This is a guest post series written by Elena Pakhomova, Marketing and Development for the data recovery software company www.ReclaiMe.com.
There are three articles to this series that examines the method(s) of deletion at the user-level, at the operating system level, and at the hardware level. Please visit again to capture the rest of the story…
In light of recent high profile espionage events, subject of personal data protection has become very popular. In this article I will try to shed light on the subject of data deletion and answer the question how does one delete the data so that even the FBI fails to restore it.
There are three parts involved in data management on every device, be it a PC, phone, or some other gadget.
User who creates content, manages it, and finally deletes it. – (SEE ARTICLE #1)
Operating system or more specifically a certain component of operating system called filesystem, which based on user commands stores, deletes, and performs other operations with data on the logical disk level. - (SEE ARTICLE #2)
Hardware – hard disk or other physical device which is responsible for storing data at the lowest level of electromagnetic fields and electric charge. (SEE ARTICLE #3)
The behavior of each of the above parts determines how data is being deleted on a particular device and therefore what are the chances to restore it.
Data Deletion In Different Operating Systems
Each operating system stores user data in a specific way. A method of data organization is called filesystem. Each filesystem, in turn, stores and deletes data differently. However, for many filesystems the following principle is true – if you actively use the disk to write new files after the deletion the chance to recover the deleted files decreases.
Microsoft has developed not so many filesystems, the most famous being FAT, NTFS, and ReFS. NTFS is the most “recoverable” filesystem meaning that if you delete a file from an NTFS volume and then do not write new data to the volume you have a great chance to recover the deleted data. As for FAT filesystem, only non-fragmented files can be recovered (typically these are small files).
ReFS is a comparatively young filesystem (about a year old); however, our research revealed that ReFS is about the same as NTFS in terms of recoverability.
Most well known Linux filesystems are ext2/3/4. Only with ext2 filesystem you have some chance to recover deleted data. Due to specifics of storing data on ext3 and ext4, the probability to get the deleted data in acceptable condition is very small. Surely, searching the disk directly for fragments of certain files can bring some result but it’s impossible to recover the deleted data in original state as it was on the disk before deletion. If you know what you are after, you can detect data traces; get the data as it was before deletion is impossible.
Apple Mac OS uses HFS and HFS+ filesystems. A file deletion in these filesystems as usual boils down to the deletion of information about where file content is located on the disk, rather than actual deletion of file content. Technicalities of these filesystems make it impossible to predict in advance whether data is deleted immediately or the filesystem postpones the deletion for some time. Anyway, deleted file contents on the disk will not be actually erased until the filesystem needs the place occupied by these files to write new data.
Thank You to Elena Pakhomova, Marketing and Development for the data recovery software company www.ReclaiMe.com for this GREAT ARTICLE!