Updated: Jul 16, 2020
Of course you can search for them in trash or recycle bin, and perhaps even restore the files. When you first delete a file, the respective file is moved to the trash directory or recycle bin (in case of Windows) or something similar depending on your operating system. The files in the Recycle Bin still occupy disk space. They continue to stay in this directory and occupy the disk space until you empty the trash or delete the file permanently.
“Permanently?” Is permanently deleted data ever gone from your device?
A common misconception is that deleted files are completely removed from the hard drive and that they’re never recoverable. But let’s first closely see how the deletion process works internally.
In common file systems, when deletion occurs, information that points to the file location being deleted is erased. The operating system uses pointers to build directory tree structure, consisting of pointers for every other file on the hard drive (at least in the case of FAT file system). When this pointer is erased, the file is no longer accessible by the operating system. However, the file content or data remains intact in the drive.
To be more specific, when a file is deleted, the data blocks containing the data of this file are marked unallocated for further use. The data remains in these unallocated spaces until a new file uses the same location. The fact that these files are still present in the drive means that they can be possibly recovered and nothing is ever deleted. And what are the odds that in an entire disk the next allocation would take place in these same blocks. In fact, searching for unallocated spaces differs in different operating systems.
As mentioned above, the deleted files are present but essentially invisible to the operating system. The OS will see it as an empty space. Different file systems use slight variations of the same technique where data block locations are unlinked in an attempt to make the file location inaccessible.
With an appropriate software designed to rebuild the file header and allow the computer to see the file again, it is relatively easy to recover deleted files. Some of the freely available data recovery softwares are listed below.
Software Operating System/File System Compatibility
Stellar Data Recovery - NTFS, FAT16, FAT32, exFAT
- Macintosh (macOS) supported APFS, HFS, HFS+
- Linux supported Ext4, Ext3, & Ext2
FTK Imager - Windows primarily
We used the Stellar Data Recovery tool on an APFS (Apple File System) formatted pendrive, which initially contained FAT file system. Stellar Data Recovery tool recovers Mac files losdue to emptied Trash, permanent deletion & formatting.
To our surprise, we found almost everything that was ever stored in the pendrive. The tool can recover volumes from the disk and in our case it recovered 5 volumes. The first 2 volumes had FAT file system and the next 3 volumes contained APFS. Now the question is, why did it find so many volumes of the same size (roughly 983.96MB).
We had formatted and erased the pendrive several times which led to the creation of “lost volumes”. The previously existing file system structure and data before formatting was recovered by the tool in the form of lost volumes.
And not only did it contain recently deleted files, we recovered images, documents, audio and videos files which were once there in the pendrive almost 3-4 years ago.
Most of these recovery tools do a raw analysis on the disk, which means it reads the disk sector by sector, and sometimes also reconstructs the file from the information stored in metadata(inode) and data blocks.
This made us very curious to find out if we could delete any file permanently such that it’s not recoverable in any circumstances. So how do we securely delete sensitive or confidential data such that tools like Stellar are not able to recover them?
One common way to delete data permanently is to overwrite the disk either with random data or no-ops instruction such as sequences of 0’s and 1’s. We wrote a python script to overwrite files with random hexadecimal data and 0’s (zeroes) before they were deleted.
As you can see in the above screenshots that the first file was overwritten with 0’s and the second file was overwritten with random data before it was deleted.
We used stellar data recovery tool again to see if we could recover these files.
Even though we were able to recover these files (in terms of the structure and file name), the data inside the files was of no use as it was overwritten.
The secure deletion method described above was on a file level. To completely erase the disk, one can use disk level deletion technique and delete all the sectors in the partition by overwriting it with hexadecimal/binary data directly.
-Skanda C S