Destroying data: mission impossible

Wednesday, 20 January 2016 by Matt Prince


Data recovery experts often have to deal with cases where important data has been deleted — by accident or on purpose — by its owner or a third party. Those stories don’t always end the same but more often than not, if the client hasn’t done anything too creative to retrieve it on his own, this data gets recovered. That’s good news for those who had suffered a loss of important data, but bad news for those who need theirs permanently destroyed.

Why is it possible to recover files that have already been deleted? It’s because a file remains on the hard drive until the physical place where it's stored becomes overwritten with another file. The process of overwriting is beyond the user's control (although of course the likelihood of deleted files being overwritten is higher the more files you subsequently save onto your hard drive). Both deleting a single file and formatting a partition are processes that involve system modifications within the file allocation tables (some of the most popular file systems - such as FAT and NTFS - are based on a system of file allocation tables). This process doesn’t include the disk space, which is modified only when another process of writing a file begins, after the file has been ‘deleted’ or the partition has been formatted. So if nothing gets written over the physical space that is occupied by the removed file, it will be fairly easy to restore it (there's a detailed instruction of how to do it on our blog).

The same goes for all system files that I mentioned previously (such as temporary files, paging files, print and hibernation files), even if a file has been overwritten in one place, it could still be restored from some other place on the hard drive. So as you can see, ‘manual’ deletion is more like playing a game of cat and mouse with your data.

Erasing your data — further complications

This is not the full extent of the problem — some devices, such as smartphones and flash drives, will make it even harder for you to erase data. Restoring your phone to factory settings on Android still doesn't work on many devices, so when you buy a second-hand phone or tablet, you often also get its previous owner’s data as well.

An analogous problem exists in flash-based data storage devices (such as SSD drives, SD cards, etc.). Flash memory is divided into blocks (each block is then divided into 128 pages, 4kB each, and they are physically represented as separate frames). Flash memory comprises four types of blocks, each with distinct data storage functions and properties.

  1. System blocks — the user’s data is never stored in those; damaging a system block causes a logical error in the entire drive (leaving you with no option but to wipe the data stored there programmatically)
  2. Active blocks — where the user’s data is stored; it can be written anywhere on the block
  3. Free blocks — where old (‘deleted’) data is stored; this data can also be written into any part of this block
  4. Used blocks — those that have no free space left for writing data, but that still contain data saved by the user

SSD drives often have in-built functions that make them work more efficiently, such as the Garbage Collector, which not only makes them work more swiftly — it also creates multiple copies of each file. This means that a lot more copies of each file exist on those drives, and some of those copies are located within blocks that don’t get overwritten — making it very hard to overwrite them properly when you need to.

PLEASE NOTE: the only way to successfully remove a file is to completely overwrite it!

I’m afraid that’s still not the full extent of the problem. Overwriting your files multiple times still doesn’t guarantee that all trace of them will be removed. I will focus on this problem in my next post.

See you soon!

P.S. If you want to share any questions, doubts or comments about this course you can do so in the comment box below.