This article was originally published in issue 51 of The Crypt Mag
When a file is deleted, only the information that makes the file visible to the operating system is removed. Looking at the raw data on a hard drive would reveal that the essence of the file is still there, at least until it is overwritten by new data. This makes recovery of deleted data a relatively easy task and there are numerous tools available on the internet that can accomplish this.
People are becoming more aware of the sensitivity of certain files on their computer (e.g. internet cache and personal documents) and because of this many employ a type of software known as a file shredder.
Enter The Shredder!
File shredders work by overwriting the file first before carrying out the actual delete. One of the most basic methods is to completely overwrite the file with bit values of zero. If someone was to look at the raw data after this all they would see are values of zero instead of the original contents of the file. However, getting rid of your data completely is not quite as simple as that and it is still quite possible to recover it.
Recovering Shredded Data
Data on a computer is stored as digital information meaning that the data is stored as either zeroes or ones. How this data is recorded onto a storage medium such as a hard drive is generally analogue in nature so values in between ‘zero’ and ‘one’ are possible. Advanced methods of retrieving deleted or overwritten data analyse the magnetic patterns on a hard drive and attempt to reconstruct what data was there previously. As a very basic illustration on how this works have a look at the example below:
The above diagram represents a small section of hard drive that has never had any information stored on it before. After data is written to it the diagram could then look like this:
Now suppose that the data is shredded using the simple method of overwriting data with zeroes. This would produce something similar to this:
As you can see there are residual traces of the original data present. Although the data was overwritten by zeroes the process is never 100% efficient. This is the basis of how some of the more advanced methods of data recovery work. By analysing the analogue value of the stored data rather than the digital value the original data can potentially be recovered.
To make file recovery more difficult most file shredders will have the option of overwriting files numerous times with different patterns of data to further mask the original information.
Gone For Good?
I think that a lot of people put too much faith in file shredding software to completely remove files believing that once it has been done their files are no longer recoverable. There are a number of reasons why file shredder utilities can fail to remove files completely and sometimes they are no better than the standard delete. This list is by no means exhaustive.
Many applications create temporary copies of files as they are being worked on, printed, e-mailed, etc.. Once the application is finished with the file sometimes it is deleted, but sometimes it can be retained for future use or reference.
Probably the most notorious place to find copies of files is in the swap or page files in some operating systems.
Defragmenting data on your hard drive causes the data to move about so that fragmented files become consolidated. Here we have a problem where a file that you have shredded could still exist in the original fragments across your hard drive.
Even if you do not regularly defragment your hard drive some operating systems have the facility to automatically defragment hard drives in the background without the user even being aware that it is happening.
Files can be cached to the computer’s memory or the hard drive’s own cache for reasons of speeding up file operations. This presents another problem when trying to shred files because at worst the files held in the cache could be the ones being shredded and the actual files present on the hard drive only being modified when they are deleted.
Poorly Programmed Software
Another possible and perhaps less obvious problem could be the way that the file shredding software itself has been programmed. If the file to be shredded is opened in the wrong way the file shredder software could inadvertently truncate the file size to 0 bytes. Since in this case there is now effectively no file data from the operating system’s point of view any new data written during the overwrite process can end up being put anywhere on the hard drive and not necessarily over the original file.
File Shredding Tips
For those that are truly paranoid about their data being recovered here are a few tips:
Get Rid Of Your Temporary Files
An excellent program for removing your temporary files is CCleaner and is one that I use regularly. It gives the user the choice of removing internet cache, cookies, logs and other temporary files including what is in your recycle bin. You can also set the options of how the files are removed either as a standard delete or by various shredding methods.
Shred Your Free Space
Some file shredders also have the facility to shred the unused areas of your hard drive. One such utility is File Shredder. This is especially useful because of the reasons mentioned above regarding defragmentation and temporary files that have already been deleted.
Shred Your Swap File
This should be pretty obvious. A lot of temporary data gets stored in the swap file so it makes sense to include this on the shredder hit list.
I will be honest here, but I do not have much experience with file shredder software that also erases swap files (I do not have swap files set up on any of my systems). There are utilities out there that will do this so you may want to research this yourself to see what suits you best.
Consider Not Using A Swap File
If you have a PC with a lot of RAM (e.g. 1GB or more), you may want to consider switching off your swap file altogether. Not only will this prevent potentially sensitive data being stored on your hard drive it can also speed up your system since data is not being paged to the swap file.
Use A Temporary Partition
For some people it may suit them better to use a temporary partition to store data. When the data is no longer needed the whole partition can be shredded.
Shred Your Files Regularly, But Not Too Often!
Obviously it makes sense to shred files on a regular basis, but you do not want to overdo this as constantly writing to a hard drive will cause wear and tear. This goes more so for the more secure shredding methods such as the Gutmann method which will overwrite a file as much as 35 times.
Article copyright © 2007, 2010 Francis G. Loch