So I was enjoying some downtime for myself the other night, taking a nice warm bath and letting my mind wander, when I suddenly recalled a time when I worked at a research station and some idiot managed to somehow delete over 3000 Excel spreadsheets' worth of recently collected data. I was charged with recovering the data and scanning through everything to make sure it was OK and nothing deleted… must have spent nearly 2 weeks scanning through endless pages… and it just barely dawned on me to wonder… exactly… how the hell do data recovery tools collect “lost data”???
I get like a general idea of like how as long as like that “save location” isn't written over with new data, then technically that data is still… there???? I… that's as much as I understand.
Thanks much appreciated!
And for those wondering, it wasn't me. It was my first week on the job as the only SRA for that station, and the person charged with training me for the day… I literally watched him highlight all the data, right click, and click delete on the data and then ask “where’d it all go?!?”
While it’s true that in computing nothing is ever deleted – it’s also true that computers today, particularly modern OSes, have special features that prevent you from recovering deleted files, or at least make it very very hard.
Generally a computer has a fixed amount of resources. RAM or hard-drive – it doesn’t matter. There’s X number of bits that can be turned on or off, all the time. All you can do is read and write those bits – they aren’t going away. It’s as if you had a very large ruler, and you use colors or Xes to mark inches on the ruler. You can put Xes or remove them, but the ruler stays the same length, while you may have 0 Xes or nothing but Xes. It’s the same with your hard-drive. So deleting things in a computer is NOT a matter of using an eraser and losing the bits. It’s about changing the bits to indicate that it’s no longer there.
And that’s where computers cheat. Let’s say you have a very large PDF file with hundreds of pages in it. When such a large file is deleted, the computer does not overwrite every bit that the file is made of. Instead it changes the “index card” that’s used to know the file by name and where on the drive all the bits are. At the same time, a “this is free” index is changed to point to the blocks of bits that used to be part of the big PDF file, so another file can use that space.
Back in the simple DOS days, you actually only had to change a single character in the directory entry for the file to un-delete it. It meant DOS could very quickly delete files – it also meant it was very easy to un-delete them. It’s a bit more complicated today but the idea/concept is exactly the same.
To you, the user, if there’s nothing in the index – or something is marked as deleted in that index – you cannot see the file. But if you just deleted it and nothing else has needed the space, there’s a very good chance that the actual bits that are the content of that file are 100% intact and can be recovered. Over time, parts of the data can be used by other files and eventually it’s completely overwritten.
Old recovery tools are able to recognize file data in the vast amount of “free” data on the disk – they guess a bit, but many times they’re fairly reliable at restoring images and documents; but in some cases some detective work is required.
What modern systems can do is to require all data of the file to be actually changed before it’s marked as deleted. For really high security it’s overwritten many times with different patterns. Back when everyone used magnetic plates to store data on, very sensitive equipment could measure “old values”, old magnetic signatures, from before the last write. So when you have secrets stored on the drive, even though you’d overwritten the whole disk bit for bit, it was technically still recoverable with the right equipment. That’s a bit different with the solid state disks and static RAM reality, but you still find systems that you can require to spend time on physically changing the bits that make up the data when deleting a file.
With disk encryption it’s even harder if you don’t have the key to unlock the disk – although still possible.
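
The DOS-style delete and undelete described in the answer above, as an added example that is not part of the original post: it builds a tiny constructed FAT-like image (one directory sector plus one data cluster; the layout sizes, file name and contents are made up for illustration) and shows that deleting changes one byte of the directory entry while the file's data stays on the disk. It leaves out the allocation table, so recovery assumes the file was stored contiguously and its cluster has not been reused.

```python
import struct

CLUSTER = 512          # assumed cluster size for this constructed image
DELETED = 0xE5         # FAT marks a deleted directory entry with this first byte

def dir_entry(name, ext, first_cluster, size):
    """Build one 32-byte FAT16-style directory entry (8.3 name)."""
    raw = name.ljust(8).encode() + ext.ljust(3).encode()
    # attribute byte, 14 bytes of timestamps/reserved, first cluster, file size
    return raw + struct.pack("<B14xHI", 0x20, first_cluster, size)

def build_image():
    """Constructed sample: one directory sector followed by one data cluster."""
    content = b"station,temp_c\nA1,4.2\nA2,3.9\n"
    directory = dir_entry("READINGS", "CSV", 2, len(content)).ljust(CLUSTER, b"\0")
    data = content.ljust(CLUSTER, b"\0")    # cluster 2 is the first data cluster
    return bytearray(directory + data), content

def delete(image, index):
    """What a DOS-style delete does to the directory: overwrite one byte."""
    image[index * 32] = DELETED

def list_entries(image):
    """Yield (index, name, deleted, first_cluster, size) for each used slot."""
    for i in range(CLUSTER // 32):
        e = image[i * 32:(i + 1) * 32]
        if e[0] == 0x00:                    # 0x00 means no further entries
            break
        cluster, size = struct.unpack_from("<HI", e, 26)
        first = "?" if e[0] == DELETED else chr(e[0])   # first letter is lost
        name = first + e[1:8].decode().rstrip() + "." + e[8:11].decode().rstrip()
        yield i, name, e[0] == DELETED, cluster, size

def undelete(image, index, first_char):
    """Restore the name byte and read the data, assuming it is contiguous
    and no other file has reused the cluster since deletion."""
    _, _, deleted, cluster, size = list(list_entries(image))[index]
    if not deleted:
        raise ValueError("entry is not marked deleted")
    image[index * 32] = ord(first_char)
    start = CLUSTER + (cluster - 2) * CLUSTER   # data area follows the directory
    return bytes(image[start:start + size])

if __name__ == "__main__":
    image, _ = build_image()
    delete(image, 0)
    print(list(list_entries(image)))        # entry still lists cluster and size
    print(undelete(image, 0, "R"))          # original bytes come back intact
```
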