When a file is deleted on a computer’s hard drive, the data itself is not actually erased from the physical storage device. Instead, the reference to the file’s location on the disk is removed from the file system index, making it seem like the file has been erased. The actual data remains intact until it is overwritten by new data.
There are a few different ways files can be deleted from a hard drive:
- Performing a standard delete operation in the operating system, which removes the file reference from the index.
- Formatting the hard drive, which resets the file system and erases all file references.
- Using secure delete methods that overwrite the actual data to make it unrecoverable.
So in summary, standard file deletion only removes the index reference, not the underlying data itself. The deleted data remains on the hard drive until it gets overwritten or the drive is formatted.
File Systems
File systems are responsible for organizing data storage and providing a systematic way to store, locate, and retrieve files on a drive. Some common file systems for hard drives include FAT (File Allocation Table), NTFS (New Technology File System), and ext filesystems used in Linux.
FAT was introduced in 1977 and later evolved into FAT32. It uses a file allocation table to keep track of the clusters that make up each file. FAT is simple but has limitations like a maximum 4GB file size. FAT is well supported across devices but less efficient for larger drives.[1]
NTFS was created in the 1990s for Windows NT and newer Windows versions. It uses a master file table to index and organize files. NTFS supports larger partition sizes, encryption, compression, permissions, and other advanced features.[2]
Linux systems like ext (extended filesystem) handle file storage through structures like inodes which point to data blocks. This enables Linux filesystems to efficiently manage large volumes while maintaining reliability and performance.
So in summary, various file systems have their own structures and logic to keep track of file storage and retrieval on a hard drive.
[1] https://hetmanrecovery.com/recovery_news/practical-hints-on-choosing-between-fat-and-ntfs.htm
[2] https://hetmanrecovery.com/recovery_news/choosing-the-right-file-system-fat-and-ntfs.htm
File Allocation Table
The File Allocation Table (FAT) is the system used by operating systems like Windows to keep track of files on a hard drive. Each hard drive is divided into clusters or allocation units. The FAT contains entries for each cluster, with information on whether that cluster is used or available.
When a file is saved to the hard drive, it gets written across one or more clusters. The FAT keeps track of which clusters belong to each file. For example, file A may be stored in clusters 35-40. The FAT would contain entries mapping those specific clusters to file A.
As more files get written to the disk, they are allocated free clusters according to the FAT. The FAT gets updated continuously to map used clusters to their corresponding files. This allows the operating system to keep track of where every file is physically located on the storage device. Without the FAT, the operating system would be unable to locate files or determine which clusters are free or in use.
Master File Table
In the NTFS file system, every file and folder on a volume is represented by a record in the Master File Table (MFT) [1]. The MFT keeps track of information like the file name, time stamps, location on disk, and file attributes.
Each MFT record contains attributes that define the file or folder. The most important attributes are $FILE_NAME which holds the name of the file, $DATA which points to the actual file contents on disk, and $BITMAP which keeps track of the clusters allocated to the file [2]. By scanning the MFT, NTFS is able to locate files on the hard drive.
When a file is deleted, NTFS simply marks the file record in the MFT as deleted but does not remove the file contents immediately. This allows deleted files to be recovered until the clusters are overwritten by new data. The MFT ensures that NTFS keeps accurate track of all files on the volume.
Delete Process
When you delete a file in Windows, the file is not immediately removed from the hard drive. Instead, Windows removes the file entry from the file allocation table (FAT) or the master file table (MFT), depending on the file system used. The FAT and MFT keep track of which clusters on the hard drive are allocated to each file. Removing the file entry frees up the clusters occupied by the file so they can be overwritten with new data.
The actual file contents remain on the hard drive in the previously allocated clusters until those clusters are needed for new data. At that point, the original file contents will be overwritten. This is why deleted files can often be recovered using data recovery software – the contents still exist on the drive until the clusters are reused. [1]
When you delete a file and skip the Recycle Bin by pressing Shift+Delete, the same process occurs – the file record is removed from the FAT/MFT but the contents remain until overwritten. This prevents easy undelete, but does not wipe the data right away. [2]
So in summary, file deletion just removes the file entry and frees up its clusters. The original contents remain intact on the hard drive until overwritten by new data.
File Recovery
When a file is deleted from a hard drive, the reference to the file’s data is removed from the file system, but the actual data usually remains on the drive until it is overwritten by new data. This allows for undelete utilities to recover deleted files by scanning the drive and rebuilding parts of the file system to reconnect the directories and allocation tables to the orphaned file data.
There are many free and paid undelete utilities available that can scan a hard drive and recover deleted files. Some popular options include: CCleaner, Recuva, EaseUS Data Recovery Wizard, Pandora Recovery, and Disk Drill. The scanning process can take some time depending on the size of the drive.
Success rates for undelete utilities vary depending on how much time has passed since deletion and whether new data has overwritten the deleted files. The sooner file recovery is attempted, the higher the chances of full recovery. However, fragments of files may still be recoverable even after some overwrite has occurred.
Secure Deletion
When a file is deleted on a hard drive, the reference to that file’s location in the file table is simply removed. The actual data remains on the drive and can be recovered using data recovery software. To truly delete a file, the data itself needs to be overwritten.
Secure deletion techniques overwrite the actual data on a hard drive to make it unrecoverable. This is done by writing random data patterns or zeros and ones over the data multiple times. The more overwrites, the more secure the deletion. The University of Michigan recommends using a secure delete program like Heidi Eraser to overwrite data on a hard drive.
The tool will completely overwrite all sectors of the hard drive, eliminating any trace of previously stored files. This is more secure than simply formatting a drive or deleting files normally. Secure erase tools utilize the hard drive’s built-in Secure Erase command to overwrite data at a low level. As CISA notes, this ensures all areas of the drive are overwritten, even unused space.
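The behaviour described under Delete Process, File Recovery and Secure Deletion, as an added example that is not part of the original article: a simplified in-memory FAT-style volume with a standard delete, an overwrite-then-delete, and an undelete scan. `ToyFat`, its 17-byte entry layout and the sample file contents are constructed for illustration; the 0xE5 deleted-entry marker and the two reserved clusters follow real FAT. The scan assumes contiguous clusters because the chain is gone after deletion.

```python
import struct

CLUSTER = 16            # toy cluster size in bytes (constructed; real clusters are larger)
FREE, EOC = 0, 0xFFFF   # allocation-table markers: free cluster, end of chain
DELETED = 0xE5          # first name byte FAT uses to mark a deleted directory entry
ENTRY = "<11sHI"        # simplified directory entry: 8.3 name, start cluster, size

class ToyFat:
    def __init__(self, clusters=16):
        self.fat = [EOC, EOC] + [FREE] * (clusters - 2)   # clusters 0-1 are reserved
        self.data = bytearray(CLUSTER * clusters)
        self.entries = []

    def write(self, name, content):
        need = -(-len(content) // CLUSTER)                # ceiling division
        chain = [i for i, v in enumerate(self.fat) if v == FREE][:need]
        for cur, nxt in zip(chain, chain[1:] + [EOC]):
            self.fat[cur] = nxt                           # link the cluster chain
        for n, c in enumerate(chain):
            chunk = content[n * CLUSTER:(n + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.entries.append(bytearray(struct.pack(ENTRY, name, chain[0], len(content))))

    def delete(self, index, wipe=False):
        entry = self.entries[index]
        cluster = struct.unpack(ENTRY, entry)[1]
        while cluster != EOC:
            nxt = self.fat[cluster]
            if wipe:                                      # secure delete: overwrite the data
                self.data[cluster * CLUSTER:(cluster + 1) * CLUSTER] = bytes(CLUSTER)
            self.fat[cluster] = FREE                      # standard delete only frees it
            cluster = nxt
        entry[0] = DELETED                                # start cluster and size stay readable

    def undelete_scan(self):                              # what an undelete utility looks for
        found = {}
        for entry in self.entries:
            if entry[0] == DELETED:
                name, start, size = struct.unpack(ENTRY, entry)
                off = start * CLUSTER
                found[name[1:].decode("ascii")] = bytes(self.data[off:off + size])
        return found

def demo():
    vol = ToyFat()
    vol.write(b"SECRET  TXT", b"payroll: alice=9000, bob=8500")   # constructed sample data
    vol.write(b"KEYS    TXT", b"api-token=CONSTRUCTED-SAMPLE")
    vol.delete(0)                 # standard delete: index entry only
    vol.delete(1, wipe=True)      # overwrite, then delete
    return vol.undelete_scan()
```

`demo()` returns the full contents of the file that was deleted normally and only zero bytes for the wiped one. Writing a new file afterwards reuses the freed clusters, and the scan then returns the new file's bytes in place of the old contents.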
SSDs
SSDs, or solid-state drives, handle file deletion differently than traditional HDDs. When files are deleted on an SSD, the drive controller marks the blocks containing that data as deleted and ready to be overwritten, similar to HDDs. However, SSDs cannot simply overwrite old blocks of data like HDDs can. SSDs must first erase old blocks before writing new data, a process called “garbage collection.” This involves resetting all bits in a block to 0 before new data can be written, essentially wiping that block clean. The garbage collection process happens in the background and can introduce latency. However, it ensures truly deleted files cannot be recovered on SSDs [1]. Another option for securely erasing an SSD is to use the ATA Secure Erase command, which electronically erases all data on the drive by resetting all cells to their factory state [2].
Permanent Deletion
Permanently deleting data from a hard drive ensures that the data cannot be recovered by any means. There are two main ways to permanently destroy data on a hard drive:
Degaussing uses strong magnetic fields to disrupt and randomize the magnetic alignment of bits on a hard drive. This process renders the data completely unreadable and irretrievable. Degaussing is an effective method for permanently erasing data from traditional hard disk drives.
Physical destruction involves physically damaging the hard drive to make data recovery impossible. Methods like drilling holes through platters, shredding, crushing, or incinerating hard drives can permanently destroy the data. While physical destruction is extreme, it provides the highest level of data security.
Software-based deletion methods like formatting or overwriting do not permanently delete data. Degaussing and physical destruction are the only ways to guarantee that deleted files cannot ever be recovered from a hard drive.
Conclusion
When a user deletes a file on their computer, the file is not immediately erased from the hard drive. Instead, the file system marks the file as deleted by removing its entry from the file allocation table or master file table. The actual data remains on the drive until it is overwritten by new data.
While deleted files can often be recovered using file recovery software, there are techniques like wiping drives and using SSDs that make recovering deleted data much more difficult. Understanding how file deletion works provides insight into best practices for permanently deleting sensitive information.
In summary, deleted files are not instantly erased from a drive when removed by the user. The file system just flags them as deleted. The actual data remains until overwritten. While recoverable in many cases, there are ways to more securely delete files to prevent recovery.