Blog | G5 Cyber Security

Data Deletion: When is it Gone?

TL;DR

Deleted data isn’t immediately gone. It exists in various forms until overwritten. Simple deletion just removes the file’s entry, not the actual data. Secure deletion requires multiple overwrites or physical destruction.

Understanding Data Deletion Stages

  1. Standard Deletion: When you delete a file normally (e.g., sending it to the Recycle Bin/Trash), the operating system doesn’t erase the data itself. It simply removes the pointer to that data, marking the space as available for reuse. The data remains on the storage device until overwritten by new files.
    rm myfile.txt  # Linux/macOS - marks file for deletion
    del myfile.txt # Windows - marks file for deletion
  2. Recycle Bin/Trash Recovery: Files in the Recycle Bin or Trash can be easily restored because they haven’t been overwritten yet.
  3. File System Scavenging: Even after emptying the Recycle Bin, remnants of the file (fragments) might remain recoverable using data recovery software. This is because the space hasn’t necessarily been zeroed out.
    Tools like TestDisk or PhotoRec can attempt to rebuild files from these fragments.
  4. Overwriting: The most reliable method for preventing recovery is overwriting the data multiple times with random characters. This makes it extremely difficult and time-consuming to retrieve the original information.
  5. TRIM (Solid State Drives): When a file is deleted, the operating system sends the SSD a TRIM command naming the blocks that no longer hold live data, so the drive can erase them in the background and keep write performance up. TRIM doesn’t guarantee immediate erasure; it only tells the drive that the space is free for reuse.
    How quickly the data actually disappears depends on the drive’s firmware and how often it runs garbage collection.
  6. Physical Destruction: The only 100% certain way to make data irrecoverable is physical destruction of the storage device (e.g., shredding, degaussing).
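The stages above can be walked through on a toy model. The following Python is an added example written for this post, not code from G5 Cyber Security: it models a tiny block device with a file table (a constructed simplification, not a real file system), removes a file's directory entry the way standard deletion does, carves the orphaned blocks for a known marker the way recovery tools do, and then shows the two events that actually destroy the bytes, reuse of the block by a new file and a later TRIM-driven garbage-collection pass. The block size, file names and the sample secret are all constructed for the demonstration.

```python
# Toy model of a block device with a file table, constructed for this
# example (not a real file system): it shows why "delete" leaves bytes on
# disk, how carving finds them, and when reuse or garbage collection
# finally destroys them.

BLOCK_SIZE = 16  # tiny blocks so the sample data spans more than one


class ToyDisk:
    def __init__(self, n_blocks):
        self.blocks = [b"\x00" * BLOCK_SIZE for _ in range(n_blocks)]
        self.free = set(range(n_blocks))
        self.files = {}        # name -> block list: the "pointers"
        self.trimmed = set()   # blocks the OS has told the drive are unused

    def write(self, name, data):
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        if len(chunks) > len(self.free):
            raise OSError("disk full")
        used = []
        for chunk in chunks:
            blk = min(self.free)          # lowest free block is reused first
            self.free.discard(blk)
            self.trimmed.discard(blk)
            self.blocks[blk] = chunk.ljust(BLOCK_SIZE, b"\x00")
            used.append(blk)
        self.files[name] = used

    def delete(self, name):
        # Standard deletion: the directory entry goes, the blocks are marked
        # free (and TRIMmed), but their contents are untouched.
        for blk in self.files.pop(name):
            self.free.add(blk)
            self.trimmed.add(blk)

    def scavenge(self, marker):
        # Carving, as recovery tools do: scan blocks no file points to for a
        # known signature; returns (block number, raw fragment) pairs.
        allocated = {b for blocks in self.files.values() for b in blocks}
        return [(i, blk) for i, blk in enumerate(self.blocks)
                if i not in allocated and marker in blk]

    def garbage_collect(self):
        # SSD-style background erase of TRIMmed blocks; runs when the
        # firmware chooses, not at delete time.
        for blk in self.trimmed:
            self.blocks[blk] = b"\x00" * BLOCK_SIZE
        self.trimmed.clear()


def run_stages():
    """Walk the deletion stages and report what carving finds at each one."""
    disk = ToyDisk(n_blocks=8)
    secret = b"SECRET:hunter2 is my password"   # constructed sample, 29 bytes
    disk.write("notes.txt", secret)
    found = {}
    found["while_allocated"] = [i for i, _ in disk.scavenge(b"SECRET:")]
    disk.delete("notes.txt")                      # stage 1: pointer removed
    hits = disk.scavenge(b"SECRET:")              # stage 3: still carvable
    found["after_delete"] = [i for i, _ in hits]
    found["fragment"] = hits[0][1].rstrip(b"\x00") if hits else b""
    disk.write("memo.txt", b"lunch at 12")        # reuse overwrites block 0 only
    found["after_reuse"] = [i for i, _ in disk.scavenge(b"password")]
    disk.garbage_collect()                        # stage 5: drive erases later
    found["after_gc"] = [i for i, _ in disk.scavenge(b"password")]
    return found


if __name__ == "__main__":
    for stage, value in run_stages().items():
        print(f"{stage:16} {value!r}")
```

Running it shows the order of events that matters in practice: nothing is carvable while the file is allocated, the first block is carvable the moment the entry is dropped, writing a small new file destroys only the block it reuses (the tail of the secret survives in block 1), and only the garbage-collection pass clears the rest.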

How Many Overwrites?

Historically, seven passes were recommended for overwriting, but modern drives are more complex. One pass with a random pattern is often sufficient for most purposes.
For sensitive data, multiple passes using different patterns (zeros, ones, random characters) provide extra security.
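As an added example of the overwrite-before-delete approach (this is not a tool from the original post), the Python below overwrites a file in place with a configurable sequence of passes, zeros, ones and random bytes by default, forcing each pass to disk with fsync before the next, and only then unlinks it. The file name and sample contents in the walk-through are constructed. On SSDs and on journaling or copy-on-write file systems, an in-place overwrite does not guarantee the physical cells that held the old data are the ones rewritten, which is the same firmware caveat the TRIM section makes.

```python
import os
import secrets
import tempfile

# None means "fill this pass with cryptographically random bytes".
PATTERNS = [b"\x00", b"\xff", None]


def overwrite_file(path, patterns=PATTERNS, chunk_size=1 << 20):
    """Overwrite every byte of `path` once per pattern; returns bytes written.

    Caveat: on SSDs, journaling or copy-on-write file systems, and any
    snapshotted volume, the drive or file system may keep the old blocks
    and write the new data elsewhere, so this only reliably clears the
    logical file, not every physical copy.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in patterns:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk_size, remaining)
                buf = secrets.token_bytes(n) if pattern is None else pattern * n
                f.write(buf)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())   # make sure the pass reached the device
    return size * len(patterns)


def secure_delete(path, patterns=PATTERNS):
    """Overwrite, then remove the directory entry; returns bytes written."""
    written = overwrite_file(path, patterns)
    os.remove(path)
    return written


def demo():
    """Constructed walk-through on a temporary file holding a sample secret."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "secret.txt")
    secret = b"account=alice;token=CONSTRUCTED-SAMPLE-0001\n"
    with open(path, "wb") as f:
        f.write(secret)
    size = os.path.getsize(path)

    overwrite_file(path, [b"\x00"])            # single zero pass
    with open(path, "rb") as f:
        after_zero = f.read()

    overwrite_file(path, PATTERNS)             # zeros, ones, then random
    with open(path, "rb") as f:
        after_multi = f.read()

    secure_delete(path, [None])                # final random pass + unlink
    result = {
        "size": size,
        "zero_pass_all_zero": after_zero == b"\x00" * size,
        "multi_pass_len": len(after_multi),
        "secret_survives": secret in after_multi,
        "file_exists": os.path.exists(path),
    }
    os.rmdir(workdir)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20} {value!r}")
```

The pattern list is the knob the section discusses: a single random pass is `[None]`, and the three-pass default matches the zeros/ones/random sequence the text recommends for sensitive data. Keeping `fsync` inside the loop matters; without it the passes may be collapsed in the page cache and only the last one ever reaches the device.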

Secure Deletion Tools

Data Recovery Considerations
