How are data/files recoverable off of a computer after they have been “deleted?” Is this just Hollywood trickery?



Fantastic answers, thanks all for the insight!


When you delete something, the operating system marks it to be overwritten on the hard drive and hides it from being seen or accessed. If it never gets overwritten, then special software can go in and unmark it and allow it to show up again. Deleting something by overwriting the bits with ones or zeroes is called “wiping” the information and is done with sensitive or classified material.

When a file is deleted off of the computer hard drive, most times all that is happening is that the title of the file and its location on the disk are erased from the File Allocation Table. The file itself still resides on the disk and can be recovered with the right software. This is why the Department of Defense recommends that you wipe the drive completely three times in order to destroy any and all information that is on it before donating, or even destroy the disk completely to prevent the information from ending up in the wrong hands.
Edit to add: DOD Specs 5220.22-M specifies that you should write a random character in every space on the drive 3 times to assure that it is not recoverable. I worked in the Justice Department and we would wipe all drives three times random and then one MORE time with all zeros as some software would view ‘random’ as ‘not wiped.’ All zeros in every space took care of this bit.

For mechanical hard drives, to save time, instead of writing zeroes or random data on top of an existing file, typically just the reference in what essentially is a giant table of contents is erased. To the OS, this results in the same effect: that space now contains no data of any importance and is available for future use.

However, unless something else is written to that space, the physical location on the disc surface where that file formerly resided will contain the data that previously was that file. Software tools can instruct a drive to go to that specific location and read what’s there even if the OS thinks there’s nothing of importance, and the previous file can be recovered if it is still there.

For an analogy, think of just erasing a single line out of the table of contents of a notebook, instead of also going to that specific page and erasing the data itself.

Imagine your hard drive as a big notebook. When you want to write something, your operating system finds either a blank page or one that has junk it can erase and writes the data there. But in order to find that file later, it needs to write a “table of contents”, a list of each file with the page number it belongs on. When you go and delete a file, your OS is lazy and just erases the filename from that table of contents. That means that the data’s still written in the book, the OS just doesn’t know where. So data recovery folks will just ignore the table of contents and go look through the pages one by one till they find the data they want to recover.

There are also ways to recover data even if you told the OS to go erase the actual data, very similarly to how using an eraser on pencil still leaves indentations and smudges where the writing was.

When you delete a file, all you’re really doing is saying “this isn’t needed, it’s OK to overwrite” but that doesn’t mean it immediately is reused. Think of it like checking out of a hotel room. Your key no longer works, but the room remains as you left it until housekeeping needs the room and makes it up again.

Usually, when a file gets deleted, the only thing the computer does is it throws a tarp over the data and hangs a sign on it saying “VACANT”. All the data is still there. This is why deleting even really huge files is basically instant, because nothing actually got deleted, it just got flagged as vacant space.

When you use programs that inspect your computer’s storage, they have to trust the operating system to tell them which files are actually there or not. When the OS sees the “VACANT” sign, it skips it over and reports no files there to programs. If a program wants to write new data there, the OS will happily write new data completely over the old stuff as if it wasn’t even there.

There are special programs that don’t go through the operating system’s normal channels and check the storage directly themselves. They see the “VACANT” sign and instead of pretending there are no files there, they cast off the tarp and find all the old data.

If you want to truly delete a file, you have to tell the operating system to not only mark the data as vacant, but to write new data over top of all the old stuff. Manually erase it. You can write whatever you want, but customarily one would write a bunch of binary zeroes over the old data. Doing this is often referred to as “zeroing” the drive.

In some cases even this doesn’t fully delete the data, though. On spinning hard disk drives, the platters that store the data store it as tiny magnetic charges all next to one another. Writing new data on the disk over top of old data in theory should flip the charges around perfectly, but it’s not always so perfect. A shadow of the old data can be found on the old drive if you inspect it with very special tools. This technique can be used to recover data from platters that have even been zeroed out the long way.

One also has to be worried about so-called “bad sectors”. That is, chunks of the disk are reported to the computer as corrupted, failed, or damaged, rendering them inaccessible by normal means. Any data that is in a sector that goes bad will basically stay there (assuming it isn’t damaged by whatever caused the sector to fail). Special tools can scan these failed sectors and recover data left on these too.

If you want to defeat these kinds of data necromancy from ever bringing your data back, you may want to zero-out up to a dozen times in a row or more. Or you can just straight up physically shred your drive platters into bits or destroy it by other means. Completely destroying the physical disk is the only way to ensure beyond any doubt that the data is truly gone. It’s just more time consuming to do, especially at the scale of a large office that could be dumping hundreds of these things all at once, so it rarely gets done.

So no, this isn’t entirely Hollywood trickery. If it’s the first kind of deleted data I mentioned, this is something you can easily do at home with some readily available software. The other, more specific kind of data recovery is also possible, but I understand it is very expensive and doesn’t always work. The exact nature of the recovery might be embellished for a show narrative, as all things often are, but it is rooted in some reality.

They are not really deleted but more like marked as “okay to overwrite” – so when you delete all your stuff and your computer looks like brand new with nothing installed, you can recover the files because there was nothing to overwrite them. But if you delete everything and fill your computer with a lot of everything new, it will overwrite the old places with new information. Just like you had a notebook and were writing in pencil. When you erase everything you have written in your notebook, you will probably still have some traces visible and be able to write the exact thing again just going on these traces. But erase and write something over it again, and it will be unreadable.
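A small simulation of the “table of contents” model the answers above describe, added here as an illustration and not taken from any of the posts: an ordinary delete only drops the table entry, a raw scan of the blocks still finds the bytes, a later write reuses some of the space, and only zeroing the vacant blocks (followed by a check that they really are all zeros, as the Justice Department answer does) leaves nothing to recover. The disk, block size, file names and contents are all constructed; real filesystems and SSDs differ in detail.

```python
"""Toy disk: a block store plus an allocation table. Constructed for
illustration; real filesystems (FAT, NTFS, ext4) and SSDs differ."""

BLOCK = 16  # bytes per block (constructed, unrealistically small)


class ToyDisk:
    def __init__(self, nblocks=8):
        self.blocks = [bytearray(BLOCK) for _ in range(nblocks)]
        self.table = {}                    # filename -> list of block indices
        self.free = set(range(nblocks))    # blocks the OS considers vacant

    def write(self, name, data):
        chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
        used = []
        for chunk in chunks:
            idx = min(self.free)           # lowest vacant block is reused first
            self.free.remove(idx)
            self.blocks[idx][:] = chunk.ljust(BLOCK, b"\x00")
            used.append(idx)
        self.table[name] = used

    def delete(self, name):
        """Ordinary delete: drop the table entry and mark blocks vacant; data untouched."""
        self.free.update(self.table.pop(name))

    def carve(self, marker):
        """Recovery-tool view: ignore the table and scan every raw block for a marker."""
        return [i for i, blk in enumerate(self.blocks) if marker in blk]

    def zero_free(self):
        """'Zeroing': overwrite every vacant block with 0x00 bytes."""
        for i in self.free:
            self.blocks[i][:] = bytes(BLOCK)

    def unwiped_free(self):
        """Post-wipe check: vacant blocks that still hold any non-zero byte."""
        return sorted(i for i in self.free if any(self.blocks[i]))


def demo():
    d = ToyDisk()
    d.write("secret.txt", b"SECRET: payroll Q3 figures")   # spans blocks 0 and 1
    d.delete("secret.txt")
    after_delete = d.carve(b"SECRET")                       # [0]: bytes survive the delete
    d.write("notes.txt", b"hello")                          # reuses block 0 only
    after_reuse = (d.carve(b"SECRET"), d.carve(b"figures"))  # ([], [1]): half still there
    d.zero_free()
    return after_delete, after_reuse, d.carve(b"figures"), d.unwiped_free()
```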