How-To Geek

HTG Explains: Why Deleted Files Can Be Recovered and How You Can Prevent It

When you delete a file, it isn’t really erased – it continues existing on your hard drive, even after you empty it from the Recycle Bin. This allows you (and other people) to recover files you’ve deleted.

If you’re not careful, this will also allow other people to recover your confidential files, even if you think you’ve deleted them. This is a particularly important concern when you’re disposing of a computer or hard drive.

Image Credit: Norlando Pobre on Flickr

What Happens When You Delete a File

Windows (and other operating systems) keep track of where files are on a hard drive through “pointers.” Each file and folder on your hard disk has a pointer that tells Windows where the file’s data begins and ends.

When you delete a file, Windows removes the pointer and marks the sectors containing the file’s data as available. From the file system’s point of view, the file is no longer present on your hard drive and the sectors containing its data are considered free space.

However, until Windows actually writes new data over the sectors containing the contents of the file, the file is still recoverable. A file recovery program can scan a hard drive for these deleted files and restore them. If the file has been partially overwritten, the file recovery program can only recover part of the data.

Note that this doesn’t apply to solid-state drives (SSDs) – see below for why.
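The behavior described above can be shown with a small model. This is an added example, not code from the original article: `ToyDisk` is a hypothetical in-memory "disk" with 16-byte sectors, and the file contents are constructed sample data. It shows a deleted file vanishing from the file table while its bytes stay in free sectors, and a later write destroying only the part it lands on.

```python
SECTOR = 16  # toy sector size in bytes (real disks use 512 or 4096)

class ToyDisk:
    """Hypothetical in-memory model: raw sectors, a free map, and a file table."""

    def __init__(self, sectors=8):
        self.data = bytearray(SECTOR * sectors)  # raw sector contents
        self.free = [True] * sectors             # which sectors are available
        self.table = {}                          # name -> sector list (the "pointers")

    def write(self, name, content):
        need = -(-len(content) // SECTOR)        # sectors required, rounded up
        picked = [i for i, f in enumerate(self.free) if f][:need]
        if len(picked) < need:
            raise OSError("disk full")
        for n, s in enumerate(picked):
            chunk = content[n * SECTOR:(n + 1) * SECTOR]
            self.data[s * SECTOR:s * SECTOR + len(chunk)] = chunk
            self.free[s] = False
        self.table[name] = picked

    def delete(self, name):
        # Normal delete: drop the pointer and mark sectors free; bytes stay put.
        for s in self.table.pop(name):
            self.free[s] = True

    def scan_free(self, marker):
        # What a recovery tool does: read free sectors and look for known content.
        return [s for s, f in enumerate(self.free)
                if f and marker in self.data[s * SECTOR:(s + 1) * SECTOR]]


def demo():
    disk = ToyDisk()
    disk.write("tax.txt", b"SECRET-2012 account 12345")  # constructed sample data
    disk.delete("tax.txt")
    listed = "tax.txt" in disk.table          # the file system no longer sees the file
    after_delete = disk.scan_free(b"SECRET")  # yet its first sector is still readable
    disk.write("new.txt", b"x" * SECTOR)      # new data reuses the first free sector
    head_left = disk.scan_free(b"SECRET")     # the overwritten part is gone
    tail_left = disk.scan_free(b"12345")      # the untouched part is still recoverable
    return listed, after_delete, head_left, tail_left

if __name__ == "__main__":
    print(demo())
```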

Image Credit: Matt Rudge on Flickr

Why Deleted Files Aren’t Erased Immediately

If you’re wondering why your computer doesn’t just erase files when you delete them, it’s actually pretty simple. Deleting a file’s pointer and marking its space as available is an extremely fast operation. In contrast, actually erasing a file by overwriting its data takes significantly longer. For example, if you’re deleting a 10 GB file, that would be near-instantaneous. To actually erase the file’s contents, it may take several minutes – just as long as if you were writing 10 gigabytes of data to your hard drive.

To increase performance and save time, Windows and other operating systems don’t erase a file’s contents when it’s deleted. If you want to erase a file’s contents when it’s deleted, you can use a “file-shredding” tool – see the last section for more information.

Solid-State Drives Work Differently: None of this applies to solid state drives (SSDs). When you use a TRIM-enabled SSD (all modern SSDs support TRIM), deleted files are removed immediately and can’t be recovered. Essentially, data can’t be overwritten onto flash cells – to write new data, the contents of the flash memory must first be erased. Your operating system erases files immediately to speed up write performance in the future – if it didn’t erase the file data immediately, the flash memory would first have to be erased before being written to in the future. This would make writing to an SSD slower over time.

Image Credit: Simon Wüllhorst on Flickr

Recovering Deleted Files

If you’ve accidentally deleted a file and need to get it back, there are some things you should bear in mind:

  • You should recover the file as soon as possible: As Windows continues to write files to your hard drive, the chances of it overwriting the deleted files increase. If you want to be sure you can recover the file, you should perform a recovery immediately.
  • You should try to use the hard drive as little as possible: The best way to recover a deleted file from a hard drive is powering the computer down immediately after the file is deleted, inserting the hard drive into another computer, and using an operating system running on another hard drive to recover it. If you try to recover a file by installing a file-recovery program on the same hard drive, the installation process and normal use of the hard drive can overwrite the file.

Windows doesn’t include a built-in tool that scans your hard drive for deleted files, but there are a wide variety of third-party tools that do this. Recuva, made by the developers of CCleaner, is a good option. Recuva and other utilities can scan a hard drive for deleted files and allow you to recover them.

Preventing Deleted Files From Being Recovered

If you have confidential, private data on your computer, such as financial documents and other sensitive pieces of information, you may be worried that someone could recover your deleted files. If you’re selling or otherwise disposing of a computer or hard drive, you should exercise caution.

You can use a utility that automatically wipes your hard drive’s free space – by writing other data over the free space on your hard drive, all deleted files will be erased. For example, CCleaner’s integrated Drive Wiper tool can do this.

To make sure that a single file can’t be recovered, you can use a “file-shredding” application such as Eraser to delete it. When a file is shredded or erased, not only is it deleted, but its data is overwritten entirely, preventing other people from recovering it. However, this may not always protect you – if you made a copy of the file and deleted the original at some point, another deleted copy of the file may still be lurking around your hard disk.

Note that this process takes longer than deleting a file normally, so it’s a bad idea to delete every file this way — it’s only necessary for confidential ones.
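What a file shredder does at its core, as an added example (not code from Eraser or from the original article): overwrite the file's existing bytes in place with a single pass, flush that to the device, then delete normally. The function names are hypothetical, and the sketch assumes a hard disk with a file system that updates data in place; it does nothing about earlier copies of the file elsewhere on the disk.

```python
import os

def overwrite_in_place(path, chunk_size=1 << 20):
    """Overwrite every byte of an existing file with zeros (one pass).

    Returns the number of bytes overwritten.
    """
    size = os.path.getsize(path)
    zeros = bytes(chunk_size)
    # "r+b" updates the existing file. Opening with "wb" would truncate it
    # first, and the file system could then place new data in other sectors,
    # leaving the original contents untouched in free space.
    with open(path, "r+b") as f:
        remaining = size
        while remaining > 0:
            n = min(chunk_size, remaining)
            f.write(zeros[:n])
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # force the overwrite to the device before deleting
    return size

def shred_file(path):
    """Single-pass overwrite followed by a normal delete."""
    written = overwrite_in_place(path)
    os.remove(path)
    return written
```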

To really prevent someone from recovering any of your data, you can use a disk-wiping program, such as DBAN (Darik’s Boot and Nuke). Burn DBAN to a CD, boot from it, and it will erase everything from your hard drive, including your operating system and all your personal files, overwriting them with useless data. This is very useful when getting rid of a computer – it helps you ensure all your personal data is erased.

While some people think that files can still be recovered after they’re overwritten, the evidence shows us that one wipe should be good enough.


You should now understand why deleted files can be recovered and when they can’t. Remember this when getting rid of a computer or hard drive – your confidential files may still be present on your hard drive if you haven’t properly erased them.

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Google+.

  • Published 09/29/12

Comments (23)

  1. gifi4

    I ran CCleaner’s drive wiper when I was getting rid of my old pc. I knew most of the information here already though, just being cautious =D

  2. Nexusfactor

    I know it takes some time, but how about using a truecrypt container and placing all the files you want to delete in there, and then deleting the container itself. Even if the container is recovered, you have a long password protecting the container and would take awhile to guess.

  3. MJ

    @Nexusfactor Not 100% sure (have not used truecrypt), but I think that would leave the original, unencrypted files in the HDD just as if they had been deleted. It would work if you created the files inside the encrypted container in the first place. As long as they are always encrypted they will not be recoverable without the key, deleted or not.

  4. Nexusfactor

    @MJ – If you copied the files, they’d be in the container and on the hard drive unprotected. Truecrypt allows a user to create a container, think of it as a special encrypted folder. You can move all your files in there (by cutting and pasting). My idea was, create container, place all the files you want to delete in there and then delete the container itself.

  5. Laura Brown

    Very helpful article. Very clearly presented. Thank you.

  6. SatoMew

    What about using Windows’ diskpart utility to zero out the disk? This is possible, I just don’t know how effective it is at it. Here’s a link to an article at the (unofficial) “Windows 7 Forums” site on how to do it: http://www.sevenforums.com/tutorials/52129-disk-clean-clean-all-diskpart-command.html

  7. PhylisSophical

    Recuva is the best. Be careful of other so called ‘free’ Recovery programs. Some will show you the files, but you have to pay to recover them. Or recover only a certain amount. No limit on Recuva.

  8. rishirajsurti

    Is it possible to recover files, even after formatting the hard disk?

  9. Keith

    SDelete (secure delete). For the cmd line. No pretty, but plenty worky. : )

    http://technet.microsoft.com/en-us/sysinternals/bb897443.aspx

  10. Dave

    I’m telling you, tube memory is the only way to go. When the filament no longer glows, the bit is gone. Admittedly, you’ll need a moving van with a 50 ton air conditioning system and a power plant for your backups. I remember rotating 128K drum memory systems that stored data on consecutive, fixed head tracks and were as big as a commercial washing machine and about as noisy. They turned slow enough that you could watch the heads index and the drum turn. We even used a magnetic disclosing liquid application that would show the 1’s and 0’s under a low-powered microscope. Back then, the bits were much bigger. :)

  11. Dave

    Formatting a drive doesn’t do much. Scrubbing a disk with a multi-pass, random data, DoD level wipe program like DBan from Source Forge will render it pretty much useless. And it’s free.

  12. r

    @rishirajsurti: this depends on what kind of format was done: were any logical drives & partition tables affected, & what space of the HD was used after re-formatting. My experiences have shown that one can get good partial recovery of files, if done immediately after most “quick” formats.

  13. Ushindi

    “Moo0 File Shredder” is a great (free) program for shredding files, having options of once, three, seven, or thirty-five times. “Freeraser” is another.
    CCleaner is excellent for wiping free space on a drive or wiping everything, whether HD or flash drive (and excellent as well for all the other things CC does so capably).

  14. billniceguy

    The Dept. of Defense used to approve only one data deletion program and I own it. This program deletes all data down 7 levels. No other program deletes that low... most only delete 1 or 2.
    Has anyone heard of a different program? tnx Bill

  15. Doh

    Low level format works fine.

    As for TRIM command, the whole point of it is to flip the bits when the drive is idle, not immediately as you suggested. In fact a lot of drivers don’t use TRIM but instead let the drive’s firmware handle it with a proprietary garbage collection. Otherwise a drive will have to flip bits twice when writing, considerably slowing down the write time.

  16. OldSalt

    I usually set up hard drives with logical partitions and rename the boot drive. To clean the drive, I delete all programs individually and defrag after each uninstall. Once I’m down to the operating system, I delete the logical partitions and then do a reformat. So far, no problems with finding any leftover data…

  17. drevil1200

    Or if the HD is being thrown away or recycled, just drill several large holes straight thru the drive.

  18. Dave

    I’ve always found, if you’re getting rid of the drive, then a bath in a bucket of soapy water does the trick (no real need for soap, but that way the drive is clean… sorry)

  19. Ray

    About the TrueCrypt “thing”. If you create a container and store your files in there it won’t be a problem, assuming you secured the container properly and over-wrote the container when you destroy it. There is a chance that the container could be recovered and the passphrase (not key) attacked, causing your data to be made available.

    If you want to win a data security pissing match:

    The best way to remove your data from “being available” is to use programs like TrueCrypt with a strong passphrase, keyfiles, and triple-cascading (AES-Twofish-Serpent) algorithms with Whirlpool as the hash. For added insanity lock down the OS first, and then run another OS in a hidden TrueCrypt volume. Using a non-standard file system will also help (a la no NTFS / EXT4 etc.) Then if you need to destroy the data physically by destroying the platters (like with a drill press) after running DBAN. Using a locked tower and a USB network adapter and damaging the physical adapter on the motherboard would make it easy to remove the PC from the network and prevent network cold boot attacks. Physically damaging all but one of the USB ports would also help to slow down someone working on a cold boot network attack. Obv locking down the bios and soldering / securing the bios battery to the motherboard will also help.

    I’m an IT student working toward a Master’s degree with a focus in security ^_^ One of the tasks we had to do was come up with a worst case scenario when attempting to recover data, and that’s what I came up with.

  20. Zaiwah

    Thank you. Thz

  21. WeeWilly

    Sorry people I can think of a much faster and more secure way than any said so far. I’m surprised it was never mentioned. It does require little effort in equipment and labour, but it has the benefit of doing a clean wipe in seconds without spending a lot of computer time on downloads and running programs to wipe a drive. It has the added benefit of doing many drives in very little time. The only disadvantage may be that the drive may never be used again.
    You simply construct a gauss coil design it to run on a regular 110 VAC potential without frying it and voilà you have destroyed and demagnetized your hard drive (or drives). Please send a thank you prayer to my old Polish teacher who thought of this (as he is no longer living to receive a message). He did this in my high school class to show students how to demagnetize a ferrous like metal object such as a screwdriver.
    You could run a DC current through the coil after to magnify it, not sure what the point would be? Other than to screw up whoever was trying to decode the drive?
    Please note I haven’t actually tried this but see no reason why it would not work thinking in terms of basic physics. Should any like to try this please let me know if it does not work?

  22. Bart

    Degausser or use DD (data destroyer) on linux

  23. Norlando Pobre

    Thanks for using my photo :)
    Good article!

    Cheers
    Norlando
