While it’s true that in computing nothing is ever deleted – it’s also true that computers today, particular modern OSes, have special features that prevent you from recovering deleted files, or at least makes it very very hard.

Generally a computer has a fixed amount of resources. RAM or hard-drive – it doesn’t matter. There’s X number of bits that can be turned on or off, all the time. All you can do is read and write those bits – they aren’t going away. It’s if you had a very large ruler, and you use colors or Xes to mark inches on the ruler. You can put Xes or remove them, but the ruler stays the same length, while you may have 0 Xes or nothing but Xes. It’s the same with your hard-drive. So deleting things in a computer is NOT a matter of using an eraser and losing the bits. It’s about changing the bits to indicate that it’s no longer there.

And that’s where computers cheat. Let’s say you have a very large PDF file with hundreds of pages in it. When such a large file is deleted, the computer does not overwrite every bit that the file is made of. Instead it changes the “index card” that’s used to know the file by name and where on the drive all the bits are. At the same time, a “this is free” index is changed to point to the blocks of bits that used to be part of the big PDF file, so another file can use that space.

Back in the simple DOS days, you actually only had to change a single character in the directory entry for the file to un-delete it. It meant DOS could very quickly delete files – it also meant it was very easy to un-delete them. It’s a bit more complicated today but the idea/concept is exactly the same.

To you, the user, if there’s nothing in the index – or something is marked as deleted in that index – you cannot see the file. But if you just deleted it and nothing else has needed the space, there’s a very good chance that the actual bits that are the content of that file are 100% intact and can be recovered. Over time, parts of the data can be used by other files and eventually it’s completely overwritten.

Old recovery tools are able to recognize file data in the vast number of “free” data on the disk – it guesses a bit, but many times it’s fairly reliable restoring images and documents; but in some cases some detective work is required.

What modern systems can do is to require all data of the file to be actually changed before it’s marked as deleted. For really high security it’s overwritten many times with different patterns. Back when everyone used magnetic plates to store data on, very sensitive equipment could measure “old values”, old magnetic signatures, from before the last write. So when you have secrets stored on the drive, even though you’d overwritten the whole disk bit for bit, it was technically still recoverable with the right equipment. That’s a bit different with the solid state disks and static RAM reality, but you still find systems that you can require to spend time on physically changing the bits that make up the data when deleting a file.

With disk encryption it’s even harder if you don’t have the key to unlock the disk – although still possible.