There deleted and there’s really deleted.
When you delete a file, its contents aren’t actually removed. Instead, the space the file formerly occupied is marked as available for another file to be written to later. Until that overwrite happens, the originally deleted information is still there.
This is the basis for many undelete and other data-recovery utilities. It’s also why most of those utilities recommend you stop using your disk if you accidentally delete something and want to recover it — so it doesn’t get overwritten.
But what if you really want it gone? That’s where a technique called “secure delete” comes into play.
Become a Patron of Ask Leo! and go ad-free!
Secure delete
Deleting a file doesn’t necessarily mean it’s gone; it’s just marked for overwriting. Secure delete ensures data is unrecoverable by overwriting it with random data. For sensitive cases, extended secure delete uses multiple passes to erase data completely. Tools like SDelete have options for securely deleting files or wiping free space.
Basic secure delete
At its simplest, a secure delete overwrites the area on the disk where the file’s data lives (or used to live) with random data. Once securely deleted, the previous data is no longer recoverable.
Secure delete utilities delete existing files and overwrite the space they once occupied.
A free space wipe writes data to all areas of your disk that aren’t currently in use (free space). The net effect is the same: the contents of all previously deleted files are overwritten. This can take time depending on how much free space your disk currently has.
A basic secure delete renders your data unrecoverable to the most common forensic and data-recovery tools.
Unfortunately, I did say “most”, and that’s where what I’ll call extended secure delete comes into play.
Extended secure delete
The best way to grasp this concept is to grab a pencil with an eraser.
- Write something on a piece of paper. We’ll make that the equivalent of creating a file on your hard disk.
- Draw a line through what you’ve just written. That’s kind of equivalent to a normal delete. You can still see the data, but the line through it says, “This has been deleted; ignore it.”
- Using the pencil’s eraser, erase what you’ve written, including the line. That’s roughly equivalent to a basic secure delete: you physically remove what you wrote.
At this point, there’s a good chance you can still sort of see what you had written before.
The same is true for magnetic media like hard disks. With the right equipment — which typically means taking the hard disk apart in a clean room and using some high-powered analysis tools — it’s possible that even overwritten data can be partially recovered, just like you could kind of make out what you had written in pencil and then erased.
Let’s continue with the pencil and eraser example.
- Write a line of capital A’s on top of the area you just erased.
- Erase the line of A’s.
- Write a line of capital X’s on top of the area you just erased.
- Erase the line of X’s.
- Write a line of capital O’s on top of the area you just erased.
- Erase the line of O’s.
- Keep doing this over and over, with a different letter each time, until you get tired.
At this point, if you haven’t erased the paper into oblivion, it’ll be impossible to decipher the original line of text you wrote.
That’s an extended delete. A good secure delete utility writes and overwrites the data several times before calling it erased.
Which do you need?
Most people don’t need secure delete at all. No one is coming to examine your previously deleted files — except maybe you, if you mistakenly delete something and want to recover it.
If there is some concern, be it privacy, security, or something else, an every-so-often free space wipe is probably more than enough for most people.
If you regularly deal with exceptionally sensitive, highly valuable data that is subject to theft or espionage, an extended multiple-pass secure delete may be what you need. My understanding is that some businesses and governments require this.
SDelete
While I’m sure that there are many secure delete apps, the tool I recommend for this is SDelete. It’s a command-line tool that’s part of the SysInternals Suite of tools, and it allows you to do everything discussed above: securely delete a file, securely wipe free space, and do either with multiple passes.
Here are the command-line functions.
Securely deleting a file:
sdelete file.txt
Securely deleting a file with multiple overwrites:
sdelete -p 3 file.txt
Securely wiping free space:
sdelete -c C:
There are more options, of course, but those are the basic operations.
Do this
Most of the time, you don’t need to worry about secure deletion. Like I said, most of us just aren’t at risk for malicious data recovery. However, if it is of concern, you now have the tools to deal with it.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Podcast audio
Related Video
I use CCleaner and PrivaZer . PrivaZer will clean your computer and leave it like brand new. Runs very smooth after using this software and, best of all it’s free. I use it once every 2 months and sometimes once a month. Try it….you’ll love it.
I think the above needs some clarifications for changes to both hard disk drives and solid state drives over the last 10 years. (My job at a local computer repair shop is to wipe and re-certify for sale HDs – making sure that any old information is not retrievable and the drive is suitable for sale.)
Bob may be confusing ‘Secure Erase’ and ‘Extended Secure Erase’, (the ATA commands) with secure delete, the commonly used term for a higher level of deleting files by a user. The former terms are defined by the ATA specification and is implemented differently by different manufacturers. I know of no Windows programs that implement Secure Erase; the Parted Magic Linux boot disk has a good implementation. These commands do not write data to a drive, unstead they effectively tell the drive to wipe itself. They are only drive-level commands, not used for files, folders or partitions. While a drive is running secure erase it ignores any input until the wipe is complete.
