EVERYTHING You Do On Your PC......

… goes to your hard drive and stays there, right?

Meaning that if you DELETE something and it goes to RECYCLE BIN and you empty that, you really have NOT deleted ANYTHING?

Internet AND offline.

No exceptions, right?

Hoping y’all can settle a friendly argument I am having with my wife.

Me pro, she con.

I use as an example the FBI’s ability to confiscate a person’s hard drive to support a case.

So who’s right? :slight_smile:

Thanks,

Quasi

depends on how the file is deleted. using basic windows recycle bin, the data is not deleted, just the entry the computer uses to identify the file, therefore opening the space for other use. the data can be retrieved (easily in some cases) unless there has been other data written into the physical memory space that the previous data resided in.

some programs will permanently delete files by re-writing over the data with 0’s and 1’s, multiple times (9 i think is fairly standard.)

so you are both right :slight_smile:

I’m sure someone who can explain it in better detail will be along shortly, but basically it’s true that a file deleted from the recycling bin can still be recovered from the hard drive. However, there are utilities out there which claim they can overwrite those sectors on the hard drive so many times that the data is rendered truly unrecoverable. I’d be curious to know if these types of programs have been put to the test, and just how unrecoverable the data can become.

Some things you do on your PC may not be written to your hard drive at all - for example, posting something on the SDMB - depending on how the browser works, the post I’m now composing may be held in volatile memory and may never be committed to the hard drive (until and unless it appears as a cached version of the page after posting, maybe)

Some things you do on your PC may be written only to parts of your hard drive that are routinely and frequently overwritten - this is called virtual memory or swap space.

Discrete documents saved to your hard drive then sent to the recycle bin are not gone - they might not even have changed location on the physical disk surface - all that needs to happen to move a file on a disk is to change some references in the file allocation table, or its equivalent.

Discrete documents saved to your hard drive, then deleted may or may not be gone - generally speaking, the operating system tells the filesystem to forget that the file is there and mark the space as available - the actual file contents may remain on the disk. Over time, that space will be re-used by other files, during which process the file contents become progressively less completely available for recovery.

Even after a file has been overwritten, there are advanced techniques that may enable partial recovery of its contents - the recording surface of the disk is organised in little magnetic patches called domains that can record a state equivalent to a binary 0 or 1, but the process of changing a 0 to a 1, or vice versa, may leave a residual ring of the previous state around the edge of the domain, or a set of nested rings showing several previous states.
By dismantling the disk and scanning the platters with highly technical equipment that I don’t know the details of, I understand that recovery experts are able to recover fragments of data even when the disk space in question has been overwritten.

There are utilities that attempt to defeat any such recovery attempts by repeatedly and aggressively overwriting with 000s, 111s and random or shifting patterns of bits - this process is often referred to as ‘military grade’ file deletion. I think there are utilities that integrate into the standard delete functions of the OS to add this secure deletion (they might even be built in for some OS/filesystems)

Edit on preview: Ninjaed by Mangetout

If you delete something via the recycle bin, the OS basically just knows that the space taken by that object is now free to overwrite. Until it’s overwritten, it can be recovered through a variety of programs. Of course this can be easily overcome; using a file shredding program like this basically overwrites the file so that it can’t be recovered.

Images of web pages are typically saved in your cache so they load faster next time. When you delete your cache, you’re basically doing the same thing in that the files can be recovered until they’re overwritten again. File shredding programs also fix this by “shredding” your empty space by overwriting everything with random data.

The ability of the FBI to recover information from your hard disk depends upon the tv program you are watching.

And the power of their magical, all-mighty “Enhance” or “Decrypt” button.

You can run the OS from a cd and memory only. No hard drive so no chance of recovery from the hard drive. Not everything you do on a PC always goes to a hard drive.

And, of course, on how high a priority they set on getting that information. Those techniques of microscopically examining the platter to find traces of previous values are extremely expensive, so they might use them for the computer of a Mafia kingpin or captured spy, but they’re not going to bother for yours.

If you know the FBI is coming, and destroying the drive would be suspicious, you can use an OS running from a thumb drive or a DVD to fill the hard drive with random bits a few times, overwriting all of the previous contents, and then install an OS and put some innocuous files on the drive. Given current bit densities (how many bits per square millimeter are stored on the drive platters) it’s likely impossible to resurrect any of the data that was on the drive before. Resurrecting overwritten data from older drives, with lower densities, was indeed possible.

I can find cites for that if anyone is curious, but I’m just going from memory now.

There are several issues here:

  1. Moving something to the recycle/trash is pretty much the same as just copying it to a different directory/folder in the file system. The data is trivial to recover.

  2. Deleting something involves changing pointers in the file system. The data still exists on the drive and can be accessed by reading the drive in ‘raw mode’, but you may have lost the ‘structure’ of the data; i.e., it probably won’t show up in the right order and be organized into files. There may also be enough information in the ‘deleted’ data to recover the organization of it as well.

  3. Over time, the space that was used by the deleted files will be used for something else and the data that was there originally is overwritten. The data shredding program mentioned above hastens that.

  4. Even if overwritten, a determined investigator might be able to recover traces of the old data by looking at the patterns of magnetic charges on the disk. This would be very expensive, and probably only done for national security-type crimes.

  5. Oh hell, I was beaten to the punch for all of the above.

Just picking out the interesting parts of DanBlather’s excellent summary, and ignoring the actions that don’t leave any disk traces at all:

But this does depend on the file system you’re using. Under windows it’s fairly trivial to recover a recently deleted file. On most Unix type file systems (like Linux’s ext systems) it’s more difficult; parts of the file content can still be recovered quite easily, but IIRC it’s harder - but definitely not impossible - to piece them together to get the original file back.

Very expensive is probably right. In fact I don’t know of any system that can do this reliably once the data has been overwritten even once, though I’m not guaranteeing anything if the NSA really wants your data badly. If you really don’t want your data to be recovered, the paranoid geeks advocate multiple writes of random data over the whole disc. This will destroy everything you’ve got on there. Then you take the disc, take it apart, shred the magnetic platters and burn them. Scatter the ashes. :wink:

I’ve seen the principles described in detail - when a domain changes state, the previous state gets pushed out into a ring around the perimeter of the new value, ultimately resulting in a concentric set of rings showing the last n states of the domain… but…

I’m not sure if this applies to domains where the state being recorded is the same as what’s already there (or indeed if the disk even bothers to explicitly write a 0 over a 0 or a 1 over a 1) - and if it doesn’t then all that can be recovered by this technique is the history of those bits that changed on consecutive writes - which is going to be a seemingly random half of them.

What you can recover depends on the sophistication of the recovery program.

If I empty my recycle bin it is VERY easy to then go to a recovery program and get it back, provided I did it immediately after I emptied the bin.

The longer I wait the greater likelihood that the space will be reused. Once the space is reused it may or may not be recoverable. This again depends on the level of sophistication of the recovery program.

Pictures are a lot harder to recover than text because they use so much more space.

Speaking of which, when you delete a picture from your digital camera, you don’t erase it, you simply prevent access to it by normal means. A recovery program can easily get the picture back provided you haven’t rewritten over the data.

Here’s a simple example of how it works

Supposing I have a text, and a brand new hard drive.

The first text I have takes up sectors 1, 2, 3

The second text I do takes up sectors 4, 5, 6, 7

The third text I do takes up sectors 8, 9, 10, 11

Now I don’t need the second text which is taking up sectors 4, 5, 6, and 7

So I delete that and empty my recycle bin.

Sectors 4, 5, 6 and 7 are still there, but now the computer says “It’s OK to write over these sectors.”

So let’s say I now do a fourth text. Depending on your computer it may write this fourth text to sectors 12, 13, 14 or it may simply rewrite over 4, 5, 6.

Now this is oversimplified to show how the process works.

Basically when you delete a file you’re really not deleting it, you’re saying the sectors on your hard drive reserved for that file are now available to be overwritten.
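The sector walk-through above as a runnable toy model (an added example, not part of the original post). The `ToyDisk` class, the 8-byte sectors, the constructed `TEXT-0n;` contents and the lowest-free-sector-first allocation are assumptions made for illustration; real filesystems differ.

```python
SECTOR = 8  # bytes per sector; tiny on purpose (assumption for the demo)


class ToyDisk:
    """Hypothetical disk: raw sectors plus a table saying which file owns which."""

    def __init__(self, sectors=16):
        self.raw = [bytes(SECTOR)] * sectors    # what is physically stored
        self.table = {}                         # filename -> sector numbers
        self.free = list(range(1, sectors))     # sector 0 reserved for the table

    def write(self, name, data):
        chunks = [data[i:i + SECTOR].ljust(SECTOR, b"\0")
                  for i in range(0, len(data), SECTOR)]
        used = [self.free.pop(0) for _ in chunks]   # lowest free sectors first
        for n, chunk in zip(used, chunks):
            self.raw[n] = chunk
        self.table[name] = used
        return used

    def delete(self, name):
        """Ordinary delete: forget the table entry, leave the sectors untouched."""
        self.free = sorted(self.free + self.table.pop(name))

    def shred(self, name):
        """Overwrite the file's sectors with zeros first, then delete."""
        for n in self.table[name]:
            self.raw[n] = bytes(SECTOR)
        self.delete(name)

    def raw_scan(self, needle):
        """What a recovery tool does: ignore the table and read every sector."""
        return [n for n, s in enumerate(self.raw) if needle in s]


def demo():
    d = ToyDisk()
    d.write("first", b"TEXT-01;" * 3)     # sectors 1-3
    d.write("second", b"TEXT-02;" * 4)    # sectors 4-7
    d.write("third", b"TEXT-03;" * 4)     # sectors 8-11
    d.delete("second")                    # "empty the recycle bin"
    after_delete = d.raw_scan(b"TEXT-02;")   # all four sectors still readable
    d.write("fourth", b"TEXT-04;" * 3)       # reuses sectors 4, 5, 6
    after_reuse = d.raw_scan(b"TEXT-02;")    # only the un-reused sector is left
    d.shred("third")
    after_shred = d.raw_scan(b"TEXT-03;")    # nothing left to find
    return after_delete, after_reuse, after_shred
```
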

Without a keystroke sniffer I don’t see how realtime chats in a chat window would show up on the hard drive if the chat program permits you to elect not to record them, but I do not know this for a fact.

It’s probably effectively impossible to reconstruct any conversation from a chat program that doesn’t explicitly write logs, but it’s possible in theory that the program’s data would get swapped out to a disk cache and leave some ghostly, fragmentary imprint that way.

However, the cache is, by its nature, constantly being overwritten by new data as programs cycle into and out of RAM. The sheer odds against anything from any specific program remaining in readable form are enormous.

(Also, it’s possible, in some OSes, to ‘lock’ a program in RAM so it doesn’t get swapped out. This, in combination with the OS’s use of hardware memory protection, can give some protection for your programs even against people using the same hardware.)

Most of them write some kind of logs, it’s just a matter of looking for them. For example myspaceIM saves logs in an html format but with a different file tag XXXX.dtml or something like that. If you manually load it with a browser or rename it to logX.html it opens up clear.

There are also programs that do screen captures. I resell Spector for my customers. This program is flat out awesomeness, wrapped in bacon.

http://www.spector.com

Forgive me for seeking clarification on “EVERYTHING”? Most of the discussion seems focused on file recovery - this isn’t everything, with the internet, it’s less than half. Some counterexamples that shouldn’t ever touch your hard drive:
Google Docs. Webmail.

Unencrypted plaintext from encrypted data (the encrypted data may or may not be on your hd)

User input (particularly passwords)

Browser History in a typical “privacy mode”

Video output

Files saved to floppy/usb (though this may possibly touch your hard drive)

Process contents - stack/frame pointers, heap/stack contents, thread info (in hindsight I guess this may actually hit your HD in some cases. Either way, good luck to anyone doing forensics on it)