2

In hard drives deleted data can be overwritten. But is it immediately overwritten when new data is stored? For example, I take a picture and delete it. After some time, I take a new picture. Is that older picture overwritten? I'm interested mainly in how drives overwrite data.

schroeder

4 Answers

5

In general, no, you cannot expect recently deleted hard drive blocks to be the first used for writing new data.

In the case of traditional platter disks, the performance read/write for individual files is affected by where (physically) on the platters the data is written. Some operating systems, and some utilities, will choose where to write data based on complex optimization algorithms (often during Defragmentation). So there are factors other than "what got recently freed up" that go into deciding where to write data.

With newer SSD drives, the problem gets even worse - the hardware controller on the drive itself does the same thing, choosing write locations according to algorithms designed to maximize coverage and minimize rewrites. As a result, you can't even be guaranteed to overwrite the entire disk by filling the disk - you must use ATA Secure Erase to clear the data.

If you're concerned about deleted files being recovered, you need to be proactive:

  1. Use a secure file wipe program on files instead of deleting them - shred, sdelete, PGP wipe, etc.
  2. Use whole disk encryption; that way, if the disk is swiped, an attacker can't simply pull (plaintext) raw disk blocks off the drive.
  3. If on a platter disk, wipe slack space on a disk (e.g., Windows `cipher /w:c:`) regularly
gowenfawr
  • That is correct, shredder is best option. – amarnath chatterjee Jan 07 '17 at 07:30
  • `shred`, `srm`, `sdelete`, et al don't to my knowledge work reliably on SSDs. Even if you overwrite the contents of a file, the SSD controller may map those writes to somewhere else on the physical media entirely than the block being overwritten. The only way to be certain that (outside of ATA Secure Erase) data isn't on your SSD is to make sure it doesn't go on it in plaintext to begin with: full-disk encryption and encrypted mountable disk images. – Stephen Touset Jan 07 '17 at 07:47
1

When you delete data, what actually happens is the pointer, reference, or inode to the location of that data is deleted. You won't be able to access it, but it is still there, assuming no additional operation has been done yet. It is, however, marked as unused space and can be overwritten when needed.

Writing data doesn't necessarily mean you overwrite what you previously deleted. It may write to a portion of the location where your file was previously stored, or it may also write to some other part of the disk. The way as to how drives write data is dependent upon the OS and filesystem type, and as Arminius suggested, would be a better question for superuser.

Since we are in security, a proper way to safely delete files would be to use some tools such as shred in Linux, where the contents are first overwritten with arbitrary bytes several times before the inode is deleted.

Link
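The behaviour described in this answer, as an added example that is not part of the original post: a constructed toy model (the `ToyDisk` class, its next-fit allocator and the file names are assumptions for illustration, not any real filesystem) showing that a deleted file's bytes stay on the media, that a later write need not reuse the freed block, and that overwriting before deleting removes them.

```python
BLOCK = 16  # bytes per block (toy value)

class ToyDisk:
    def __init__(self, nblocks=8):
        self.blocks = [bytes(BLOCK)] * nblocks  # raw media contents
        self.free = [True] * nblocks            # allocation bitmap
        self.directory = {}                     # file name -> block numbers
        self.cursor = 0                         # next-fit search position

    def _alloc(self):
        for i in range(len(self.blocks)):
            b = (self.cursor + i) % len(self.blocks)
            if self.free[b]:
                self.free[b] = False
                self.cursor = (b + 1) % len(self.blocks)
                return b
        raise OSError("disk full")

    def write(self, name, data):
        self.directory[name] = []
        for i in range(0, len(data), BLOCK):
            b = self._alloc()
            self.blocks[b] = data[i:i + BLOCK].ljust(BLOCK, b"\0")
            self.directory[name].append(b)

    def delete(self, name):
        # Ordinary delete: drop the reference, mark blocks free, media untouched.
        for b in self.directory.pop(name):
            self.free[b] = True

    def wipe(self, name):
        # shred-style: overwrite the file's own blocks (fixed pattern here so
        # the result is deterministic), then drop the reference.
        for b in self.directory[name]:
            self.blocks[b] = b"\xff" * BLOCK
        self.delete(name)

    def raw_contains(self, needle):
        # Scan every block, allocated or not, as a recovery tool would.
        return needle in b"".join(self.blocks)

def demo():
    disk = ToyDisk()
    disk.write("old.jpg", b"OLD-PICTURE-DATA")   # lands in block 0
    disk.delete("old.jpg")
    disk.write("new.jpg", b"NEW-PICTURE-DATA")   # next-fit picks block 1
    survived_delete = disk.raw_contains(b"OLD-PICTURE-DATA")
    disk.write("notes.txt", b"SECRET-NOTES")
    disk.wipe("notes.txt")
    return survived_delete, disk.raw_contains(b"SECRET-NOTES")
```

The model assumes an overwrite lands on the same physical block; as the comments above note, an SSD controller may map it elsewhere.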
0

I am writing this answer as there is one exception which is missed out in answers so far. But as everybody mentioned, data is not overwritten immediately. In fact, there are tools to recover deleted data from disk. They just remove the reference of data as mentioned in earlier post. Data removal has two forms nowadays, deleting and wiping. Deleting is cheaper and wiping is expensive, in computational terms.

However, there is one exception in this case and that is if you are using solid state drives (SSD). SSDs are TRIM enabled. The idea of TRIM is that flash drives cannot be overwritten. It has to be erased first. So when a file is deleted it deletes the whole data so that writes are faster in future.

  • TRIM tells the drive that it *can* overwrite the trimmed data when it's convenient, but there's nothing that says it *will* overwrite the trimmed data at any particular time. AFAICT TRIM doesn't change the answer to this question at all. – Nathaniel J. Smith Jan 07 '17 at 08:48
0

In general when you delete a file, only the file pointer is deleted. It is stored in a file information table, which has different names on different operating systems. After this pointer / file id / inode number does not exist anymore, you can't refer to the file anyhow without knowing exactly where on the disk it was stored, which is often hidden by the operating system anyways.

The way to go is a process called file shredding, which takes the free space on your disk and overwrites it N times. Importantly, one go is usually not enough. To start getting the data unrecoverable, one has to use at least 7 overwrites. Paranoids often use the 35-round Gutmann process. It's absolutely the same shredding, but more goes and more time. (Can take an afternoon.) It might be worth noting that it's considered more secure if the shredder works with random data instead of zeros.

File shredding, however, is not a process you would enjoy doing on a regular basis. It takes a lot of time, and every time it goes through the whole disk. There are shredder applications, which let you delete specific files by shredding them. This does not prevent from sensitive data that is deleted by applications not by you via shredding.

Side note: If you don't mind a bit of extra boot time, HDD encryption is the way to go.

Rápli András