Does deleting a file on a computer really mean it's lost forever?
Short answer: no. Longer answer: it depends, but probably
not.
Since you are still reading this, you must be
wondering “depends on what?”.
Deleting a File
Deleting a file in most current operating systems does not
actually modify any of the data contained in that file. Operating systems
maintain an internal list of where files are physically and logically located within
the hard disk and file system. Different file systems have different names for
these lists, including:
- Master File Table (MFT) for NTFS
- File Allocation Table (FAT) for FAT16 and FAT32
- Catalog File for HFS
When you, the user, choose to delete a file, the operating
system will remove that file's entry from this internal list and mark the space
on the hard disk (called clusters) as empty and available. However, the actual
file contents are still sitting on the disk unchanged! The deleted file's
contents will remain on the disk until a new file is created and the OS chooses
to use the clusters of the old file to store the new information.
The process of recovering deleted files and information is
known as data carving. Two freely available data carving tools are Foremost and Scalpel.
Using either of these tools, it is
extremely easy to search for and extract any deleted data left on a hard
drive or other storage device (including USB thumb drives).
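The delete-then-carve behaviour described above, as an added example that is not from the original post: a constructed eight-cluster disk image and a hypothetical file table stand in for a real file system, and the carver is a minimal header/footer scanner, not Foremost or Scalpel. The last step overwrites the clusters to show what actually ends recoverability.

```python
CLUSTER = 512  # bytes per cluster in this constructed image

# Header/footer signatures of the kind a carver keys on.
SIGNATURES = {"jpg": (b"\xff\xd8\xff", b"\xff\xd9"), "pdf": (b"%PDF-", b"%%EOF")}

def build_image():
    """Constructed 8-cluster 'disk' holding two files, plus a toy file table."""
    disk = bytearray(CLUSTER * 8)
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 700 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n" + b"P" * 300 + b"\n%%EOF"
    disk[CLUSTER * 1:CLUSTER * 1 + len(jpg)] = jpg
    disk[CLUSTER * 4:CLUSTER * 4 + len(pdf)] = pdf
    # name -> (first cluster, length in bytes); hypothetical layout
    table = {"photo.jpg": (1, len(jpg)), "report.pdf": (4, len(pdf))}
    return disk, table, jpg, pdf

def delete(table, name):
    """Deletion as the text describes it: drop the entry, leave the clusters."""
    del table[name]

def carve(raw, max_size=1 << 20):
    """Scan raw bytes for header..footer pairs, ignoring any file table."""
    found = []
    for kind, (head, foot) in SIGNATURES.items():
        pos = raw.find(head)
        while pos != -1:
            end = raw.find(foot, pos + len(head), pos + max_size)
            if end == -1:          # header without a footer in range: skip it
                pos = raw.find(head, pos + 1)
                continue
            stop = end + len(foot)
            found.append((kind, pos, bytes(raw[pos:stop])))
            pos = raw.find(head, stop)
    return sorted(found, key=lambda hit: hit[1])

def wipe(disk, first_cluster, length):
    """Overwrite every cluster the file occupied with zeros."""
    size = -(-length // CLUSTER) * CLUSTER  # round up to whole clusters
    start = first_cluster * CLUSTER
    disk[start:start + size] = bytes(size)

if __name__ == "__main__":
    disk, table, jpg, pdf = build_image()
    for name in list(table):
        delete(table, name)
    print("files listed:", len(table), "| carved:", [(k, o) for k, o, _ in carve(disk)])
    wipe(disk, 1, len(jpg))
    print("after wiping photo.jpg:", [(k, o) for k, o, _ in carve(disk)])
```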
A Little Experiment
To find out just how
effective these tools are I decided to experiment on an old USB thumb drive I
found in a drawer. It’s only a 256 meg stick and hasn’t been used in a couple
years. Plugging it into my Windows workstation and viewing its contents showed
no files on the drive and all 256 megs of space available. So it appears there
is nothing on it… right?
I booted up my forensics
laptop using the Helix3 Forensics LiveCD, plugged in the USB stick and created an image file
containing an exact copy of the entire drive using the dd utility.
Now it was time to find out if the disk really had nothing on it.
Moment of Truth
I ran the image files through
both Foremost and Scalpel and instructed each tool to extract as much
information as possible. This included all possible types of files and even
partial remains of files. The results were slightly different between the two
tools but each one found almost 100 files and file fragments! Everything from Office
documents to music files and even installation executables for some small
utilities I had once used was extracted.
The moral of the story is that even though your files may be
out of sight, they really aren’t gone for good. So remember this: the next time
you decide to toss out an old hard drive or USB stick, you might want to look
into a secure wiping tool like Eraser.