And You Thought DELETE Meant DELETE!
A High Level Overview of File Deletion
by Thomas Rude, CISSP
Before you give those old PCs away to a charity as a tax write-off, you had better think twice. There just might be confidential and/or proprietary information on those hard drives! What? You may be thinking to yourself that this cannot be. After all, you remember highlighting each file and deleting it. If you have deleted it, then how could it still exist? It cannot, can it? Unfortunately, yes, it can. It can because a file is never deleted - it is overwritten.
Take comfort in your thinking though, as you are not alone. The majority of computer users believe that when they select a file for deletion, it gets deleted, never to be seen again. In fact, files are never really deleted in the way you have come to think they are. The word ‘delete’ as it applies to computers gives you the impression that the file has been removed from the system, that it is gone and cannot be found or recovered. However, you now know that the file does not actually get deleted, so what does happen when we delete it?
Remember that a file in its most simple form is just a number of bits. These bits combine to make up bytes. When a file is created, it is written to the system. The bytes of the file are written to available sectors on the system. When you delete a file, the system simply takes the first bit of the file and replaces it with another bit. This bit signals to the system that the file is no longer available to the system and the sectors it was using may now be used by another file.
There are a few problems with this deletion process. The first is that, depending on the system and the resources, those sectors may not be overwritten until some point in the future. That means for ‘X’ period of time, the information contained within those sectors is still resident in the system, and therefore can be read. A second problem is that there are software tools created for just this purpose: to be able to read, at a low level, the contents of a system. These tools can find this ‘deleted’ information because they read all of the sectors on a system at a low level.
If you have read some of my other work, you will know that I like to make analogies, especially when the audience is end users and/or non-computer users. A simple analogy here is this: think of the hard disk as a cassette tape. You record songs on the cassette tape just like you write files to the hard disk. You can then tape over the cassette with more songs, just like you can overwrite the files on a hard disk with more files. Now, if you listen closely to the cassette tape, you will hear 'noise' in the background - even during the playing of the newly recorded songs! This is known as 'bleeding' - whereby even though you have recorded Song B over Song A, you can still hear bits of Song A if you listen carefully (and via headphones!). If you are nodding your head yes in agreement, you now understand how you can still view 'deleted' files on a hard disk.
With this analogy in mind, you can now see the problems associated with this concept of file deletion. Your information is at risk. Whether financial or proprietary in nature, you have information on your system that must not be made available to those for whom it is not intended. So, just how do you protect yourself and securely delete files?
There are software programs you can download and use that will securely delete files. These programs will delete the files by overwriting them in such a way that recovery of the original file is either impossible or only possible at a very, very low micro level (which is so expensive financially it is rarely used). Many of these secure delete programs overwrite according to the U.S. Department of Defense recommended seven-pass extended character rotation wiping. This means that the file is overwritten and rewritten seven times, so that a software recovery tool will not be able to read the original file. These programs will also delete all information contained in free space and the swap file on a system. These are two areas where information can sometimes be recovered, because the system sometimes dumps information in these areas throughout its normal use. In order to be most secure, you want to choose a program that cleans these two areas as well.
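The difference between an ordinary delete and an overwriting delete, as an added example that is not part of the original article. The ToyDisk class, its sector size, the file name and the alternating 0x00/0xFF fill pattern are all assumptions made for illustration; this is a simplified in-memory model, not a real filesystem and not the DoD wiping scheme.

```python
# Toy disk model, constructed for illustration; it is not a real filesystem.
SECTOR = 512

class ToyDisk:
    def __init__(self, sectors=16):
        self.raw = bytearray(SECTOR * sectors)  # every sector, allocated or not
        self.table = {}                         # name -> sectors, deleted marker
        self.free = list(range(sectors))

    def write(self, name, data):
        count = -(-len(data) // SECTOR)         # sectors needed, rounded up
        used = [self.free.pop(0) for _ in range(count)]
        for i, s in enumerate(used):
            chunk = data[i * SECTOR:(i + 1) * SECTOR]
            self.raw[s * SECTOR:s * SECTOR + len(chunk)] = chunk
        self.table[name] = {"sectors": used, "deleted": False}

    def delete(self, name):
        # Ordinary delete: set the marker and release the sectors. No data is touched.
        entry = self.table[name]
        entry["deleted"] = True
        self.free.extend(entry["sectors"])

    def secure_delete(self, name, passes=7):
        # Overwrite every sector of the file on each pass, then delete as usual.
        # Alternating 0x00/0xFF is an assumed pattern, not the DoD scheme.
        for p in range(passes):
            fill = bytes([0xFF if p % 2 else 0x00]) * SECTOR
            for s in self.table[name]["sectors"]:
                self.raw[s * SECTOR:(s + 1) * SECTOR] = fill
        self.delete(name)

    def listing(self):
        # What the user sees: only entries not marked deleted.
        return [n for n, e in self.table.items() if not e["deleted"]]

    def raw_scan(self, needle):
        # What a low-level tool sees: all sectors, ignoring the table.
        return needle in self.raw

def demo(secure):
    disk = ToyDisk()
    disk.write("payroll.txt", b"CONFIDENTIAL salary data (constructed sample)")
    disk.secure_delete("payroll.txt") if secure else disk.delete("payroll.txt")
    return disk.listing(), disk.raw_scan(b"CONFIDENTIAL")

if __name__ == "__main__":
    print("delete:       ", demo(secure=False))
    print("secure delete:", demo(secure=True))
```

In both runs the file vanishes from the listing; only the overwriting delete removes the content from the raw sectors.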
So as you can see, a file is not deleted, but merely overwritten. The key is how much time passes before it is overwritten. If you want to be sure a file has been deleted and is not recoverable, install a secure file deletion program and use it to delete your files. Only then will you have some level of comfort.