Does deleting a file delete it for good? The answer is almost never—at least not right away.
It is important to remember that a deleted file can be recovered.
When you receive a pop-up notification from your computer that states “Your trash bin is empty”, many people take the computer’s word for it. But just because you delete a file, doesn’t mean that the data is gone forever.
Traditional spinning hard drives store data on polished magnetic metal platters (or glass or ceramic with a thin metal layer) and the store data by magnetizing sectors. A magnetized section represents a ‘1’ and a demagnetized section represents a ‘0’.
When you delete a file, the operating system marks the area where that data resides on the hard drive disk (HDD) as available, and logistically removes it from the file tree structure. The magnetic data still resides on the disk, but the pathway to accessing the data has been removed from the operating system. Data retrieval tools like Recuva by Piriform or Data Rescue by Prosoft can be used to retrieve deleted files by scanning the disk for magnetized sections and attempt to reassemble deleted files—even if only part of the file is restored, this is data that can be retrieved and successfully read.
Recoverability depends on how the drive is formatted.
Let's take a moment to understand what formating your hard drive does to your HDD. When a hard drive is formatted, the operating system loses its ability to reference the data on the disk. Until that drive sector is overwritten with new data, there is still a chance to recover the old data if the pointers leading to the data are recovered.
In essence, “deleted” data remains on the drive. Fully formatting the disk usually involves a process called zeroing that writes ‘0’ across all magnetic sectors of the drive. “Zeroing” erases the data, but due to the nature of magnetization, it can leave small traces as you can see in the image below that can show which bits used to read “1”. Forensic data recovery teams use this trick to read these subtle traces and conclude what the bits used to read, and thereby reconstruct the formatted data.
How to securely delete data from a hard drive.
For organizations tasked with fully sanitizing data stored on IT assets, there are standards that should be followed. The two most widely utilized in the United States are from the Department of Defense (DoD) and the National Institute for Standards and Technology (NIST). The DoD standard –
DoD 5220.22-M is 25 years old, and the NIST standard – NIST 800-88 accounts for more recent technologies and technical advancements.
To effectively erase previously stored data, the simplest technique overwrites HDD storage areas with the same data everywhere—often using a pattern of all zeros. The Department of Defense released their own specifications for secure deletion called . This specification requires three passes of rewriting: First, zeros, then ones, and finally, random data.
Random overwriting takes the process a step further by using random bits (instead of zeros) to overwrite the data on the disk. This process is repeated multiple times to make sure that any residual traces are overwritten to make deciphering the data impossible. With traditional magnetic spinning drives, these erasure methods can be used to remove the data from the entire disk, or a specific part of the disk – if, for example, you wished to remove one file securely.
Now that we covered HDDs, do SSDs and flash devices work the same way?
Unfortunately, no. You can only write to a solid-state drive (SSD) so many times, which presents an issue if you want to wipe the SSD clean. Reliably erasing data from storage media (sanitizing the media) is a critical component of secure data management. While sanitizing entire disks and individual files is well-understood for HDDs, flash-based SSDs have a very different internal architecture, so it is unclear whether the techniques used for hard drives will work for SSDs.
While an SSD uses a file system to communicate data storage locations to the host operating system, it also re-shuffles the data to ensure even wear across all memory blocks. Unlike HDDs that use physically indexable locations that software can target, SSDs have no way of telling your computer where that information was just copied to. SSDs cannot make changes to individual bits and instead write larger blocks together. Adding new data to a SSD requires a complete rewrite of a block. And to prevent overuse of a specific section of the SSD, the drive controller manages the writing time and location through a process called write-leveling.
In conclusion, the deletion process is far more complex than just emptying the trash bin on your computer. ‘Deleted’ data poses no threat if an old computer’s resting place happens to be in your basement collecting dust but understanding how a computer’s storage drive works will help ensure that your sensitive (‘deleted’) data stays secure.