Per Scott Moulton of ‘My Hard Drive Died’ (a data recovery company) a *single* pass of even just zeros is sufficient to wipe all information from HDs made since 2006. (See, or rather listen, http://podnutz.com/mhdd027/ starting a 36:15. Yes, I was the one asking the question.) There was, at one time, “extremely high-powered analysis tools” that could read-around and read-through written data on a MFM and RLL tracks, but technology has changed so much that this is no longer possible.
User programs wipe the places the user can access, but that’s not all the places data exist on a HD. For those other places, one needs to use the ‘secure erase’ as noted above. This is especially true with Solid State Drives (SSDs), in which what and where data is actually written may bear no relationship to what the operating system thinks. The OS does not need to know, only the SSD knows. To wipe a SSD use the tool provided by the manufacturer to do so.
Bob’s companion piece, “Are There Hidden Files that Save Every Keystroke I’ve Ever Typed?” also comes into play here. Even though a user may think they have securely deleted a file, the OS may have squirreled a copy away somewhere else like the swap or hibernation file, a temp file made during editing, or even older versions of the same file. These are exactly the areas forensic investigators look for evidence. There is no need, or ability, to look ‘under’ long strings of zeros; there are lots of other places that contain easily read (if not easily interpreted) data.
And it must be said that if the drive fails or reports errors all bets are off. There is no way to know if data exists on it or not. Broken drives may be repaired and data recovered, but for the person trying to wipe a drive with problems the best thing to use the ‘ol drill and hammer technique and destroy the drive.
Amen. To totally erase a full-disk encrypted disk just throw away the key. Done. No writing or over-writing needed; no worry about deleted or ‘squirreled away copies,’ it is literally instant.
I usually place precious files, e.g. a bank statement or tax-prep program’s PDF output in the Desktop folder, because it’s easy to do. Then I move the files to an external USB drive, and overwrite the Desktop file using AxCrypt’s “Shred and Delete” button in the file icon’s context-menu popup.
I started using this three-step procedure when I had to take my machine to a computer shop to get it working after Windows 10 bricked it. The C drive had the remnants of files I had merely “deleted”, as Leo describes. The shop’s personnel probably had better ways to spend their time than browsing my deleted files, but one never knows. And I found that TaxCut’s working files were on the C partition, as was the TaxCut executable. I think the files were encrypted, but that was useless, since the executable ran without demanding a password. (I now install programs on my external USB drive.)
I hope you’re creating a backup copy of the files somewhere like a second or third USB thumb drive as data is always subject to loss. And thumb drives ae easily lost.
So what exactly is the difference between these secure erase tools and holding down Shift while deleting a file in Windows/File Explorer (the so-called “permanently delete”)?
In windows explorer delete simply moves the file to the recycle bin. That’s not a delete as I mention in the article. SHIFT makes it a “real” delete.
So i am giving my pc to my gf with my hard drive. I formated my hard drive but could she still see my browsing history from formated hard disk?
It depends on how securely you deleted everything and her skills in finding things. Your only choice to completely delete everything is to totally “nuke” the drive. And then start over with a new operating system.
If i do everything you listed above will that work?
Yes, if you securely delete everything on your hard drives, you wouldn’t have any remaining traces of files.
https://askleo.com/dban-dariks-boot-nuke/
Probably not.
Could you please tell me what program I need to make sure deleted text and deleted photos are permanently deleted on galaxy s7…i have secure eraser installed and use it often…how often do I need to run it to secure deleted text and photos?
You mention Secure Eraser. That’s a viable option. As for how often to run it, that depends on what kind of files you’ve deleted from your phone. I’ve you’ve recently deleted some sensitive files, you might want to run it at that point. Or you can use it to directly delete files you don’t want to be recoverable.
If I “Reset my PC” (Win 10 and 11) instruct it to “keep nothing” and to “clean my drive”, have I actually deleted my personal files so they cannot be recovered?
Pragmatically, YES. (I have to say “pragmatically”, because if someone were to bring NSA-level recovery efforts to bear, there’s slim possibility. That’s why secure delete, and the clean my drive, have options to overwrite multiple times for HDDs.)
People have gone to great lengths to obtain my chili recipe, but probably not to NSA-level recovery. Thanks!
When I was in school, I’d write different letters over what I wanted to cover up like in your example..
Another way to securely delete a file is to encrypt the file before deleting. It’s not faster than sdelete, but there’s no need to secure delete an encrypted file.
Disagree. Encrypting is often a copy operation where the unencrypted file is copied to the newly encrypted file, and then the unencrypted file is deleted normally.