what happens to deleted files


Jspeedo

What happens to deleted files? Where do they go after you empty your
recycle bin? Is there a way to wipe these files away without having to
reinstall everything?
 
The files are still there...but simply marked as free space...so could be
recovered.

If you want to make them essentially un-recoverable there are plenty of
third party "wipe" utilities that will shred them to the point where they'd
only be recoverable with expensive and time consuming lab work.
 
What are some of these "wipes utilities" called? I just want to make
sure Windows, my document, etc. will remain on my computer.
 
philo said:
The files are still there...but simply marked as free space...so could be
recovered.

If you want to make them essentially un-recoverable there are plenty of
third party "wipe" utilities that will shred them to the point where they'd
only be recoverable with expensive and time consuming lab work.

That "...[they] can only be recoverable with expensive and time
consuming lab work" can officially be classified in the "Urban Myths"
category. Nobody has ever been able to recover overwritten files, not
even Dr. Gutmann himself, he has told me so in an email conversation. I
challenge anyone reading these groups to offer concrete proof that they
can recover zero written/wiped files or to give us the names of data
recovery firms who can do it.

John
 
I've done some experiments and have tried *numerous* undelete utilities on
drives that had been deleted, formatted and reloaded
and have *NEVER EVER* found any remnants of previous files.

So there is no practical way of retrieving them...

HOWEVER if one had access to a lab with an electron microscope... in
theory...old data could be recovered...

but it would take tens of thousands of dollars worth of lab time (probably
more actually)
and possibly weeks or months of work.

So I'd imagine that most any "wipe" software would be plenty good...
as I have never heard of anyone actually retrieving wiped data either.
 
philo said:
HOWEVER if one had access to a lab with an electron microscope... in
theory...old data could be recovered...

They would use Magnetic Force Microscopy or Scanning Tunneling
Microscopy (STM), not electron microscopes.

philo said:
but it would take tens of thousands of dollars worth of lab time (probably
more actually)

NO! It cannot be done! Not at any price! It has never been done, not
even by Dr. Gutmann himself, and he is the one who first advanced the
theory that it might be possible to recover data from overwritten
drives. The best that Dr. Gutmann could do with MFM was to show that
there "might" be a possibility that some bits of data might be
recoverable, he was never able to recover actual files and he has never
been able to publicly demonstrate that he actually could recover files
on zero written drives, and nobody else either ever could. In anything
science and research when you advance theories you then have to be able
to prove them and you then have to be able to replicate the experiments,
then others have to also be able to prove and replicate the
experiments, no one has *ever* recovered files on zero written drives,
no one! The whole purpose of Dr. Gutmann's paper was not to try to
recover files in the first place, it was to make sure that they were
securely deleted and absolutely not recoverable, some reading his paper
incorrectly assumed that he had found a method to recover data on zero
filled drives, he hadn't and that wasn't his intention, his intentions
were to suggest "software" means of securely deleting data.

Dr. Gutmann himself later said that many were making much more of his
work than what was advanced or intended in his original research and
white paper. Furthermore, Dr. Gutmann made it clear that the research
was done on a different class of hard drives than today's drives, please
read his paper:

Secure Deletion of Data from Magnetic and Solid-State Memory
http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

In particular read the Epilogue where he states:

"Looking at this from the other point of view, with the ever-increasing
data density on disk platters and a corresponding reduction in feature
size and use of exotic techniques to record data on the medium, it's
unlikely that anything can be recovered from any recent drive except
perhaps a single level via basic error-cancelling techniques. In
particular the drives in use at the time that this paper was originally
written have mostly fallen out of use, so the methods that applied
specifically to the older, lower-density technology don't apply any
more. Conversely, with modern high-density drives, even if you've got
10KB of sensitive data on a drive and can't erase it with 100%
certainty, the chances of an adversary being able to find the erased
traces of that 10KB in 80GB of other erased traces are close to zero."

The chances are not only close to zero, they are zero because no one has
ever been able to recover any files on a wiped drive. The whole thing
is tantamount to saying: "We (humans) can go to Mars because we have
sent probes there so we know that we can go to Mars." Oh sure, in
theory that is true, in reality it's false.

Some (incorrectly) assume or state that some governments or spy agencies
(read Uncle SAM and the CIA) have magic machines or the capability to
recover information on zero filled/wiped drives, that also falls in the
realm of "urban legends", there are no such magic machines and the US
government nor any of its appendages have the capability of recovering
data on wiped drives. In his 2004 paper, Recovering Unrecoverable Data
- The Need for Drive-Independent Data Recovery, Charles H. Sobey wrote:

"It is very telling that the US Department of Defense's Combating
Terrorism Technology Support Office placed a "Broad Agency
Announcement" seeking just such a [magic] machine for damaged, erased,
or overwritten media."

ActionFront Research
Recovering Unrecoverable Data - The Need for Drive-Independent Data Recovery
http://www.actionfront.com/ts_whitepaper.aspx

To date that request has not been filed, no one has yet been able to
recover overwritten data, let alone invent a "magic" machine that can do
it automagically. Just two days ago I called Seagate Recovery Services
and asked to speak to one of their data recovery specialists. I posed
the question to him, "Can a world class and foremost data recovery firm
such as Seagate Recovery Services recover data from zero filled/wiped
drives?", to which he categorically, unequivocally answered "NO". He
told me that Seagate Recovery Services cannot do it and that any firm
making such claims either misunderstood the question or they are
outright lying. He said that if any data recovery firms make such
blatant claims to make sure that they only be hired on a "No recovery,
no charge basis, else you will only be wasting your money".

Now, this brings us to another "urban myth" that is often mentioned in
these groups:

"There are professional file recovery companies which can often recover
data from files that have been overwritten, sometimes even if it's
been overwritten multiple times.

For this reason, when the US government wants to get rid of
really sensitive data, it doesn't trust any deletion or
overwriting techniques. It physically melts the drive in a
furnace."

(Sorry Ken, but I have to take a kick at this one too ;-) )

The reason that the US government or any other entities who work with
very sensitive data might melt or destroy drives instead of securely
overwriting them is not because of the possibility of data recovery on
these drives, it is because of the possibility of user or software
errors when doing the wiping. The data is so sensitive that they cannot
take a chance that a drive "thought" to be wiped gets disposed, or that
the person doing the wipe thought that the drive only needed to be
formatted. If the drives containing sensitive data are destroyed then
there is no risk of operator error. This is really what these entities
are worried about, not that the data can be recovered after a secure
wipe, but rather that the secure wipe was actually done, destroying the
drive takes care of possible operator errors. In highly sensitive
environments like that errors are not supposed to happen, but at times
they do, along the same line that surgeons aren't supposed to leave
sponges inside their patients but sometimes they do, we have all heard
these horror stories, so in highly secure environments additional
measures are taken to eliminate the risk that improperly wiped or
unwiped drives fall into unwanted hands, this measure has nothing to do
with the possibility that data actually be recovered on securely wiped
drives. That is the mundane reason for destroying hard drives, not that
someone has magic data recovery tools to recover overwritten files.

philo said:
and possibly weeks or months of [lab] work [to recover data].

Try years instead of weeks or months! Read Charles H. Sobey's paper.
It would take a machine taking an MFM image every minute 60 weeks to do
*one* surface on a 3-1/5" disk! A 20 GB drive would yield an
astonishing 40 terabytes of information and it would take years to
analyze the data, there are no machines or scanners that can make heads
or tails of the images, it would all have to be done by human eyes! And
once again, no one has actually ever been able to look at the images and
retrieve usable data from them.

philo said:
So I'd imagine that most any "wipe" software would be plenty good...
as I have never heard of anyone actually retrieving wiped data either.

There is one area which can be of real concern with regards to wiped
drives and where actual "bits" of data recovery could be made, cluster
tips. Cluster tips are areas where data may have been written and then
not overwritten.

Let's say you have NTFS clusters of 4KB. You save a 4KB file to the disk
and it occupies exactly one cluster. You later delete the file, a
simple delete to the Recycle Bin, not a secure delete. Then you save
another file, let's say a 3KB file, the 3KB file is saved in the same
cluster where the original 4KB file was. The first 3KB in the cluster
is written with the new file but the last 1KB isn't touched, that is a
"cluster tip". In that cluster tip is the last 1KB of data that was in
the 4KB file that previously occupied the cluster, that data has not
been overwritten, although it is time consuming and difficult there is a
very real possibility that the information in the cluster tips could be
recovered and that from these little bits of files some sensitive
information could be retrieved, sort of like only burning the first
three pages of a four page letter, if someone gets their hands on the
fourth page they might obtain information that was not meant to be
released. The problem with cluster tips and disk wiping utilities can
happen if you use poorly designed wiping software. Some of the poorly
written utilities may overwrite the file only, not whole clusters. That
is easily resolved by selecting good wiping software and making sure to
select wiping options that also wipe cluster tips.

So there you have it, the only place where data is recovered from
securely wiped drives is on CSI Miami and it is all done in a whopping
five minutes out of a one hour episode. Everything else that you hear
about data recovery on wiped drives is in the realm of fairy tales.

John

Data remanence
http://en.wikipedia.org/wiki/Data_remanence

Overwritten data: Why even the Secret Service can't get it back
http://blogs.computerworld.com/node/5756

Is overwritten data really unrecoverable?
http://blogs.computerworld.com/node/5687

Can Intelligence Agencies Read Overwritten Data?
http://www.nber.org/sys-admin/overwritten-data-guttman.html

Ontrack Eraser
http://www.ontrackdatarecovery.com/hard-drive-software/ontrack-eraser.aspx
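
The free-space and cluster-tip behaviour described in the post above, as an added example that is not part of the original thread: an ordinary delete leaves the bytes in place, a smaller file reusing the cluster leaves the old tail in slack, and a wipe that covers only the file's length misses it. The `ToyVolume` class, the file names and the marker string are constructed for illustration, and the model assumes one cluster per file.

```python
CLUSTER = 4096  # 4 KB clusters, as in the post's NTFS example


class ToyVolume:
    """Constructed model: a flat byte array plus a name -> (cluster, length) table."""

    def __init__(self, clusters=4):
        self.disk = bytearray(CLUSTER * clusters)
        self.files = {}                      # live files only
        self.free = list(range(clusters))    # free-cluster list

    def write(self, name, data):
        if len(data) > CLUSTER:
            raise ValueError("toy model: one cluster per file")
        c = self.free.pop(0)
        # Only len(data) bytes are written; the rest of the cluster is untouched.
        self.disk[c * CLUSTER:c * CLUSTER + len(data)] = data
        self.files[name] = (c, len(data))

    def delete(self, name):
        # Ordinary delete: drop the table entry, mark the cluster free, keep the bytes.
        c, _ = self.files.pop(name)
        self.free.insert(0, c)

    def slack(self, name):
        """Bytes between end-of-file and end-of-cluster (the 'cluster tip')."""
        c, n = self.files[name]
        return bytes(self.disk[c * CLUSTER + n:(c + 1) * CLUSTER])

    def wipe(self, name, include_tip):
        """Zero-fill a file (optionally its whole cluster), then delete it."""
        c, n = self.files[name]
        end = (c + 1) * CLUSTER if include_tip else c * CLUSTER + n
        self.disk[c * CLUSTER:end] = bytes(end - c * CLUSTER)
        self.delete(name)


def demo(include_tip):
    """Return (old data visible in slack, old data still on disk after the wipe)."""
    vol = ToyVolume()
    vol.write("letter.txt", b"A" * 3072 + b"SECRET-PAGE-4".ljust(1024, b"."))
    vol.delete("letter.txt")                 # Recycle Bin emptied, no wipe
    vol.write("notes.txt", b"B" * 3072)      # 3 KB file reuses the same cluster
    leaked = b"SECRET-PAGE-4" in vol.slack("notes.txt")
    vol.wipe("notes.txt", include_tip)
    return leaked, b"SECRET-PAGE-4" in bytes(vol.disk)


if __name__ == "__main__":
    print("file-only wipe:", demo(False), "| whole-cluster wipe:", demo(True))
```
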
 
The reason that the US government or any other entities who work with
very sensitive data might melt or destroy drives instead of securely
overwriting them is not because of the possibility of data recovery on
these drives, it is because of the possibility of user or software
errors when doing the wiping.



<snip>


Thanks for all the good info.

That reminds me of a funny story which points out the possibility of human
error.

Way back a million years ago...the company I worked for had a PDP-11

When it was de-commissioned, my boss took a demagnetizer and started erasing
all the tapes.
Then, half-way through he went out to lunch...but he left the extension cord
about three feet up in the air and strung across the aisle that I needed to
walk through
to get to my desk.

I simply unplugged it and walked past.

I later left the building and never bothered to plug it back in...as other
people needed to pass through.

Anyway, when I returned later...there the idiot was "erasing" the
tapes...with the de-magnetizer's cord unplugged!

Since it looked like he had been at it for a while...I just decided not to
say anything. <G>
 
Thank you for the real life story, that is exactly the kind of user
errors that those who dispose of sensitive data want to avoid at all
cost. If the drives are destroyed then there is no chance that a drive
might have been overlooked or inadvertently left unwiped.

John
 
How true!
 