Deleting a file removes it permanently
Deleting a file in most operating systems only removes its directory entry and marks the storage space as available; the actual data remains on the drive until overwritten. Forensic tools routinely recover deleted files, which is why NIST publishes dedicated secure erasure guidelines.
What we know
When a file is deleted in standard operating system operations, the file system removes the pointer to that file's data and marks the sectors as available for reuse. The underlying data bits remain physically present on the storage medium until new data is written over them. This is why deleted file recovery is a standard feature of digital forensics tools such as Autopsy, EnCase, and FTK, used by law enforcement worldwide.
NIST defines a 'deleted file' in its Computer Security Resource Center as one whose directory entry has been removed but whose contents remain on the storage medium until overwritten. NIST Special Publication 800-88 (Guidelines for Media Sanitization) provides a framework for secure data destruction, distinguishing between clearing (overwriting), purging (degaussing or cryptographic erasure), and physical destruction.
For solid-state drives (SSDs), the situation is more complex due to wear leveling, over-provisioning, and TRIM commands, which mean standard single-pass overwriting may not reliably erase all copies of data that were spread across the drive. Secure erase commands built into SSD firmware (ATA Secure Erase) or cryptographic erasure (encrypting the drive before deletion) are recommended for sensitive data disposal.
Common claims
- Emptying the recycle bin permanently destroys a fileFalse. The data remains on storage until overwritten; forensic tools can recover it.
- Formatting a hard drive makes old data unrecoverableFalse for quick format. A quick format only rewrites the file system; a full format or dedicated wiping tool is needed.
- SSD data is harder to recover than HDD dataMixed. TRIM and wear leveling complicate recovery differently but do not guarantee data is gone without cryptographic erasure.