Hard Drive Reformatting: How NOT to Securely Delete Data
Note: For simplicity's sake the FAT file system is discussed in this article. The principle is the same for NTFS, the primary practical difference being that the relevant metadata is removed from the Master File Table (NTFS) instead of the File Allocation Table and Root Directory (FAT) when formatted.
What formatting actually does to a hard disk drive
Great, so what's this got to do with formatting? As discussed above, Windows uses two primary spaces to record information about all the files on a hard disk: the FAT and Root Directory. The actual data of each file is physically stored in a separate area on the hard disk.
Here's the important part: when a hard disk drive is "reformatted", only the FAT and Root Directory are changed; the data area of the hard disk drive is not touched! Essentially, the formatting process empties these two areas by filling them with zeroes.
When a computer tries to read a cleanly formatted hard disk drive, all it does is look for the FAT and Root Directory. If it finds these areas empty, it treats the hard disk drive as being totally empty. This is not actually the case, however, as all the data from the files that used to be recorded in the FAT and Root Directory are still on the hard disk drive (in the separate data area). The computer looking at the formatted disk drive just doesn't know to look past the empty FAT and Root Directory.
Recovering "reformatted" data
Recovering data from a reformatted hard disk drive has a high likelihood of success. While precisely recreating the pre-formatted FAT and Root Directory is difficult, locating and reconstructing files is easier. While there are numerous programs that will automate this recovery process, it can also be done manually with a program that shows what is in the hard disk drive's clusters, such as Norton's DiskEdit (part of Norton SystemWorks) or a hex editor. These programs let an examiner view each cluster individually. If a cluster holds text from a Word or WordPerfect file, it can be easily read using these types of programs. Automated programs, however, will be more successful reconstructing image files (GIFs, JPGs) and database files (Outlook's PST file) as they look at each cluster and compare its data to a known file signature or pattern.
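The signature comparison described above, as an added example that is not part of the original article: a small Python scan over a constructed volume image whose metadata region has been zeroed while the data area is left intact. The cluster size, the four-cluster metadata region and the sample contents are assumptions made for illustration, not a real FAT layout.

```python
# Added example: signature scan over a constructed "formatted" volume image.
CLUSTER = 4096            # assumed cluster size for this toy layout
META_CLUSTERS = 4         # stand-in for the FAT + Root Directory region

SIGNATURES = {            # well-known file header magic bytes
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpg",
    b"!BDN": "pst",
}

def build_formatted_image():
    """Constructed sample: metadata zeroed by a format, data area untouched."""
    img = bytearray(CLUSTER * 16)
    # Old file contents still sitting in the data area (clusters 6, 9, 12).
    img[6 * CLUSTER:6 * CLUSTER + 6] = b"GIF89a"
    img[9 * CLUSTER:9 * CLUSTER + 4] = b"\xff\xd8\xff\xe0"
    text = b"Quarterly budget memo - draft"
    img[12 * CLUSTER:12 * CLUSTER + len(text)] = text
    return bytes(img)

def metadata_is_empty(img):
    """True when the FAT/Root Directory stand-in contains only zeroes."""
    return not any(img[:META_CLUSTERS * CLUSTER])

def scan_clusters(img):
    """Return (cluster_number, kind) for each data cluster holding content."""
    hits = []
    for n in range(META_CLUSTERS, len(img) // CLUSTER):
        cluster = img[n * CLUSTER:(n + 1) * CLUSTER]
        kind = next((k for sig, k in SIGNATURES.items()
                     if cluster.startswith(sig)), None)
        if kind is None and any(cluster):
            # No known header: check whether the leading bytes are readable text.
            head = cluster.rstrip(b"\x00")[:64]
            printable = all(32 <= b < 127 or b in (9, 10, 13) for b in head)
            kind = "text" if printable else "unknown"
        if kind:
            hits.append((n, kind))
    return hits

if __name__ == "__main__":
    image = build_formatted_image()
    print("metadata empty:", metadata_is_empty(image))
    for cluster_no, kind in scan_clusters(image):
        print(f"cluster {cluster_no}: {kind}")
```

The metadata check reports an empty volume, yet the scan still identifies content in three data clusters, which is the gap between "formatted" and "erased" that the article describes.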
Case study of data recovered off a formatted drive
Latent-Data used the online auction service of a large metropolitan government to purchase a used, surplus computer. The computer was described as having no operating system and the "hard drive has been formatted and partitioned and will boot to the C:\."
Upon initial examination of the computer's hard drive, it was as described: freshly formatted and booted to the C:\. Using the DOS directory commands, no user-created files were found on the hard disk. It appeared to be empty.