It is believed that a lot of Windows users have saved private or sensitive information on their hard disk or removable storage device, and most of them know it is a must to clear these files when they are no longer useful so as to avoid privacy leakage. Well then, what measures are you taking to erase private data permanently?
Commonly Used Ways to Erase Private Data
Here we list 4 commonly used ways:
1.Right click the useless file, choose “Delete” command, and then empty recycle bin.
2.Select the target file and delete it via key combination “Shift + Delete”.
3.Delete the entire partition which saves sensitive information in Disk Management (Windows built-in disk management tool).
4.Format the partition with “Format” command.
Which way you have used or plan to use? As a matter of fact, all these ways cannot clear files thoroughly, and a piece of data recovery software can make data recovery possible. What’s the reason?
Why Deleted or Lost Data Can be Recovered
To answer this question, we need to know the essence of deleting a file, deleting a partition, and formatting a drive.
How is a File Deleted in Windows
When we save a file in Windows, the real file will be saved to data area while its attributes such as file size, starting cluster number, and creating time will be recorded to file system area. Well then, how is a file deleted from our hard disk or removable device? Under different file systems Windows need to take different operations, and here we just take FAT32 for example. Suppose the file DATA.txt saved under root directory will be deleted. Windows will take the following steps to delete a file on FAT32 partition:
Read boot sector of the volume to locate file allocation table (FAT), root directory, and data area.
Locate the entry which is allocated for DATAtxt in root directory to find the starting cluster number of the file. For example it starts from cluster 5.
Go back to FAT to find all clusters the file takes up according to cluster link (FAT records information of all clusters in this partition) . Supposing the file occupies cluster 5, 6, and 8, information for cluster 5 will show the next cluster the file takes up is 6, and cluster 6 will show the last cluster is 8.
Set FAT entries of cluster 5, 6, and 8 to 0.
Reset the first byte of the entry for DATA.txt to E5 in root directory.
After these steps, we can say the target file is deleted. From this example we know deleting a file just operates root directory and FAT (on NTFS partition, Windows just modifies master file table (MFT)), and the real file is still saved in data area. At this time, a piece of data recovery software can recover it with ease.
How Is a Partition Deleted
After we initialize a hard disk to either MBR or GPT, space for master partition table will be reserved. Here we take MBR disk for example. Master partition table on MBR disk provides 4 entries to record information of primary partitions and extended partition, and one entry is for one partition. To better understand this issue, please see the structure of MBR disk:
After a primary partition or extended partition is created, corresponding partition parameters like partition size, partition state (active or inactive), file system (FAT or NTFS), and starting position will be recorded to the allocated entry in master partition table. Let’s see the master partition table via Winhex:
Tip: to get the following interface, we need to open the target disk in Winhex, then click “View” button on the top, next choose “Template Manager”, and finally apply “Master Boot Record”.
After a logical partition is created in extended partition, the extended boot record and extended partition table will be created, and simultaneously partition attributes for this partition will be recorded to extended partition table. Extended partition table is shown below (EBR functions like MBR, so we use the template of MBR to view EBR):
This partition table also records partition state, starting position, file system, partition size (in sector), and so on.
To delete a partition just changes all or some of partition parameters to 0 or directly empty these parameters so that Windows cannot locate it. As a result, the very deleted partition will be invisible in Windows Explorer and unallocated in Disk Management. But in fact, the real partition like partition 1 and partition 2 shown in MBR disk structure is still intact before new partitions are created. Under this situation, a piece of partition recovery software can recover it as well as its data.
How Is a Partition Formatted
Here we also take FAT32 partition for example. To format a FAT32 partition, Windows needs to take the following operations:
1.Write boot code to sector 0 (boot sector of the partition), write FSINFO to sector 1, and write end signature “55AA” to sector 2.
2.Zero clear sector 3, 4, and 5, and then make a backup for sector 0, sector 1, and sector 2 in sector 6, 7, and 8.
3.Zero clear FAT area and respectively write a starting signature for FAT1 and FAT2 (FAT2 is the backup of FAT1), and set end signature of FAT in FAT2.
4.Zero clear the cluster allocated to root directory. If the partition is set with a label, create entry for label in entry 0.
Now the very partition is formatted successfully. From the introduction above we can see step 1 and step 2 are made in reserved area which is located before FAT1, and step 3 aims at FAT1 and FAT2, and step 4 operates root directory. That is to say all these operations are not made in data area so that real data are still saved completely. At this time, as long as we turn to data recovery software or data recovery companies, data originally saved in formatted partition can be recovered.
