When a file is deleted on a computer, the data it contains is not necessarily erased instantly. This has led to questions around whether deleted files can be recovered, especially replaced files. In this article, we will focus on explaining file deletion in detail, discussing whether replaced files are permanently deleted.
When a file is deleted on a computer, the reference to it in the file system is removed. However, the actual data may still exist on the storage device until it is overwritten. When a new file replaces an existing file, this raises the question of what happens to the original file contents. We will explore the technical details around file systems, deletion commands, and data recovery to understand if replaced files can be permanently deleted.
File Replacement
File replacement refers to the process of saving a new file with the same name and location as an existing file in a filesystem. When a file is replaced, the new file’s data overwrites the old file’s data byte for byte. The old data is no longer accessible through the filesystem once the replacement is complete.
Some key aspects of file replacement include:
- The new file assumes the same filename and path as the original file.
- Any content in the original file is overwritten and no longer retrievable through standard filesystem access.
- Metadata like creation date may change, but properties like permissions generally remain the same.
- From the filesystem’s perspective, it appears as though the original file has been seamlessly updated with new data.
Overall, file replacement serves as a way to update the contents of a file while maintaining the same location reference and name within a computing system’s storage. It allows overwriting old data with new data without having to change filenames or references that may rely on the original file location.
Filesystems and Deletion
Filesystems like NTFS and ext4 have built-in methods for handling file deletion. When a file is deleted on these filesystems, the space occupied by the file is not immediately wiped or overwritten. Instead, the filesystem simply marks the file’s clusters or blocks as available for future writes. The original file contents remain on disk until new data is written over them.
On NTFS, the Master File Table (MFT) tracks all files on the volume. When a file is deleted, its MFT record is marked as inactive. The clusters allocated to that file are also marked as unallocated in the volume’s bitmap. The file’s data remains intact in those clusters until overwritten.
Similarly, on ext4 filesystems, each file is represented by an inode containing metadata like size, permissions, and pointers to data blocks. Deleting a file clears its inode, marking it as free. The now-unreferenced data blocks are marked as available for allocation to other files. A deleted file’s data remains in those blocks until reallocated.
Therefore, on standard filesystems like NTFS and ext4, deletion is a metadata operation only. The filesystem marks files and their blocks as deleted, but does not actually erase the data right away. This explains why deleted files can often be recovered, until their clusters get recycled and overwritten with new data (Levy, 2022).
Levy, E. (2022, September 10). File Deletion. Schneier on Security. https://www.schneier.com/blog/archives/2009/09/file_deletion.html
File Table and Inodes
Filesystems like ext4 in Linux use both a file table and inodes to keep track of files and directories. The file table contains file descriptors that point to inodes. An inode stores the metadata and attributes for a file, including information like permissions, owner, group, size, number of links, and location of data blocks on disk.
When a file is first created, it is assigned a unique inode number that points to its metadata in the inode data structure. The directory entry for that file then points to the inode number. Opening a file creates a file descriptor in the file table, which contains a pointer to the relevant inode.
When deleting a file, the filesystem does not immediately remove the data or inode. Instead, it decrements the link count in the inode and removes the directory entry pointing to that inode. The data blocks may remain intact until overwritten. The inode is only removed when the link count reaches zero. Therefore, the file contents remain recoverable until the inode itself is deleted and the data blocks are overwritten by new files. This shows the close relationship between inodes, file tables, and file deletion.
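The link-count behaviour described above can be observed directly on a Linux or other POSIX system. The following is an added example, not part of the original article; the file names and contents are constructed, and it assumes a filesystem that supports hard links.

```python
import os
import tempfile


def observe_unlink(workdir):
    """Follow one inode through a hard link and two unlinks."""
    path = os.path.join(workdir, "report.txt")        # constructed sample file
    alias = os.path.join(workdir, "report-link.txt")  # constructed second name
    with open(path, "wb") as f:
        f.write(b"constructed sample contents\n")

    fd = os.open(path, os.O_RDONLY)    # open descriptor referring to the inode
    seen = {"inode": os.fstat(fd).st_ino, "links": []}
    try:
        seen["links"].append(os.fstat(fd).st_nlink)   # one directory entry
        os.link(path, alias)                          # second name, same inode
        seen["links"].append(os.fstat(fd).st_nlink)
        os.unlink(path)                               # the call rm makes: drop a name
        seen["links"].append(os.fstat(fd).st_nlink)
        os.unlink(alias)                              # last name removed
        seen["links"].append(os.fstat(fd).st_nlink)
        seen["names_left"] = os.listdir(workdir)
        # No directory entry is left, yet the descriptor still reads the data:
        # the inode and its blocks are released only after the last close.
        seen["data_via_fd"] = os.pread(fd, 64, 0)
    finally:
        os.close(fd)
    return seen


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(observe_unlink(d))
```

During incident response this is why a file that a process deleted but still holds open can be read back through that process's descriptor while the process is alive.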
Source: Inodes Overview
Delete File Commands
There are various commands available on Linux, Windows, and macOS to delete files and directories. On Linux, the most common command is rm, which removes the directory entries for the given file or directory so they are no longer accessible. According to the IBM documentation on Deleting files, the rm command permanently removes the data for those files by unlinking the inodes.
On Windows, deleting a file through File Explorer or the command line del and erase commands will remove the file entry from the file table but not immediately overwrite the data. The space is marked as available to be overwritten. However, until it gets overwritten, the raw data may still exist on the disk and be recoverable with forensic tools. On macOS, the rm command works similarly to permanently delete files.
The key difference is that Linux file deletion with rm fully removes file entries and data immediately, while Windows and macOS just mark the file entry as removed but may not overwrite file contents right away. So deleted files can still be recovered on those systems if the raw disk space has not been reused.
Replacement and Deletion
When a file is replaced or overwritten with new content, the original data is not immediately deleted from the disk. The filesystem simply marks the space occupied by the original file as available for new data. Until that space is overwritten, the original data can often still be recovered using data recovery tools.
This is because on most filesystems like NTFS and ext4, when you delete a file, the directory entry for that file is removed but the actual file contents remain on disk in the previously allocated clusters. The filesystem marks those clusters as free/available for new data. The original file data remains in those clusters until the OS overwrites it with new data [1].
Therefore, if a file is replaced, the original file still exists in those clusters even though the filesystem treats it as deleted. As long as the original clusters haven’t been overwritten, the original file can be recovered by forensic tools. However, once new data occupies those clusters, it becomes difficult to recover the original file.
Some utilities like INUSE try to prevent recovery by overwriting the original file’s disk space before replacing it [2]. However, advanced forensic tools may still be able to recover fragments of the original data.
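The difference between a plain replacement and an overwrite-before-replace can be shown on a POSIX system by holding a descriptor to the old inode and reading it after the replacement. This is an added example, not code from the article or from any tool it names; the file names, contents and function names are constructed for illustration, and the held descriptor stands in for "blocks not yet reused".

```python
import os
import tempfile
from pathlib import Path


def replace_by_rename(path, new_data):
    """Write a sibling temp file and rename it over the target: the name moves
    to a new inode and the old inode's blocks are freed, not overwritten."""
    tmp = path + ".tmp"                       # hypothetical temp-file name
    with open(tmp, "wb") as f:
        f.write(new_data)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)


def scrub_then_replace(path, new_data):
    """Overwrite the old bytes through the existing inode, then replace."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:              # r+b keeps the inode, no truncate
        f.write(os.urandom(size))
        f.flush()
        os.fsync(f.fileno())
    replace_by_rename(path, new_data)


def compare(workdir):
    path = os.path.join(workdir, "secret.txt")
    old, new = b"OLD constructed secret\n", b"new contents\n"
    results = {}
    for name, fn in (("rename", replace_by_rename), ("scrub", scrub_then_replace)):
        with open(path, "wb") as f:
            f.write(old)
        held = os.open(path, os.O_RDONLY)     # keeps the old inode observable
        before = os.stat(path).st_ino
        fn(path, new)
        results[name] = {
            "new_inode": os.stat(path).st_ino != before,
            "old_bytes_survive": os.pread(held, len(old), 0) == old,
            "visible": Path(path).read_bytes(),
        }
        os.close(held)
    return results


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(compare(d))
```

The in-place overwrite reaches the original physical blocks only where the filesystem and device write in place; copy-on-write filesystems and SSD wear levelling can leave older copies behind.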
Data Recovery
When a file is deleted from a computer, the reference to the file’s data on the disk is removed from the file system, but the actual data still remains on the physical disk. This allows data recovery software to scan the disk and rebuild the file system to regain access to deleted files. However, the longer the deleted data remains on the disk, the higher the chance it could be overwritten by new data. So it’s important to act quickly when trying to recover deleted files.
There are a few challenges around recovering deleted files. First, the file system metadata can become corrupted which makes scanning and rebuilding difficult. Also, solid state drives and flash memory work differently than traditional hard drives, making data recovery more complex. Encrypted disks add another barrier to accessing deleted data. Lastly, easily downloadable recovery software often fails to fully restore files, so it’s best to use a reputable commercial solution like Stellar Data Recovery.
Best Practices for Permanently Deleting Files
When it comes to permanently deleting sensitive files, following best practices is critical to ensure the files cannot be recovered. Here are some key best practices to keep in mind:
- Use a secure deletion tool – Specialized secure deletion tools like Eraser for Windows or Permanent Eraser for Mac can overwrite files multiple times to prevent recovery. They utilize advanced deletion algorithms like DoD 5220.22-M to guarantee files are unrecoverable.
- Wipe free disk space – Simply deleting files normally doesn’t touch free disk space, which may contain traces of old deleted files. Use a disk wipe utility to overwrite free space and eliminate this sensitive data residue.
- Encrypt sensitive data – Encrypting files before deleting them adds an extra layer of protection. Without the encryption key, recovering the raw deleted files would be useless.
- Destroy storage media – Physically destroying old hard drives, SSDs, and flash media ensures no deleted files can ever be recovered from that device.
- Enable file shredding – Some operating systems like Windows 10 allow enabling file shredding to perform secure deletion automatically on all deleted files.
Mitigation Techniques
There are a few techniques that can help mitigate the risk of deleted files being recovered by unauthorized parties. One of the most effective is encryption. When a file is encrypted, even if an unauthorized person is able to recover the deleted file, they will not be able to access the contents without the proper encryption key. Encryption transforms data into unreadable cipher text so that only authorized parties with the key can decrypt it back into plaintext and access the contents. Some popular encryption algorithms like AES 256 provide military-grade protection. Enabling encryption, especially for sensitive files, can prevent unauthorized recovery even if deleted files can technically be retrieved from the system.
In addition to encryption, there are some other mitigation techniques like securely wiping deleted files that can help. Tools like Eraser for Windows allow you to securely overwrite deleted files multiple times to prevent recovery. For maximum protection, wiping can be combined with encryption. Wiping ensures the deleted encrypted file cannot be recovered, while encryption ensures that even if wiping failed, the contents would remain protected.
Finally, being careful about how deleted files are handled can reduce risk. Avoid recoverable storage like USB drives or cloud storage when deleting sensitive files, as these facilitate recovery. And have strong access controls to storage so that even if files are recoverable, only authorized users have the ability to attempt recovery. With layered security including encryption, secure deletion, and access controls, the risk of unauthorized file recovery can be greatly reduced.
Conclusion
To definitively answer the original question: are replaced files permanently deleted? The answer is no, they are not necessarily permanently deleted. When a file is replaced on most standard filesystems, the reference in the file table is simply updated to point to the new file data. The old file data still physically exists on disk until it is overwritten by new data. While it is inaccessible through standard means, advanced data recovery techniques could potentially reconstruct the original deleted file.
However, there are ways to mitigate this issue. Using secure delete commands and tools can overwrite the original file data to make recovery very difficult. Encrypting files also provides effective protection. Best practices like promptly wiping drives before disposal can help as well. While file replacement alone does not permanently delete, steps can be taken to achieve full and irrecoverable deletion.