So I was enjoying some down time for myself the other night, taking a nice warm bath and letting my mind wander, when I suddenly recalled a time when I worked at a research station and some idiot managed to somehow delete over 3000 Excel spreadsheets worth of recently collected data. I was charged with recovering the data and scanning through everything to make sure it was ok and nothing deleted…must have spent nearly 2 weeks scanning through endless pages…and it just barely dawned on me to wonder…exactly…how the hell do data recovery tools collect “lost data”???
I get like a general idea of like how as long as like that “save location” isn't written over with new data, then technically that data is still…there???? I…that's as much as I understand.
Thanks much appreciated!
And for those wondering, it wasn't me, it was my first week on the job as the only SRA for that station and the person charged with training me for the day…I literally watched him highlight all the data, right click, and click delete on the data and then ask “where’d it all go?!?”
Think of files like patterns on a zen garden (sand designs). Every new file and information is represented by different patterns on the sand. The files you want to keep hold their pattern.
A zen garden doesn't have infinite space, so maybe you now need to delete some patterns to make space. The way that these patterns (files) are deleted is by designating their space as retraceable. So instead of wiping the pattern flat, you can draw a new pattern right over the old pattern.
So if you delete a file, its pattern still might be on the zen garden if no new pattern was re-traced over it.
Your computer has a list of all the files on it so that it easily knows where to find them.
It’s called an index. Much like the index page of a book.
When you delete something, it’s simply removed from the index. This is the quickest method because you don’t need to actually delete any data.
Data recovery tools will scan the drive looking for files that are there but no longer in the index, then if found intact will simply take a copy or put it back into the index so you can see it.
There are limitations because generally when something is removed from the index then it will eventually be overwritten when you download something new, but that might not happen right away.
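The scan described in the answer above, as an added example that is not part of the original thread: a signature carver run over a constructed toy disk image. The block size, file names and contents are assumptions made for illustration.

```python
BLOCK = 16                                  # toy block size; real disks use 512+ bytes
PDF_START, PDF_END = b"%PDF-", b"%%EOF"     # header and trailer markers of a PDF

def build_image():
    """Constructed sample disk: one indexed file plus one deleted PDF."""
    img = bytearray(BLOCK * 8)
    live = b"live notes file"
    deleted = b"%PDF-1.4 station readings 2019 %%EOF"
    img[0:len(live)] = live
    img[3 * BLOCK:3 * BLOCK + len(deleted)] = deleted
    index = {"notes.txt": (0, len(live))}   # the deleted PDF has no index entry
    return img, index

def carve(img, index):
    """Return (offset, data, intact) for PDF signatures the index does not cover."""
    indexed = {o for start, size in index.values() for o in range(start, start + size)}
    hits, pos = [], img.find(PDF_START)
    while pos != -1:
        end = img.find(PDF_END, pos)
        intact = end != -1                  # is the trailer still present?
        stop = end + len(PDF_END) if intact else pos + BLOCK
        if pos not in indexed:
            hits.append((pos, bytes(img[pos:stop]), intact))
        pos = img.find(PDF_START, stop)
    return hits

if __name__ == "__main__":
    img, index = build_image()
    print(carve(img, index))                # the whole deleted file comes back
    img[80:88] = b"NEWDATA!"                # a new file reuses part of the free space
    print(carve(img, index))                # header found, trailer gone
```

Once the new data lands on the tail of the deleted file, the carver still finds the header but can only return a fragment flagged as not intact.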
Normal deletion means the OS marks the hard drive space as free, but doesn’t actually remove stuff until something overrides it. So it lives there.
Then there is the more crazy stuff where certain drives basically use magnets to put memory in a certain state (higher capacity HDDs are a good example of this), so you could overwrite the memory which for most people is good enough, but someone with special tools can basically still look at how magnetized a bit was to try and figure out its old state. Basically the protocol to protect this is you need to overwrite multiple times to make this very hard, but best practice for organizations that can’t afford a leak ever is super strong magnet (way stronger than the HDD would use), then physical destruction of the drive. For normal people get software to wipe it properly aka overwrite the data, no one is realistically going to spend the time to try and recover your memes with the equipment needed to do this.
While it’s true that in computing nothing is ever deleted – it’s also true that computers today, particularly modern OSes, have special features that prevent you from recovering deleted files, or at least make it very very hard.
Generally a computer has a fixed amount of resources. RAM or hard-drive – it doesn’t matter. There’s X number of bits that can be turned on or off, all the time. All you can do is read and write those bits – they aren’t going away. It’s as if you had a very large ruler, and you use colors or Xes to mark inches on the ruler. You can put Xes or remove them, but the ruler stays the same length, while you may have 0 Xes or nothing but Xes. It’s the same with your hard-drive. So deleting things in a computer is NOT a matter of using an eraser and losing the bits. It’s about changing the bits to indicate that it’s no longer there.
And that’s where computers cheat. Let’s say you have a very large PDF file with hundreds of pages in it. When such a large file is deleted, the computer does not overwrite every bit that the file is made of. Instead it changes the “index card” that’s used to know the file by name and where on the drive all the bits are. At the same time, a “this is free” index is changed to point to the blocks of bits that used to be part of the big PDF file, so another file can use that space.
Back in the simple DOS days, you actually only had to change a single character in the directory entry for the file to un-delete it. It meant DOS could very quickly delete files – it also meant it was very easy to un-delete them. It’s a bit more complicated today but the idea/concept is exactly the same.
To you, the user, if there’s nothing in the index – or something is marked as deleted in that index – you cannot see the file. But if you just deleted it and nothing else has needed the space, there’s a very good chance that the actual bits that are the content of that file are 100% intact and can be recovered. Over time, parts of the data can be used by other files and eventually it’s completely overwritten.
Old recovery tools are able to recognize file data in the vast number of “free” data on the disk – it guesses a bit, but many times it’s fairly reliable restoring images and documents; but in some cases some detective work is required.
What modern systems can do is to require all data of the file to be actually changed before it’s marked as deleted. For really high security it’s overwritten many times with different patterns. Back when everyone used magnetic plates to store data on, very sensitive equipment could measure “old values”, old magnetic signatures, from before the last write. So when you have secrets stored on the drive, even though you’d overwritten the whole disk bit for bit, it was technically still recoverable with the right equipment. That’s a bit different with the solid state disks and static RAM reality, but you still find systems that you can require to spend time on physically changing the bits that make up the data when deleting a file.
With disk encryption it’s even harder if you don’t have the key to unlock the disk – although still possible.
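The DOS-style delete and un-delete described in the answer above, as an added example that is not part of the original thread. `ToyFat` and its method names are hypothetical, and the model is simplified to contiguous files; the 0xE5 first-byte marker is the one FAT uses for deleted directory entries.

```python
DELETED = 0xE5   # FAT marks a deleted entry by putting this byte first in its name
CLUSTER = 8      # toy cluster size in bytes

class ToyFat:
    """Simplified FAT-like volume (hypothetical model, contiguous files only)."""
    def __init__(self, clusters=8):
        self.data = bytearray(CLUSTER * clusters)
        self.used = [False] * clusters   # stands in for the allocation table
        self.entries = []                # directory: [name, start_cluster, size]

    def _span(self, size):
        return -(-size // CLUSTER)       # clusters needed, rounded up

    def write(self, name, content):
        n = self._span(len(content))
        start = next(i for i in range(len(self.used) - n + 1)
                     if not any(self.used[i:i + n]))      # first free run
        self.data[start * CLUSTER:start * CLUSTER + len(content)] = content
        self.used[start:start + n] = [True] * n
        self.entries.append([bytearray(name), start, len(content)])

    def delete(self, name):
        for entry in self.entries:
            if bytes(entry[0]) == name:
                entry[0][0] = DELETED                     # one byte changes
                n = self._span(entry[2])
                self.used[entry[1]:entry[1] + n] = [False] * n
                # self.data is not touched: the content stays on "disk"

    def undelete_candidates(self, first_char):
        """Return (name, content, clusters_still_free) for deleted entries."""
        out = []
        for name, start, size in self.entries:
            if name[0] == DELETED:
                n = self._span(size)
                content = bytes(self.data[start * CLUSTER:start * CLUSTER + size])
                free = not any(self.used[start:start + n])
                out.append((first_char + bytes(name[1:]), content, free))
        return out

if __name__ == "__main__":
    fs = ToyFat()
    fs.write(b"DATA.XLS", b"temp=21.5;ph=7.1")            # constructed sample content
    fs.delete(b"DATA.XLS")
    print(fs.undelete_candidates(b"D"))                   # intact, clusters still free
    fs.write(b"NEW.BIN", b"XXXXXXXXXX")                   # reuses the freed clusters
    print(fs.undelete_candidates(b"D"))                   # content now partly overwritten
```

The caller has to supply the first character of the name because the marker byte replaced it; the `clusters_still_free` flag is the check that tells a recovery tool whether the bytes it read still belong to the deleted file.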
A computer file is like a library. The building is the hard drive. It can fill up. The books are the files and placed neatly on shelves. Some books have multiple volumes like an encyclopedia. Somewhere there is an index of all the books in the library. Let's assume that is a card catalogue index. The hard drive keeps the index, and relies on it to know what shelves have active books. When you delete a file, you are deleting the card in the card index. So the book is still on the shelf. But every once in a while the librarian will clean out books that are not in the index to clear up shelf space. So a deletion just removes the index and not the contents.
Files cannot be truly deleted, only overwritten. It’s more accurate to say that a hard drive cannot truly be empty, it has to always have some data. Free space in a disc is simply data you’re allowed to overwrite with other data. When you delete a file, all you’re doing is deleting the path to that data, which basically means that you’re giving the system permission to overwrite that data.
This is why the most critical aspect of data recovery is time. The longer a computer operates after the data is deleted, the more corrupted they become and ultimately fully disappear as they’ve been completely replaced. If you delete something critical and immediately start recovery you will recover it intact.
Let’s say you have a fridge with a bunch of food in it. On the door of the fridge is a written list of everything inside and on what shelf it’s on. When you want to ‘delete’ something from the fridge, you can just erase it from the list without actually removing the food. If you need to add more food to the fridge, you can remove anything that isn’t on the list to make room for the new food. After it is removed from the list, but before it is actually removed from the fridge, you can still open the fridge and see what’s there.
Until the part of the drive is actually overwritten the time is still there, just the navigation path the OS uses to get there is gone.
Think like if you have a huge block of land with your house hidden by trees. Then deleting your driveway but leaving your house there. People won't be able to find your house but it's still there until you demolish it and rebuild a new house.
Imagine a library with a bunch of books and a catalogue telling where all the books are located in the library. When you delete a file, only the book's entry in the catalog is deleted. The book is still sitting on the shelf until the library buys another book and replaces the actual “deleted” book.
It’s a little more complicated than that because chapters of the book are stored in different parts of library and the catalog tells where all the chapters are stored. Sometimes if you wait too long before trying to recover your deleted file one chapter of your book is overwritten and then your entire file doesn’t make sense anymore.
Permanently deleted means “we no longer promise that you can get it”. It does not mean “we promise that you can not get it back.”
If you toss something in the recycle bin in the kitchen, it’s probably still there if you change your mind. Once you take it outside and put it on the curb, you no longer have a promise. But if you really want it back, you can dig through and it might still be there and intact.