Custom Top Menu

Detailed Example of How to Permanently Delete Files (Advanced Users)

Wiping Items and Purging Left-over Directory Entries

Top Tip – This section is for advanced users, so if you find the materials a bit complicated, jump ahead to the Recap section at the end.

Using a practical example, this tutorial demonstrates the concepts explained in chapter 18 of my book about how to permanently delete files and, in fact, to eliminate any trace the files existed at all.

Because this detailed example is long and relies heavily on images (increasing the cost of the book to readers), it was placed here on the book’s companion website.

For the demonstration, I saved and then deleted on a USB stick a video clip named STRIPPED.WMV. This item could just as easily represent a document about a medical condition you have, your personal budget, a confidential report, your dairy, items from your erotica stash or whatever else you consider private.

Below I use a file recovery (undelete) app to illustrate that the now deleted video is easily found and recovered. In other words, by deleting the file “normally” it could be easily undeleted.

I again saved the video clip to a USB stick, but this time I properly deleted the video with a wiping app. The video should now be wiped and beyond recovery by conventional undelete apps.  To check this, I use the same file recovery (undelete) app to confirm whether the wiping has truly worked.

However, it is important to understand that even wiped files still leave behind an empty directory entry (its file name) and sometimes old file names alone can be enough of a threat to your privacy.

With the wipe of the video clip now confirmed, to address the risk of empty directory entries, I then move on to purging its old file name (its empty directory entry) from the storage media’s master index so that no trace of it exists.

Finally, for ultimate privacy, I wipe the storage media’s free space using multiple passes so that there is no trace or risk of recovery even from sophisticated adversaries using the best forensic software that money can buy.

Let’s get started ….

* * *

Using a widely available and free data recovery (undelete) app, the deleted video is easily found (see screenshot). Depending on whether any new data has overwritten the space on the storage media previously occupied by the video, it may be fully recoverable. This is usually a function of how long ago the item was deleted and how large the storage media.

Figure: The previously deleted video STRIPPED.WMV is easily found and recovered

Figure: The previously deleted video STRIPPED.WMV is easily found and recovered

 

As explained in the summary above, for the next steps, I again saved the video clip to a USB stick, but this time I properly deleted the video with a wiping app. This makes the video beyond recovery by conventional undelete apps.

However, even though the video is wiped its old file name is left behind in the storage media’s master index. To address this risk we need to purge its empty directory entry so that no trace of it exists.

Observe in the next series of screenshots as the relevant directory entry is purged using my recommended wiping app. The app easily locates the directory entry and, with a few selections, purges the directory entry.

Figure: The undelete app easily locates the directory entry (the file name of the deleted item)

Figure: The undelete app easily locates the directory entry (the file name of the deleted item)

3-purge menu  .  4-confirm purge  .   5-purge confirmed

Figures: Selecting the directory entry for purging and then confirming the purge

 

Figure: Confirming that the directory entry is now purged and emptied from the disk’s index

Figure: Confirming that the directory entry is now purged and emptied from the disk’s index

 

As you can see in the screenshot above, the name of the deleted item (the directory entry) is now purged from the drive’s index and replaced with a question mark (?).

Now let’s re-run the undelete app to see if it can reveal the existence of the deleted item.

Figure: The undelete utility fails to find the STRIPPED.WMV video when you do another search

Figure: The undelete utility fails to find the STRIPPED.WMV video when you do another search

 

Even with the widest search possible on the USB stick, the undelete app finds no trace of the deleted video; this is because the directory entry is now gone.

The undelete app can no longer find the record of the deleted item. This means that the deleted item is safe from, not only discovery and recovery, but also detection by conventional undelete apps. However, until the drive’s free space is wiped, more powerful forensic software could probably detect the previous existence of and perhaps even recover the video in part or in its entirety.

This is why, for sensitive items and data, you should always, in addition to wiping the specific items, also wipe your drive’s free space – demonstrated in detail further down – to ensure that the data is beyond recovery from powerful forensic software.

Purging All Your Empty Directory Entries

Good wiping apps, including those I recommend, make it easy to purge all empty directory entries from storage devices. This is illustrated in the next series of screenshots.

Figure: Select the drive from which you wish to purge directory entries (here G:)

 

Figure: Filter the results to display the directory entries of previously deleted items

Figure: Filter the results to display the directory entries of previously deleted items

 

Figure: Now select all the displayed empty directory entries you wish to purge

Figure: Now select all the displayed empty directory entries you wish to purge

 

Figure: After confirming, all the selected empty directory entries will be purged from storage devices

Figure: After confirming, all the selected empty directory entries will be purged from storage devices

 

After the mass purge of empty directory entries from the USB stick you can now use a file recovery (undelete) utility to confirm that no record remains of the deleted items or folders; that is, that all of the empty directory entries were in fact purged. This is shown in the next screenshot.

Figure: Confirm the purge was successful by re-running your file recovery (undelete) utility

Figure: Confirm the purge was successful by re-running your file recovery (undelete) utility

 

Congratulations! All trace records of the names of deleted items and folders have been eliminated from the USB stick. Of course, you can and should apply these same techniques to as many storage devices, especially computer hard drives, in order to keep your entire system clear of this hidden trace data risk.

Wiping Your Drive’s Free Space

Now, it is all well and good that widely-available undelete utilities may not be able to find and recover your previously deleted files and folders. But, as previously mentioned, until the relevant drive’s free space is wiped, sophisticated forensic software probably could detect and perhaps recover (in part or in whole) your deleted items, even with these items’ empty directory entries purged. Therefore, you should also take the extra step of wiping the free space on your storage media.

Wiping the free space of a storage device (the same USB memory stick as above) is shown in the next series of screenshots. If you are using a different app, the screens will look different but the same general steps and concepts will apply.

Figure: Now wipe the free space on the same drive that was just purged of empty directory entries

Figure: Now wipe the free space on the same drive that was just purged of empty directory entries

 

Figure: The more secure wiping method you use (the number of overwriting passes you apply), the longer it will take

Figure: The more secure wiping method you use (the number of overwriting passes you apply), the longer it will take

 

Once the wipe is complete, all traces of the former files and folders will be eliminated and beyond recovery, even with sophisticated forensic software.

Recapping the Lessons Learned

These materials covered why and how to delete data beyond recovery and to leave no trace that the files even existed in the first place. The concepts were reinforced with concrete, step-by-step demonstrations.

To recap, the best way to protect your devices from privacy breaches is a combination of the following:

  • wipe (rather than merely delete) any items you wish to truly delete permanently
    .
  • purge empty directory entries from your storage media devices’ master indexes to get rid of the old (deleted) names of items and folders that were deleted, moved, renamed and wiped
    .
  • wipe the free space on your storage devices to permanently eliminate risks from empty directory entries as well as from file slack
    .
  • in addition, you should also keep in mind:
    • the importance of using a clearing history traces app to clear the most obvious sources of trace data from your device such as the history and activity records kept by your web browser and other apps and
      .
    • the benefits of embracing on-the-fly full disk encryption and, ideally, saving your private items to encrypted media or even using a fully encrypted operating system

Related:

css.php