March 17, 2010

Send That File To Hell, Part II

Filed under: Main — admin @ 12:01 am


What happens when you delete a file? No, not that Recycle Bin stuff. I’m talking about what happens when you really delete a file.

Back in the Days of DOS, deleting a file was something that couldn’t be undone, not using DOS. It took Peter Norton to take advantage of a lazy trick that DOS uses and make a mint with his Unerase program.

To understand how a file is deleted you need to know how a file is stored.

Files have two parts. First there is the file’s raw data, the information that makes up the file. It’s essentially a chunk of bytes stored somewhere in the PC’s storage system.

Second there is a reference to that information. The reference includes the file’s name, date and time stamps, size, attributes, plus a location on a map. That map location tells the operating system where to find the file’s real guts.

All that information — name, time, size, and so on — formed the file’s directory entry.

The map was located on a separate part of the disk. In older versions of DOS, the map was the File Access Table or FAT. So the directory entry contained a link to the map, and the operating system used the map to locate the file’s actual data on disk.

I hope that all makes sense.

When a file was created, DOS looked on the map for a place to put the file. Once a chunk of disk was found, the directory entry was created and the information was written to disk.

When a file was deleted, DOS looked only at the directory entry. It changed the first character of the file’s name to hexadecimal value F6 (I believe). It then looked at the spot on the map where the file was located, and it changed the map to show that the space was “available.”

Contrary to all logic, DOS did not erase the file’s data; the data stayed on the storage media. Further, the full directory entry stayed as well; only the first character of the filename was changed. It’s that weakness that allowed files to be recovered.

What Norton’s Unerase utility did was to search the directory for files starting with the F6 character, files flagged as “deleted.” It then checked the map to ensure that nothing else was occupying the file’s former location. If all was okay, the utility simply prompted you for the file’s first letter. You typed in the letter, and the utility updated the directory entry, then marked the map to show the space once again used.
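The create, delete and undelete steps described above, as a toy in-memory model in Python (an added example, not code from this post, from DOS or from Norton's utility). The class and function names are hypothetical, each entry stores its own cluster list as a simplifying assumption, and the marker byte is 0xE5, the value the FAT on-disk format uses for a deleted entry.

```python
# Toy in-memory model of the delete/undelete scheme (constructed for illustration).
DELETED = 0xE5   # deleted-entry marker used by the FAT on-disk format
FREE, USED = 0, 1

class ToyDisk:
    def __init__(self, clusters=8, cluster_size=8):
        self.size = cluster_size
        self.data = [b""] * clusters   # raw file data, one chunk per cluster
        self.fat = [FREE] * clusters   # the map: which clusters are in use
        self.directory = []            # entries: name, length, cluster list

    def create(self, name, content):
        need = -(-len(content) // self.size) or 1
        free = [i for i, s in enumerate(self.fat) if s == FREE][:need]
        if len(free) < need:
            raise OSError("disk full")
        for n, c in enumerate(free):
            self.fat[c] = USED
            self.data[c] = content[n * self.size:(n + 1) * self.size]
        # Assumption: the entry lists its clusters itself, to keep the model short.
        self.directory.append({"name": bytearray(name, "ascii"),
                               "length": len(content), "clusters": free})

    def delete(self, name):
        entry = next(e for e in self.directory if e["name"] == name.encode())
        entry["name"][0] = DELETED     # only the first character changes
        for c in entry["clusters"]:
            self.fat[c] = FREE         # map says "available"; data is untouched

    def undelete(self, tail, first_letter):
        """Restore the deleted entry whose name after the first byte is `tail`."""
        for e in self.directory:
            if e["name"][0] == DELETED and e["name"][1:] == tail.encode():
                if any(self.fat[c] != FREE for c in e["clusters"]):
                    return None        # space was reused: the old data is gone
                for c in e["clusters"]:
                    self.fat[c] = USED
                e["name"][0] = ord(first_letter)
                return b"".join(self.data[c] for c in e["clusters"])[:e["length"]]
        return None

def demo():
    disk = ToyDisk()
    disk.create("NOTES.TXT", b"secret plan")
    disk.create("MEMO.TXT", b"lunch at noon")
    disk.delete("NOTES.TXT")
    disk.delete("MEMO.TXT")
    recovered = disk.undelete("OTES.TXT", "N")   # clusters still free
    disk.create("NEW.TXT", b"x" * 30)            # lands on MEMO.TXT's old clusters
    return recovered, disk.undelete("EMO.TXT", "M"), disk
```

In `demo()`, the first file comes back intact because nothing has claimed its clusters, while the second cannot be recovered once a new file has been written over the space the map had marked available.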

The news here is that today’s operating systems also follow the lazy method for removing files: When a file is seriously deleted, only the file’s directory entry and its reference on the disk map are zapped. Theoretically, it’s always possible to recover deleted data on computer storage.

Next blog post I’ll discuss what can be done to seriously, seriously delete files and their data.

4 Comments

  1. Seriously deleting data would be using a “file shredder”, something that overwrites a file with random data a few times. Oops, I wasn’t supposed to talk about that yet 😐

    Comment by linuxlove — March 17, 2010 @ 5:49 am

  2. One of the reasons I like perl is because of the relevancy of its keywords and built-in functions. Instead of a ‘delete’ function or ‘remove’ function, perl calls it ‘unlink’, which actually sounds like what it does. It doesn’t destroy the data, it simply unlinks it.

    It’s like removing every single URL (or link) to a web page. The only way to access it is if you know the page’s full path. The same thing happens to files.

    Comment by samus250 — March 17, 2010 @ 11:44 am

  3. Likewise, in C the function that deletes a file is named unlink.

    Good analogy on the web site link. Very good, in fact.

    Comment by admin — March 17, 2010 @ 11:50 am

  4. A part of me wishes that GUI didn’t advance so much, and we were still back in the extremely simple days of the good ol’ fashioned DOS prompt, where when you deleted a file you could be relatively sure that it was gone (before Norton utilities). But the other part of me wants things to keep advancing. But there is a trend that has stood the test of time. And that is that the more user-friendly GUI gets, the more difficult formerly simple tasks like deleting/un-deleting a file become.

    Comment by gamerguy473 — March 20, 2010 @ 11:48 am
