Apple - If I delete photos/files why aren't they actually deleted? How come they can be recovered?
Short answer
By moving a file to Trash and then emptying the trash, or by doing a quick format of a traditional hard drive (i.e. not a solid state drive), you're actually not deleting files. Instead, all you are doing is deleting the information about those files. This means the operating system has absolutely no idea those files exist, let alone where on the drive they exist.
Long answer
Okay, let me explain this by using an analogy.
Imagine you’re at a library and this particular library contains 100,000 books. All these books are indexed in the library’s catalog. This catalogue is accessible via a computer that allows you to search by title, author, date, etc. Most importantly, each index tells you exactly where that book is located. This makes it easy to find what you’re looking for when you need to. You simply conduct a search of the catalog and it’ll tell you exactly where that book is (i.e. what section, row, and shelf it’s sitting in).
One day, someone accidentally deletes the record of a particular book from the library’s catalogue. The book itself is still there, sitting in exactly the same spot. But no-one knows it’s there and/or where it is!
The next day, someone breaks in and steals the computer containing the library’s catalogue. All of the books are still there, but if you walked in and wanted to find a particular book about Steve Jobs, you’d have no idea if that book is in the library and, if so, where to find it!
Now imagine that your hard drive is that library. It contains 100,000 files (documents, photos, videos, music, etc).
When you move a file to the Trash and then empty it, it’s akin to someone accidentally deleting the record of a particular book from the library’s catalog.
When you erase a hard drive, that’s akin to someone stealing the library’s entire catalog.
So, using our analogy, the books are still on the shelves. They haven’t gone anywhere! But if you wanted to find that one book you’re looking for, well, you’d have absolutely no idea where to look.
Likewise when deleting files or erasing a hard drive. Your computer has no idea whatsoever what data is on that hard, or where it is. So, as a user, if you navigate around the hard drive you won’t see those files because your Mac isn’t aware of them and therefore isn’t displaying them. They effectively don’t exist.
But, if you were to use data recovery software, then that’s akin to a library hiring someone to go in and walk up and down every row of bookshelves and opening each and every book and taking notes of their titles, authors, location, etc. The data recovery software has no idea what’s on your hard drive initially, but it will interrogate every block of space to actually see what’s there and can then recover it. In other words, it’s making what’s already there visible again.
When you empty the trash or erase a hard drive and then start saving new files to your computer, over time macOS will just overwrite the previous data because it just doesn’t know there’s any data there. It just sees it as free space and therefore available to write new data over. That’s why recovering data is always more successful soon after you’ve deleted something, because there’s less chance it’s already been overwritten.
If you want to be fairly certain those intimate photos aren’t recoverable, you can:
- Secure erase the hard drive (since you’re on El Capitan, read this question and its answers How to get the "securely erase" function of Disk Utility on El Capitan & Sierra)
- Manually fill the empty space of the hard drive with other data, preferably large files (e.g. a whole heap videos) and then when it’s full, delete this files. In this way, the blocks containing the previous photos should be overwritten with other data.
IMPORTANT: If your daughter has Time Machine backups, then all those intimate photos will almost certainly be in those backups as well.
A final word...
Another option users can take is to encrypt their Mac startup drive. This will secure your data because everything on the disk is encrypted. If you delete files, these will be unrecoverable or, more to the point, they can be recovered, but they're encrypted and therefore inaccessible to anyone who doesn't have the right credentials (e.g. login password, recovery key).
For more info on how to use FileVault refer to: Use FileVault to encrypt the startup disk on your Mac.
The files on the hard drive are all around and the system keeps pointers that point to the files. When you delete the file, you really only delete the pointer and the data is still there, but you can't find it with normal tools. The operating system will eventually overwrite that data with new data.
This is where data recovery comes into place, there are tools that allow scanning of the drive and recovering the files (restoring the pointers).
One way of avoiding that is to overwrite the place where the actual data resides multiple times. Again there are tools for that.
Before El Capitan you could securely empty the trash right in the menu, but that option is gone because it did not work as it should. In newer versions this could be done from terminal like this: diskutil secureErase freespace LEVEL /Volumes/DRIVENAME. Source: Does FileVault 2 also encrypt my free disk space?
You can delete files that way with this command srm -v /path/to/file/to/securely/delete/example.png. Still, good tools could recover files deleted like this.
Unfortunately the only real solution is secure wiping the full drive and overwrite it with random 0 and 1. One time is enough. This process deletes everything on the drive and takes a lot of time to complete.
Emptying the trash doesn't erase the space the files occupied on the disc: it just marks that space as available to be used again. If the space hasn't been reused, the data is still there and can be found by software that looks through the available space of the drive looking for, e.g., fragments of photos.
Erasing the space would take time so, since most data isn't sensitive, it's usually better to just leave it there rather than really erasing it. It also allows people to recover from oopses.