Does erasing a file also make previous files unrecoverable

rjo98

Member
Say I erase a file named 1.mp3, which just happens to have overwritten the same spots on the hard drive that files abc.mp3 and def.mp3 used to exist but were deleted by normal deletion. By securely erasing 1.mp3, does that also make abc.mp3 and def.mp3 unrecoverable as well since they were on the same location on the hard drive, or no?
 

DavidHB

Active Member
Does erasing a file also make previous files unrecoverable?

If abc.mp3 and def.mp3 were fully (or in some cases even partially) overwritten by 1.mp3, the original copies were for all practical purposes not recoverable even before you erased 1.mp3. But, other than running a file recovery program, you have no means of knowing whether that is what actually happened. Also, the original deletion will still have preserved any shadow copies that exist (and, in recent versions of Windows shadow copying is enabled by default). Shadow copies are by their nature recoverable.

To be absolutely sure that those original files are gone, you need to turn off System Restore and Shadow copies for the drive(s) in question, which will delete all extant restore points, then run an Eraser free space erase. I try to store sensitive data on non-system drives which do not have System Restore enabled.

David
 

rjo98

Member
Does erasing a file also make previous files unrecoverable?

so would i be correct in saying if a file is erased, files that were previously stored in there entirety on the exact same spots of the hard drive as that erased file are therefore made unrecoverable due to the secure erasing of the current file that has overwritten them and since been erased?

I never use System Restore or Shadow Copy, wasn't even considering them in my example, should have stated that, sorry.
 

DavidHB

Active Member
Does erasing a file also make previous files unrecoverable?

rjo98 said:
so would i be correct in saying if a file is erased, files that were previously stored in there entirety on the exact same spots of the hard drive as that erased file are therefore made unrecoverable due to the secure erasing of the current file that has overwritten them and since been erased?
No, it is the original overwriting that will make them non-recoverable, except for the directory entry, which may still exist in the file table. Erasing the file that overwrote them further reduces the already very low chance that they would be recovered.

That said, the discussion is very theoretical. Users cannot control which sectors are written to, so any overwriting of the kind you describe will be a more or less random occurrence. And quite apart from shadow copies, it does not take account of all the other processes that squirrel away user data in odd places. While shadow copies are the main culprit in this regard, there is still the page file, and whatever is left behind from a defrag operation. I'm sure there are others, but cannot think of them offhand.

David
 

rjo98

Member
Re: Does erasing a file also make previous files unrecoverab

Right, I'm purely talking theoretical here, I know there's no easy way to tell what files get overwritten totally by other ones. I was more curious if, in theory, using an oversimplified example, if file A was written to sectors 1-4 of the hard drive, then deleted normally through Windows (NOT erased), then file B was written in sectors 1-4 and securely erased with Eraser, if that made file A unrecoverable just like File B is unrecoverable due to the secure erasing of the file, which is in the same sectors file A was previously.

Based on how you started your last reply I think you thought I meant if i erased all files, not just deleted the first one.
 

DavidHB

Active Member
Re: Does erasing a file also make previous files unrecoverab

I find the theory fascinating, too ... :)

Current thinking (which I am in no position to question, but which as far as I know has not been disproved) is that, on a modern hard drive, overwriting data only once makes that data non-recoverable. So just (the accident of) writing file B to sectors 1-4 would make file A that previously resided there non-recoverable. File A's entry (marked as deleted) would however probably still exist in the file table. All of that will be true before Eraser comes into play.

Eraser works by targeted overwriting, so in this case, would overwrite sectors 1-4 again to erase file B (and would overwrite the file table entry, and any shadow copy, also). File B would then be non-recoverable, and any remote chance that file A was recoverable would reduce even further.

David
 

Joel

Active Member
Re: Does erasing a file also make previous files unrecoverab

In short, yes.

The big picture isn't as simplified. Files on disk comprise a few components: the file data and the file metadata. The file data is stored on clusters 1-4 (the smallest file system unit is the cluster, comprising one or more sectors, not the sectors per se) but for different file systems, the file metadata is stored in different locations. In the case of NTFS, file names, times, attributes etc are stored in the MFT; for FAT the file names and times are stored in the directory containing the file.

Deleting 1.mp3 would only mark the reference to clusters 1-4 as not in use. It does not mark clusters 1-4 as deleted. Thus, file recovery is possible, on the premise that the clusters and order of clusters which were used to store the file data can be determined. In this instance, if the forensic examiner were to immediately look up clusters 1-4, the file data will be there. At the same time, as the file metadata was not erased, a forensic examiner can go to the MFT/FAT and find the locations of the file, which allows him to recover the file.

Deleting 1.mp3 and coincidentally storing 2.mp3 over the same clusters 1.mp3 used would (presently) prevent recovery of the data of 1.mp3 but not the metadata of 1.mp3. Simplifying things, by not considering things like the USN journal for NTFS volumes, and shadow copies from > Win2k systems, would result in the following observations:

  1. 1.mp3 will not have the file contents recoverable.
  2. 2.mp3 will, forensically, have the same file data as 1.mp3
  3. 1.mp3 will have the metadata still accessible (creation/modified/access times etc; under NTFS this will also include the time the file was deleted)

Eraser has been designed to do the above, and to remove the file metadata such that the file name cannot be found, it would be significantly more complicated to recover a file if the clusters used by the deleted file and file name cannot be determined in the first place.

Hopefully this clarifies things; otherwise please do ask.
 
Top