Data recovery programs can read deleted data from free space in your hard disk.
The way Windows system deletes a file
When you delete a file it isn’t really removed from the disk. The operating system (OS) only removes the reference to the file from the file allocation table. This is like going into a book or magazine and removing a chapter reference from the table of contents. The actual chapter is still in the book. The only thing removed was the page number reference in the table of contents. With the file location reference removed, the OS now sees that disk space as being available for use.
The DOS and Windows file systems use groups of disk sectors, known as clusters, to store data. These clusters are of a fixed size which is normally determined by the size and number of partitions of the disk volume itself and the file system being used. If the data you’re storing requires less space than a full cluster, the entire cluster is still reserved.
For example, you’ve saved a file that required 15.5 clusters of drive space. Because the OS can’t reserve a half cluster, the allocation table had to reserve 16 whole clusters for the file. That remaining half cluster that was not used may still contain data from a previous file. That unused half cluster is known as “slack space”.
Data recovery programs can retrieve data from free space
Data recovery programs can read slack space and retrieve the data stored there. Even worse, let’s say the file system places your 15.5 cluster file over the “unused” area of a deleted file that originally took up 35 clusters. More than half of the previous file would still be retrievable! You could have thousands of clusters on your hard drive (aka free space) that contain data you thought was deleted! Scary thought, huh?
To test this idea, use a data recovery utility (such as Recuva or PC Inspector File Recovery) and see if it recovers any files.
You can also use recovery programs to check whether an erasing program successfully overwrites your data. Some data gets nicely erased down to 0 bytes, some mixes with other random data to create files of nonsense information, some fails to get erased (whether because it is in use or in a protected area), and some are more difficult and require free space wiping. Very little of consequence is leftover after free space wiping on modern drives.
How do you erase free space?
-
For wiping the free space on large hard drives, a single pass of random data with an eraser program, such as Eraser, should be more than sufficient.The best policy is to wipe the free space regularly. I find almost nothing after a full free space wipe on a sizable drive. With just a single pass of random data, PC Inspector File Recovery only finds 0 byte nonsense files, or many nonsense files full of useless random data in my testing.But on smaller drives, eraser programs tend to leave behind more files of random data, and the data may be recoverable to varying degrees depending on the quality of the erasing pattern.
-
Since free space wiping takes so long, you may want to use file shredding in the meantime. For individual files and folders, note that the files can’t “hide” as easily with an entire drive of erased random data, and some devices use wear leveling that may interfere with the effectiveness of wiping.
-
Erasing the Page File isn’t a normal feature of eraser programs. You can easily set Windows to delete it at shutdown with a registry setting (remember to backup the registry before making changes to it).This tool sets the registry for you to automatically delete it at shutdown: Ultimate Windows Tweaker. But you can also encrypt the paging file with Ultimate Windows Tweaker, with registry or Local Group Policy changes, or from a Command Prompt:Encrypt the Page File:
- Start a Command Prompt as an administrator (Windows+R to open the “Run” box, type “cmd” into the box and press Ctrl+Shift+Enter);
- Key in “fsutil behavior set EncryptPagingFile 1” (without quotes);
- Restart your computer.
-
If you need to erase a drive before getting rid of it, then Darik’s Boot and Nuke (DBAN) is designed for wiping an entire drive, but be ready to spend time installing and updating windows from scratch afterward.