Open source software security

Effective File Removal

Last Updated: 02/21/05

File deletion and recovery are often assumed to be as simple as placing a file in the 'Recycle Bin' and selecting 'Empty', or moving a file back onto the desktop from the recycle bin. This notion is somewhat deceptive. Removing a file from your system is actually much more complex, and is innately tied to how a file, program, or any computer information is stored on your machine.

Computers have two basic types of memory, electrical and magnetic. All machine information is stored in binary (ones and zeros), in the form of switches, or toggles, that can either be 'on' or 'off'. In electrical memory, these switches are either in a state that passes electricity or in a state that stops the flow. Similarly, magnetic memory is stored in terms of polarity, so switches can be placed in either a positive or a negative state. Even though this storage is magnetic, changing a switch's state still requires some electricity. The reason for the two types of storage is that electrical storage is faster, but requires constant power. Your computer uses electrical memory in the form of RAM (Random Access Memory), and magnetic memory in the form of your hard drive.

Information that your machine is actually processing is passed from the hard drive to RAM, and then moved back to the hard drive once it is no longer needed (because a hard drive can store much greater amounts of information). As a side note, this is why hard drive speed is important when choosing a machine: the faster the hard drive, the more quickly memory can be accessed and swapped to and from RAM. This is also why you get disturbing "dumping physical memory" messages during a Windows blue screen of death (the computer is attempting to salvage information stored in RAM and move it to hard disk before the computer shuts down) and why you have to go through a "shut down" procedure before turning off a computer (also to move RAM to disk).

When a file is saved, the data is moved from RAM (Random Access Memory), which is the computer's sort of short-term memory, onto magnetic disk. The file is saved as magnetic binary on the permanent internal disk so that power can be cut but data storage is retained. When material is saved to hard disk from RAM, the computer scans the hard disk to find sectors that are flagged as free (not being used to store other material), and the new material is written on these sectors. Your computer keeps a sort of log of what sectors are free, what sectors contain files, and what files are stored on what sectors. Files may be scattered across non-adjacent sectors (which is why disk defragmentation is important: moving your files onto adjacent sectors means the hard disk has to spin less to access all of the pieces of the file).

This is important to understand because when a file is deleted, the original binary (ones and zeroes) saved on the disk is not removed or altered; only the master list of file storage changes. The sectors that the deleted material is saved on are simply marked as available so that new material can be saved over the older material. Because material saved on hard disk is saved in magnetic binary (in terms of polarity, positive or negative), the loss of power does not change storage. Also, because power is required to alter the sectors, it is simpler to mark sectors as free for overwrite than to change their polarity and actually remove data. What this means is that when a file is deleted, it remains on disk until new material overwrites it. This makes data recovery (whole or even partial file retrieval) possible even long after a file is deleted.

To ensure that files are actually deleted beyond recovery, it becomes necessary to use special software to immediately overwrite the space of deleted files. Software like PGP offers options like 'wipe', which will prevent data recovery. This software will find all the sectors used by a file and set them to one state, making data retrieval much more difficult (although there are technologies that can be used to determine if a state has recently been changed, so some data recovery might still be possible). While most material is hardly sensitive enough to warrant this sort of attention, it is important to use a special utility to completely delete files.

You should give special consideration to file deletion when getting rid of an old computer. There have been several cases of people and organizations donating old machines or selling them as surplus where the information on the hard drive was only 'deleted', not wiped, and personal and secure information was left on the machines in a recoverable state. Simply scrambling the operating system is not sufficient to remove personal information, nor is "deleting" your personal files. I recommend actually keeping or destroying your hard disk when throwing away a computer, just to be sure your personal information stays that way.
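
The difference between deleting and wiping described above can be seen in a small in-memory model. This is an added example, not part of the original article: `ToyDisk`, its sector size and the sample data are constructed for illustration and do not model any real filesystem.

```python
SECTOR_SIZE = 16  # bytes per sector, tiny on purpose (constructed value)

class ToyDisk:
    """Raw sectors plus the 'master list' that says which file owns which."""

    def __init__(self, n_sectors=8):
        self.sectors = [bytearray(SECTOR_SIZE) for _ in range(n_sectors)]
        self.free = set(range(n_sectors))  # sectors flagged as free
        self.table = {}                    # file name -> list of sector numbers

    def save(self, name, data):
        needed = -(-len(data) // SECTOR_SIZE)  # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        chosen = sorted(self.free)[:needed]
        for i, sec in enumerate(chosen):
            chunk = data[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]
            self.sectors[sec][:len(chunk)] = chunk  # old bytes past chunk remain
            self.free.discard(sec)
        self.table[name] = chosen

    def delete(self, name):
        """Ordinary delete: only the master list changes."""
        self.free.update(self.table.pop(name))

    def wipe(self, name):
        """Wipe: set every sector of the file to one state, then delete."""
        for sec in self.table[name]:
            self.sectors[sec][:] = bytes(SECTOR_SIZE)
        self.delete(name)

    def raw_scan(self):
        """What a recovery tool reads: every sector, ignoring the master list."""
        return b"".join(bytes(s) for s in self.sectors)

def demo():
    secret = b"account=12345678; pin=0000; name=Example"  # constructed sample
    deleted, wiped = ToyDisk(), ToyDisk()
    deleted.save("notes.txt", secret)
    deleted.delete("notes.txt")
    whole_after_delete = secret in deleted.raw_scan()
    deleted.save("new.txt", b"X" * SECTOR_SIZE)  # reuses the first freed sector
    part_after_reuse = secret[SECTOR_SIZE:] in deleted.raw_scan()
    wiped.save("notes.txt", secret)
    wiped.wipe("notes.txt")
    return {"whole_after_delete": whole_after_delete,
            "whole_after_reuse": secret in deleted.raw_scan(),
            "part_after_reuse": part_after_reuse,
            "any_after_wipe": any(wiped.raw_scan())}
```

Calling `demo()` returns four checks: the whole file is readable after an ordinary delete, part of it survives after one freed sector is reused, and nothing survives a wipe.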