The specific scenario involves Linux servers on VMware hosts with SAN storage. If files containing sensitive data are deleted by Linux, can they be recovered by a low-level tool similar to what might be done with local storage? I think there are a number of scenarios that probably have different answers:
- "Shortly" after deletion. The Linux instance has not been rebooted since the deletion and no explicit relocation of the VMware workload has occurred. The rest of the environment has been stable during the intervening time.
- "Long" after deletion. The Linux instance has not been rebooted since the deletion and no explicit relocation of the VMware workload has occurred. Normal operations have occurred around the instance that might have included relocation of other workloads and reallocation of SAN storage for other workloads.
- An OS-level restart has been performed, such as to force re-initialization of an updated service.
- A full OS shutdown was performed and some time later the image was restarted. [What if the image is moved to a different host before restart?]
- Workload was shifted to new VMware host without OS shutdown.
There are a few other cases I can imagine, but you get the idea. So, can data be recovered from within the OS in various scenarios? How about from the virtual host or SAN management console? From the media? How difficult are these vectors to exploit? What protection is there against recovery of deleted data in a SAN-based virtual environment?