Tip: please see structure of FAT32 partition to get visualized information about reserved space, FAT, and root directory.
Now that deleted files and files saved in lost or formatted partition can be recovered, do we still have chance to erase private data permanently? Definitely there is, and it is to overwrite original data. That new file takes up space deleted or lost data occupies is called overwriting, and it is almost impossible to recover overwritten data (both data recovery software and data recovery technicians are powerless).
How to Overwrite Private data
Once a file is deleted, new files can be saved to the space deleted file occupies in real data area. After a partition is formatted, new files can be stored to any place in data area of the formatted partition. Therefore, the simplest but most stupid way to overwrite data is contiguously writing new files to the very partition after deleting or formatting. However, this is a piece of much time-consuming and troublesome work since we do not know when or whether the deleted file(s) has been overwritten. In addition, after a partition is deleted, space it occupies will be marked as usable and new partitions can be created. Therefore, users who have certain knowledge of data recovery plan to create new partitions to overwrite the original partition and think it may overwrite original data. This is indeed an effective solution to a certain extent, but some powerful data recovery programs or technicians may recover a part of information since there are traces more or less remained.
Actually, we can ask third party programs, like Winhex and partitioning tool, for help, which is the most effective method. Next, let’s see the following demonstration to get detailed steps.
How to Overwrite Private Data with Winhex
Winhex is a quite powerful and multi-functional tool but requires complex and professional knowledge. Once a minor mistake is made, we may suffer data loss or even system crash. Therefore, when using this program, we should be very careful. Let’s see detailed operations to overwrite a file, and all my operations are done in virtual machine.
First of all, I created a text file named New Text Document, and then wrote numbers 1, 2, and 3 to it and saved.
Next, open the newly created file in Winhex by taking these steps:
1.Click “Open Disk” icon on menu bar.
2.Select the target disk to open.
3.Double click the partition which saves the target file to open the partition.
4.Double click the target file namely New Text Document.txt to open it.
After opening the file we can see all its content below:
5.Write new different data to replace all original values in this file, and then shut down the file. It is suggested that users write random data, because data recovery may be possible if we fill up the target data area with the same value.
After all these operations are done, we can open the file in Windows Explorer to view its content, only to find this:
At this time we can say the file has been overwritten. However, what I erase is just a very simple and small file. If the file takes up dozens or thousands of sectors or there are a huge number of files, we have to cost lots of time to do the overwriting, which is so troublesome and time-wasting. So is there an easy way to erase private data permanently? Of course there is. Nowadays, there is third party partitioning tool which helps write random data like 0 and 1 to data area of a partition to permanently overwrite all original sensitive information. The biggest reason for recommending this kind of software is that all operations will be performed automatically by the program, and users only need to perform several mouse clicks.
How to Overwrite Private Data with Partitioning Tool
First of all, we need to download such a program from the internet. Here, we take MiniTool Partition Wizard for example, which provides 2 modules to erase data, including “Wipe Disk” and “Wipe Partition”. The former aims at erasing data saved on the entire hard disk or device while the latter just wipes files stored on a single partition.
Tip: If you just want to overwrite one or several files, Winhex is suggested. After all, third party tools will erase all data saved on a disk or partition.
After successful installation, we need to launch the program to get its main interface shown below:
All disks and partitions are listed here. To overwrite data in certain partition, we need to select the partition and choose “Wipe Partition” function from the left action panel. To erase a disk, we should select the disk and choose “Wipe Disk”. After that, 5 wiping methods are shown:
Fill Sectors with Zero: write the number 0 to every sector of the partition to overwrite all original data.
Fill Sectors with One: write 1 to replace original data.
Fill Sectors with Zero & One: write 0 and 1 alternately to every sector so as to wipe original data.
DoD 5220.22-M (3 passes): fill every sector with a group of random data for 3 times.
DoD 5220.28-STD (7 passes): fill all sectors with random data for 7 times.
From the top to the bottom, time spent in overwriting data increases, but the effect becomes better and better. We have said data recovery may be possible if we fill up data area with the same value. Therefore, the former 2 methods are not suggested thought they are time-saving. And in general situations, we highly suggest choosing the last one although it costs much time, because data recovery is no longer possible after we are making such a wiping. Please see DOD Standard 5220.28 STD to get more information.
If you do not believe what I said, try wiping a partition or disk with MiniTool Partition Wizard. Then download a piece of data recovery software to check whether wiped data can be recovered.