What happens when files are overwritten?

When a file is overwritten, the original data in the file is erased and replaced with new data. Overwriting a file can happen intentionally or accidentally in a number of ways. Understanding what happens during the overwrite process and how to recover overwritten files is important for properly managing and protecting data.

How Does Overwriting a File Work?

When a file is saved to a storage device, such as a hard drive or USB flash drive, the operating system records the data in the file to available storage sectors on the device. Each sector, which is typically 512 bytes in size, can store a portion of the file’s data.

The operating system keeps track of where each file’s contents are stored through the file system, which includes metadata about each file like the name, size, creation date, and location on disk. This allows the OS to retrieve the different parts of a file when it is opened or read from disk.

When a file is overwritten, the OS simply takes the updated file contents and begins writing them to the same sectors where the original file was stored, erasing the old data. Any parts of the original file that fit within the same space as the new version will be overwritten. The file system metadata is updated to point to the new data.

For example, say file A is 128KB in size and occupies sectors 1-16 on a disk. If file A is then overwritten with new contents that are also 128KB, those new contents will be written to the same sectors 1-16, replacing the original data stored there.

Overwrite Process

Here is a more detailed look at how the overwrite process works:

  1. The operating system receives the updated file contents to be saved, either from an application or direct file edit.
  2. It looks up the location of the original file’s data based on the file name and directory location.
  3. It writes the new file contents to the same beginning sectors on disk by erasing and replacing the data stored there.
  4. If the new file is larger than the old one, additional sectors are allocated to fit the new contents.
  5. If smaller, the leftover sectors are freed up to be overwritten by other files.
  6. The file system metadata is updated to point to the new data locations and size for that file.

From the perspective of the operating system, the original file is gone for good once overwritten. The OS has no way to tell what data was previously stored in the sectors that have been erased. However, the original data still exists physically on the disk until it is eventually overwritten by another file in the future.
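Whether a save reuses the original file's storage at all depends on how the application writes. The following is an added example, not code from the original page: it compares an in-place write with the common write-temp-then-rename save, using the inode number as a stand-in for "same file object" (the file name and contents are constructed, and an unchanged inode does not by itself prove the same physical sectors were used).

```python
import os
import tempfile

def save_in_place(path, data):
    """Write over the existing file's bytes without creating a new file."""
    with open(path, "r+b") as f:
        f.write(data)
        f.truncate()              # release any tail left by a longer old version
        f.flush()
        os.fsync(f.fileno())

def save_by_replace(path, data):
    """Write a temporary file, then rename it over the original."""
    folder = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=folder)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)         # the old file's blocks are freed, not rewritten

def same_inode_after(save, path, data):
    """True if the path still refers to the same inode after the save."""
    before = os.stat(path).st_ino
    save(path, data)
    return os.stat(path).st_ino == before

def demo():
    with tempfile.TemporaryDirectory() as folder:
        path = os.path.join(folder, "report.txt")   # constructed sample file
        with open(path, "wb") as f:
            f.write(b"ORIGINAL " * 100)
        in_place = same_inode_after(save_in_place, path, b"UPDATED " * 100)
        replaced = same_inode_after(save_by_replace, path, b"UPDATED AGAIN " * 100)
        return in_place, replaced

if __name__ == "__main__":
    print(demo())
```

A save that replaces the file leaves the previous version's blocks unallocated but intact, which matters both for recovery and for secure deletion.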

When Can Files Be Overwritten?

There are a few common scenarios that can lead to files being overwritten with new data:

Manual File Edits

Users may open a file and manually edit or replace its contents, then save the changes back to the original file name. Any text, image, or other file type can be overwritten this way through typical file operations.

Save Command

Most applications will prompt users to overwrite the existing file when executing a Save command on an open file. The user can approve overwriting or choose to save the updated document to a new name.

Copy and Replace

Overwriting happens if a user copies a file and then pastes the copy back onto the original file using the Replace option. The paste command overwrites the target file with the copied data.

Application Writes

Programs may generate files as output and be configured to always overwrite previous versions with new output data. Automated processes and scripts can cause unintentional overwrites this way.

File Move and Replace

If a user moves a file into a directory where a file of the same name already exists, the default action is to replace and overwrite the existing file with the moved file.

OS Overwrites

The operating system itself may overwrite files during certain system functions like software updates. Temporary working files can also be overwritten by applications and OS processes.

Accidental File Overwrites

One common way that users accidentally overwrite important files is by opening and editing the wrong file. It’s easy to open up file B thinking it’s file A, make changes, and save the changes back to the original incorrect file name.

Some other examples of unintentional overwriting scenarios include:

  • Copying folder structures between drives and replacing existing files
  • Performing a system restore and reverting files back to older versions
  • Having two users editing the same shared file at once
  • Automated or batch processes that rewrite files
  • Incorrectly configuring backup software to overwrite old backups

These types of overwrites can happen easily and are hard to recover from if backups are not available. Using version control systems and file locking mechanisms can help prevent accidental overwrites when collaborating on documents.

Recovering Overwritten Files

Since an overwritten file’s original contents are replaced by the new data, the OS itself provides no built-in protection for recovering the previous version of the file. However, there are still a few options for trying to recover overwritten data:

File History and Backup Copies

If the overwritten file was backed up or stored in a file version history on that drive, you may be able to restore the previous copy and recover the lost contents. Backup systems that take incremental snapshots or archive file changes can help protect against overwrites.

File Recovery Software

Specialized data recovery tools can scan the drive and search for remnants of overwritten files that may still be recoverable. They may be able to reconstruct parts of the original file by looking for leftover data fragments.

Drive Forensics

In extreme cases, forensic data recovery experts may be able to examine the drive platters at a very low level to find traces of the old data that can hint at some of the overwritten file contents. This is an expensive and complex process.

Earlier Drive Image

If a full disk image or clone was made prior to the overwrite, analysts can mount that old drive image and access earlier versions of the overwritten files from before the changes occurred.

Prevention is the best way to avoid needing to recover from accidental overwrites. Using version control, backups, drive images, and archiving software can all help mitigate the risk of losing data due to overwriting important files.

Why Can Overwritten Files Be Recovered?

In some cases, data recovery tools are able to restore at least partial contents of overwritten files. This is possible because of the way operating systems and storage hardware handle file deletes and overwrites:

Legacy Data Remnants

When a file is overwritten, the OS marks the original sectors as available for reuse, but does not actually erase the data stored on them. Those sectors must be overwritten in the future to clear the legacy data.

Until another write happens, some of the original data may still reside on the disk and be recoverable by scanning for file signatures and metadata.
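The effect can be reproduced on a simulated disk. This added example (not from the original page) models 512-byte sectors in a byte array, overwrites a constructed 8-sector file with a 2-sector one, and then scans the sectors no file claims for a record signature; the record format, sector numbers and sizes are all constructed for illustration.

```python
import re

SECTOR = 512  # bytes per sector, as in the article

def write_file(disk, start, data):
    """Write data sector by sector from `start`, zero-padding the last sector.
    Returns the set of sectors the file occupies afterwards."""
    count = -(-len(data) // SECTOR)                 # ceiling division
    padded = data.ljust(count * SECTOR, b"\x00")
    disk[start * SECTOR:(start + count) * SECTOR] = padded
    return set(range(start, start + count))

def scan_unallocated(disk, allocated, pattern):
    """Map sector number -> pattern matches found in sectors no file claims."""
    found = {}
    for n in range(len(disk) // SECTOR):
        if n in allocated:
            continue
        hits = re.findall(pattern, bytes(disk[n * SECTOR:(n + 1) * SECTOR]))
        if hits:
            found[n] = hits
    return found

def demo():
    disk = bytearray(16 * SECTOR)                   # constructed, zero-filled disk
    # Constructed original file: 64 records of 64 bytes each = 8 sectors.
    old = b"".join((b"acct=%04d;note=constructed" % i).ljust(63, b".") + b"\n"
                   for i in range(64))
    write_file(disk, 1, old)                        # occupies sectors 1-8
    # Overwrite with a smaller file: only sectors 1-2 are rewritten,
    # sectors 3-8 are released but their contents are untouched.
    allocated = write_file(disk, 1, b"N" * 1000)
    return scan_unallocated(disk, allocated, rb"acct=(\d{4});")

if __name__ == "__main__":
    for sector, ids in demo().items():
        print(sector, ids[0].decode(), "...", ids[-1].decode())
```

Records 0000 to 0015 lay in the two rewritten sectors and are gone; the other 48 are read straight out of the freed sectors.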

Multiple Drive Writes Needed

To completely overwrite a drive sector, the new data must be written to every physical location that comprises that logical 512 byte sector. Drive electronics may require multiple write passes to fully overwrite data.

Recovery tools can look for partially overwritten sectors where traces of old data still exist.

Magnetic Effects

On traditional magnetic hard drives, newly written data does not perfectly align with the old magnetic data encoded on the platter. Magnetic remnants of previous writes can still be detected.

Inter-Sector Gaps

There are small gaps between drive sectors that are not normally addressed by user data writes. These gaps can retain original data that give clues about overwritten files.

Securely Overwriting Files

For highly sensitive data that must be securely erased and not recoverable, simply overwriting a file once is not sufficient. Specialized drive wipe tools use multiple overwrite passes with specific data patterns to completely replace all magnetic traces of the original data.

Software tools like Eraser for Windows, SafeErase for Mac, and the Linux shred command can securely overwrite files by rewriting the data locations 3+ times. This ensures no remnants are left behind that forensic recovery methods could resurrect. Secure deletion is the only way to fully prevent overwritten data from being recovered by any means.
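A minimal multi-pass overwrite in the spirit of those tools, as an added example rather than the code of any tool named above. It assumes the file system rewrites a file's blocks in place; on SSDs with wear leveling, copy-on-write or journaling file systems, and anywhere snapshots or backups exist, earlier copies can survive this procedure.

```python
import os
import secrets

def overwrite_file(path, passes=3, chunk=64 * 1024, remove=True):
    """Overwrite a file's contents in place with random bytes, `passes` times,
    then optionally rename and delete it. Returns the number of bytes covered."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:           # r+b: no truncation, same file object
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())           # push this pass to the device
    if remove:
        # Rename to a random name first so the original file name does not
        # remain in the directory entry that gets unlinked.
        folder = os.path.dirname(os.path.abspath(path))
        anonymous = os.path.join(folder, secrets.token_hex(8))
        os.replace(path, anonymous)
        os.remove(anonymous)
    return size
```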

How Disk Format and Structure Affect Overwrites

How the operating system formats the disk and structures files affects how foolproof an overwrite is. Here are some factors that change how the overwrite process works:

Disk Sector Size

If the sector size on a drive is 4KB instead of the usual 512 bytes, it is more difficult to precisely locate and recover remnants of overwritten files smaller than the sector size. Larger sectors leave less easily recoverable space between sector boundaries.

File Allocation and Fragmentation

File systems that scatter files across many small fragmented sectors make recovering overwritten files more complex. Contiguous files stored neatly in a few sectors are more likely to be partially restorable.

Journaling and Log-Structured File Systems

Journaled file systems like NTFS keep track of metadata changes, making undeletion easier. Log-structured systems complicate data recovery since they sequentially write files and metadata in a dense append-only structure.

TRIM Command Support

Solid-state drives (SSDs) overwrite data immediately when the TRIM command is issued, leaving no remnants behind. TRIM permanently deletes overwritten data to offset wear leveling side effects on SSDs.

Impact of Encryption on Overwrites

If a drive or file container utilizes encryption technologies like BitLocker or VeraCrypt, this adds additional security against overwritten file recovery:

  • Full disk encryption protects the entire drive contents, preventing access to any sector remnants.
  • Encrypted file containers obscure the original file contents before they touch disk.
  • Encryption scrambles the data patterns written to disk during overwrites.
  • Without decryption keys, encrypted overwritten remnants are unrecoverable.

Proper use of full or selective encryption provides the most surefire protection against unwanted recovery of overwritten files. Even small amounts of encryption deny access to remnants left behind after typical overwrite operations.

Why SSDs Are More Secure Than HDDs Against Overwrites

There are a few reasons why solid state drives are inherently better protected than traditional spinning hard disk drives when it comes to securely overwriting sensitive data:

  • No magnetic layers – SSD cells simply flip voltage states to write new data without old magnetic traces left behind.
  • Wear leveling – Constantly changing cell mappings makes overwritten data hard to locate.
  • TRIM support – Native command erases deleted blocks before reuse.
  • Full drive encryption – Optional SSD feature obscures all contents.

Due to their fundamental technical differences, recovering overwritten documents from SSDs is extremely difficult compared to HDDs. While not completely impossible, typical consumer file recovery methods cannot restore overwritten data from SSDs.

Can Overwritten Files Be Recovered from an SSD?

Because of wear leveling and TRIM operations, successfully recovering an overwritten file from an SSD is highly unlikely in typical consumer scenarios. However, there are some rare cases where fragments of overwritten SSD data may still be retrievable:

  • If TRIM was disabled, remnants in unused cells could persist until reuse.
  • Startup drive images made before overwrites occur can be probed for old data traces.
  • Low-level forensic methods can sometimes decode cell voltage patterns from raw NAND flash.
  • Weak or broken wear leveling algorithms may not properly randomize cell usage.

Accessing such SSD remnants demands advanced skills, custom gear, and expensive techniques. In most cases, overwritten consumer SSD data should be considered permanently erased barring these specialist recovery attempts.

Conclusion

While overwritten files may seem permanently gone after saving changes, traces of the original data still remain and recovery is sometimes possible. But due to complex technical factors, overwritten data cannot necessarily be reliably restored. The most effective way to protect important files from accidental overwrites is prevention through backups and versioning.

Understanding how overwriting impacts different storage devices like HDDs vs SSDs helps inform best practices for securely wiping sensitive data. While no single overwrite pass guarantees complete data erasure, overwriting combined with encryption provides a strong defense against unwanted data recovery.
