How are “permanently deleted” files in a computer still accessible by data recovery tools?


So I was enjoying some down time for myself the other night, taking a nice warm bath and letting my mind wander, when I suddenly recalled a time when I worked at a research station and some idiot managed to somehow delete over 3000 Excel spreadsheets worth of recently collected data. I was charged with recovering the data and scanning through everything to make sure it was OK and nothing deleted… must have spent nearly 2 weeks scanning through endless pages… and it just barely dawned on me to wonder… exactly… how the hell do data recovery tools collect “lost data”???

I get like a general idea of like how, as long as like that “save location” isn’t written over with new data, then technically that data is still… there???? I… that’s as much as I understand.

Thanks, much appreciated!

And for those wondering, it wasn’t me; it was my first week on the job as the only SRA for that station, and the person charged with training me for the day… I literally watched him highlight all the data, right click, and click delete on the data and then ask “where’d it all go?!?”


35 Answers

Anonymous

Your storage medium (drive) has parts called sectors. These act as little boxes. The sectors are a particular size based on how the drive is formatted (think of this like how you write your papers, with font and such). That’s going to be between 512 bytes and 4 KB. Bigger drives tend to have larger boxes (sectors).

Files have a particular size. If they take up exactly the same size as a sector, no space other than a single sector is used. If it’s smaller than a sector, exactly 1 sector will be used anyway. There are ways to get data to share sectors, which is what compression does.

Every sector is marked in a list telling the machine where the files are, physically. Every part is listed. When your system wants a file, it consults that list. It goes out and gets all of the parts. On SSDs this is pretty fast, but a hard drive will have to physically move to get them. This is slow. Defragging makes this faster by putting the parts together. They’ll be physically next to each other. SSDs do not need to be defragged.

When you delete a file, the parts aren’t erased. That would take FOREVER. Instead, the parts on the file list are marked as “deleted”. The actual data is still there. They’re less accessible, but physically remain. When any new files or other data are written, they can be written in this full, but accessible area. It’ll overwrite the data there.

If not all of the data is overwritten, it’s still recoverable. Not all of it, mind, but enough that it might not matter. The file names are often lost, though. Those aren’t stored in the data, but the file list. Since that’s deleted, you’ll need to name the files found.

In the event the drive itself fails, pretty much all of the data is there, you just can’t get to it. It depends on how the drive fails. A crash is usually catastrophic. That’s when the read-head physically touches the disc. It destroys the disc surface, rendering most, if not all, of the data physically gone. It’s pretty much the worst-case scenario.

An SSD can also fail catastrophically in a few ways, but mostly it just can’t access the data. The chips that actually store the data may be saveable. This doesn’t always work – some come encrypted.

Some hard drives lose their controller. This is usually recoverable, but not easily. The controller is the hardware on the drive that tells the system and the drive how to talk. Just swapping this out for a working one can fix it…but not always.

Basically, data isn’t usually gone when you delete it. There are programs that will go through your drive and just write 0’s on the deleted portions. If you do enough passes this will generally render it effectively deleted. Or you can just encrypt your drive and require a password to unlock it. This comes at a performance cost, but if you’re concerned about security, it works really well. It’s nearly impossible to break it. I mean that. It would take about a million years of brute force hacking to get through. Faster computers reduce this time to a few hundred thousand years.

Guessing the password usually takes less time. Merely decades.
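An added example (not part of the original answer or the site): a minimal file carver run over a constructed in-memory disk image, showing how a recovery tool finds spreadsheet data once the file list entry is gone, why the outer file name is lost, and why overwritten sectors are not recoverable. The 512-byte sector size, the helper names and the sample files are assumptions made for the illustration; .xlsx files are ZIP containers, so the carver looks for ZIP structures.

```python
import io, struct, zipfile

SECTOR = 512  # sector size assumed for this constructed image

def make_zip(member, payload):
    """Build a ZIP in memory; .xlsx spreadsheets are ZIP containers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr(member, payload)
    return buf.getvalue()

def build_image(files):
    """Lay files out sector-aligned; return (raw bytes, file list name -> (sector, length))."""
    raw, table = bytearray(), {}
    for name, data in files.items():
        table[name] = (len(raw) // SECTOR, len(data))
        raw += data.ljust(-(-len(data) // SECTOR) * SECTOR, b"\0")  # pad to whole sectors
    return raw, table

def overwrite(raw, sector, count):
    """New data (zeros here) landing on freed sectors destroys what was there."""
    raw[sector * SECTOR:(sector + count) * SECTOR] = bytes(count * SECTOR)

def carve_zips(raw):
    """Recover ZIPs without the file list: header at a sector start, then a matching end record."""
    found = []
    for off in range(0, len(raw), SECTOR):
        if raw[off:off + 4] != b"PK\x03\x04":
            continue
        eocd = raw.find(b"PK\x05\x06", off)
        if eocd < 0 or eocd + 22 > len(raw):
            continue
        cd_size, cd_off, comment = struct.unpack_from("<IIH", raw, eocd + 12)
        if off + cd_off + cd_size != eocd:
            continue  # end record belongs to a different file: this one is damaged
        blob = bytes(raw[off:eocd + 22 + comment])
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as z:
                if z.testzip() is None:  # CRC check of every member
                    found.append((off // SECTOR, z.namelist()))
        except zipfile.BadZipFile:
            pass
    return found

if __name__ == "__main__":  # constructed sample data
    raw, table = build_image({"a.xlsx": make_zip("sheet1.xml", b"x" * 900)})
    table.clear()  # "delete": only the file list changes, the sectors are untouched
    print(carve_zips(raw))  # found by sector number; the name "a.xlsx" is gone
```

The carver returns only a start sector and the member names stored inside the container, because the outer file name lived in the file list that was cleared.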
