A controller for protecting data on a data storage medium is disclosed. A single physical data storage device is divided into a protected data space, a virtual data space and an unprotected data space in an installation mode. Subsequently, the protected and unprotected data space are presented as two separate physical data storage devices and the existence of virtual data space is concealed. The two data storage devices are respectively represented as having capacity equal to that of the protected and unprotected data space only. A set of protected data (which may include software and data) is initially installed in the protected data space. During use, data transmitted to the controller for recording in the data storage space is recorded only in the virtual data space. Data may be read from either the protected data space or the virtual data space, depending on whether the virtual data space contains newer data. In one embodiment, the contents of the virtual data space are discarded at the beginning of each session of the computing system in which the controller is installed. In another embodiment, the virtual data space is discarded only when the controller is instructed to do so and the contents of the virtual data space may be made permanent by copying them to the protected data space. The protected data space and virtual data space may be located on different data storage devices. The controller may also receive read data and write data requests for an unprotected data space, which may be used to record data permanently, independent of the protected and virtual data spaces.