How is it possible for the IT experts to recover data that was erased from a hard drive when the storage of said hard drive appears empty?

⁨76⁩ ⁨likes⁩

Submitted ⁨⁨2⁩ ⁨months⁩ ago⁩ by ⁨Dop@lemmy.world⁩ to ⁨nostupidquestions@lemmy.world⁩

And additionnaly, isn’t there a way to exploit this so we can store more stuff on PCs?

source

Comments

Sort:hotnew top

zeppo@lemmy.world ⁨2⁩ ⁨months⁩ ago
Because of how filesystems work. There’s basically an index that tells the OS what files are stored where on the disk. The quickest way of deletion simply removes the entry in that table. The data is still there, though. So a data recovery program would read the entire disk and try to rebuild the file allocation table or whatever by detecting the beginning and ends of files. This worked better on mechanical drives than SSDs.

source
- pearsaltchocolatebar@discuss.online ⁨2⁩ ⁨months⁩ ago
  Yup, and many security suites will include a tool that writes all 0s or garbage to those sectors so the data can’t be recovered as easily (you really need multiple passes for it to be gone for good).
  
  source
  - zeppo@lemmy.world ⁨2⁩ ⁨months⁩ ago
    right, i’m super out of date but you;d want to do shred or some dd dev/random > device thing to securely erase them.
    
    source
CameronDev@programming.dev ⁨2⁩ ⁨months⁩ ago
You have a notebook. On the first page, you put a table of contents. As you fill in pages, you note them down in the table of contents at the start.

When you want to delete a line, instead of erasing the whole page now (there are hundreds free still, why waste the effort), you erase the entry in the table of contents.

Now if someone finds your notebook, according to the table of contents there is no file at page X. But if they were to look through every single page, they would be able to find the page eventually.

This is loosely how file systems work. You can’t really use it to boost storage, the number of pages is finite, and if you need to write a new page, anything not listed in the contents is fair game to be overwritten.

source
muntedcrocodile@lemm.ee ⁨2⁩ ⁨months⁩ ago
Cos ur computer is lying to u. When u delete a file it doesnt actually delete it it just marks that section of disk as deleted that will eventually be overwritten at some point in a future.

source
lurch@sh.itjust.works ⁨2⁩ ⁨months⁩ ago
it’s inefficient to really erase the data, so what happens usually is: it gets marked as deleted. the data only gets overwritten when another file is written in the same data area, which often doesn’t hapoen immediately. even if a drive gets formatted the empty metadata structures of the new partitions and file systems are just written on top. since they have no file entries yet, the previous data just sits there invisible and inaccessible until new files are created and maybe overwrite a bit of the okd data.

source
jimmydoreisalefty@lemmy.world ⁨2⁩ ⁨months⁩ ago
IIRC: Data has not been overwritten yet; it is just shown to be open to being rewritten.

It can still be recovered with minimal corruption if the device was not used too much, where open storage would be eriten over.

source
- over_clox@lemmy.world ⁨2⁩ ⁨months⁩ ago
  eriten
  
  source
NutinButNet@hilariouschaos.com ⁨2⁩ ⁨months⁩ ago
Think the best analogy I can give you is this:

If you write a check and give it to someone, the money has not yet been taken out of your account until they turn that check into cash or deposit it into their bank account.

Until that time, it is something you are keeping a record of to say “I wrote a check for $700 so I am down $700 in my checking account.” Even though the total balance today says $1700, you know that it really is supposed to be $1000 that is available to be used for other expenses.

If you wanted to recover that $700, all you need to do is shred the check before it gets to the bank or check cashing place or contact your bank to tell them to not process this check. Thereby, you have essentially “recovered” the $700 you intended to give to someone else.

This is similar to how your hard drive works. When you tell your computer to delete a file, your computer’s operating system basically tells you that it’s been deleted and no longer lets you access it by normal methods, but that data still exists in a form awaiting an actual deletion. Once you create a new file, your operating system remembers that it had deleted 100MB earlier in the day, so it can now use 25MB of that 100MB it reserved to overwrite some of that file that was deleted, in a sense. However, this whole time, your operating system told you that you had an extra 100MB immediately after you deleted that file, even though it was really being reserved to eventually be replaced.

Your operating system speaks in binary language of 1’s and 0’s and this file existed as a bunch of 1’s and 0’s. When something else got overwritten, it took some of these 1’s and 0’s from the old file to be turned into space for the new file that is to be created.

So as long as it’s recent, no new data has been written to the drive, and the computer hasn’t been restarted, the file is still effectively there in the binary language, just not in plain text to you. However, as time goes on, new data is written, or the computer is restarted, then it becomes much more difficult to restore the file. This is mainly because data is always being written to the drive due to the computer doing other things in the background in addition to the things you do on the computer.

