When did you last delete a file? Back when hard disks were measured in megabytes, it was common to delete files as soon as you’d finished with them, in order to free up disk space. In these days of terabyte-sized hard disks, however, it’s easy to accumulate huge archives of documents, emails, data files and program caches.
This can be a godsend if you need to dig out a reference from years ago. But this information could be a liability if it fell into another’s hands. For example: your email archive may contain login and payment details for online services; browser caches and system logs can reveal what you’ve been up to online, and even store private information that’s been displayed on a web page. The temporary files created by programs such as Word and Excel may also contain confidential data – even if it’s been removed from recent versions of documents.
Most of us understand the importance of wiping all these personal files before disposing of a PC, whether you’re passing it on to a friend, selling it or simply taking it to the dump. But deleting files doesn’t erase the sensitive data as permanently as you might hope.
If you’re unlucky enough to have your PC stolen, you might not even get the opportunity to erase your data. And it would be easy for a hacker to create malware that collects potentially valuable data from infected PCs.
Clearly, it isn’t realistic to try to keep your PC completely free of personal files. For sensitive files that you use regularly, it’s worth using encryption – a subject we’ll return to in a future How To. As a general rule, keep only as much private information on your PC as necessary, and regularly purge anything you don’t need.
INSECURE DELETE
An easy way to start this process is by clearing out old caches and temporary files. There are plenty of free programs that can help you with this: the Disk Cleanup tool that’s built into Windows can remove all sorts of system logs and unneeded files created by Internet Explorer. The free CCleaner tool from Piriform can additionally clean up the files left behind by a wide range of applications. For obvious reasons, these programs won’t touch your personal files; but once they’ve worked their magic you can delete remaining sensitive documents by hand.
Of course, deleting files doesn’t mean simply sending them to the Recycle Bin. It’s well understood that, so long as you haven’t emptied the bin, “deleted” files can be easily recovered at a later point in time, by you or anyone else.
It’s also important to realise that even after the bin has been emptied, and the deleted files are seemingly gone for good, it may still be possible to recover them. The same applies to files that are deleted by disk cleanup tools that bypass the Recycle Bin.
This is because of the way files are stored on a hard disk, and the way they’re deleted in Windows (and in many other operating systems, too). When you write a file to hard disk, the data is written across multiple sectors of that disk, and an entry is made in the Master File Table (MFT), recording among other things the name of the file and details of which sectors on the disk contain its data.
When you delete a file, however, Windows doesn’t bother removing all the data from the various sectors of the disk. It simply removes the MFT entry. The sectors are de-allocated, ready to be overwritten next time you write a file to the disk.
This approach has an obvious benefit: it’s almost instant, regardless of the size of the file you’re deleting. If deleting a file actually removed all its data from the hard disk, deleting large files would end up taking several seconds or more, tying up the hard disk and making your PC less responsive.
But since the “deleted” data remains on the disk, it can be recovered. Indeed, before the Recycle Bin was introduced in Windows 95, if you accidentally deleted the wrong file, your best chance for recovering it lay with an MS-DOS utility called Undelete. This tool scanned the hard disk for data that had been de-allocated but not overwritten, and recreated file table entries so it could be seen and accessed once more.
Is this a good thing? We’re sure the ability to recover accidentally deleted files has saved more than one career in the past. Even today, 16 years after the arrival of the Recycle Bin, we still regularly hear of people accidentally wiping important files, and as a result there remains a healthy market for data recovery tools. There are free options, such as Recuva, again from developer Piriform.
Unfortunately, the ability to undelete files cuts two ways. If you can recover files that have apparently been wiped, so can someone else: for example, the person who buys your old laptop on eBay, or the person who pulls your old hard disk out of a skip. You might therefore think of Windows’ deletion function as “insecure delete”
QUICK FORMATTING
It’s also worth noting that Windows’ Quick Format function works in a similar way. Rather than writing blank sectors across the entire surface of the disk, a Quick Format simply creates a new, empty MFT. In this way, even a huge 2TB drive can be formatted in seconds.
One hazard of quick formatting is that the hard disk isn’t tested for errors: if there are any physical problems with your disk, you’ll only discover them at some inconvenient point down the line, probably when you’re in the middle of writing or reading an important file.
More to the point, if a disk has files on it before you perform a Quick Format then – just as with the regular delete function – the data isn’t removed. It remains in place, and with the right tool the old files can be recovered. The MS-DOS Undelete tool had a counterpart called Unformat, which could restore a formatted drive in exactly this way.
This doesn’t mean there’s no point in deleting temporary files on a regular basis, or wiping all your personal data before putting your PC in a situation where someone else might be accessing the hard disk. It just means it’s unwise to put all your faith in Windows’ built-in delete and Quick Format tools.
RECOVERING DATA
If you want to be sure your deleted files can’t be recovered, it clearly isn’t good enough to leave the data sitting on the disk, where a free program can recover them. The question is: what, then, is good enough?
To defeat data recovery software, you simply need to overwrite your old data with new, non-sensitive data. One way to achieve this is by erasing your private files, then writing junk files to your hard disk until it’s completely full, thus ensuring that the areas of the disk holding the deleted data have been overwritten. Another approach might be to defragment your hard disk: as your files are shunted into one contiguous area of the disk, any gaps left by deleted files should be filled up with new data.
Clearly, though, it’s impractical to go through such time-consuming processes every time you want to securely delete a file. And if you do defragment your drive, it’s possible that some fragments of deleted files may remain scattered in unused areas of the disk. This data may be out of reach of simple tools that merely try to reconstruct the file table, but it can still be found by programs that scan the whole surface of the drive to recover fragments of information. For example, a thief might opportunistically search your drive for any disk sectors containing the string “password”, to see what other data appears nearby.
Snippets of old data such as this can also be left behind when a large file is deleted, then overwritten by a smaller one. So if you want to be sure there’s no orphaned data hiding away, you also need to wipe the unused space on your disk. (Many defragmentation tools can do this automatically after the defragmentation process is complete.)
NEXT PAGE: Physical data recovery, wiping SSDs, securely delete software
