2

I have created a Word document on my computer, or any other file like txt, image, PSD, etc. If I then take that file and move it to an external device, would that file leave a trace on the computer? Is it recoverable on the computer?

Ugnes
Aasim Azam
  • 2
    The situation is exactly the same as normally deleting the file. – Arminius Apr 08 '17 at 15:32
  • Using `chattr` to add the `s` secure delete option will cause the OS to overwrite the file immediately (as opposed to the usual, when the blocks are reused). However, this does not prevent disk-level exploits, such as ghosts left on the hard disk, or wear levelling on SSD causing block rotation, and thus the zeroing not zeroing the correct blocks. Have a look at `shred`; it can destroy files when you ask it to, and it also has a list of caveats in the manual. – ctrl-alt-delor Apr 11 '17 at 21:09

3 Answers

10

YES, the files are recoverable even when they are moved or deleted from the disks. Let's begin with how the OS places files on the hard disk. Files are saved on the hard disk in small chunks. These chunks may be scattered all over, rather than being placed in a contiguous manner.

The File Manager of your Operating System keeps track of the files by knowing the addresses of all the chunks. These are inode numbers; you can think of them as pointers.
When you delete a file, what your OS does is simply remove the data it has stored about these inode values. So, what really happens is that all the links are removed from the table of the File Manager System that keeps track of the file. The important thing to observe is that the data is still there. HDDs never delete the data; it is always overwritten.

On a general level what recovery tools do is simply check for data on the disks that have no inode values pointing towards them. They use complex algorithms that help them to create something meaningful, such as a file with those small chunks.

It is even possible to recover the data when you have overwritten the particular block with some other data. In case you are using Hard Disk Drives (HDDs), data is stored in the form of magnetic waves. This is binarized prior to being processed by the processor. There are four possibilities when data is overwritten once: two when the bit was initially 0 and then written with 0 or 1, and two more when it was initially 1 and then overwritten with 0 or 1. These four values will give different traces on the disk. So, what a recovery tool usually does is simply create four regions via different thresholds and decide what the previous value was. This can be extended when data is overwritten multiple times.

You might have observed that while formatting your disks or USB drives you are given two options: one is the fast format and one is the slow format. In the case of fast format, only the links are removed. In the case of slow format, the OS rewrites all the blocks multiple times with random data. This is a secure way of formatting a disk. The number of times this iteration runs can vary with the OS and the command (or utility) you are using. You can use the UNIX command `shred`, which is a part of GNU core utilities.

    shred -n 100 filename

By default, `shred` overwrites 25 times, but by using `-n` you can decide the value.

Edit: Solid State Disks (SSDs) have a very different mechanism of working when compared with HDDs. In SSDs the whole storage unit is divided into blocks or pages, and each block can be asked to read/write. These blocks are index-addressable just like an array. Thus there is no overhead for data access as was the case in HDDs. In order to write anything in these blocks, you need to delete the data first. The OS of your device doesn't access all these blocks directly; instead, it talks to the microcontroller present in the SSD or Flash drive. This microcontroller keeps track of all these blocks using a table (or map). Since deletion takes a lot of time, the microcontroller of the Flash drive dynamically maps the requested location for a write onto some other block which is empty and keeps a log for itself to delete the data in the block (that was asked) sometime later. This is what allows the room for recovery even when you have deleted your data. For more details, you can go over this paper.

Ugnes
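An added example, not part of the answer above: a toy model of the "delete only drops the pointers" behaviour it describes, with a signature carver run over the unallocated blocks after a move. `ToyDisk`, `carve`, `move_then_carve` and the 16-byte block size are hypothetical names and values chosen for illustration, and the "photo" is constructed bytes framed by JPEG start/end markers.

```python
BLOCK = 16                                  # toy block size in bytes (assumption)
SOI, EOI = b"\xff\xd8\xff", b"\xff\xd9"     # JPEG start / end markers

class ToyDisk:
    """Flat byte array plus a name -> block-list table (stand-in for inodes/MFT)."""
    def __init__(self, nblocks):
        self.data = bytearray(nblocks * BLOCK)
        self.table = {}

    def free_blocks(self):
        used = {b for blocks in self.table.values() for b in blocks}
        return [b for b in range(len(self.data) // BLOCK) if b not in used]

    def write(self, name, content):
        need = -(-len(content) // BLOCK)            # ceiling division
        blocks = self.free_blocks()[:need]
        if len(blocks) < need:
            raise OSError("disk full")
        for i, b in enumerate(blocks):
            chunk = content[i * BLOCK:(i + 1) * BLOCK]
            self.data[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.table[name] = blocks

    def delete(self, name, wipe=False):
        for b in self.table.pop(name):              # the table entry always goes
            if wipe:                                # contents go only when asked
                self.data[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)

    def unallocated(self):
        return b"".join(bytes(self.data[b * BLOCK:(b + 1) * BLOCK])
                        for b in self.free_blocks())

def carve(raw):
    """Signature carving: each run from a JPEG start marker to the next end marker."""
    found, pos = [], 0
    while (start := raw.find(SOI, pos)) != -1:
        end = raw.find(EOI, start + len(SOI))
        if end == -1:
            break
        found.append(raw[start:end + len(EOI)])
        pos = end + len(EOI)
    return found

PHOTO = SOI + b"constructed sample image bytes" + EOI   # constructed, not a real JPEG

def move_then_carve(wipe):
    """Move PHOTO from an internal to an external disk, then carve the internal one."""
    internal, external = ToyDisk(8), ToyDisk(8)
    internal.write("photo.jpg", PHOTO)
    external.write("photo.jpg", PHOTO)              # move = copy ...
    internal.delete("photo.jpg", wipe=wipe)         # ... then delete the original
    return carve(internal.unallocated())
```

The model covers only the metadata-versus-contents distinction; it has no journal, no remapping controller and no wear levelling, so the wiped case says nothing about SSDs or flash drives.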
0

Moving a file to another computer is just copying it to another system and then deleting it locally. The usual way of deleting a file by the OS is either to mark it as deleted or to remove any references to it so that it is no longer associated with a file name. This means that the data itself does not get deleted immediately, but usually only if the disk space needs to be reclaimed to write new data (and worse on SSD). In short: it is often possible to recover the original file content.

Steffen Ullrich
0

In Windows (or in fact any OS), there is always an MFT table (Master File Table) that maps the address space in the hard disk to the associated file. So when you either delete the file or move the file, both operations just remove the address associated with the file, so the OS believes that the space is empty, but it still holds the data and can be easily retrieved.

In order to completely delete or remove the data, you should also fill in the associated address location with another file or any garbage value so that the original file cannot be retrieved. You can use tools such as eraser to do so.

Skynet