Notes on Hard Drive File Deletion

Recently I went on a mini research binge on how operating systems delete files stored on a hard drive. I was taking notes in a Google Doc and decided to turn them into a short blog post. As such, this post isn’t as polished as some of my other ones.

This topic is new to me so there may be some things slightly wrong. Still, I figured it couldn’t hurt to share what I was studying. If any experts read this, I’d love to learn more.

What happens when you delete a file?

When a file is deleted it appears to be removed from the computer entirely. In actuality, the file contents (aka data) still reside on the hard drive. Meaning that it’s possible for the file to be recovered.

What does the operating system do when a file is deleted?

The operating system marks the “deleted” file as unallocated space (meaning it is no longer being used) and adds it to the free-space list. The free-space list is composed of blocks of unallocated space that the OS can pull from later. A bitmap or linked list are possible implementations for the free-space list.

When a new file is created, the OS searches the free-space list for a suitably sized block (using either first fit, best fit, or worst fit strategies). The new file will overwrite the unallocated space previously occupied by the deleted file. Next, the operating system marks this space as allocated, effectively removing it from the free-space list.

If the new file is smaller, then it will only partially overwrite the deleted file. So it is possible that fragments of the original file will still be on the hard drive!

Why doesn’t the OS properly delete the file?

It does! Well, at least it does from the operating system’s perspective.

It’s important to note that the word delete has a different meaning to an operating system than it does to humans. For the OS, deletion means freeing the pointer to the file. Deleting the pointer means that the computer has no (easy) way of locating the file data.

Still, you may be saying “I don’t care, why doesn’t the computer just delete my files the way I want to!”

Here are my thoughts on why the operating system does this:

• Accidentally deleted files would be gone forever (no more Recycle Bin, Trash, etc)
• Disk operations are extremely slow and could result in major performance hits
• Additional wear & tear would be done to the hard drive arm
• Computers were originally built for programmers, not consumers

Research and further reading

I don’t know much about computer forensics, but find the topic interesting. Check out these good sources for more detailed information!

• Forensic Analysis of Unallocated Space by Lei Zhenxing (Research paper)
• Operating Systems Concepts 10th Edition (Book)
• Why didn’t OSes securely delete files right from the beginning? And why do they still not do this? (Stack Exchange post)