Question: As far as I understand, when I delete (without using Recycle Bin) a file, its record is removed from the file system table of contents (FAT/MFT/etc…) but the values of the disk sectors which were occupied by the file remain intact until these sectors are reused to write something else. When I use some sort of erased files recovery tool, it reads those sectors directly and tries to build up the original file.
In this case, what I can’t understand is why recovery tools are still able to find deleted files (with reduced chance of rebuilding them though) after I defragment the drive and overwrite all the free space with zeros. Can you explain this?
I thought zero-overwritten deleted files can be only found by means of some special forensic lab magnetic scan hardware and those complex wiping algorithms (overwriting free space multiple times with random and non-random patterns) only make sense to prevent such a physical scan to succeed, but practically it seems that plain zero-fill is not enough to wipe all the tracks of deleted files. How can this be?
UPDATE, addressing the questions that came up:
- I’ve tried the following wipe tools: Sysinternal’s SDelete, CCLeaner, and a simple utility the name of which I can’t remember which starts from command line and creates a growing zero-filled file until the whole free space is taken and then deletes it.
- I’ve tried the following recovery tools: Recuva, GetDataBack, R-Studio, EasyRecovery.
- I can’t exactly remember which tools have given specific result (as far as I can remember trial versions of some of them only show files names and can’t actually recover).
- Probably in most (but not 100% all) cases they’ve only seen the names and could not recover the data, but this is still a security threat to be addressed as file names can still be pretty informative (for example I’ve seen a guy that stored passwords in text files which were named as the passworded resource name plus the login name, while login names should be secured too).
Answer: If you overwrite erased files, you shouldn’t be able to retrieve anything from them.
My best guess is that either your wipe tool has not done everything it is supposed to or you have some sort of cache issue.
update – if you are using solid state drives, you may find that secure delete tools do not work as expected due to the way data is read/written on SSDs.