Why some recovery tools are still able to find deleted files after I purge Recycle Bin, defrag the disk and zero-fill free space?

10

1

As far as I understand, when I delete (without using Recycle Bin) a file, its record is removed from the file system table of contents (FAT/MFT/etc...) but the values of the disk sectors which were occupied by the file remain intact until these sectors are reused to write something else. When I use some sort of erased files recovery tool, it reads those sectors directly and tries to build up the original file.

In this case, what I can't understand is why recovery tools are still able to find deleted files (with reduced chance of rebuilding them though) after I defragment the drive and overwrite all the free space with zeros. Can you explain this?

I thought zero-overwritten deleted files can be only found by means of some special forensic lab magnetic scan hardware and those complex wiping algorithms (overwriting free space multiple times with random and non-random patterns) only make sense to prevent such a physical scan to succeed, but practically it seems that plain zero-fill is not enough to wipe all the tracks of deleted files. How can this be?

UPDATE, addressing the questions that came up:

  • I've tried the following wipe tools: Sysinternal's SDelete, CCLeaner, and a simple utility the name of which I can't remember which starts from command line and creates a growing zero-filled file until the whole free space is taken and then deletes it.
  • I've tried the following recovery tools: Recuva, GetDataBack, R-Studio, EasyRecovery.
  • I can't exactly remember which tools have given specific result (as far as I can remember trial versions of some of them only show files names and can't actually recover).
  • Probably in most (but not 100% all) cases they've only seen the names and could not recover the data, but this is still a security threat to be addressed as file names can still be pretty informative (for example I've seen a guy that stored passwords in text files which were named as the passworded resource name plus the login name, while login names should be secured too).

Ivan

Posted 2011-03-06T07:53:44.187

Reputation: 6 173

1Is the "reduced chance of rebuilding" greater than 0? – Daniel Beck – 2011-03-06T08:53:32.877

1What recovery program have you used to successfully recover a zero-overwritten file as I've never come across one (not that I've looked very hard or tried many)? – Neal – 2011-03-06T13:25:01.443

1Does the recovery software actually recover a usable file? or is it just finding an old entry in the master file table. – Moab – 2011-03-06T17:55:18.483

Answers

9

If you overwrite erased files, you shouldn't be able to retrieve anything from them.

My best guess is that either your wipe tool has not done everything it is supposed to or you have some sort of cache issue.

update - if you are using solid state drives, you may find that secure delete tools do not work as expected due to the way data is read/written on SSDs.

Rory Alsop

Posted 2011-03-06T07:53:44.187

Reputation: 3 168

3

It is not enough to delete the data and to format the hard drive(which deletes the adress tables). This only removes the link to the data. For the data to be erased, new data must be written on top of it.

Just writing on top of the data once is not enough. This is why the more secure method of disk wiping writes different types of data to the disk multiple times. The more times new data is written onto the disk, the more secure it is. For more information read this: http://www.headresist.com/how-computer-programs-that-wipe-hard-drive-work.htm

A really good program which lets you apply many different hard drive wipes is DBAN.

Leebeloola

Posted 2011-03-06T07:53:44.187

Reputation: 171

3

I notice you asked about the filenames staying behind, as well as the data; that's normal, no disk wiper will overwrite directory entries because the only way to do so is create and delete files in the containing directory until the old entry is overwritten. Depending on how fancy the filesystem is (ext4, ntfs, reiserfs, hfs+, others with non-linear directory structures) this may take multiple attempts.

Another possible suggestion for file data being recoverable on some filesystems is that it could be in the journal. Many disk free space wipe utilities wrote directly to the device, avoiding the filesystem; and a sufficiently smart journal might detect writing all zeroes into a file until it's full (more precisely, writing the same block of data multiple times) and only save it once, leaving other things in the journal still. And then some smart filesystems may stuff sufficiently small files into the filesystem's file metadata (inode in Unix filesystems) making them impossible for any kind of disk wipe to touch the data.

geekosaur

Posted 2011-03-06T07:53:44.187

Reputation: 10 195

3

because as geekosaur said, these tools only wipe file data and do not reorganise the file table index. if you want to completely remove traces of file from the index, find a tool that will wipe that, too, or backup the filesystem, wipe the disk and restore from backup. i found some clarification here: http://www.broadbandreports.com/forum/r19572516-Removing-names-of-deleted-files-from-MFT~start=40

user80758

Posted 2011-03-06T07:53:44.187

Reputation: