 |
 |
Deleted Files Still Resident
Name: Kid Joshua J.
Status: Other
Age: 18
Location: N/A
Date: 8/3/2004
Question:
How is data recovery being done? I have read many books
and articles in which data recovery is described or at least mentioned,
and most of them say that almost everything you delete can be recovered,
is this true? If it is, I would like to know what has become of the
deleted data, according to NORMAN it is not only in System Volume
Information which is being used by system recovery. NORMAN even says that
formatting your HD does not erase all the data. Even then they can
recover!(NORMAN provides a data recovery service)
I was also told that if you delete a part of an already saved text file,
save it again and close it, you can recover the deleted part, even if you
copy it to another disk, does this mean that the deleted data is saved
within the file?
At last I would like to ask how you can be sure that the deleted data
cannot be recovered at any rate?
Replies:
So here is a quick description of how file systems work. A hard-disk is
like a
very long line of buckets and each bucket holds a group of bytes. To keep
track all of these buckets, some of the "buckets" are set aside to describe
which buckets hold what file or chunks of a file (point of reference: a
common "bucket" size is 64 kB; if a file is bigger than a bucket, it is
put in
multiple buckets. It's been a while since I last used this knowledge, but I
believe the technical name of a bucket is a "cluster".). When the operating
system deletes a file it usually just goes to the file system and removes the
entry that says "this file is in this bucket". Say you had a file "foo.txt"
that is in bucket #17; when it is deleted, the file system would remove the
statement "foo.txt is in bucket #17". That way, there's no way to get to
foo.txt in the normal way and you don't have to go through the trouble of
writing "0,0,0,..." where foo.txt is.
However, there are tools that allow a person to go to bucket #17 and get
foo.txt out of it if they know what is in there. The file itself was never
removed from the disk. However, if some other file was saved to bucket #17 in
the meantime, the only thing in bucket #17 is the new file. Then, foo.txt is
truly lost for good. How the tools know where to look is another story, and
complicated enough that I am only partially sure how it works. I think it is
similar to what happens when the whole file is deleted as I described above.
What happens when you delete part of a file and save it again is simply that
it is written to another portion of the hard-disk and then the file system is
told "the file is now in this other bucket". If foo.txt were saved again and
put in bucket #19, the old version is still in bucket #17 for the tools I
mentioned above to salvage.
Formatting the disk just removes the whole file system (but not the files)
and
starts over; this is just like deleting all of the files. They are still
on the
disk, but there is no (easy) way to find them.
There are tools to "zero out the drive," as its called. I think fdisk, a
windows utility, can do this, but I'm not certain. I'm sure you can find
something on the Internet if it cannot.
Hope this helps.
Jon Card
Click here to return to the Computer Science Archives
| |
Update: June 2012
|
|
