As part of GN's first 'officially unofficial' Hard Drive Week, we're ready to talk about file deletion and recovery! I previously mentioned in the "how to recover a deleted document" guide that recovering files is exceedingly easy provided the hard drive hasn't yet overwritten the territory previously occupied by the content. Why, though, does deleting a file leave it recoverable? This quick guide walks through the logic of how file deletion works in Windows.
Different operating systems will yield different file deletion tactics - to be sure, some Linux variants are quite comprehensive in their total annihilation of anything so much as clicked in a funny way. Windows, however, doesn't quite work that thoroughly; whether or not you like the safety net of recoverable "deleted" files or you're terrified of it, it's something that we can work with and either recover or hide. Let's answer that "what happens when a file is deleted" question...
The Logic
Stepping through the top-level logic of what happens (on a GUI-end) when a file is deleted, here's what we know:
- User deletes a file.
- The file vanishes from its starting location.
- If permitted, the file goes to the recycling bin (otherwise, skip this and the next step).
- The file is now dormant and compressed, awaiting further orders; it is visible in the recycling bin.
- When emptied from the bin, the file "appears to disappear" from the bin, giving the perception of deletion.
That's what we're seeing on the graphical side, here's the logic Windows is using:
- User deletes file.
- Flag file as overwrite-able space.
- If space is required in the file's location on the drive, overwrite some or all of the file with new data.
Notice how there's one key step missing: The file is never actually "shredded." When pressing the 'delete' key (or shift+delete, if you're feeling violent and merciless), the file is actually flagged with a special character, hidden on the front-end, and then stowed away until future orders are issued. The flag on the file effectively tells Windows, "Hey, I'm deleted," at which point the hard drive may reallocate the space to incoming files or programs if it is necessary.
Programs like ShadowExplorer are able to view "shadow" or residual files that are created while working on a document. Every one of those temporary files that's created in Word or other programs is recoverable. This is also true for saved games: You can find remnant temporary files (and depending on the game's programming, auto saves) scattered through your directories like bread crumbs. It's not as clean-cut as "I haven't saved it, it doesn't exist;" any work done on a file is work that could have been automatically or temporarily saved -- that's where file obliteration and shredding comes in, but that's a different article. Update: Here's that file obliteration article!
Solid State Drives (which are awesome for gaming, if you haven't seen why) may have some slight variations in forensics & file recovery, but that will be discussed in our impending 'obliterate a file' guide.
So what? Is it hurting anyone?
In some instances, that space may never, ever be re-used -- and, technically speaking, computer forensics labs are more than capable of recovering either the temporary files that litter the system or examining the magnetic field residue on the hard drive's platter, potentially finding enough of the old file to recover "useful" information. This, of course, is expensive and cumbersome, so it's only used in the most severe cases.
Even formatting a drive doesn't obliterate the occupying data (depending on what formatting utilities and methodologies you use, of course).
So, what's the best way to remove that precious data and forever feel at ease? Well, this simple tool gives you the absolute best results and requires minimal technical ability. That said, it's not ideal if you want to, you know, keep the hard drive. We're publishing another guide tomorrow on how to permanently delete files (it may involve Oblivion gates), so choose one of the social options in the top right of the page if you want to be notified when it's posted!
Well, that's it, really. Quite simple. It's flagged, shoved in a corner, and may be overwritten if space becomes sparse. I never recommend selling hard drives if they've previously had sensitive data on them; you just don't want that stuff floating around.
-Steve