What happens to a file when it gets deleted?

http://linuxawy.net/archive/2012/09/what-happens-to-a-file-when-it-gets-deleted

A lot of people don’t know this, but when we delete a file from a computer it isn’t really deleted. The operating system simply removes it from the file list and makes the space the file was using available for new data to be written. In other words, the operating system doesn’t “zero” (i.e., doesn’t clean) the space the file was using.


The operating system acts like that in order to save time. Imagine a large file that occupies lots of sectors on the hard drive. To really delete this file from the disk the operating system would have to fill all sectors occupied by this file with zeros (or any other value). This could take a lot of time. Instead, it simply removes the file name from the directory where the file is located and marks the sectors the file used as available space.

This means that it is possible to recover a deleted file, since its data wasn’t really removed from the disk. Data recovery software works by looking for sectors that still contain data but are not currently used by any listed file.

This leads us to a very important security question: if you have really confidential files that must not be read by anyone else, deleting them from the disk simply by hitting the Del key and then emptying the recycle bin isn’t enough: they can be recovered by an advanced data recovery tool.

There is a command called ‘shred’ that solves this problem. Deleting your files with this command really “zeroes” all sectors the file was using.

shred – overwrite a file to hide its contents, and optionally delete it

$ shred --remove file
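To make the difference between an ordinary delete and a shred-style delete concrete, here is an added Python model of a tiny block device (example code written for this page, not part of the original post and not GNU shred’s code). The directory table, the 512-byte blocks, the file names and the sample content are all constructed; the three scenarios it runs follow the argument above: after rm the data is still sitting in unallocated blocks, once that space is reused by a new file it is gone, and after an overwrite pass there is nothing left to carve.

```python
import os

BLOCK_SIZE = 512  # assumed sector size for the toy device


class ToyDisk:
    """Toy block device: a directory table plus a fixed set of blocks.
    Constructed to mirror the post's description of how deletion works;
    it is not a real file system."""

    def __init__(self, n_blocks=16):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(n_blocks)]
        self.directory = {}     # name -> (list of block indices, file size)
        self.allocated = set()  # blocks currently owned by a listed file

    def write_file(self, name, data):
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        free = [i for i in range(len(self.blocks)) if i not in self.allocated]
        if len(free) < len(chunks):
            raise OSError("toy disk is full")
        used = free[:len(chunks)]
        for idx, chunk in zip(used, chunks):
            self.blocks[idx][:] = chunk.ljust(BLOCK_SIZE, b"\0")
        self.directory[name] = (used, len(data))
        self.allocated.update(used)

    def read_file(self, name):
        used, size = self.directory[name]
        return b"".join(self.blocks[i] for i in used)[:size]

    def delete_file(self, name):
        """Ordinary delete (rm, Del key): drop the entry and free the blocks.
        The block contents are deliberately left untouched."""
        used, _size = self.directory.pop(name)
        self.allocated.difference_update(used)

    def shred_file(self, name, passes=3):
        """shred-style delete: overwrite the file's blocks several times,
        finish with a zero pass, then drop the entry (like shred -z --remove)."""
        used, _size = self.directory[name]
        for idx in used:
            for _ in range(passes):
                self.blocks[idx][:] = os.urandom(BLOCK_SIZE)
            self.blocks[idx][:] = bytes(BLOCK_SIZE)
        self.delete_file(name)

    def carve_unallocated(self):
        """What a recovery tool does: inspect blocks no listed file owns and
        keep those that still contain data. Returns {block index: data}."""
        found = {}
        for idx, block in enumerate(self.blocks):
            if idx not in self.allocated:
                data = bytes(block).rstrip(b"\0")
                if data:
                    found[idx] = data
        return found


SECRET = b"password: hunter2"  # constructed sample content


def recover_after_rm():
    """Delete with rm semantics, then carve: the secret is still there."""
    disk = ToyDisk()
    disk.write_file("secret.txt", SECRET)
    disk.delete_file("secret.txt")
    return disk.carve_unallocated()


def recover_after_reuse():
    """Same, but a new file is written first and takes over the freed block."""
    disk = ToyDisk()
    disk.write_file("secret.txt", SECRET)
    disk.delete_file("secret.txt")
    disk.write_file("notes.txt", b"unrelated new data")
    return disk.carve_unallocated()


def recover_after_shred():
    """Shred-style delete, then carve: only zeroed blocks remain."""
    disk = ToyDisk()
    disk.write_file("secret.txt", SECRET)
    disk.shred_file("secret.txt")
    return disk.carve_unallocated()


if __name__ == "__main__":
    print("after rm:    ", recover_after_rm())
    print("after reuse: ", recover_after_reuse())
    print("after shred: ", recover_after_shred())
```

The model assumes the file system overwrites data in place, which is also the assumption the real shred relies on: its man page warns that journaling, copy-on-write and similar file systems, as well as storage that remaps writes (SSD wear levelling), may keep copies of the old blocks elsewhere, so shredding a single file is not a guarantee on those.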

Disk formatting is no different. When we format a hard drive, the data that was there isn’t deleted, so it is possible to recover it with an advanced data recovery tool even after formatting the drive. A lot of people who have a hard disk full of confidential data think that formatting the drive kills any chance of data recovery. This is far from true.

When you format a disk, the operating system only “zeros” the root directory and the tables containing the list of sectors on the disk that are occupied by files (this table is called the FAT). Pay attention when you format a hard drive: a message “Verifying x%” is shown. The hard drive isn’t being formatted; the format command is only testing the hard disk’s magnetic surface to see if there is any error and, if one is found, marking the defective area as bad (the famous “bad blocks” or “bad sectors”).

So, just as when we delete files, the hard drive isn’t really “zeroed” when we format it. In order to really “zero” your hard drive, use a utility like Zero Fill from Quantum.

This utility fills all sectors of your hard drive with zeros, making it impossible to recover any data after it is run, which doesn’t happen when you use the normal format procedure. You can also use the so-called “low-level format utilities”. These programs fill all sectors with zeros as well.

How to recover lost data?

*Notice: this applies only to files removed with ‘rm -f’ or Shift+Delete, not to files that were shredded or disks that were reformatted.

Testdisk, Scalpel

TestDisk is powerful free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software.

yum install testdisk 
 == OR == 
wget http://www.cgsecurity.org/testdisk-6.14-WIP.linux26.tar.bz2 

Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2/3, or raw partitions. It is useful for both digital forensics investigation and file recovery. This short section shows how you can use Scalpel to recover deleted files.
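To show what “reads a database of header and footer definitions and extracts matching files” means in practice, here is an added Python carver written for this page (example code, not Scalpel’s own source). The pattern table, the sample image with three embedded files, and the output naming are all constructed for the demonstration; the table loosely follows the shape of a scalpel.conf entry (extension, maximum carve size, header, footer), and the PDF is left without a footer to show how an unterminated file is handled.

```python
import os

# Constructed header/footer table in the spirit of a scalpel.conf entry:
# (extension, max carve size, header bytes, footer bytes or None).
PATTERNS = [
    ("jpg", 20000, b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", 20000, b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    ("pdf", 20000, b"%PDF-", b"%%EOF"),
]


def carve(image, patterns=PATTERNS):
    """Header/footer carving over a raw image.

    For every header occurrence, take bytes up to and including the first
    footer found within max_size; if no footer turns up, keep max_size bytes
    (or whatever is left of the image). No file-system metadata is used,
    which is why this works on unallocated space and raw partitions.
    Returns a list of (extension, offset, data)."""
    results = []
    for ext, max_size, header, footer in patterns:
        start = 0
        while True:
            h = image.find(header, start)
            if h < 0:
                break
            window = image[h:h + max_size]
            end = len(window)
            if footer is not None:
                f = window.find(footer, len(header))
                if f >= 0:
                    end = f + len(footer)
            results.append((ext, h, window[:end]))
            start = h + 1  # every header occurrence is a candidate
    return results


def save_carved(results, outdir):
    """Write each carved object as <offset>.<ext> into an empty directory,
    the way a carver fills its output directory. Returns the paths written."""
    os.makedirs(outdir, exist_ok=True)
    if os.listdir(outdir):
        raise FileExistsError(f"{outdir} is not empty")
    paths = []
    for ext, offset, data in results:
        path = os.path.join(outdir, f"{offset:08d}.{ext}")
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


def build_sample_image():
    """Constructed raw image: three files sit in otherwise zeroed sectors,
    with no directory entry pointing at any of them. The PDF has no
    footer, standing in for a file whose tail was overwritten."""
    jpg = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF" + b"<photo data>" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"<png chunks>" + b"IEND\xaeB`\x82"
    pdf = b"%PDF-1.4\n" + b"<pdf body cut off by an overwritten sector>"
    filler = bytes(512)
    return filler + jpg + filler + png + filler + pdf + filler


if __name__ == "__main__":
    for ext, offset, data in carve(build_sample_image()):
        print(f"{ext} at offset {offset}: {len(data)} bytes")
```

The max-size limit is what keeps a missing footer from swallowing the rest of the disk, and it is also why enabling every pattern in the configuration is a bad idea: short, common headers match constantly and each match produces up to max_size bytes of output, most of it false positives.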

Scalpel is a standalone tool that does not depend on the file system. It is available on Linux and Mac OS, and can also be used on Windows, although it must be compiled there.

Scalpel Installation:
Ubuntu users can install Scalpel with the following command:

apt-get install scalpel

Using Scalpel:

Important note: The default configuration file, “/etc/scalpel/scalpel.conf”, has all supported file patterns commented out; you must edit this file before running Scalpel to activate some patterns. Resist the urge to simply un-comment all file carving patterns; this wastes time and will generate a huge number of false positives. Instead, un-comment only the patterns for the file types you need.

After that, go to the terminal and use the following syntax:

sudo scalpel /dev/sda1 -o output_directory

For the input you can specify your device name (/dev/sda1) or a directory name. The output directory is where you want your deleted files restored; it must be empty before running the command, otherwise you will get an error. You can also input the deleted file name directly with the -i option. Look at the Scalpel man page for details.

The time Scalpel takes to recover your deleted files depends on the total disk space you are trying to scan, the amount of deleted data on your machine and the speed of your system.