But there isn’t any way to exploit this as this is all due to how much data is available. You have a 1TB drive in your computer and your computer will only ever report 1TB of available storage. It will never report to you that you have more storage unless you’ve done some trickery and even then, it’s just playing with the numbers that you see. Fake USB drives do this where someone sells you what they tell you is 2TB but is actually 16GB and the file has been written to trick the operating system into thinking it has 2TB. If you try to copy more than the actual 16GB of available space, you get an error.

source
bradsmybro@lemmynsfw.com ⁨2⁩ ⁨months⁩ ago
From my limited understanding deleting something on a hard drive is just letting your computer know that that space is now available for other data to be stored there. Until something is actually stored there the data isn’t changed.

You can’t use this to increase storage in a computer because the total amount of data allowed on a hard drive doesn’t change when data is deleted. It just moves that stored data to the available section.

source
transientpunk@sh.itjust.works ⁨2⁩ ⁨months⁩ ago
Often times when you delete something off a computer, the computer simply deletes the address of the data, but doesn’t overwrite the data.

Think of a map for a city. If you delete a house off the map, you may not be able to find it anymore, but the house is still there. It’s the same for computer storage

source
hddsx@lemmy.ca ⁨2⁩ ⁨months⁩ ago
No, there is no way to store more stuff on PCs.

Hard drives are devices that store 1’s and 0’s. There’s a bit more complication, but the short answer is that you can wipe a file system, but the files are still there.

source
orcrist@lemm.ee ⁨2⁩ ⁨months⁩ ago
Generally speaking, writing new data is what actually erases old data. So no, you can’t exploit it for extra storage space.

source
TESTNET@lemmy.world ⁨2⁩ ⁨months⁩ ago
Because as long as it isn’t overwritten it can sometimes reside in a residual way in the storage sectors on the drive, these hdd scanning software’s check through the sectors for data hiding in them some sucxessfully some not as successfully, there for some will find more or less data than others do as well.

This is why data disappears on drives as well when a physical issue causes the sectors of the drive to begin to stop working aka “bad sectors” this makes the data start to seemingly magically vanish or corrupt if it’s still operating and booting into windows you can at times witness the data/folders and or files present in folders one moment and missing fron the OS the next, that’s an indictator often of an imminent drive failure due to bad sectors often.

source
SnotFlickerman@lemmy.blahaj.zone ⁨2⁩ ⁨months⁩ ago
The only way to truly securely delete data is disc destruction. Remove the drive and drill through the hard disk platter or the SSD memory chips.

source
- FuglyDuck@lemmy.world ⁨2⁩ ⁨months⁩ ago
  Even a single overwrite process is sufficient to stop most attempts at recovery- the only people who might be able to reconstruct that data are… like top FBI forensic labs, and similar.
  
  Even then, most of the data would be coming back corrupted and mostly useless.
  
  2 or 3 overwrites are sufficient to prevent that as well.
  
  For SSD’s, a single overwrite renders it impossible, simply based on how the data is physically stored- there’s no residual “footprint” or “ghost”- the NAND flash memory used floating-gate transistors to store the data. Either the gate is flipped or it’s not, there’s no way to know if it was previously flipped, only what its current state is.
  
  Physical destruction is usually only recommended for extreme cases, where that drive held extremely sensitive data- where the consequences of any amount of that data being recovered would be catastrophic, even then the process begins with overwriting data. (Also keep in mind just breaking the platers aren’t enough- they have to be shattered into ittybitties.)
  
  source
pixeltree@lemmy.blahaj.zone ⁨2⁩ ⁨months⁩ ago
If I tell you all the boxes in a warehouse are empty, that doesn’t mean they are. It just means I think they are. You can go and check them manually to see if they’re actually empty or if I was lying or forgot there was stuff in them. The metaphor breaks down a little bit here but if you look at the boxes closely, the ones with dust on top were probably empty for a long time and the ones without were probably emptied recently.

source
1rre@discuss.tchncs.de ⁨2⁩ ⁨months⁩ ago
Storage forensics can look into variations in charge to suggest “this used to be a 1” or “this used to be a 0”

To store more data that way, it’d have to be analog data in reality, as otherwise data loss due to charge decay would be immense so you’d need so much error checking you’d lose most of the storage savings

source
InFerNo@lemmy.ml ⁨2⁩ ⁨months⁩ ago
On ext4 drives 5% is reserved for the system in emergencies. Since disks are getting larger over the year, 5% is a pretty big chunk. It’s possible to tell the system to use a lower reserve. It’s the only instance I know where you can seemingly gain more storage out of thin air. I’ve used it in moments of emergencies when a servers’ disk was too full to function.

source
dodgy_bagel@lemmy.blahaj.zone ⁨2⁩ ⁨months⁩ ago
Follow up question: If I write my drive with 0s, how reliable are the mechanisms to read off of:

An hdd

A ssd
source
- pixeltree@lemmy.blahaj.zone ⁨2⁩ ⁨months⁩ ago
  dban is kind of the standard for wiping data, which iirc is 3 cycles of overwriting everything with 1s, then 0s.
  
  source