Can the FBI recover deleted files?

Answer 1

A normal delete does not actually delete a file, it just marks the hard drive space as available for later use. All the data are still there, and there are software programs that can bring it back more or less intact.

Even after a real deletion, or after the disk is reformatted, traces of magnetism remain on the hard drive, and with special equipment it is possible to read those traces and reconstruct what was there before deletion. This is true even after the deleted content has been overwritten once or twice.

It is not only FBI that can read deleted files, there are commercial companies that offer similar services, for example to businesses that accidentally reformatted the hard drive containing all their customer data.

Some programs offer a "safe delete" option which overwrites deleted files 20-30 times with random noise, to make sure that the data are really gone. This is now the standard option for emptying the waste basket in Mac OS X, for instance.

The drawback of "safe delete" is that it is much slower, especially if you delete a lot of data. And of course it means that even the companies that specialize in retrieving deleted data cannot help you if you accidentally delete something you shouldn't.

Answer 2

Anyone with the correct forensic tools can recover a deleted file, even if it has been deleted from the recycle bin. There are ways to prevent recovery of files, but the answer is more complex than simply deleting the file.

First, a Department of Defense-standards compliant file wiping utility should be used to overwrite the original data with pseudo-random bits designed to mess up the residual magnetic resonance on the disk, usually with at least a seven pass overwrite pattern.

Secondly, any files that are sensitive should be encrypted using a tool such as BitLocker or other software designed to store the data securely.

Third, to prevent recovery of the data even after a DOD wipe, it is recommended that the entire partition be software scrubbed after deleting the partition and before reformatting.

Note that flash technology doesn't suffer from the need to overwrite the data continuously, and in fact will serve only to shorten the life of the device. Most flash devices use a load-balancing algorithm, making overwriting selected sectors virtually impossible.

For flash devices, store only encrypted files, as the only secure way to delete files from a flash device is to physically destroy the device by fire. The same is true of burnable discs and other non-magnetic types of storage.

The best protection that a user can afford from file recovery is to make sure the data is always encrypted using the strongest algorithm available (often 1024-bit or higher).

If a user is concerned about their data, even if they have done nothing wrong, always using encryption and always deleting securely will prevent that information from being leaked to people interested in trying to figure out what the user had stored, including things like bank account passwords, credit card numbers, tax information, and so on. Protecting the file beforehand is the only way to keep it securely deleted later.