PC Magazine - October 1, 2003
Here's how to get back data you thought was long gone-or how to delete it for good.
By Sheryl Canter
If the only tools available to you are those bundled with Windows, a deleted file that's been removed from the Recycle Bin appears to be gone forever. But it's not. With specialized hardware and software, you can recover virtually any file—even if the data is overwritten, the drive is reformatted, the boot sector is trashed, or the disk controller has stopped functioning. This is good news if you need to recover a crucial file and bad news if you want to prevent others from reading your private data. The right solution depends on how much time and money you're willing to spend.
To understand how deleted data is recovered, you must first understand how it's stored. A hard drive comprises a stack of platters. Data is stored on the platters in concentric circles called tracks. Read/write heads move across the surface of the platters to access different parts of the hard drive. Because data can be accessed directly anywhere on the hard drive, files - or pieces of files - can be stored anywhere on the disk, according to convenience. They don't have to be laid down sequentially.
Data is stored on hard drives in clusters. Cluster sizes vary according to the operating system and the size of the logical volume. If a hard drive has a cluster size of 4K, even a 1K file takes up 4K. A large file may consist of hundreds or thousands of clusters, scattered all over the disk. The separate pieces are tracked and managed by the file system component of an operating system.
There are currently three hard drive file systems used by Microsoft Windows. The first, file allocation table (FAT), was introduced with DOS. FAT32 was introduced with Windows 95, and new technology file system (NTFS) was released with Windows NT 4.0. All three systems use the same basic strategy. A directory lists the files on the disk and contains a pointer to the starting cluster, which holds the beginning of the file. The starting cluster's FAT entry contains a pointer to the next cluster, and so on until an end-of-file marker is reached.
It's Still There
When you delete a file through a normal Windows operation, it's not actually erased. If you delete it through Windows Explorer, it will generally end up in the Recycle Bin. But even if you empty the Bin or bypass the Bin, the file is just ignored. The first letter of the filename is changed to a special character, and the clusters containing the data are marked as available, but the data is still there. The next time you save a file, these clusters may be used to store the new data, overwriting the old data. Until this happens, however, the data remains fully intact. You can retrieve it using a utility that bypasses the OS and reads the hard drive directly. We looked at four such utilities in our recent roundup of data recovery tools. We awarded Editors' Choice to Kroll Ontrack's EasyRecovery Lite 6.0 (www.ontrack.com).
If you want to recover a crucial file that you've accidentally deleted, you must be careful not to overwrite it. Stop using your computer immediately and do not save anything to disk. Do not even install a recovery program, because anything written to the hard drive may use the clusters of the file you want to restore. If the recovery program isn't already installed, run it from a floppy disk.
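The cluster chain and the delete mechanics described above, as an added example that is not from the article: a constructed in-memory FAT-style volume in which a normal read follows the FAT chain, a delete only tags the directory entry and frees the clusters, and a recovery pass reads the data area directly from the tagged entry (assuming contiguous storage, as simple recovery tools do) until a new file reuses those clusters. The 16-byte cluster size and the file contents are constructed values.

```python
import struct
CLUSTER, EOF, DELETED = 16, 0xFFFF, 0xE5  # toy cluster size; end-of-chain mark; deleted-entry tag (real FAT uses 0xE5)

class ToyFat:
    """Constructed volume: FAT, 32-byte directory entries (name at 0, first cluster at 26, size at 28), data area."""
    def __init__(self, clusters=8):
        self.fat = [EOF, EOF] + [0] * (clusters - 2)   # 0 = free, otherwise next cluster or EOF
        self.dir = []
        self.data = bytearray(clusters * CLUSTER)
    def write_file(self, name, payload):
        # Take the first free clusters, chain them in the FAT and copy the data in
        need = -(-len(payload) // CLUSTER)
        chain = [i for i, e in enumerate(self.fat) if e == 0][:need]
        for i, c in enumerate(chain):
            self.fat[c] = chain[i + 1] if i + 1 < len(chain) else EOF
            self.data[c * CLUSTER:(c + 1) * CLUSTER] = payload[i * CLUSTER:(i + 1) * CLUSTER].ljust(CLUSTER, b"\0")
        self.dir.append(bytearray(name.ljust(11).encode() + bytes(15) + struct.pack("<HI", chain[0], len(payload))))
    def read_file(self, entry):
        # Normal access: follow the cluster chain through the FAT until the end-of-file marker
        start, size = struct.unpack("<HI", entry[26:32])
        out, c = b"", start
        while c != EOF:
            out, c = out + self.data[c * CLUSTER:(c + 1) * CLUSTER], self.fat[c]
        return out[:size]
    def delete(self, entry):
        # What a normal delete does: tag the entry's first byte and free the chain; the data is untouched
        c = struct.unpack("<H", entry[26:28])[0]
        while c != EOF:
            nxt, self.fat[c] = self.fat[c], 0
            c = nxt
        entry[0] = DELETED
    def recover_deleted(self):
        # Recovery-tool view: a tagged entry still holds start cluster and size, so read the data area directly
        found = {}
        for e in (e for e in self.dir if e[0] == DELETED):
            start, size = struct.unpack("<HI", e[26:32])
            found[bytes(e[1:11]).strip().decode()] = bytes(self.data[start * CLUSTER:start * CLUSTER + size])
        return found

def demo():
    vol = ToyFat()
    vol.write_file("SECRET", b"account 1234, PIN 9876, do not share")   # 36 bytes: clusters 2, 3, 4
    live = vol.read_file(vol.dir[0])
    vol.delete(vol.dir[0])                                               # name now reads "?ECRET"
    after_delete = vol.recover_deleted()["ECRET"]                        # fully intact
    vol.write_file("NEW", b"fresh data in the freed clusters")           # 32 bytes reuse clusters 2, 3
    after_overwrite = vol.recover_deleted()["ECRET"]                     # only the cluster 4 remnant survives
    return live, after_delete, after_overwrite
```

The final recovery still returns the tail of the old file from the cluster the new file did not reuse, which is the kind of remnant the article warns about.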
When Data Is Overwritten
Once you overwrite a file's data, you can no longer access it through software. But that doesn't mean the data is irrecoverable. There are two ways that overwritten data on a hard drive can still be read.
When a read/write head writes a bit to a disk, it applies just enough signal strength to set the bit, but not so much that adjoining areas are affected. Because the signal isn't strong enough to saturate the media, the absolute signal strength is affected by the data previously stored in that location. When a 0 bit is overwritten with a 1, the signal strength is weaker than it would be if the previous value were a 1. Specialized hardware can detect the exact signal strength. By subtracting a perfect version of the signal, you can obtain a ghost of the previous data. This process can be repeated up to seven times, so to guarantee the elimination of ghost images, data must be overwritten more than seven times, each time with random data.
The second data recovery technique takes advantage of the read/write head not being positioned in exactly the same place for each write operation. This allows experts to detect the previous setting around the edges of the track—called shadow data. Repeatedly overwriting data also tends to overwrite these border areas.
Knowing that your data can be recovered is comforting, unless you really wanted it gone for good. The U.S. Department of Defense's standard for sanitizing hard drives is detailed in the National Industrial Security Program Operating Manual, also called DOD 5220.22-M (http://www.dss.mil/isec/nispom_0195.htm). The manual calls for overwriting data three times—first with a single 8-bit character, then with the character's complement (0s for 1s and vice versa), and finally with random characters. This method is not approved for sanitizing media that contains top secret information, however. Such disks must either be degaussed (demagnetized) or physically destroyed.
For most people, however, the overwriting method is good enough, and there are numerous utilities that employ this method.
Deleting and overwriting files won't remove all sensitive data from your hard drive. You must wipe every sector—the 512-byte segments that make up a cluster—because data can hide in unexpected places. Random data, called file slack, often resides in the last cluster of a large file. When the last portion of a file is written to the hard drive and the data doesn't completely fill the sector, it's padded with random data drawn from memory, called RAM slack. This can be any information created, viewed, or modified since the computer was last booted. The remaining sectors making up a cluster contain the remnants of whatever data was previously stored in that location—called drive slack. Many secure deletion programs do not properly wipe file slack, which can contain a wealth of private information.
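An added example (not from the article, and not a certified sanitization tool) that applies the three-pass scheme described above and extends each pass to the cluster boundary so that the file slack in the last cluster is overwritten along with the file's own bytes. The 4K cluster size, the 0x55 fill character and the sample file contents are assumptions; the code also assumes the file system writes an in-place update back to the same clusters, which journaling, compressed or wear-levelled storage does not guarantee.

```python
import os
import secrets
import tempfile

CLUSTER_SIZE = 4096   # assumed cluster size; on a real volume use the value reported for that drive

def dod_5220_patterns(char=0x55):
    """The three overwrite passes described in the text for DOD 5220.22-M:
    a fixed 8-bit character, its complement, then random data (None = random)."""
    return [bytes([char]), bytes([char ^ 0xFF]), None]

def wipe_file(path, char=0x55, cluster_size=CLUSTER_SIZE):
    """Overwrite a file in place three times, then unlink it.
    Returns the number of bytes written per pass (the file size rounded up to a cluster)."""
    size = os.path.getsize(path)
    # Round up to the end of the last cluster so the unused tail (file slack) is overwritten too
    padded = -(-size // cluster_size) * cluster_size
    with open(path, "r+b") as f:
        for pattern in dod_5220_patterns(char):
            f.seek(0)
            for _ in range(0, padded, cluster_size):   # one cluster at a time
                f.write(secrets.token_bytes(cluster_size) if pattern is None
                        else pattern * cluster_size)
            f.flush()
            os.fsync(f.fileno())   # push this pass to disk before starting the next one
        f.truncate(0)
    os.remove(path)
    return padded

def demo():
    # Constructed sample: a small file in a temp directory, wiped, then checked to be gone
    d = tempfile.mkdtemp()
    path = os.path.join(d, "secret.txt")
    with open(path, "wb") as f:
        f.write(b"account 1234, PIN 9876\n" * 4)
    written = wipe_file(path)
    return written, os.path.exists(path)
```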
On NTFS (available on Windows NT 4.0, 2000, and XP), files contain multiple streams. One stream holds information about access rights and a second holds the actual file data. NTFS can also have Alternate Data Streams (ADSs), which hold just about anything. The most common use of ADSs is to store thumbnails of image files. Because many secure deletion programs fail to wipe ADSs, the thumbnail images can remain retrievable even after a stream containing an image file has been wiped. For details on how to prevent thumbnails from being saved, see the Microsoft Knowledge Base Article 319300 (http://support.microsoft.com).
Criminals have been known to use ADSs to hide data or viruses on hard drives. There are other areas on hard drives where data can be deliberately hidden. Sectors are created on a hard drive during its low-level format—usually done at the factory. Bad sectors are marked so the hard drive controller won't attempt to write to those areas. Clusters, which are composed of sectors, are defined during the high-level format. If a bad sector is found during this format, the entire cluster is marked as bad. But this bad cluster contains good sectors in which criminals can hide data.
On older hard drives, data also can be hidden in what's called the sector gap. Each track had the same number of sectors, even though the circumference of the outside tracks is much larger than that of the inside tracks. The larger gaps between the outside sectors could be used for covert data storage. Modern hard drives eliminate this wasted space through a technique called zoned recording, which adjusts the number of sectors depending on the position of the track.
To access such hidden areas on a hard drive, you need a program that bypasses the OS, as we mentioned. Professional forensic software can be expensive. Guidance Software's EnCase Forensic Edition (www.guidancesoftware.com) costs $2,495. Briggs Softworks's Directory Snoop (www.briggsoft.com/dsnoop.htm) offers low-level disk access for just $29, but it doesn't support NTFS.
Play It Safe
It's important to remember that recovering data is easier than deleting it permanently. If you've ever deleted an important file accidentally (and who hasn't), this is a blessing. But if you are selling a used computer or hard drive, use a secure delete utility to overwrite every sector on a hard drive. Remember that reformatting does not overwrite every sector, and private information can remain retrievable.