We now understand that files are stored physically in the hard drive in the form of 0s and 1s. They are located physically on a hard-disk. So, what happens when you delete a file? Does the file get deleted physically from the hard-disk? If not, then how to securely delete data?
Usually deleting a file moves that file to the Recycle/Trash Bin which is just a different folder location where files are stored indefinitely. Files in the recycle bin can be recovered and restored by just click of the mouse. Deleting a file from the recycle bin too or just Shift+Deleting the file (i.e. deleting it permanently) does not actually delete it from the hard-disk.
The data on hard-disk cannot be deleted, it can only be changed or overwritten. On storage drives like hard-disk, the bits of data that make documents or pictures or videos are scattered on the drive. Thus, the operating system uses something known as index to find those pieces of information on the disk (in NTFS or New Technology File System it is called Master File Table). Deleting a file only removes the master file table or the index which points to the pieces that makes up that file and registers the space that it used to take up as empty. This gives the operating system permission to overwrite the previous bits if needed. Thus, deleting the file from your operating system does not delete the data from the hard-disk physically.
As mentioned previously, the operating system can overwrite any previous such data which has been marked as deleted, and if it has been overwritten, it cannot be recovered. But if the file has been deleted and the data has not been overwritten by the operating system yet, it can be recovered by data recovery tools which look for such data on hard disks for which there is no entry on the file index or master file table.
Thus, if someone needs to completely remove a file they need to follow one of these steps:
- Data wiping: Data wiping tools usually delete the data on the disk and overwrite the disk with random bits of data many times which makes it impossible to get back the original data that has been destroyed. There is a very good tool for that purpose called DBAN or Darik’s Boot and Nuke, which either wipes the drive or it has another option where after wiping it sets all the bits of the hard drive to 0 (zero).
- Physical destruction of the Drive: Physically destroying a drive is the most effective way to get rid of the data. But in embedded systems there is a thing called JTag, which can have some metadata, so the destruction of the drive should be done properly. Just destroying the platters (in case of HDD) or the embedded memory chips (in SSDs) can still lead to some amount of information from its JTag.
For Wikipedia entry on Data Erasure, click here.
For more posts on Cybersecurity, click here.
For more posts in The Cyber Cops project, click here.