Originally posted here by andrewsco
Second thing - How exactly can data be recovered. I know that programs such as Encase are used, but i have also read that data can be recovered, even after being re-written a number of times (I gather this has to do with the hardware?) Does anyone know any more on this, and where I could find some information?

Thanks
Andrew
Hi, Andrew,
I've confirmed, using before-and-after direct disk view software, that at least one program does indeed wipe data: Eraser 5.7 (open source software). That includes wiping small files that reside in the Master File Table (MFT).

However, there's a catch: on NTFS systems, there is journaling data temporarily stored in a file called $LogFile. This system file, which essentially serves as a short-term record of what's written to the disk so that the system can recover should power be lost, consists of a bunch of 4kB records. That can include information that's from a file you wanted to wipe.

The good news, from a privacy point of view, is that the $LogFile is routinely overwritten, so any information stored there has a very limited shelf life (perhaps less than 24 hours during normal computer use, or less with heavy disk access activities).

However, there are other places for file recovery programs like Encase to find data. When disks are defragmented, files shortened or data moved from one disk to another, old data is frequently left in its old positions on the disk, data which is now orphaned. The computer's pagefile and hibernation file can both leave lots of data behind, too. If disk freespace is not routinely overwritten, there can be a surprising amount of info left through normal use. And, of course, Encase can find all sorts of info in obscure, non-deleted files.

Encase isn't magic. It can't recover data that's been overwritten. But you'd better make sure that there aren't other copies or fragments of copies lying around on the disk, or it can find them.