Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

How Were Files Recovered that I Thought Were Deleted?

Gone, but not forgotten.

I Thought I Deleted That File
(Image: canva.com)
Files may be gone, but frequently are not forgotten. Depending on the scenario, files you thought were deleted might be easily recovered.
Question: My son brought up some files in my computer that I had deleted, such as emails on my yahoo account, deleted photos and deleted conversations on yahoo messenger. How is this possible and where do I go in my computer to get rid of that information and how do I prevent this from happening again?

I usually get the reverse of this question: “How do I recover files I deleted?” But it’s worth understanding how things can be recovered so that if you want something to be deleted “for real”, you can take appropriate steps.

Become a Patron of Ask Leo! and go ad-free!

TL;DR:

Common reasons files might be recovered

  • Applications may not delete files immediately.
  • “Deleting” may mean moving to a Recycle Bin.
  • Special tools can often recover data not yet overwritten.
  • The file was copied into a backup.

It’s not really deleted

One example is your web browser’s cache. I suspect that’s responsible for most of what you’re seeing.

People are often surprised at the files, pages, and images left behind after you’ve browsed the web for a while.

Browsers make use of what’s called a “cache”, a place where files can be downloaded once and kept “for a while” so if you need to view the file again, it need not be downloaded again.

A good example is the Ask Leo! logo at the top of this page. The first time you visit Ask Leo!, it’s downloaded and shown to you, but also placed in your browser cache. Then, when you visit a different page that references the same image, there’s no need to get it again, it’s already in your cache. The result is a faster experience.

Days or sometimes even weeks later, you’ll still find those images in your browser’s cache. If you don’t recall visiting the site, you’ll wonder where they came from.

Anything you visit on the web may be saved in your browser’s cache. In addition, anything you viewed in email could be there as well, as some email programs use the browser cache for caches of their own when viewing pictures, HTML emails, or attachments.

The browser cache is just one example. Different programs manage their data in different ways, and can easily decide not to delete or clean things up until sometime later based on whatever that program decides is important.

It’s deleted — but no

Two words: Recycle Bin.

When you delete a file using Windows File Explorer, it’s typically not really deleted. Instead, it’s moved into the Recycle Bin. The Recycle Bin is then managed separately, and files are physically deleted only when the bin becomes full or you manually empty it.

The point, of course, is to allow you to say “oops” and recover a file from the Recycle Bin if you delete one by mistake.

The side effect is that the files are still on your machine until the Recycle Bin is emptied.

This same approach is occasionally used by other programs. Email programs or interfaces often have their own Recycle Bin into which they move deleted messages.

It’s really deleted, but . . .

When a file is deleted, the contents of the file remains behind.

It’s kind of like moving out of an apartment by just taking your name off the door; you might still be in there, but no one can find you.

But they can find you by checking every unlabeled apartment. Only if someone else has moved into your old apartment will you and your stuff truly be gone.

The same is sort of true for deleted files. Deleting a file just removes the file’s name from the list of files on the drive. It’s not until another file “moves in” and overwrites the data that it’s actually gone. And naturally, there are tools that will search for and reconstruct files whose data has not yet been overwritten.

It was backed up

This isn’t part of the scenario you described, but it’s one that people overlook all the time: backups.

If you back up your machine regularly — as you should — then the files that were on the machine at the time of the backup have been copied and preserved in that backup.

This is a great thing if you accidentally delete a file and need to recover it. Just grab it from the latest backup on which that file existed.

This might be a bad thing if you need to ensure that a file is really and truly gone. You need to somehow deal with the backups on which it might remain.

Making sure gone is gone

So the question is, what do you do to ensure that when you delete something it’s really gone? Several steps, all following from the scenarios above:

  • Understand how your application handles files, and either configure it to not keep files around, or manually force them to be really deleted. In the case of web browsers, that means clearing the cache.
  • Empty the Recycle Bin. You could go so far as to disable it if you’re very concerned, but it’s probably enough to reduce the size of the Recycle Bin and/or empty it manually as needed.
  • Use a secure delete tool to either overwrite the “unused” space on your hard disk or to delete files and erase the space they used on the spot.

Further incantations to raise the dead

No discussion of data security and recovery would be complete without briefly discussing high-tech low-level data recovery.

Particularly on magnetic media like traditional spinning platter HDDs, after data has been overwritten once by other data — and even by a secure delete utility — it’s theoretically possible to send a drive in for detailed (and expensive) recovery that might uncover and restore previously overwritten data.

Again, it’s not part of the scenario you described, since it involves removing the hard disk drive and taking it apart. Prevention is relatively simple: either store your data encrypted or make sure to use a multiple-overwrite feature of your secure delete program.

Overwriting the data even twice makes the original data nearly unrecoverable.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

Podcast audio

Play

15 comments on “How Were Files Recovered that I Thought Were Deleted?”

  1. Add my name to the large chorus of your fans….just want to mention here that your analogy of the vacant apartment with furniture remaining, but the name tag being gone from the door is superb. Even online banking which is supposed to be encrypted, triggers my paranoid need to “wipe the free space”….I often wondered why the “free space” needed wiping if it was indeed “free”.
    Why, oh why, has such free (pun alert) use of truncated language been so successfully programmed?
    No response needed, it’s a rhetorical question without any real answer.

    Best Regards.

