM, do whatever you want, install & run whatever you want, shut that VM down, optionally erase the VHD it used, and copy the original VHD to that folder. There won’t be any traces whatsoever in that original VM because whatever you did never happened there.
Using software intended to find lost files [like what’s often on GOTD] is standard forensic practice when looking for something. If they have lots of resources, e.g. a government agency, they might be able to pick up clues from the unused space in clusters storing the last portions of files, which is often not included in a secure erase of a conventional hard drive. If the drive is an SSD, they may find stuff by accessing the memory chips directly. One option is to use a RAM drive, since its contents disappear with a restart or reboot. Another potential option is to use microSD cards, which can be both easily hidden & destroyed.
And another option is to use an encrypted drive, either real or virtual, where anything recovered would be encrypted, and so of no use. One potential negative is that it’s obvious you had an encrypted drive [or drives], and you might be compelled [or forced] to open [decrypt] them. VeraCrypt offers the option to nest a 2nd undetectable encrypted virtual drive inside another. Their thinking is that you can give up the 1st, and whoever it is wouldn’t have a clue about the 2nd.
There are other ways that you might use VeraCrypt, which can either encrypt an existing drive partition, or create encrypted virtual drives, which are single files that can be mounted to work as a real, physical disk. The main negative is that using virtual drives adds overhead, as does encrypting & decrypting contents on-the-fly, which means slower performance. As a single file, a VeraCrypt virtual drive can be copied or stored anywhere, including in cloud storage, or on an SD card. VeraCrypt itself can also be used portably with its encrypted virtual drives. For the really paranoid, there’s no reason you couldn’t run VeraCrypt portably or installed in a VM, then replace the VM’s VHD with a copy of the original, leaving no possible traces that VeraCrypt had ever been run.
Hiding files can be as easy as renaming them to blend in with other files in one of the C:\Windows folders, e.g. something.dll with the file dates changed to match Windows files. They probably won’t stay hidden if a file recovery app is run, and someone could probably easily write a script checking file headers, but a more casual user isn’t going to do either of those things. You could bundle files in an encrypted zip or 7-zip file, name it pictures or something, & store it in the cloud, e.g. to the OneDrive account set up when you install Windows 10, and that would probably be good enough for lots of people. If you wanted to hide it so no one would know about it, use an account that cannot be tied to you.
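To show how little effort the header-checking script mentioned above takes, here is an added example (not from the original post) that walks a folder and reports files whose first bytes don’t match what their extension claims. The magic-byte table, the function names and the sample files are all constructed for illustration.

```python
import os
import tempfile

# Magic bytes at offset 0 for a few common formats.
MAGIC = [
    (b"MZ", "pe"),                    # Windows EXE/DLL
    (b"PK\x03\x04", "zip"),           # ZIP (also docx, jar, ...)
    (b"7z\xbc\xaf\x27\x1c", "7z"),    # 7-Zip archive
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]
# What each extension is expected to contain.
EXPECTED = {".dll": "pe", ".exe": "pe", ".zip": "zip", ".7z": "7z",
            ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png"}

def sniff(header: bytes) -> str:
    """Return the format name for a file's leading bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if header.startswith(magic):
            return kind
    return "unknown"

def find_mismatches(root: str):
    """List (relative path, expected, actual) where extension and header disagree."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            expected = EXPECTED.get(os.path.splitext(name)[1].lower())
            if expected is None:
                continue  # extension not in our table
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    actual = sniff(fh.read(8))
            except OSError:
                continue  # unreadable or locked file
            if actual != expected:
                hits.append((os.path.relpath(path, root), expected, actual))
    return sorted(hits)

def demo():
    """Build a throwaway folder of constructed sample files and scan it."""
    samples = {"real.dll": b"MZ\x90\x00" + b"\x00" * 60,
               "something.dll": b"PK\x03\x04" + b"\x00" * 26,
               "pictures.jpg": b"7z\xbc\xaf\x27\x1c" + b"\x00" * 26,
               "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return find_mismatches(root)
```

Encrypting the archive doesn’t help here, since an encrypted zip or 7-zip file still starts with the same signature; data with no recognizable header at all comes back as "unknown" and is flagged too.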
A VPN that doesn’t log everything hides your online activities from anyone that might be watching. The Tor Browser further hides activities by running your online destinations through several anonymous proxies. Set up a fake email, use that to set up an account with a cloud storage provider, using fake data. For the really paranoid, you might create an encrypted zip or 7-zip archive of a file, then split it, storing each piece in a different cloud account that cannot be tied to you. Depending on the original file type, even if they managed to break the encryption, it can be very near impossible to get anything meaningful from just a part of a file. When you want to access the file, the same software you used to split it would rejoin the pieces.