So you think you deleted that private file
So you really think that you can just delete a file and no one can ever see its contents again! Well are you going to be surprised!
Did you know that any file can be recovered, even after formatting the hard drive? Deleting the file to the Recycle Bin and emptying the Recycle Bin does not get rid of the file.
Let me first explain what deleting a file really is. If you delete the file MyFile.txt (for example), which contains all your secrets, it will be placed in the Recycle Bin and renamed to something like DC12.txt, even though you still see it named there as MyFile.txt. Now when you empty the Recycle Bin the file is deleted, but not really. MyFile.txt is still there, you just cannot see it.
All files are stored in clusters, and the information of the location of each cluster of a file is stored in the File Allocation Table (FAT).
To help you understand this you will first need to understand how files are stored on the hard drive. Envision a huge room with the floor filled with little cereal boxes, neatly packed one next to the other leaving no space between them, this room with the cereal boxes is your hard drive. The size of the room represents the size of the hard drive partition (ie. the size of C drive). Each cereal box represents a cluster. The cereal flakes inside of each box represent all the bytes of information the drive can hold. Each ounce the box weighs represents a sector. If 512 flakes weigh one ounce than 513 flakes weigh more than an ounce. An ounce is an ounce, so an ounce can only have 512 flakes, all sectors contain 512 bytes. Obviously if your cereal box is 8 ounces it is smaller in size than an 16 ounces box, each box taking up less room and having more boxes in the room.
For our example, let's use a FAT32 file system on a 7 GB hard drive partition. The drive will hold 7,278,206,976 bytes. So it will have 1,776,906 clusters. Each cluster will have 8 sectors, each sector holding 512 bytes, the cluster holds 4096 bytes.
Are you with me so far? The number of sectors of each cluster is really important to the deleting of a file, so let me explain how the size of each cluster (cereal box) is determined. The number of clusters on your hard drive and size of each cluster depends on the size of your hard drive partition. If the partition was between 8 GB and 16 GB each cluster would hold 16 sectors instead of 8. If the partition was between 16GB and 32 GB the cluster would hold 32 sectors.
Since our example drive partition is smaller then 8 GB, each cluster will contain 8 sectors. Therefore each box of cereal (cluster) will weigh 8 ounces (sectors), containing 4096 flakes (bytes). There are 1,776,906 boxes of cereal in the room, or 1,776,906 clusters in our partition.
For your information, FAT16, commonly know as just FAT, uses 32,768 byte clusters, each cluster has 64 sectors, and as always each sector is 512 bytes. There are some programs out there that can customize the size of the clusters when re-partitioning, like Partition Magic.
So now you are ready to see why you cannot delete a file so easily. Let's say you just got a promotion at work and you are moving to a new office. Your current computer will be used by the next person taking your job, however, all of your private information is in the file MyFile.txt. So, you delete it and empty the Recycle Bin. No, as mentioned previously, you cannot just empty the Recycle Bin and get rid of the file forever! Read on and I will tell you why.
Let's say that MyFile.txt was 5000 bytes, it needs 2 clusters to store the file. The clusters do not need to be stored next to one another. The first cluster of the file could be in cluster number 400 and the second cluster can be at cluster number 1,000,000.
When you delete Myfile.txt it goes to the Recycle Bin. Here, Windows does not delete the file or reassign new clusters, it merely renames the folder name and the file to something like Recycled\DC133.txt in the FAT. The Recycle bin contains a hidden file "info2" that contains the original file names, which is what Windows displays.
The file is not deleted until you empty the Recycle Bin. When you do empty the Recycle Bin the clusters that stored MyFile.txt are not erased, but rather, the clusters are marked as free space in the FAT by adding the Hex value "E5h" in front of the file name. So cluster #400 and #1,000,000 are now marked as free space in the FAT and the operating system now knows that these clusters can be used by a new file(s) when needed.
This does not mean that if you open up Wordpad and create a huge letter to your best friend and save it as MyFile.txt that it will overwrite cluster #400 and #1,000,000. No, in fact, Windows is going to just randomly pick the cereal boxes (clusters) it wants to store your new flakes (bytes of information) in. With millions of boxes available to use, the odds of overwriting either of them are very slim.
However, if you simply modify Myfile.txt and save it, it is saved to the same clusters; overwriting the same two clusters with the new information. Then when you delete the file your information may still be recoverable.
According to the National Industrial Security Program Operating Manual (NISPOM), even when the operating system overwrites the clusters some of your private information could remain in the cluster and be recoverable. If you created a new file that was 1000 bytes and overwrote cluster #400, there could be 3096 bytes of old information still in cluster # 400. Cluster number #1,000,000 was not even used, so it is now free space and completely recoverable. You cannot see your old information in the new file because at the end of the 1000 bytes in sector 2 there is an end of file marker, so no more of the cluster is read by the operating system. Don't be misled into thinking that the old information cannot be read. There are tools out there that are able to recover the entire cluster.
Using our example, Myfile.txt was only 5000 bytes, and it used 2 clusters to store the file. There was 3192 bytes not used by Myfile.txt. That is 6 sectors that will not be overwritten when you created MyFile.txt, possibly leaving someone else's 3072 bytes of information from an older file in the cluster. If the cluster size had been 32 sectors or 32,768 bytes, as it is on FAT16, there could be 27,648 bytes of information that could be recoverable. And as long as MyFile.txt is not modified or deleted, no other file can be stored in MyFile.txt's cluster. The larger the cluster the better chance of recovering some deleted information.
So how do you completely delete MyFile.txt so that your private information is unrecoverable? You cannot format because formatting is just telling the FAT how many sectors to a cluster, and marking each cluster with E5h. So this will not work.
You could low level format, this will work, writing zeros to the entire hard drive. This will remove partitions, the FAT, all clusters, everything, including all your files you wanted to keep; and it takes a long time to do a low level format.
There is a better way. There are some file shredders on the market, QikFix, Winsafe and PC Secure have one built into it. A file shredder can make the information in MyFile.txt unrecoverable, it can do it faster and easier than you can.
So what are you waiting for? An Internet Worm or Virus to read all your clusters and send all your private information back to some hacker? Someone to recover all your files when you least expect it?
. End of File marker
MasterCard 4567890123456789 expires 01/05