Last Updated: by Gina Kopf
Does deleting a file delete it for good? The answer is almost never—at least not right away. It is important to remember that a deleted file can be recovered.
When their computer shows a pop-up notification stating “Your trash bin is empty”, many people take the computer’s word for it. But just because you delete a file doesn’t mean that the data is gone forever.
Traditional spinning hard drives store data on polished magnetic metal platters (or glass or ceramic with a thin metal layer), and they store data by magnetizing sectors. A magnetized section represents a ‘1’ and a demagnetized section represents a ‘0’.
When you delete a file, the operating system marks the area where that data resides on the hard disk drive (HDD) as available, and logically removes it from the file tree structure. The magnetic data still resides on the disk, but the pathway to accessing the data has been removed from the operating system. Data retrieval tools like Recuva by Piriform or Data Rescue by Prosoft can retrieve deleted files by scanning the disk for magnetized sections and attempting to reassemble the deleted files. Even if only part of the file is restored, this is data that can be retrieved and successfully read.
Recoverability depends on how the drive is formatted.
Let's take a moment to understand what formatting does to your HDD. When a hard drive is formatted, the operating system loses its ability to reference the data on the disk. Until that drive sector is overwritten with new data, there is still a chance to recover the old data if the pointers leading to the data are recovered.
In essence, “deleted” data remains on the drive. Fully formatting the disk usually involves a process called zeroing, which writes ‘0’ across all magnetic sectors of the drive. Zeroing erases the data, but due to the nature of magnetization it can leave small traces, as you can see in the image below, that show which bits used to read ‘1’. Forensic data recovery teams use this trick to read these subtle traces and conclude what the bits used to read, and thereby reconstruct the formatted data.
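The delete, recover and zero sequence described above can be modelled on a constructed in-memory disk. This is an added example, not code from the original article or from Recuva or Data Rescue; `ToyDisk`, `carve_jpegs` and `demo` are hypothetical names, and the "photo" is a constructed byte string carrying only the JPEG start and end markers.

```python
SECTOR = 512
JPEG_START, JPEG_END = b"\xff\xd8\xff", b"\xff\xd9"   # JPEG start/end markers

class ToyDisk:
    """Constructed model: raw sectors plus the file table the OS consults."""
    def __init__(self, sectors=64):
        self.raw = bytearray(sectors * SECTOR)
        self.table = {}          # name -> (offset, length)
        self.next_free = 0

    def write_file(self, name, data):
        off = self.next_free
        self.raw[off:off + len(data)] = data
        self.table[name] = (off, len(data))
        self.next_free = off + -(-len(data) // SECTOR) * SECTOR  # round up

    def delete(self, name):
        # Ordinary delete: the pointer goes away, the bytes stay where they are.
        del self.table[name]

    def zero_free_space(self):
        # Write zeros everywhere except over files still in the table.
        keep = [self.raw[o:o + n] for o, n in self.table.values()]
        self.raw[:] = bytes(len(self.raw))
        for (o, n), data in zip(self.table.values(), keep):
            self.raw[o:o + n] = data

def carve_jpegs(raw):
    """Recover byte runs between JPEG markers without using any file table."""
    found, pos = [], 0
    while (start := raw.find(JPEG_START, pos)) != -1:
        end = raw.find(JPEG_END, start + len(JPEG_START))
        if end == -1:
            break
        found.append(bytes(raw[start:end + len(JPEG_END)]))
        pos = end + len(JPEG_END)
    return found

def demo():
    disk = ToyDisk()
    photo = JPEG_START + b"\xe0constructed-photo-bytes" + JPEG_END
    disk.write_file("notes.txt", b"constructed text file")
    disk.write_file("photo.jpg", photo)
    disk.delete("photo.jpg")
    after_delete = carve_jpegs(disk.raw)   # still recoverable
    disk.zero_free_space()
    after_zero = carve_jpegs(disk.raw)     # nothing left at the byte level
    return photo, after_delete, after_zero
```

The model works at the byte level only, so it does not represent the residual magnetic traces the article mentions.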
How to securely delete data from a hard drive.
For organizations tasked with fully sanitizing data stored on IT assets, there are standards that should be followed. The two most widely utilized in the United States are from the Department of Defense (DoD) and the National Institute of Standards and Technology (NIST). The DoD standard, DoD 5220.22-M, is 25 years old, and the NIST standard, NIST 800-88, accounts for more recent technologies and technical advancements.
To effectively erase previously stored data, the simplest technique overwrites HDD storage areas with the same data everywhere, often using a pattern of all zeros. The Department of Defense released its own specification for secure deletion, called DoD 5220.22-M. This specification requires three passes of rewriting: first zeros, then ones, and finally random data.
Random overwriting takes the process a step further by using random bits (instead of zeros) to overwrite the data on the disk. This process is repeated multiple times to make sure that any residual traces are overwritten to make deciphering the data impossible. With traditional magnetic spinning drives, these erasure methods can be used to remove the data from the entire disk, or a specific part of the disk – if, for example, you wished to remove one file securely.
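The three-pass sequence described above (zeros, ones, random data), applied to a single file, looks like the following. This is an added example, not code from the article or from any DoD tool; `three_pass_overwrite` is a hypothetical name, and it assumes a magnetic drive with a file system that rewrites blocks in place (no copy-on-write, snapshots or SSD remapping).

```python
import os
import secrets

CHUNK = 1024 * 1024  # write in 1 MiB pieces to bound memory use

def _fill(fd, size, make_chunk):
    """Overwrite the first `size` bytes of fd, then force them to the device."""
    os.lseek(fd, 0, os.SEEK_SET)
    left = size
    while left:
        data = make_chunk(min(CHUNK, left))
        written = 0
        while written < len(data):
            written += os.write(fd, data[written:])
        left -= len(data)
    os.fsync(fd)  # without this the pass may only reach the page cache

def _verify(fd, size, value):
    """Read the file back and confirm every byte equals `value`."""
    os.lseek(fd, 0, os.SEEK_SET)
    left = size
    while left:
        data = os.read(fd, min(CHUNK, left))
        if not data or data.count(value) != len(data):
            return False
        left -= len(data)
    return True

def three_pass_overwrite(path, unlink=True):
    """Zeros, then ones (0xFF), then random data; returns bytes overwritten."""
    fd = os.open(path, os.O_RDWR)
    try:
        size = os.fstat(fd).st_size   # never extend or truncate the file
        for value in (0x00, 0xFF):
            _fill(fd, size, lambda n, v=value: bytes([v]) * n)
            if not _verify(fd, size, value):
                raise OSError(f"verification of 0x{value:02X} pass failed")
        _fill(fd, size, secrets.token_bytes)
    finally:
        os.close(fd)
    if unlink:
        os.remove(path)   # remove the directory entry only after the passes
    return size
```

The file length is left unchanged, and earlier copies held in backups, temporary files or file-system journals are outside what this routine touches.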
Now that we covered HDDs, do SSDs and flash devices work the same way?
Unfortunately, no. You can only write to a solid-state drive (SSD) so many times, which presents an issue if you want to wipe the SSD clean. Reliably erasing data from storage media (sanitizing the media) is a critical component of secure data management. While sanitizing entire disks and individual files is well-understood for HDDs, flash-based SSDs have a very different internal architecture, so it is unclear whether the techniques used for hard drives will work for SSDs.
While an SSD uses a file system to communicate data storage locations to the host operating system, it also re-shuffles the data to ensure even wear across all memory blocks. Unlike HDDs that use physically indexable locations that software can target, SSDs have no way of telling your computer where that information was just copied to. SSDs cannot make changes to individual bits and instead write larger blocks together. Adding new data to an SSD requires a complete rewrite of a block. And to prevent overuse of a specific section of the SSD, the drive controller manages the writing time and location through a process called write-leveling.
In conclusion, the deletion process is far more complex than just emptying the trash bin on your computer. ‘Deleted’ data poses no threat if an old computer’s resting place happens to be in your basement collecting dust, but understanding how a computer’s storage drive works will help ensure that your sensitive (‘deleted’) data stays secure.
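Why a host-side overwrite does not reach the original flash cells can be shown with a constructed model of the controller's remapping. This is an added example, not code from the article or from any real SSD firmware; `ToyFTL`, `host_overwrite` and `demo` are hypothetical names, and the model has no garbage collection.

```python
import os

class ToyFTL:
    """Constructed model of the drive controller's logical-to-physical map."""
    def __init__(self, physical_pages=8):
        self.pages = [None] * physical_pages   # physical flash pages
        self.l2p = {}                          # logical block -> physical page
        self.stale = set()                     # pages holding superseded data
        self.cursor = 0

    def write(self, lba, data):
        # Flash is not updated in place: new data goes to the next unused
        # page and the old page is only unmapped, not erased.
        if self.cursor == len(self.pages):
            raise RuntimeError("toy model has no garbage collection")
        if lba in self.l2p:
            self.stale.add(self.l2p[lba])
        self.pages[self.cursor] = data
        self.l2p[lba] = self.cursor
        self.cursor += 1

    def read(self, lba):
        # The host only ever sees the page currently mapped to the block.
        return self.pages[self.l2p[lba]]

    def raw_dump(self):
        """What reading the flash chips directly would return."""
        return [p for p in self.pages if p is not None]

def host_overwrite(ftl, lba):
    """Zeros, ones, random: the HDD-style passes, issued by the host."""
    size = len(ftl.read(lba))
    for make in (lambda n: bytes(n), lambda n: b"\xff" * n, os.urandom):
        ftl.write(lba, make(size))

def demo():
    ftl = ToyFTL()
    secret = b"constructed secret"
    ftl.write(0, secret)
    host_overwrite(ftl, 0)
    visible = ftl.read(0)
    return visible != secret, secret in ftl.raw_dump(), len(ftl.stale)
```

In the model, the host reads back overwritten data for the logical block while the original bytes remain in an unmapped physical page.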
I'm an expert in data storage and secure data deletion, and I can attest to the accuracy of the information provided in the article. Deleting a file doesn't necessarily mean it's gone forever, and understanding the underlying mechanisms of storage devices is crucial for ensuring data security. Let me break down the key concepts covered in the article:
- Data Storage on Traditional Hard Drives (HDDs):
  - Traditional spinning hard drives store data using magnetized sectors on polished magnetic metal platters. A magnetized section represents a '1,' and a demagnetized section represents a '0.'
  - When a file is deleted, the operating system marks the area on the hard drive as available but doesn't immediately erase the data. Tools like Recuva or Data Rescue can be used to recover deleted files by scanning for magnetized sections.
- Formatting a Hard Drive:
  - When a hard drive is formatted, the operating system loses its ability to reference the data on the disk. Until the drive sector is overwritten with new data, there's a chance to recover the old data.
  - Fully formatting the disk usually involves a process called zeroing, which writes '0' across all magnetic sectors. However, traces of the old data may still exist.
- Secure Deletion Standards:
  - Organizations follow standards like DoD 5220.22-M and NIST 800-88 for securely erasing data. These standards involve overwriting HDD storage areas with specific patterns, such as zeros, ones, and random data, in multiple passes to ensure data removal.
- Challenges with SSDs:
  - Unlike HDDs, solid-state drives (SSDs) have a different internal architecture. SSDs use a file system but also re-shuffle data to ensure even wear across memory blocks.
  - Erasure techniques effective for HDDs might not work for SSDs due to the way they manage data, writing larger blocks together and undergoing a complete rewrite of a block when adding new data.
- Secure Deletion on SSDs:
  - Secure deletion on SSDs is challenging due to limitations on the number of write cycles. SSDs use write-leveling to manage writing time and location, making it difficult to pinpoint the exact location of specific information.
- Conclusion:
  - The article concludes that the deletion process is more complex than simply emptying the trash bin. While 'deleted' data may not pose an immediate threat, understanding how storage drives work is essential for ensuring the security of sensitive data, especially when dealing with both HDDs and SSDs.
In summary, the information presented in the article aligns with my expertise in data storage and secure data deletion practices.