When a file is deleted from a computer, it is typically not immediately erased from the hard drive. Instead, the operating system marks the space occupied by the file as available for new data. This allows the deleted data to be overwritten as needed. Until that overwriting happens, it may be possible to recover deleted files using data recovery software.
How deleted files are handled
When a file is deleted, the directory entry for that file is removed, and the space on the hard disk occupied by the file is marked as available space. The actual data remains on the disk until it is overwritten. This allows the file to be “undeleted” by restoring the directory entry and clearing the available space designation on the file’s disk sectors.
Some key points about deleted files:
- The data remains intact until the sectors it occupies are overwritten by new data.
- The space is marked as available for new data so it may be partially or fully overwritten at any time.
- The directory entry is removed so the file appears deleted to the OS and user.
- Data recovery software can scan and restore deleted directory entries and file data that has not been overwritten.
This process allows files to be recovered – at least until portions get overwritten by other data. The longer the period between deletion and overwriting, the greater the chance of successful data recovery.
File deletion vs permanent deletion
When you delete a file normally, it goes through the above process – the directory entry is removed but the data remains on disk until overwritten. This type of deleted file can often be recovered.
Permanent deletion is different. It involves taking additional steps to make sure the file data itself is overwritten – not just the directory entry. This prevents the data from being recovered by standard undelete utilities.
Methods of permanently deleting files include:
- Using wipe utilities that overwrite the data with random data patterns multiple times.
- Using the cipher command to overwrite file data with zeros or random data.
- Degaussing or physically destroying the hard drive.
These methods write over the actual file data on disk rather than just removing directory entries. This makes the files unrecoverable even by advanced data recovery techniques.
Factors affecting file recovery
Several key factors affect whether a deleted file can be recovered from a hard drive:
- Time since deletion – The longer the time period between file deletion and drive analysis, the greater the chance of recovery. With a longer time period, less chance of overwrite.
- Drive usage – Heavily used drives get more fragmented and data tends to get overwritten faster than lightly used drives.
- Drive capacity – Higher capacity drives tend to have more unallocated space for deleted files to remain without getting overwritten.
- File size – Larger files are more prone to fragmentation across multiple sectors, so there are more opportunities for portions to be overwritten.
- File system – Some file systems like NTFS keep deleted directory entries in a separate MFT area, allowing undelete until reused.
In general, the most successful recoveries come from recently deleted files on lightly used hard drives with plenty of unused space available.
Can permanently deleted files be recovered?
If a file has been permanently deleted using a secure delete method that overwrites the data, it cannot be recovered even with advanced forensic data recovery techniques. The file data no longer exists on the disk, so there is nothing left to recover.
However, there are some exceptions where permanently deleted files may still be recoverable:
- The secure delete tool was not reliable and did not fully overwrite the data.
- Only portions of the file were overwritten, allowing remnants to be recovered.
- Disk errors prevented the overwrite from taking place.
- The delete overwrote file system data but did not affect underlying virtual memory paging files.
In these cases, there may be an opportunity for partial or full file recovery even if secure delete was attempted. But generally speaking, once a file is permanently deleted and overwritten, it is unrecoverable.
Secure delete tools
There are several methods that can be used to permanently delete files by overwriting the data:
- Sdelete – Command line utility built into Windows that overwrites file data.
- Eraser – Freeware tool that overwrites data multiple times with patterns.
- Disk Wipe – Utility that performs multiple overwrites of entire disks.
- GNU shred – Secure delete utility available on Linux and some Unix systems.
- Chip erase utilities – Some disks have built-in chip erase commands to reset all data.
These tools perform multiple overwrites which make the original data unreadable even with forensic analysis. This prevents recovery of permanently deleted files.
Secure delete limitations
While secure delete tools overwrite file data to make it unrecoverable, there are some limitations:
- Most tools can only wipe individual files and not all previously deleted data.
- Overwriting errors may prevent full wiping of data.
- Solid state drives (SSDs) copy data before erasing, leaving opportunity for forensic recovery.
- Wear leveling on SSDs moves data around, so file overwrite may not affect all copies.
- Virtual memory, caches, journals and backups may retain copies of deleted files.
For maximum assurance against forensic recovery on conventional drives, at least 3 overwrite passes are recommended. And even then, portions of deleted files may remain recoverable from system and temporary storage areas.
If a file is not permanently deleted through overwriting, there are a few methods that may be able to recover it from a hard drive:
Undelete utilities scan the drive and rebuild directory entries for deleted files they find. They can recover files until the clusters get overwritten with new data. But they cannot recover permanently deleted files that have been overwritten.
Data recovery software
More advanced data recovery software does not rely only on directory entries. It scans and analyzes the raw disk sectors, looking for file signatures that indicate the start of files. This approach can potentially find deleted files even if there is no directory entry.
Data recovery services
Professional data recovery services use specialized tools like electron microscopes to read the low-level residual magnetic data on a hard drive platter. This allows them to recover deleted files even if no directory information remains and the file system shows them as deleted. However, if the file data has been overwritten, even these advanced methods will not work.
One of the most reliable ways to recover deleted files is from a backup. If the files were backed up before deletion, they can be restored from the backup media even if totally deleted and overwritten on the original disk.
Tips for minimizing data recovery
If permanently deleting sensitive files, here are some tips to minimize the chance of recovery:
- Use a tool that overwrites data multiple times, not just removes directory entries.
- Overwrite free space areas on the drive to eliminate remnant data from past files.
- Make sure the tool can directly overwrite physical disk sectors, not just operating system files.
- Verify the tool completed the overwrite successfully without any media errors.
- Degauss or physically destroy drives storing highly sensitive data if possible.
Following proper procedures for permanent deletion and drive disposal reduces the already small chances of recovering overwritten data.
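The overwrite-then-verify steps from the tips above, as an added example that is not taken from any of the tools named on this page. The function name `overwrite_file`, its parameters and the sample file are assumptions made for illustration; the default of three passes follows the figure given earlier.

```python
import os
import secrets
import tempfile

CHUNK = 1024 * 1024  # work in 1 MiB blocks


def overwrite_file(path, passes=3, unlink=True):
    """Overwrite a file in place, read the last pass back, then unlink it.

    Returns True only if the final all-zero pass was read back intact.
    Only the file's current logical blocks are touched: copies held in
    journals, swap, backups or SSD wear-leveling areas are not.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for pass_no in range(passes):
            final = pass_no == passes - 1
            fh.seek(0)
            for start in range(0, size, CHUNK):
                n = min(CHUNK, size - start)
                # Random data first, zeros last so read-back is simple.
                fh.write(bytes(n) if final else secrets.token_bytes(n))
            fh.flush()
            os.fsync(fh.fileno())  # raises OSError on a failed write
        fh.seek(0)
        verified = True
        for start in range(0, size, CHUNK):
            n = min(CHUNK, size - start)
            # May be served from the page cache, so this checks the
            # logical file content, not the physical medium.
            if fh.read(n) != bytes(n):
                verified = False
                break
    if verified and unlink:
        os.remove(path)
    return verified


if __name__ == "__main__":
    # Constructed sample file standing in for a sensitive document.
    fd, sample = tempfile.mkstemp()
    os.write(fd, b"constructed secret " * 1000)
    os.close(fd)
    print("verified:", overwrite_file(sample), "exists:", os.path.exists(sample))
```

The file is removed only after the read-back succeeds, so a failed pass leaves it in place for another attempt or a different disposal method.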
In summary, deleted files can often be recovered from a hard drive until their disk space is overwritten by new data. But if a file has been permanently deleted by overwriting the actual data, it cannot be recovered even by advanced forensic methods. The only chance for recovery is if the overwrite failed to fully wipe the data. To minimize this chance, use reliable overwrite tools and maintain good backups of important files.