    Reply
    • Free space is labeled as “free’ because it is available to be written to. Your Operating System “deletes” files by removing the file’s file descriptor (a pointer to the file’s location on disk) from the partition table, so the space previously used by the file is now free (available). It would take significantly longer to wipe the space used by the file on disk, so not doing so is an efficiency effort.

      HTH,
      Ernie

      Reply
  2. Download CC Cleaner Free Download then go to Options click settings and check Secure File deletion.a good tool free download

    Reply
  3. Is the Windows Cache the same as temporary internet file folder?

    Depends on the context where you’re hearing it, but in general, no.

    – Leo
    04-Mar-2009
    Reply
  4. I should add, that all your files and the rest of the system are in the shadowstorage for as long as the shadows (recovery points) are not being overwritten by more recent shadows. And that can take a several weeks with a large OS disk partition. But that can also be a blessing if you need to recover files that were accidently deleted. If you like to know more about it, have a look at my little tutorial here http://www.winvistaclub.com/forum/windows-tips-tutorials-articles/26995-recover-lost-files-shadow-explorer.html

    Reply
  5. Well,I have been using System Mechanic Software to delete all the temporary files,is it possible that the files which are being deleted are removed permanently.

    You’d have to find out from System Mechanic how they delete files. My guess is they do it the quick way, which means that the files might still be recoverable. Using SDelete afterwards to thoroughly overwrite unused space would take care of it.

    – Leo
    04-Mar-2009
    Reply
  6. I believe the Ram in your computer also stores information, if that is correct how do you clear that?

    RAM is cleared the moment you turn your computer off.

    – Leo
    04-Mar-2009
    Reply
  7. Firstly make sure you do not change the disk or drive on which the files are deleted.

    Then you should check your Recycle Bin and see if the files you want is inside it. If not, then you can resort to some apps designed specifically for recovering deleted files. Such as Advanced NTFS Undelete at http://www.ntfs-undelete.com or EasyRecovery at http://www.ontrack.com. There can be many by searching on Google.com or Yahoo.com, but I only recommend the above two which are proved to be the best among the all.

    Reply
    • I would add test disk, a free open-source bootable disk recovery utility. It is command-line based, but a very good tool too.

      Reply
  8. When I am ready to discard or repurpose a hard drive, I get the most current version of Darik’s Boot and Nuke (aka DBAN) – https://dban.org/ to securely wipe the drive completely. When DBAN completes it’s work, every sector has been overwritten repeatedly (the number of times you specify at the beginning) so there is nothing on the drive, not even a partition table. The website describes it as “Free Open-Source Data Wiping Software for Personal Use”. The DBAN download file is an .iso live image that you burn to a CD, DVD, or a flash-drive. After putting DBAN on a CD, DVD, or flash-drive, you can boot your computer with your DBAN drive to securely wipe the disk. I strongly recommend that you disconnect any hard drive other than the one you want to wipe to prevent accidents :).

    I hope this helps someone,

    Ernie

    FYI, They also provide Blancco Drive Eraser for business and organizational use. Since I know nothing about it other than what I see on the website.

    Reply
  9. If someone is trying to make sure all data is truly gone and irrecoverable on the entire drive I suggest using ‘Secure Erase’ (basically triggers a feature of the drive itself to wipe the drive). I use the free ‘Ultimate Boot CD v5.3.9’ (from majorgeeks website) to issue ‘Secure Erase’ (I think there are other ways but that’s what I use).

    a easier and likely ‘good enough’ method would be DBAN but it takes longer than Secure Erase. but don’t use DBAN on a SSD as DBAN is strictly for regular hard drives!!!. but Secure Erase is fine on SSD’s as while on a hard drive it will basically overwrite all of the data on a hard drive (so it will probably take a hour or more etc (once Secure Erase is issued on a regular hard drive it does not show you any time remaining estimate but it does tell you when it’s finished with a message on screen)) where as on a SSD it completes in a couple of seconds or so since, from what I understand, it basically just deletes the current encryption type of key that the drive uses internally to store data on it (this does this even when your just using the drive normally (without any actual encryption through the OS)) that allows the drive to read the data and changes to a new one. so it’s like all data has been wiped even though it’s not actually overwritten as all prior data on the drive, the drive data is irrecoverable since the key used to read that data is gone. I don’t know all of the details but this is the gist of it to my knowledge.

    I noticed when doing that on a popular SSD (Samsung 850 EVO (which I have one myself) series etc), like I said, it completes in a couple of seconds or so. but I noticed for Secure Erase to work you basically have to power off the drive and back on (unplug power cable and plug it back in) during a certain step to temporarily unlock the drive so the Secure Erase command can be issued/complete through that Ultimate Boot CD with the ‘Parted Magic’ program.

    basically you use the ‘Parted Magic’ program (from the Ultimate Boot CD (which was from the year 2013 as it appears it’s the last free version)) after booting to issue the Secure Erase command. it’s been a while since I used it but that’s what I always do if I get a hold of a used hard drive etc to make sure any previous data on it is totally gone as you never know what the previous owner had on it and even for ones own hard drives if your going to give it to someone else, it’s always best to wipe it clean so you never have to worry about someone potentially recovering any sensitive data.

    so while I prefer Secure Erase over stuff like DBAN, DBAN can be a little easier-to-use as it’s more straight forward but is not recommended for SSD’s as Secure Erase is definitely better for SSD’s and quicker to.

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.