Do overwritten files get deleted?

When a file is overwritten, the original contents are erased and replaced with new data. But is the original file actually deleted from the storage device? The answer depends on how file deletion works behind the scenes.

How File Deletion Typically Works

When you delete a file through your operating system, it isn’t instantly removed from your storage device. Instead, the OS marks the file’s clusters or sectors as available for future write operations. The file’s entry in the file table is removed, so it appears deleted to the OS and applications. But the actual contents remain on the storage device until new data overwrites it.

This is done for performance reasons. Deleting files immediately would require reformatting that part of the disk, which is a slow process. Marking file clusters as available for overwrite is much faster. It also avoids fragmentation issues that would occur if parts of the disk randomly became free space after file deletions.

File Overwriting and Deletion

When a file is overwritten, the OS allows the new data to occupy the same physical space (clusters or sectors) on the disk where the original file was stored. The original contents are replaced sector-by-sector or cluster-by-cluster by the new data. This happens at a very low level, below the file system level where filenames and directories are managed.

From the perspective of the file table and OS, the original file is now gone. The clusters it previously occupied are associated with the new file. Even if the new file has a different name and directory location, it’s using the same physical space on the disk.

When the OS wants to read or modify the new file, it looks up its location in the file table and accesses the appropriate disk sectors. The original file is no longer tracked in the file table, so as far as the OS is concerned, it’s deleted. The original data is overwritten at the disk level and rendered inaccessible.

File Recovery from Overwritten Data

Because the original file contents are overwritten at a low level, recovery becomes difficult. Specialized data recovery tools may be able to recover fragments of original files before they were fully overwritten. But complete recovery is often impossible once a new file fully overwrites an original.

Some key points about recovering overwritten files:

  • The faster the overwrite process, the less chance of recovery. Quickly rewriting a file makes recovery harder.
  • Fragments at the beginning and end of the original file have a better chance of recovery before they are completely overwritten.
  • Overwritten files can only be recovered while they are still partially overwritten. Once totally overwritten, the chance of recovery is essentially zero.

These limitations make overwriting a fairly secure form of deletion in practice. The new data destroys the original data because it occupies the same physical location on disk.
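The difference between deleting, partially overwriting and fully overwriting can be shown with a toy model. This is an added example, not part of the original article; the ToyDisk class, its 8-byte clusters and the sample data are constructed for illustration and do not model any real file system.

```python
# Toy model, constructed for illustration: a "disk" of fixed-size clusters and
# a file table mapping names to cluster numbers. Not a real file system.
CLUSTER = 8

class ToyDisk:
    def __init__(self, n_clusters):
        self.clusters = [bytes(CLUSTER)] * n_clusters
        self.table = {}                       # file name -> cluster numbers
        self.free = list(range(n_clusters))   # lowest free cluster is reused first

    def write(self, name, data):
        chunks = [data[i:i + CLUSTER].ljust(CLUSTER, b"\0")
                  for i in range(0, len(data), CLUSTER)]
        if len(chunks) > len(self.free):
            raise OSError("toy disk full")
        used = [self.free.pop(0) for _ in chunks]
        for idx, chunk in zip(used, chunks):
            self.clusters[idx] = chunk        # previous bytes in this cluster are gone
        self.table[name] = used

    def delete(self, name):
        # Only the table entry is removed; the cluster contents stay as they were.
        self.free = sorted(self.free + self.table.pop(name))

    def residue(self):
        """Bytes a recovery tool would see when scanning unallocated clusters."""
        return b"".join(self.clusters[i] for i in self.free)

def demo():
    secret = b"ACCOUNT=1234;PIN=987654;"      # constructed sample, 3 clusters
    disk = ToyDisk(4)
    disk.write("secret.txt", secret)
    disk.delete("secret.txt")
    after_delete = disk.residue()             # whole file still present
    disk.write("a.txt", b"x" * 8)             # reuses only the first cluster
    after_partial = disk.residue()            # tail of the old file survives
    disk.write("b.txt", b"y" * 16)            # reuses the remaining two clusters
    after_full = disk.residue()               # nothing of the old file is left
    return after_delete, after_partial, after_full

if __name__ == "__main__":
    for stage in demo():
        print(stage)
```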

Secure Deletion Methods

For greater security against recovery, many delete operations specifically overwrite files more than once. Standards like DoD 5220.22-M require overwrite passes. This both destroys original data and prevents future recovery.

Some methods used for secure deletion include:

  • Simple Overwrite – Overwriting the file data once with new data.
  • Multi-pass Overwrite – Writing new data over the original file multiple times.
  • Zero-fill Overwrite – Overwriting with all zeros or random data instead of meaningful new data.
  • File Shredding – Overwriting portions of a file multiple times to destroy recoverable fragments.

Many operating systems now include secure delete functions that use these methods. For example, macOS has the srm utility that overwrites data multiple times.
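A minimal sketch of the multi-pass and zero-fill methods listed above, as an added example that is not from the original article or from any OS utility. The function names overwrite_in_place and secure_delete are hypothetical, and the pass pattern (random passes followed by a final zero pass) is an assumption, not the pattern of any named standard.

```python
import os
import secrets

def overwrite_in_place(path, passes=3, chunk=64 * 1024):
    """Overwrite a file's bytes where they sit: random passes, then a zero pass.

    Opening with "r+b" keeps the existing allocation; "wb" would truncate first
    and let the file system hand out different clusters for the new data.
    """
    if passes < 1:
        raise ValueError("passes must be at least 1")
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for n in range(passes):
            final = n == passes - 1
            f.seek(0)
            remaining = size
            while remaining:
                step = min(chunk, remaining)
                f.write(bytes(step) if final else secrets.token_bytes(step))
                remaining -= step
            f.flush()
            os.fsync(f.fileno())   # push this pass to the device before the next one
    return size

def secure_delete(path, passes=3):
    """Multi-pass overwrite followed by removal of the directory entry."""
    overwrite_in_place(path, passes)
    os.remove(path)

# Limits: on SSDs, copy-on-write or journaling file systems, and snapshotted
# volumes, the new bytes may land in different physical blocks than the old
# ones, so this is best-effort; backups and cached copies are untouched too.
```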

Does Encryption Change File Deletion?

On encrypted storage devices, file deletion works differently behind the scenes. When a file is deleted, the encryption keys are removed rather than the raw data being overwritten. Without access to the right cryptographic keys, the original data becomes inaccessible even though it still resides on disk.

The key points about file deletion and encryption are:

  • The raw encrypted data is not initially overwritten when deleting a file on encrypted storage.
  • The encryption keys required to decrypt the data are discarded, rendering the original data inaccessible.
  • The encrypted data may be physically overwritten later as the disk space is reused.
  • Without the encryption keys, recovery of original deleted files is not possible.

In this way, encryption offers an alternative method to achieve the same practical effect as physically overwriting the original data. The original contents cannot be accessed without the keys.

Other Keys to Recovering Overwritten Files

In some cases, overwritten files can be recovered without accessing the original data location on disk. If copies of the deleted files exist elsewhere, they can be restored from those locations.

Examples include:

  • Backups – Retrieve a previous version of the file before it was overwritten from backups.
  • File History – If the OS keeps file history or versions, undelete an older version.
  • Temporary Files – Some apps create temporary files that may have copies of lost originals.
  • Cached Files – Recover files from cache locations if they were kept there after being overwritten.

However, these methods rely on file copies being available somewhere besides the overwritten original location. If no backups or copies exist, recovering an overwritten file becomes extremely difficult or impossible.

Can Overwritten Files Be Recovered from an SSD?

On traditional spinning hard disk drives (HDDs), recovering overwritten files is challenging because the original contents are destroyed when directly overwritten at the physical level. Can overwritten files be recovered from SSDs?

It depends. Some key points on SSDs:

  • SSDs use logical addressing rather than accessing fixed physical locations.
  • Invalidated data is marked for erase but may still exist until garbage collection.
  • Wear leveling means data is moved around, so original data could still be accessible.

This makes complete overwrite deletion more complex on SSDs. Logical mappings mean the OS doesn’t know exactly where data is stored physically. Invalidated data could still reside in original cells until garbage collection erases it. Wear leveling also migrates data around the physical medium over time.

In theory, this means properly overwritten files could still be recoverable from unused space on SSDs. But in practice, this is difficult and depends on garbage collection not having yet erased the data. Most SSDs today also encrypt data, adding another layer of protection.

Can Files Be Recovered After Formatting a Drive?

When a storage device is formatted, the file system structure is recreated and all existing files are marked for deletion. This makes recovery difficult, but not always impossible.

Some key points on recovering files after formatting a drive:

  • Formatting flags all files as deleted and marks space as available for reuse.
  • Actual file contents are not immediately overwritten at the physical level.
  • File recovery software looks for leftover data in space marked as available.
  • The longer the drive remains in use after formatting, the lower the recovery chances.

So in theory, data recovery from a freshly formatted drive is possible if software can find and reassemble original files before they are overwritten. But the likelihood drops significantly as more new data is written after formatting.

Mitigating Risks of Recovering Overwritten Files

If completely eliminating the possibility of overwritten file recovery is desired, here are some tips:

  • Use drive encryption tools, such as BitLocker on Windows.
  • Enable secure delete functions in your OS, like srm in macOS.
  • Overwrite files multiple times to reduce recoverability.
  • Physically destroy storage devices when disposing them.

Regularly overwriting free space on a drive can also minimize risks. Sparse file algorithms that zero-fill space as it’s allocated can avoid old data lurking in logically free space.

For ultimate security against overwritten file recovery, physical destruction is foolproof. But encryption paired with secure delete methods also makes data recovery far less likely in most cases.

Conclusion

When a file is overwritten, the original contents are essentially deleted at a low disk level even if the logical directory entry is gone. Actual recovery is difficult once new data replaces the original file. However, fragments can sometimes be recovered if the overwrite is incomplete. To minimize this risk, utilize encryption, multiple overwrite passes, and other secure deletion methods.
