Delete Does Not Erase a File
By Stephen Bucaro
When you delete a file on a computer running the Windows operating system, the
file is sent to the Recycle Bin. The Recycle Bin is just another folder on your
hard drive. The file can easily be recovered by opening the Recycle Bin,
clicking on the file name, and selecting Restore in the menu.
You can delete a file without sending it to the Recycle Bin by holding down the
[shift] key while you delete the file. (Turn off the NUM LOCK key, or use the DEL
key thatís not in the numeric keypad.) But this still does not erase the file.
When you delete a file, if your system uses the FAT (File Allocation Table) file
system, which is the only one available for older Operating Systems such as
Windows 98, it removes the file's name from the directory and puts a special
code in the first character of the file's FAT entry to indicate that those allocation
units are available for new files. The file data itself is stored completely
separate from the directory and FAT and remains intact on the storage device.
Newer Operating Systems, like Windows XP, use the NTFS (New Technology File
System) which replaces the FAT and directory with the MFT (Master File Table).
When a file is deleted, the Operating System marks the file name in the MFT with
a special character to indicate that those allocation units are available for
new files. Again, the file data itself is stored completely separate from the
MFT and remains intact on the storage device.
Defragmenting or formatting the storage device may relocate the clusters
occupied by the deleted file, but the file data may still remain intact on the
storage device. Over time, saving new files on the storage device may cause some,
or all, of the deleted files allocation units to be overwritten, but until then,
there are many utilities available which can be used to recover your deleted file.
If your system uses a FAT storage device, someone can simply use the DOS
undelete command followed by the name of the file. If they don't know the
name of the file, they can type undelete without a file name and it will
undelete all deleted files, prompting them one at a time.
If your system uses a NTFS storage device, someone can use Norton Utilities, or
one of the many NTFS undelete utilities available for free on the Internet,
including NTFS boot disks and live Linux CDs. The NT Resource kit contains a
utility called DiskProbe which can be used to search for and view the
data on a disk.
Many people delete all their files before they donate or give away their
computer, not realizing that their private information is easily recoverable.
Even reformatting a drive does not completely erase the data. This poses a
significant risk of identity theft. The only way to really erase a file is to
use one of the many file shredders or secure delete utilities.
There are many secure delete utilities available for free on the Internet. These
utilities overwrite the file's data with a bit pattern, making the file
unrecoverable. SDelete (Secure Delete) is a Sysinternals utility
that can be downloaded for free from