Deleting and wiping files

When you issue the command to delete a file ("rm file" in Linux, Shift-Del or "Empty Recycle Bin" in Windows), the file is in fact not deleted at all. Usually, all that happens is that the file's name is removed from the disk's index and the space occupied by the file is marked as available for new data. However, as long as no new data is written on those locations, the 'deleted' file can still be recovered. Overwriting the data with random garbage is a popular way to avoid this.

More advanced techniques to recover lost data also exist. Overwriting data once is usually not good enough for these solutions. A popular standard states that you should 'wipe' a file three times with zeros and ones (zero-one-zero-one-zero-one over every byte), and then with random junk. This should even erase the magnetic remains of your data, which still can be detected after it has been overwritten once. Of course, you can overwrite with ones, zeros and random junk many times.

The swapfile poses a special challenge. This file is used by the operating system to temporarily store data that is used by active programs. That data may contain passwords the user just entered or other sensitive data. However the swapfile cannot be wiped, as it is constantly in use by the operating system.

Another difficulty occurs with so-called journaling filesystems (JFS) or log-structured file-system (LFS). Such filesystems store the data in a different way so that the data can always be recovered after a crash. Attempting to wipe a file using traditional means will not be successful with such filesystems.

Articles