This is a guest post series written by Elena Pakhomova, Marketing and Development for the data recovery software company www.ReclaiMe.com.
There are three articles to this series that examines the method(s) of deletion at the user-level, at the operating system level, and at the hardware level. Please visit again to capture the rest of the story…
In light of recent high profile espionage events, subject of personal data protection has become very popular. In this article I will try to shed light on the subject of data deletion and answer the question how does one delete the data so that even the FBI fails to restore it.
There are three parts involved in data management on every device, be it a PC, phone, or some other gadget.
User who creates content, manages it, and finally deletes it. – (SEE ARTICLE #1)
Operating system or more specifically a certain component of operating system called filesystem, which based on user commands stores, deletes, and performs other operations with data on the logical disk level. – (SEE ARTICLE #2)
Hardware – hard disk or other physical device which is responsible for storing data at the lowest level of electromagnetic fields and electric charge.
The behavior of each of the above parts determines how data is being deleted on a particular device and therefore what are the chances to restore it.
Deletion At Hardware Level
At the moment, there are two types of data storage devices differing in how writing, storing, and deleting data on them are implemented.
Rotational hard drives
This group includes familiar to all of us hard drives of various form-factors, vendors, and characteristics. The information on such drives is stored in magnetization which upon read request is transformed into set of bits (basic information units). Magnetized spot of the disk surface is read as 1, while non-magnetized spot produces 0. Although due to the specifics of disk magnetic head, new write does not always destroy the previous data completely, practically it is impossible to recover overwritten data from the modern high density hard drives1.
Thus, if data was overwritten at least once, data recovery for all practical purposes is not possible.
Flash-memory based devices
This group includes the data storage devices based on flash memory – memory cards, USB thumb drives, and solid sate drives (SSD).
Writing, storing, and deleting data on such devices differ from the same processes in the regular hard drives. First, data is stored in the bits as well but now 1 and 0 are the result of voltage in cells rather than magnetization of the surface in a regular hard drive. Unlike the magnetized surface, electronic cells retain no memory of the previous state of each individual bit. This means it is physically impossible to know what data was in particular place earlier.
One more SSD quirk is that new data can be written only to cells zero-filled beforehand. This led to creation of TRIM command which cleans the cells containing unnecessary data when SSD is idle. In case of a typical hard drive, if you do not use the drive for writing new data, most likely your deleted data is still on it. For SSD this trick won’t work because even if you do not use SSD, TRIM process deletes all traces of previous data at the first opportunity. This means that for SSD data recovery is typically useless, although each case has to be considered individually.
As you can see in order to delete files so that even the FBI cannot extract them, it is not enough just to press the “Delete” button. You need to know the specifics of your data storage device such as host operating system (filesystem type as well), what type of the device you deal with – hard drive or SSD, and so on.
Anyway the simplest way to check presence of the deleted data on the disk is to launch any data recovery software and see whether it finds data. You can use different tools and even paid tools (which in practice are more powerful) since in data recovery field demo versions of software fully discover data and often allow either to preview it or to save a small sample.
1. Wright, Craig; Kleiman, Dave; Sundhar R.S., Shyaam (December 2008). “Overwriting Hard Drive Data: The Great Wiping Controversy”. Lecture Notes in Computer Science (Springer Berlin / Heidelberg).
Thank You to Elena Pakhomova, Marketing and Development for the data recovery software company www.ReclaiMe.com for this GREAT ARTICLE!