You right-clicked, hit Delete, emptied the Recycle Bin, and felt a small sense of closure. The file is gone. Except it isn’t. What you deleted was a pointer — a reference in the file system’s index that said “this data lives here.” The actual data, every single bit of it, is still sitting on that disk, intact and recoverable, until something else happens to overwrite those specific sectors. And on modern storage, that might never happen the way you think it does.

The TLDR

When you delete a file, the operating system removes the file’s entry from the file system table and marks the space as “available.” The data itself remains untouched until new data is written to those exact physical locations. On traditional hard drives, this means deleted files can be recovered with freely available tools — sometimes years later. On SSDs, wear leveling and reserved blocks make even deliberate overwriting unreliable. Proper data destruction requires one of three approaches defined by NIST SP 800-88 Rev. 1: clearing (overwriting), purging (degaussing or cryptographic erasure), or physical destruction. If you’re not doing one of these, you’re not deleting — you’re forgetting.

The Reality

Digital forensics professionals recover “deleted” data for a living. Law enforcement, corporate investigators, and intelligence agencies routinely pull files off devices that their owners believed were wiped clean. The tools aren’t classified — Recuva is free, PhotoRec is open source, and EnCase is standard-issue for forensic labs. If the data hasn’t been overwritten, it’s recoverable. Period.

In 2003, a study by MIT graduate students Simson Garfinkel and Abhi Shelat analyzed 158 hard drives purchased on eBay and at secondhand shops. They recovered over 5,000 credit card numbers, medical records, corporate financial data, and personal correspondence. The drives had been “erased” by their previous owners — some had even been reformatted. The data was still there.

This isn’t ancient history. In 2019, researchers at the University of Hertfordshire found that 59% of secondhand hard drives and SSDs sold on eBay still contained recoverable data from previous owners — personal photos, financial documents, login credentials. These weren’t raw disks from dumpsters. They were drives that people sold thinking they’d deleted everything.

Morgan Stanley paid $35 million in SEC fines in 2022 for failing to properly decommission data center equipment. Hard drives containing customer data — names, Social Security numbers, account details — were sent to a reseller without being wiped. Some of those drives ended up on the secondary market with the data intact.

How It Works

What “Delete” Actually Does

On every major operating system, file deletion is a two-step illusion:

  1. The file system removes the directory entry — the file’s name disappears from its folder. The metadata (filename, location, timestamps) is marked as available for reuse.
  2. The space is marked as free — the file allocation table, NTFS Master File Table, or ext4 inode is updated to show those disk sectors as available for new writes.

What doesn’t happen: the actual data occupying those sectors is not touched. Not zeroed. Not scrambled. Not overwritten. It sits there, bit-for-bit identical, until the operating system needs that space for something new and writes over it.

Recovery — How the Data Comes Back

Recovery tools bypass the file system table and scan the raw disk surface for recognizable data structures. File headers (every JPEG starts with FF D8 FF, every PDF starts with %PDF) act as signatures. Tools carve through raw sectors, reassembling files from fragments. The process:

If the sectors haven’t been overwritten, the recovery rate on HDDs approaches 100%. Even partial overwrites leave fragments — enough to reconstruct documents, extract text, or recover images.
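A minimal signature scan over a raw image, as an added example that is not code from the original article. It builds a constructed eight-sector toy volume, drops the index entries the way a delete does, and shows that the JPEG and PDF headers are still found until the sectors are zeroed; all function names and sample bytes are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"fmt"
)

// Signatures named in the text: a JPEG starts with FF D8 FF, a PDF with %PDF.
var signatures = []struct {
	kind  string
	magic []byte
}{{"jpeg", []byte{0xFF, 0xD8, 0xFF}}, {"pdf", []byte("%PDF")}}

// NewSampleImage builds a constructed toy volume: an index mapping file names
// to starting sectors, plus eight raw 512-byte sectors that hold the data.
func NewSampleImage() (index map[string]int, raw []byte) {
	index = map[string]int{"photo.jpg": 2, "report.pdf": 5}
	raw = make([]byte, 8*512)
	copy(raw[2*512:], "\xFF\xD8\xFF\xE0 constructed image bytes")
	copy(raw[5*512:], "%PDF-1.7 constructed document")
	return index, raw
}

// Scan ignores the index and searches the raw bytes for every signature,
// reporting each hit as "kind@offset".
func Scan(raw []byte) []string {
	var hits []string
	for _, s := range signatures {
		for off := 0; off < len(raw); off++ {
			i := bytes.Index(raw[off:], s.magic)
			if i < 0 {
				break
			}
			off += i
			hits = append(hits, fmt.Sprintf("%s@%d", s.kind, off))
		}
	}
	return hits
}

func main() {
	index, raw := NewSampleImage()
	delete(index, "photo.jpg") // deletion removes the pointers only
	delete(index, "report.pdf")
	fmt.Println("index entries:", len(index), "still on disk:", Scan(raw))
	copy(raw, make([]byte, len(raw))) // clearing: one pass of zeros
	fmt.Println("after clearing:", Scan(raw))
}
```

The same scan run over a drive image after sanitization is a quick check that a clear pass actually reached every addressable sector.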

Sanitization Methods — How to Actually Destroy Data

NIST SP 800-88 Rev. 1 defines three levels of media sanitization:

Clearing — Overwriting the data with non-sensitive data. One pass of zeros or random data across all addressable locations. This defeats software-based recovery tools and is sufficient for media staying within the organization. The old DoD 5220.22-M standard called for seven overwriting passes — this was excessive even when it was written, and NIST has confirmed that a single pass is sufficient for modern hard drives. The seven-pass myth persists because people don’t read the actual standards.

Purging — Making data recovery infeasible even with laboratory techniques. Methods include:

Physical destruction — Shredding, disintegration, incineration, or melting. The final option when you need absolute certainty. NSA-approved shredders reduce hard drives to 2mm particles. For the truly paranoid, incineration at 1,600°F ensures nothing survives. The National Security Agency’s Media Destruction Guidance specifies the particle sizes and temperatures required for classified media.

The SSD Problem

Solid-state drives changed the destruction calculus entirely, and most people haven’t caught up.

Wear leveling — SSDs distribute writes across all cells to prevent premature wear on any single cell. This means when you overwrite a file, the SSD may write the new data to a completely different physical location than the original. The “overwritten” data is still sitting in the original cells, untouched.

TRIM — The TRIM command tells the SSD controller that certain blocks are no longer in use and can be erased. Most modern operating systems send TRIM commands automatically after file deletion. But TRIM is a suggestion to the controller, not a guarantee — the controller decides when to actually erase those blocks, and some blocks may persist for an indefinite period.

Over-provisioning and reserved blocks — SSDs set aside 7-28% of their total capacity as reserve space for wear leveling, bad block replacement, and garbage collection. Data in these reserved areas is invisible to the operating system and cannot be overwritten by software-based sanitization tools. Only the drive controller can access these blocks.

The practical upshot: overwriting an SSD with zeros does not guarantee all copies of the data are destroyed. NIST SP 800-88 Rev. 1 acknowledges this and recommends either cryptographic erasure or physical destruction for SSD sanitization when purge-level assurance is required.
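The effect described above can be reproduced with a small model of a flash translation layer; this is an added example, not code from the original article or from any drive vendor. It assumes a hypothetical drive with 8 logical blocks, 10 physical pages and no garbage collection, which is far simpler than real firmware.

```go
package main

import (
	"bytes"
	"fmt"
)

// SSD is a simplified flash translation layer (constructed model, no garbage collection).
type SSD struct {
	pages [][]byte    // physical pages, nil while erased
	l2p   map[int]int // logical block -> physical page
	next  int         // next erased page to program
}

// Write never updates in place: it programs the next erased page and remaps
// the block, so the page with the old contents stays intact but unreachable.
// It panics once the model runs out of erased pages.
func (s *SSD) Write(lba int, data []byte) {
	s.pages[s.next] = append([]byte(nil), data...)
	s.l2p[lba] = s.next
	s.next++
}

// Copies counts pages holding needle: readable by the host, and physically present.
func (s *SSD) Copies(needle []byte) (hostVisible, physical int) {
	for _, p := range s.l2p {
		if bytes.Contains(s.pages[p], needle) {
			hostVisible++
		}
	}
	for _, data := range s.pages {
		if bytes.Contains(data, needle) {
			physical++
		}
	}
	return hostVisible, physical
}

// WipeDemo stores a secret, then zero-fills every block the host can address.
func WipeDemo(secret []byte) string {
	ssd := &SSD{pages: make([][]byte, 10), l2p: map[int]int{}} // 8 logical blocks, 10 pages
	ssd.Write(3, secret)
	for lba := 0; lba < 8; lba++ {
		ssd.Write(lba, make([]byte, 16))
	}
	v, p := ssd.Copies(secret)
	return fmt.Sprintf("host-visible copies: %d, physical copies: %d", v, p)
}

func main() { fmt.Println(WipeDemo([]byte("constructed secret"))) }
```

The host reads back only zeros, yet one physical page still holds the secret, which is why the wipe has to be carried out by the controller or made irrelevant by encryption.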

Cloud Data Remanence

In multi-tenant cloud environments, your data lives on shared physical infrastructure. When you delete a file in S3, Azure Blob, or Google Cloud Storage, you’re trusting the provider to handle the actual destruction. In practice:

The only reliable approach in cloud environments is crypto-shredding: encrypt everything with keys you control, and destroy the keys when the data’s lifecycle ends. If you didn’t encrypt before storing, you’re dependent on your provider’s sanitization processes — and on trusting that they actually work as documented.

How It Gets Exploited

Secondhand Hardware

The usual suspects buy used hard drives in bulk — from eBay, surplus auctions, recyclers, IT liquidation sales. The MIT study proved the concept two decades ago, and nothing fundamental has changed. Every drive you dispose of without sanitization is a lottery ticket for whoever buys it next.

Forensic Recovery in Targeted Attacks

Nation-state actors and well-funded adversaries use laboratory-grade techniques to recover data from sanitized media. Magnetic force microscopy can theoretically read residual magnetic patterns even after overwriting — though this has never been demonstrated on modern high-density drives. The practical threshold is: if your adversary is a nation-state intelligence service, physical destruction is the only option you should trust.

Cloud Provider Compromise

If an attacker compromises cloud infrastructure at the provider level, deleted data that hasn’t been garbage-collected or that persists on backups becomes accessible. MITRE ATT&CK T1530 (Data from Cloud Storage) documents access to cloud storage objects, including those that may not have been fully purged.

Abandoned Devices

Phones traded in, laptops donated, servers decommissioned. Every device that leaves your physical control without proper sanitization is data remanence in the wild. Factory reset on a mobile device without prior encryption doesn’t reliably eliminate all data — especially on older Android devices where full-disk encryption wasn’t enabled by default.

What You Can Do

For HDDs: Use DBAN (Darik’s Boot and Nuke) for a full disk wipe, or the shred command on Linux (shred -vfz -n 1 /dev/sdX). One pass is sufficient. If the data is highly sensitive, degauss and then physically destroy.

For SSDs: Use the manufacturer’s secure erase utility (Samsung Magician, Intel SSD Toolbox, etc.), which sends the ATA Secure Erase command to the drive controller. Better yet: encrypt the drive before storing any data, then destroy the encryption key when done. This is the only reliable method for SSDs.

For mobile devices: Enable full-device encryption first (default on modern iOS, configurable on Android), then factory reset. The reset destroys the encryption key, rendering the data irrecoverable even though it technically still exists on the flash storage.

For cloud storage: Encrypt with keys you manage before uploading. When the data’s lifecycle ends, destroy the keys. Verify your cloud provider’s data deletion SLAs and contractual commitments.

For the truly sensitive: Physical destruction. Industrial shredders, incineration, or a drill press through the platters. Keep certificates of destruction. If it matters enough to destroy, it matters enough to document that you destroyed it.
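The crypto-shredding approach described under Cloud Data Remanence and recommended above for SSDs, mobile devices and cloud storage, as an added example that is not code from the original article. It uses AES-256-GCM from the Go standard library; the function names and the in-memory key are assumptions for the illustration, standing in for a key held in a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// gcm rebuilds AES-256-GCM from the key on every call, so no derived key
// schedule outlives the key. Neither call can fail for a 32-byte AES key.
func gcm(key *[32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:])
	g, _ := cipher.NewGCM(block)
	return g
}

// Seal encrypts before upload; the provider only ever stores nonce||ciphertext.
func Seal(key *[32]byte, plaintext []byte) ([]byte, error) {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a stored blob and fails unless the original key is presented.
func Open(key *[32]byte, blob []byte) ([]byte, error) {
	g := gcm(key)
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("blob is shorter than a nonce")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// Shred destroys the key; replicas and backups of the blob are unreadable from then on.
func Shred(key *[32]byte) { *key = [32]byte{} }

func main() {
	var key [32]byte // held by you (for example in a KMS), never by the provider
	if _, err := rand.Read(key[:]); err != nil {
		panic(err)
	}
	blob, sealErr := Seal(&key, []byte("constructed customer record"))
	Shred(&key)
	_, openErr := Open(&key, blob)
	fmt.Println("seal error:", sealErr, "| open after shred:", openErr)
}
```

Zeroing one in-memory copy is only the demonstration: the guarantee holds once every copy of the key, including escrowed and backed-up ones, has been destroyed.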

Sources & Further Reading