A lot of people don’t know this, but when we delete a file from a computer, it isn’t really deleted. The operating system simply removes it from the file list and makes the space the file was using available for new data to be written. In other words, the operating system doesn’t “zero” (i.e., doesn’t clean) the space the file was using.
The operating system acts like that in order to save time. Imagine a large file that occupies lots of sectors on the hard drive. To really delete this file from the disk, the operating system would have to fill with zeros (or any other value) all sectors occupied by this file. This could take a lot of time. Instead, it simply removes the file name from the directory where the file is located and marks the sectors the file was using as available space.
This means that it is possible to recover a deleted file, since its data weren’t really removed from the disk. This is how specialized software can recover deleted data. Even if the area that was used by a file is overwritten with data from other files, the area around the sector can still store portions of the original data, as this area is magnetic. With specialized data recovery equipment it is possible, in some cases, to recover the original data, in particular on older hard disk drives (on newer drives, with sectors getting smaller and smaller, the probability that the magnetic charges around the sector hold part of the data stored in the sector is lower).
This leads us to a very important security question: if you have files that are really confidential, which cannot be read by anyone else, deleting them from the disk simply by hitting the Del key and then emptying the recycle bin isn’t enough: they can be recovered by an advanced data recovery tool.
With SSDs, however, the story is a little bit different. When a file is deleted, the process happens in the same way as on hard drives. However, in order to increase the unit’s life span, all SSDs have two important mechanisms, called wear leveling and garbage collection. They cause the data stored on the SSD to be moved quite frequently, in order to balance data across all flash memory chips. The goal is to prevent one chip from being used more often than the others. (One analogy we can think of is that an SSD has an embedded disk defragmentation tool.)
Therefore, on SSDs the probability that an area a deleted file was using gets overwritten with data from another file is far greater than on hard drives, lowering the success rate of deleted data recovery. Thus, even if you don’t use a tool to fill with zeros (or any other pattern) the area that was used by a deleted file, the natural tendency is for the abovementioned mechanisms to kick in, overwriting this area with data from other files within a short time.
With that in mind, we can conclude that deleting files on SSDs is more “secure” than on hard drives. Nevertheless, data recovery is still possible if the area a deleted file was using isn’t overwritten and/or the data is still stored in the system reserved area, which is used by the garbage collection mechanism.
There are several programs for deleting files securely, and one of them is Eraser. This tool overwrites the area used by a sensitive file that you want to delete with random data, several times over. (It is important for new data to be written several times so the magnetic areas around the sector that store fragments of the original file are also erased, making the recovery of the file impossible even with the use of special data recovery equipment.) The use of this program makes it impossible to recover the sensitive file or any part of it.
The process of formatting a disk isn’t different. When we format a hard drive (either through the operating system installation menu or through the Format command), the data that were there aren’t deleted, making it possible to recover data with an advanced data recovery tool even after formatting your hard drive. A lot of people who have a hard drive full of confidential data think that by formatting the hard drive they are killing any chance of data recovery. This is far from being true.
When you format a disk, the operating system only empties the root directory and the tables containing the list of sectors on disk that are occupied by files. When you perform a “full format”, a message “Verifying x%” is shown. The hard drive isn’t being formatted; the format command is only performing a magnetic surface test in order to see if there is any error and, if an error is found, mark the defective area as bad (the famous “bad blocks” or “bad sectors”). This is the only difference between the “quick” (without media verification) and “full” (with media verification) format options.
So, in the same way it happens when we delete files, the hard drive isn’t really erased when we format it.
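The behavior described above for deleting and formatting can be seen in a small model. The following Python sketch is an added example, not code from any tool mentioned in this article; the `ToyDisk` class, the file name and the sample content are constructed for illustration. It compares an ordinary delete, a format and an overwrite-then-delete, and then scans the raw sectors the way a recovery tool would.

```python
import os

SECTOR = 512  # bytes per sector in this constructed model

class ToyDisk:
    def __init__(self, sectors=64):
        self.raw = bytearray(sectors * SECTOR)  # the data area
        self.free = set(range(sectors))         # allocation table
        self.directory = {}                     # file name -> sector list

    def write_file(self, name, data):
        need = -(-len(data) // SECTOR)          # ceiling division
        used = sorted(self.free)[:need]
        for i, s in enumerate(used):
            chunk = data[i * SECTOR:(i + 1) * SECTOR]
            self.raw[s * SECTOR:s * SECTOR + len(chunk)] = chunk
        self.free -= set(used)
        self.directory[name] = used

    def delete(self, name):
        """Ordinary delete: drop the name, mark sectors free, touch no data."""
        self.free |= set(self.directory.pop(name))

    def quick_format(self):
        """Format: empty the directory and the allocation table only."""
        self.directory.clear()
        self.free = set(range(len(self.raw) // SECTOR))

    def secure_delete(self, name, passes=3):
        """Overwrite every sector with fresh random data per pass, then delete."""
        for _ in range(passes):
            for s in self.directory[name]:
                self.raw[s * SECTOR:(s + 1) * SECTOR] = os.urandom(SECTOR)
        self.delete(name)

    def carve(self, marker):
        """Recovery tool's view: ignore the directory, scan the raw sectors."""
        return marker in self.raw

def outcome(action):
    """Return (name still listed, content found by raw scan) after `action`."""
    disk = ToyDisk()
    disk.write_file("payroll.txt", b"CONFIDENTIAL payroll 2024 " * 40)  # constructed
    action(disk)
    return "payroll.txt" in disk.directory, disk.carve(b"CONFIDENTIAL")

print("delete       ", outcome(lambda d: d.delete("payroll.txt")))
print("quick format ", outcome(lambda d: d.quick_format()))
print("secure delete", outcome(lambda d: d.secure_delete("payroll.txt")))
```

The model overwrites sectors in place, which matches a hard drive; on an SSD the old data may still sit in the reserved area discussed earlier, which the model does not represent.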
The ideal process to eliminate any possibility of data recovery from a hard drive consists of demagnetizing the magnetic disks (a process also known as degaussing) and destroying the hard drive using a special shredder, which you can see in action in the video below. (There are smaller and more portable models available.) As for SSDs, you will have to make sure that all memory chips have been completely destroyed, as there are machines for recovering data from SSDs where you desolder the chips from the SSD and install them on the machine.
In case you want to reuse the hard drive, you can use a program to safely wipe out all data, and this process must be performed several times (with different values being used at each pass), as magnetic charges around the sectors can still store fragments of the original file, as we discussed. Hard drive manufacturers usually provide this functionality through utilities available on their websites, also known as “low-level utilities.” For Seagate drives, the program is called DiscWizard and offers the safe wiping of the hard drive (i.e., several writing rounds, with different values at each pass). For Western Digital drives, the program is called Data Lifeguard, which only writes zeros and is therefore less secure than Seagate’s solution. DBAN is a program that also only writes zeros, but it has a paid version that performs the secure wiping of hard drives.
We’d like to emphasize that filling the hard drive with zeros is enough for preventing data from being recovered with the use of standard data recovery software (goal of 99.99% of regular users), but in order to prevent data from being recoverable through the use of special equipment that reads magnetic charges around sectors, you must use a program that is able to securely wipe the hard drive, i.e., fill all sectors with different values at each pass.
The problem with using this kind of software on SSDs is that it reduces the SSD’s life span. A smarter (and faster) solution, if you are going to deal with confidential files, is to use an SSD that supports encryption. When you want to make data inaccessible, you just need to delete the current encryption key and generate a new one. This process is done through a utility provided by the manufacturer. (For instance, the “Intel SSD Toolbox,” for SSDs from this manufacturer.) With this simple procedure, nobody will be able to access data that was previously stored on the SSD. Using a data recovery tool, no file will be found, and using a disk editor, only scrambled data will be seen.
For those willing to study this subject in more depth, we recommend the following academic articles:
- https://www.vidarholen.net/~vidar/overwriting_hard_drive_data.pdf
- https://www.usenix.org/legacy/events/fast11/tech/full_papers/Wei.pdf
- https://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html