Question about sensitive data, erasing files, and backup drives.
August 26, 2008 4:37 PM   Subscribe

Question about sensitive data, erasing files, and backup drives.

If a file is deleted from a computer, I know that the data may be still be retrievable from the hard drive. I am aware that you can "wipe" unused data or an entire drive by overwriting with 1 or more passes of random data.

Rather than overwrite to erase unused space, I've chosen to upgrade to a new, larger, internal hard drive. I plan to destroy/discard the current one after the upgrade.

I have a bootable backup of my Mac's hard drive, created with SuperDuper. Here's my question... if I install a new hard drive and copy the entire contents of the old hard drive to the new one, am I also copying deleted files that may still exist in "unused space"?

In other words - are deleted files on my laptop duplicated on an external hard drive when creating a backup?
posted by anonymous to Computers & Internet (7 answers total) 1 user marked this as a favorite
 
It depends of how SuperDuper creates the backup. Does it make a _full_ disk image or does it copy all the files present in the HD and merges them into an image?

From what I can see in SuperDuper's webpage, it does the latter. So, deleted files wouldn't be added to the backup.
posted by Memo at 4:49 PM on August 26, 2008


Short: No

Long: SuperDuper is a file based backup, so you will not have any ambient data copied over. (The restore data you speak of is the result of files being "Deleted" from the allocation table, but not removed physically from the drive. These bits that are not referenced in the allocation table will NOT be copied over.
posted by SirStan at 5:38 PM on August 26, 2008


By the way -- if you are going to be paranoid about the deleted data, you might as well know that even a physically damaged drive can have data restored from it. Read the stories on Ontrack.com about data recovery from drives that were set on fire, at the bottom of the sea, etc.

If you want to be paranoid about it, find some utility that will write data to it over and over and let it run for a day. Free bootdisk that will wipe a OSX Drive. If your even more paranoid, sandpaper the drives, smash them up, toss them around with some hardcore magnets, then give the drive to a company that will physically shred and destroy the remaining pieces.
posted by SirStan at 5:46 PM on August 26, 2008


Short answer: you're fine.

Long answer is really long and my apologies up front for a post that will meander along to the answer. The reason why is because it's important to clarify the principle of deleting files as there are so many myths surrounding file deletion. Everyones got some ridiculous story about a nephew who recovered data from an exploded floppy disk or that they've heard of someone who recovered data from an 2 pass overwrite. On top of this is all the unnecessary arguments caused by people talking at cross purposes about deleting file data vs the deleting file reference. There are as many myths about file recovery as there are about programmers hacking the pentagon or whistling up some missile launch codes in a phone call. It's a big mess.

So let's get back to basics and, unfortunately, book analogies. If hard disk drives (HDD) had files stored sequentially you'd need to search the whole HDD to find a file and that would be very slow. It would be like using an encyclopedia without a table of contents; where there's no alphabetical/topical ordering; where you had to read every single page to find a particular file. That would be dumb and so all file systems have a Table Of Contents (TOC) with references to the file that you're after. TOCs are small and fast because they don't contain the data, just references to the data. TOCs are what computers use to list files.

When people talk about deleting a file they have usually just removed a TOC entry. The reason why this is considered "deletion" is because in most cases it's the same thing and because it's faster to delete a small TOC entry than it is to delete large data area. Deleting a TOC entry means that area is freed up for later use, so it may be overwritten at some later point. Until this happens however then data is still there and diligent recovery software can recover the data by looking over the whole HDD. Now it takes a while to read the whole HDD but if the data is still there it'll work.

Another way of recovering data comes from reading the unallocated ends of blocks. This is like if a page was full of text, then the TOC entry is deleted and the page is freed up for use, but then only a half page of text is stored there. The last-half of the pages text will still be recoverable. This will typically recover fragments of a file rather than the whole file. Again, this is practical and commonly understood.

What goes against conventional wisdom however is the fact that we can't recover data from a HDD made since about 1995* when it's been overwritten by even one pass. There is no technology or even proposed scientific approach about how we'd go about this.

These extra safe deletion programs that do 5 passes, or 10 or 1000 passes aren't more safe than a single pass. If you enjoy spinning your wheels or if you're paranoid then have fun with 10,000 passes but it's not science. You can read more about
this here on the SHSC wiki.

[*] post-MFM technology.

(ps. although I've written this with quite strong language I'm not as closed to argument as you might think so if you've got any references to argue this then please post them, cheers :)
posted by holloway at 9:02 PM on August 26, 2008


Just throwing this in (hopefully will save you the hassle....

I did exactly this - the superduper copy from one hard drive (smaller) to larger (new internal drive.)

I needed to use this fix prebinding script to get my copy to work.
posted by filmgeek at 9:57 PM on August 26, 2008


@kalessin: Yes, we're supposed to believe that there's secret government technology whose abstract scientific basis (with bearings on many fields of science) hasn't been talked about or independently rediscovered for over a decade now, and that the way that we defend against this secret technology is through 60 pass overwrites rather than 1, 2 or 3 pass overwrites.

Is that a fair assessment?

Overwriting is harmless so by all means do as many passes as you want, but it's good to clarify what kind of thing we're defending against... secret government technology!

(again, I'd like to hear if anyone has a scientific basis for a possible way of possibly recovering overwritten bits from even 1 pass)
posted by holloway at 3:21 PM on August 27, 2008


By the way I've met Guttman a few times (we're both kiwi's and computer nerds so we run in similar circles) and I didn't mean to suggest that money or products or any bias affected his research. Sorry if it came off that way.
posted by holloway at 4:36 PM on August 27, 2008


« Older Utility bills to my roommate and my credit score.   |   What books would you recommend for a David... Newer »
This thread is closed to new comments.