26

As far as I know, there is a table of files present in the hard drive that does not contain the data of each file but can point you to it.

When you delete a file, the record of it gets deleted from the file table, but the data remains on the computer.

So the question is: If you overwrite a file's data with, let's say, just using WriteFile Win API to overwrite all data with zeros, will that become unrecoverable?

Machavity
  • 3,766
  • 1
  • 14
  • 29
GuestBro
  • 277
  • 3
  • 3
  • 1
    this may answer your question https://security.stackexchange.com/questions/5749/how-can-i-reliably-erase-all-information-on-a-hard-drive – elsadek Apr 19 '20 at 20:36
  • 4
    Does this answer your question? [Overwriting hard drive to securely delete a file?](https://security.stackexchange.com/questions/35725/overwriting-hard-drive-to-securely-delete-a-file) – ThoriumBR Apr 20 '20 at 04:18
  • 1
    Not completely unrelated but interesting reading is "[how they <> disposed of Edward Snowden laptop](https://www.theguardian.com/uk-news/2014/jan/31/footage-released-guardian-editors-snowden-hard-drives-gchq)". It gives an idea of how complex is safe erasure. – usr-local-ΕΨΗΕΛΩΝ Apr 20 '20 at 09:12
  • 3
    This definitely a duplicate question, if you use the search function you will find lots of related questions. The short answer however is that there is no guarantee that the file will be completely overwritten, because there are too many layers of abstraction between your software and the hardware (caches, OS, firmware, all kinds of optimizations, etc.) – reed Apr 20 '20 at 12:38
  • 1
    I set the drive on my driveway and then drive the car over it. After which I put it on a charcoal fire and cook until done. – Hot Licks Apr 20 '20 at 18:24
  • 1
    And I will note that if you want to erase the data by overwriting, and don't want the CIA to retrieve it, you should write random digits, not zeros. – Hot Licks Apr 21 '20 at 22:26

5 Answers5

44

Yes, most likely. However there can always be edge cases:

  • SSDs are doing wear leveling etc., and will most probably not write your zeroes to the same cells your original data was written to. How the attacker will find and access that data is another matter altogether of course.
  • On a traditional spinning HDD, the original data may exist on other sectors because the disk got defragmented. Or the OS may decide to relocate your file on write, to consolidate the file. At least OS/2 used to do that, I am not sure if current windows version still do that.
  • NTFS stores small files directly in the directory structure btree, that may lead to your data getting copied around the disk.
  • the OS may have created a system snapshot, etc.
manduca
  • 1,111
  • 7
  • 10
  • 3
    I see, so it's not very reliable. Thanks for your answer! – GuestBro Apr 19 '20 at 21:18
  • 1
    @GuestBro overwriting disks is much more reliable, though that's not available for alot of cases. – Legorooj Apr 20 '20 at 08:38
  • 10
    SSD (can) use the [Sanitize command](https://superuser.com/questions/1518253/ssd-what-is-the-difference-between-sanitize-secure-erase) which guarantees erasure – Rsf Apr 20 '20 at 09:42
  • 4
    Great answer. However, the summary contradicts it - it is not "most likely", that's at most a "probably" :-). – sleske Apr 20 '20 at 13:00
  • 4
    I wouldn't really classify SSD wear-leveling as an "edge case". If your system has an SSD or other non-magnetic storage, odds are good the data will persist after basic overwrite at the OS level. – MooseBoys Apr 20 '20 at 18:02
  • Of course, the only way to _really_ guarantee erasure involves power tools... it's also the most fun way. – Sebastian Lenartowicz Apr 21 '20 at 13:05
  • There's also a possibility of the data persisting on magnetic discs due to sector remapping. Such data would be rather challenging to access (you would probably need to remove the actual platters and access them through specialized 9and every expensive) equipment), but it's not impossible. – Austin Hemmelgarn Apr 21 '20 at 17:20
  • To add to your list. The save process of some software happens by making a new copy of the file, and deleting the old and renaming the new. – Zoredache Apr 22 '20 at 16:47
17

So the question is: If you overwrite a file's data with, let's say, just using WriteFile Win API to overwrite all data with zeros, will that become unrecoverable?

Don't use the WIN API WriteFile to try and securely delete. Instead use a secure delete tool like SysInternals sdelete.

If you just use WriteFile the operating system/file system has the option of writing the new data (e.g., a bunch of null bytes or whatever) to a new block on the disk and then updating the master file table to point to the new block not the old block. You will not be assured that you have overwritten the original file data (unless you use WriteFile to, say, write a file as large as the entire disk).

hft
  • 4,910
  • 17
  • 32
  • Does sdelete understand solid state drives, thin provisioned media, etc.? The web page seems to imply that it only works (properly) with directly attached spinning rust. – Michael Hampton Apr 22 '20 at 22:53
  • No, I don't think it understands solid state vs any other underlying drive. So, for example, it probably doesn't know about stuff that the solid state drive might be doing like wear leveling or other solid state devices specifics that could potentially preserve data. But it is definitely a lot better than using WriteFile. – hft Apr 23 '20 at 00:34
13

One way to dispose of a file in a 100% reliable manner is to keep it on a separate HDD partition you can purge, or, better yet, on a separate medium you can afford to destroy.

If that's not practical, a good compromise is to make sure the file is only stored encrypted. When you need to "destroy" it, all you have to do is to forget the key. You don't have to care about edge cases leading to the file not being fully overwritten.

The next less secure alternative is to use a file shredder that you trust. If it's implemented correctly, it will track every sector on the disk associated with the file and overwrite it. Of course, it will not be able to destroy any copies of data that you, your OS, or your storage controller have made that it doesn't know about (think temporary files, swap, disk defragmentation, etc.). In general, it only makes sense to pay for a tool that was subject to a security audit.

Then comes your idea of simply overwriting the file. It's not 100% secure, but it will for sure make the data unrecoverable using off-the-shelf undelete tools. That's actually sufficient in many practical situations.

Dmitry Grigoryev
  • 10,072
  • 1
  • 26
  • 56
11

Effectively, yes, overwriting the blocks used by a file will make it unrecoverable.

This can be done using sdelete on Windows, or shred on Linux.

gowenfawr
  • 71,975
  • 17
  • 161
  • 198
  • 9
    But note the numerous limitations mentioned in the shred documentation: https://www.gnu.org/software/coreutils/manual/html_node/shred-invocation.html – dhag Apr 20 '20 at 14:18
4

In order to do that securely you have to know what you are doing and the task can be quite hard depending on the OS, filesystem type, filesystem options (journaling, compression, self-defragmentation, redundancy, TRIM support), existence of automatic backup, the type of storage media (SSD, honest-to-god HDD, HDD w/ SMR), the need (or lack thereof) of plausible deniability...

and most importantly, the abilities and the motivation of the potential adverse actors.

See the links in the first comments.

fraxinus
  • 3,425
  • 5
  • 20