Computers > Digital forensics > Data sterilization >

2016-12-16 – After having learned a bunch more, this has become a much more complex topic. See Data sterilization for bits and pieces of insight.

The data underneath the data ∞

It’s theoretically possible to recover past writes of data underneath current data. This is why good sterilizing methods write up to 35 times overtop of a file/partition/disk.

If the disk were a shoreline, and the data were sand, I imagine that each disk overwrite is like water pushing a new layer of sand overtop. There is still some sand underneath.

“Overwriting” a file ∞

Opening, editing and then saving a file does not necessarily save the file to the same disk location. In fact, for many setups it’s very unlikely that it would. Most user friendly setups write the complete file and then delete the original. This way if there is a power outage during the write, the old copy is intact.

So if that new file is saved to another location on the disk, then the old file is still hanging around where it was. It may not even be overwritten for some time, instead remaining “flagged as deleted”.

The data beside the data ∞

A cluster is a unit of space which a partition is broken into. So a partition may be split up into many 32kB clusters.

A file fits into those clusters. If the file is bigger, it takes up more than one cluster.

But what happens when a while is very small and does not need an entire cluster? It takes up one whole cluster anyway. The same thing is true for a file that’s larger than one cluster. There may be a small “remainder” of one cluster which the file doesn’t need.

Now imagine you are using your disk as usual. Even if you overwrite a file with another, if the file that’s doing the overwriting isn’t completely filling a cluster, then you still have a little piece of the underlying file peeking out.