When does deleting a file not delete it?

Answer: Almost always. At least not right away.

“We’ve emptied your trash bin,” said the Computer. Whether you use Windows, OS X, or Linux, many people are too trusting of their computing environments and take the computer at it’s word. Don’t make this mistake. Just because you delete a file, doesn’t mean that the data is actually gone.

What do you mean a deleted file isn’t gone?

Traditional spinning harddrives store data on polished magnetic metal (or glass or ceramic with a thin metal layer) platters and the store data by magnetizing sectors. A magnetized section represents a ‘1’ and a demagnetized section represents a ‘0’.

Magnetized Bits

When you delete a file, the operating system merely marks the area where that data resides on disk available, and logically removes it from the file tree structure. The magnetic data still resides on the disk, but the link to it has been removed from the operating system. A data retrieval tool like Recuva by Piriform or Data Rescue by Prosoft can be used to retrieve these deleted files.

Recuva Screenshot

These tools scan the disk for magnetized sections and attempt to reassemble recently deleted files, even if they can only reassemble part of the it.

Will formatting remove my personal data?

On the surface, yes, but that doesn’t mean it’s irrecoverable. Recoverability all depends on the drive itself, and how you formatted it. A quick format, for example, deletes the files as above, and again, all of the data still exists on the drive magnetically. It takes longer, but you should uncheck the quick format box if you care about security.

Magnetized Bits

“Deleted” data remains on a drive.

Fully formatting the disk usually involves a process called zeroing that writes ‘0’ across all magnetic sectors of the drive. Even this process doesn’t remove all traces of the data.

Zeroed Bits

“Zeroed” sectors on a harddrive.

“Zeroing” erases the data, but due to the nature of magnetization, it can leave small traces as you can see above that can show which bits used to read “1”. Forensic data recovery teams use this trick. Good forensic tools can read these subtle traces and use them to attempt to guess what the bits used to read, and thereby reconstruct the formatted data.

So how do you actually delete something?

You can securely delete data from a harddrive by using multi-pass deletion. Basically, specially designed software writes random bits (instead of zeros) to a harddrive to overwrite all of the data on the disk. It then repeats this process multiple times to make sure that any residual traces are overwritten so well that deciphering which trace resulted from which rewrite is impossible. The Department of Defense has released their own spec for secure deletion called DoD 5220.22-M. This spec requires 3 passes: zeros, ones, and random data respectively.

With traditional magnetic spinning drives, these erasure methods can be used to remove the data from the entire disk, or a specific part of the disk – if, for example, you wished to remove one file securely.

So do SSDs and flash devices work the same way?

Unfortunately, no. SSD and flash memory uses a drive controller to indirectly make reads and writes. SSDs cannot make changes to individual bits directly, and must instead write larger blocks together. Any changes require a complete rewrite of that block, so to speed up the write process and prevent overuse of a specific section of the SSD, the drive controller manages the writing timing and location through a process called write-leveling. Unfortunately, researchers determined that traditional data erasure methods such as those described above will not work in the same way on SSDs as they do on HDDs.1 For example, files cannot be securely erased individually. To securely erase an SSD, you must make a special request of the controller to zero-out, one-out, and erase the cache on the entire disk. Not all data erasure software is able to make these calls or verify the results, so it’s very important to use the right tools when erasing SSD and flash devices.

Now you understand the fact behind the fiction that just emptying the trash can or recycled bin deletes your files forever. This does nothing to guarantee that you delete the files. The deletion process is far more complex and now you know how it works.

  1. https://www.usenix.org/legacy/events/fast11/tech/full_papers/Wei.pdf ↩︎
About the Author