I Thought I Deleted these Files; How Were They Recovered?

My son brought up some files in my computer that I had deleted such as emails on my Yahoo account, deleted photos and deleted conversations on Yahoo Messenger. How is this possible and where do I go in my computer to get rid of that information and how do I prevent this from happening again?

I usually get the reverse of this question: “how do I recover files I deleted?” But it’s absolutely worth looking at how things can be recovered, so that if you actually want something to be deleted and stay deleted, you can take appropriate steps.


In general, there are three things that contribute to data “rising from the dead”, so to speak:

  • applications may not actually delete the files you think they’re deleting, or may not delete them when you think they do
  • “deleting” may not really be deleting at all
  • deleted files can sometimes be recovered using special tools

I’ll look at each of those in turn.

It’s Not Deleted

The best example I can give of this is your web browser’s cache, and I suspect that’s responsible for most of what you’re seeing. People are often surprised at the files, pages and images that are left behind on their machines after they’ve browsed the web for a while. IE, Firefox and others all make use of what’s called a “cache”, a place where files can be downloaded once and kept “for a while”, so that if you need to view that file again, it need not be downloaded again.

A good example is the Ask Leo! logo at the top of this page. The first time you visit Ask Leo! it’s downloaded and shown to you, but also placed in your browser cache. Then, when you visit a different page that references the same image there’s no need to get it again, it’s already in your cache. The result is a faster experience.

The result is also that days or sometimes even weeks later you’ll find those images in your browser’s cache. If you don’t recall visiting the site, you’ll wonder where they came from.

Anything you visit on the web might well be saved in your browser’s cache. In addition, anything you viewed in email might be there as well, as some email programs use the browser cache for caches of their own when viewing pictures, html emails or attachments.

The browser cache is just one example. Different programs often manage their data in different ways, and can easily decide not to delete or clean things up until sometime later, based on whatever that program decides is important.

It’s Deleted, but Not Really

Two words: Recycle Bin.

When you delete a file using Windows Explorer that file is typically not actually deleted. Rather, it’s moved into the recycle bin. The recycle bin is then managed separately and files are physically deleted only when the bin becomes full, or you manually empty it.

The point, of course, is to allow you to say “oops” and retrieve the file from the Recycle Bin if you make a mistake.

The side effect is that the files are still on your machine until they’re removed from the Recycle Bin.

This same approach is occasionally used by other programs. Quite often email programs will also have their own internal Recycle Bin into which they’ll move deleted messages.

It’s Really Deleted, but …

Depending on which side of “I deleted something, I want it back” versus “how do I make sure it’s really gone” you happen to be on, this might be good news or bad news.

When a file is deleted the contents of the file remain behind. It’s kind of like moving out of an apartment by just taking your name off the door; you might still be in there, but no one can find you.

Well, they can find you … by checking every unlabelled apartment. Only if someone else has moved into your old apartment will you and your stuff truly be gone.

The same is true … sort of … for deleted files. A file deletion does nothing more than remove the file’s name from the list of files occupying the drive. It’s not until another file “moves in” and overwrites the data that it’s actually gone. And naturally there are tools that will search for and reconstruct the files whose data has not yet been overwritten.

Making Sure Gone is Gone

So the question is: what do you do to ensure that when you delete something it’s really gone? Several steps, all of which follow from the various scenarios above:

  • Understand how your application handles files, and either configure it to not keep files around, or manually force them to be really deleted. As perhaps the most common example, in the case of things like web browsers that means emptying the cache of saved items.
  • Empty the Recycle Bin. You could go so far as to disable it, I suppose, if you’re very concerned, but I’d be satisfied with reducing the size of the Recycle Bin, and periodically emptying it manually.
  • Use a secure delete tool. Either use such a tool to overwrite the “unused” space on your hard disk (think of this as cleaning out all the empty unlabelled apartments), or use it to actually delete files and erase the space they used on the spot.
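
The apartment analogy and the free-space wipe from the last step, as an added example that is not part of the original article. `ToyDisk` and its methods are hypothetical names for a simplified model with constructed sample data; real filesystems are far more complex, but the name-table behavior is the same idea.

```python
BLOCK = 16  # bytes per block on the toy disk (constructed value)

class ToyDisk:
    """Hypothetical model: raw blocks plus a name table, like the apartment doors."""
    def __init__(self, blocks=8):
        self.data = bytearray(BLOCK * blocks)  # the apartments
        self.table = {}                        # name -> block numbers (the name tags)
        self.nblocks = blocks

    def free_blocks(self):
        used = {b for blks in self.table.values() for b in blks}
        return [b for b in range(self.nblocks) if b not in used]

    def write(self, name, content):
        need = -(-len(content) // BLOCK)       # ceiling division
        blocks = self.free_blocks()[:need]
        if len(blocks) < need:
            raise OSError("toy disk full")
        for i, b in enumerate(blocks):
            chunk = content[i * BLOCK:(i + 1) * BLOCK].ljust(BLOCK, b"\0")
            self.data[b * BLOCK:(b + 1) * BLOCK] = chunk
        self.table[name] = blocks

    def delete(self, name):
        del self.table[name]                   # ordinary delete: the bytes stay put

    def scan_free_space(self, marker):
        # What a recovery tool does: read every unlabelled block.
        return [b for b in self.free_blocks()
                if marker in self.data[b * BLOCK:(b + 1) * BLOCK]]

    def wipe_free_space(self):
        # What a free-space wipe does: overwrite every unlabelled block.
        for b in self.free_blocks():
            self.data[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)

def demo():
    disk = ToyDisk()
    disk.write("keep.txt", b"grocery list")
    disk.write("private.txt", b"SECRET-1 padding SECRET-2 more")  # spans blocks 1 and 2
    disk.delete("private.txt")
    after_delete = disk.scan_free_space(b"SECRET")   # both blocks still readable
    disk.write("new.txt", b"holiday photo")          # "moves in" to block 1 only
    after_reuse = disk.scan_free_space(b"SECRET")    # block 2 still holds old data
    disk.wipe_free_space()
    after_wipe = disk.scan_free_space(b"SECRET")     # nothing left to find
    return after_delete, after_reuse, after_wipe, bytes(disk.data[:12])

if __name__ == "__main__":
    print(demo())
```

Note the middle result: a new file reusing part of the freed space removes only the blocks it lands on, which is why a deliberate free-space wipe is needed rather than waiting for normal use to overwrite everything.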

And finally, no discussion of data security and recovery would be complete without at least a brief mention of high-tech, low-level data recovery. Even after data has been overwritten once by other data – even by a secure delete utility – it’s possible to send a drive in for detailed (and expensive) recovery that might uncover and restore the previously overwritten data. It’s not part of the scenario you described, since it involves removing the hard disk drive and taking it apart. Prevention is actually relatively simple: either store your data encrypted (such as in a TrueCrypt volume), or make sure to use the multiple-overwrite feature of your secure delete program. Overwriting the data even twice makes the original data nearly unrecoverable.

11 comments on “I Thought I Deleted these Files; How Were They Recovered?”

  1. Add my name to the large chorus of your fans….just want to mention here that your analogy of the vacant apartment with furniture remaining, but the name tag being gone from the door is superb. Even online banking which is supposed to be encrypted, triggers my paranoid need to “wipe the free space”….I often wondered why the “free space” needed wiping if it was indeed “free”.
    Why, oh why, has such free (pun alert) use of truncated language been so successfully programmed?
    No response needed, it’s a rhetorical question without any real answer.

    Best Regards.

  2. Is the Windows Cache the same as temporary internet file folder?

    Depends on the context where you’re hearing it, but in general, no.

    – Leo
    04-Mar-2009
  3. I should add that all your files and the rest of the system are in the shadowstorage for as long as the shadows (recovery points) are not being overwritten by more recent shadows. And that can take several weeks with a large OS disk partition. But that can also be a blessing if you need to recover files that were accidentally deleted. If you’d like to know more about it, have a look at my little tutorial here http://www.winvistaclub.com/forum/windows-tips-tutorials-articles/26995-recover-lost-files-shadow-explorer.html

  4. Well, I have been using System Mechanic Software to delete all the temporary files. Is it possible that the files which are being deleted are removed permanently?

    You’d have to find out from System Mechanic how they delete files. My guess is they do it the quick way, which means that the files might still be recoverable. Using SDelete afterwards to thoroughly overwrite unused space would take care of it.

    – Leo
    04-Mar-2009
  5. I believe the RAM in your computer also stores information; if that is correct, how do you clear that?

    RAM is cleared the moment you turn your computer off.

    – Leo
    04-Mar-2009
  6. Firstly make sure you do not change the disk or drive on which the files are deleted.

    Then you should check your Recycle Bin and see if the files you want are inside it. If not, then you can resort to some apps designed specifically for recovering deleted files, such as Advanced NTFS Undelete at http://www.ntfs-undelete.com or EasyRecovery at http://www.ontrack.com. You can find many by searching on Google.com or Yahoo.com, but I only recommend the above two, which are proved to be the best among them all.
