Emptying Trash--Files Gone Permanently?

[Matte2]

I am a beginner, so please go easy on me.

I am using Mac OS 10.15.2 with a regular internal HDD. I have a USB stick with some old tax and financial documents with my SSN and other confidential information on it. If I insert the USB stick into the USB port and drag those files to the trash and select "Empty Trash", are those documents permanently erased from both the USB stick and the HDD. If a burglar takes my computer and USB stick, are there readily available programs that can recover files that were deleted from the USB stick and emptied from the computer's trash.

I just looked in system preferences and saw something called FileVault. If I turn that on, will it also encrypt files that have already been emptied from the trash?

 

[TiggrToo]

I am a beginner, so please go easy on me.

I am using Mac OS 10.15.2 with a regular internal HDD. I have a USB stick with some old tax and financial documents with my SSN and other confidential information on it. If I insert the USB stick into the USB port and drag those files to the trash and select "Empty Trash", are those documents permanently erased from both the USB stick and the HDD. If a burglar takes my computer and USB stick, are there readily available programs that can recover files that were deleted from the USB stick and emptied from the computer's trash.

Both are susceptible to recovery, yes. Best way to remove the risk on the USB stick is to write lots of other files onto the stick to get it to overwrite the areas that still contain data.

If you do not have encryption turned on on your APFS drive, then there's a risk of the files being extracted from there. If this is the case given that you've already deleted the files, you may be better off letting the machine churn over.

An alternative is to use the terminal to clear out the free space, but that's not something I'd myself bother with.

If you do wish to proceed using ther teminal, type the following into your favorite search engine "diskutil secureErase freespace" and follow what you see. I'm unsure the effect on Catalina as I've not done this for a while.

 

[||\||]

Unless you saved to the HDD, the files never made it to the internal computer drive. When you delete from a flash drive, the system creates a hidden trashes folder on the USB drive. It empties from that hidden folder.

I know that with HDDs, the empty trash command simply gives the system the OK to overwrite when it needs to. Files will remain on a HDD until overwritten. Flash technology might work differently. I don't know enough say whether or not anything still resides on the flash drive after deletion.

 

[TiggrToo]

Unless you saved to the HDD, the files never made it to the internal computer drive.

True dat - I never noticed that bit.

 

[Matte2]

Unless you saved to the HDD, the files never made it to the internal computer drive. When you delete from a flash drive, the system creates a hidden trashes folder on the USB drive. It empties from that hidden folder.

I know that with HDDs, the empty trash command simply gives the system the OK to overwrite when it needs to. Files will remain on a HDD until overwritten. Flash technology might work differently. I don't know enough say whether or not anything still resides on the flash drive after deletion.

I opened the files from the USB drive with a document reader, then quit the document reader and dragged the files from the USB stick to the trash and clicked "Empty Trash." So basically the only thing to be concerned about then is being able to recover files that were deleted from the flash drive, correct?
[automerge]1578341303[/automerge]

Both are susceptible to recovery, yes. Best way to remove the risk on the USB stick is to write lots of other files onto the stick to get it to overwrite the areas that still contain data.

If you do not have encryption turned on on your APFS drive, then there's a risk of the files being extracted from there. If this is the case given that you've already deleted the files, you may be better off letting the machine churn over.

An alternative is to use the terminal to clear out the free space, but that's not something I'd myself bother with.

If you do wish to proceed using ther teminal, type the following into your favorite search engine "diskutil secureErase freespace" and follow what you see. I'm unsure the effect on Catalina as I've not done this for a while.

I think about 8 months ago, I might have deleted tax documents that were on my desktop (not on a USB drive) using "Empty Trash." How long does it take the computer to "churn over" and overwrite files? Once overwritten, can the original file be recovered?

 

[ApfelKuchen]

I opened the files from the USB drive with a document reader, then quit the document reader and dragged the files from the USB stick to the trash and clicked "Empty Trash." So basically the only thing to be concerned about then is being able to recover files that were deleted from the flash drive, correct?

Correct

I think about 8 months ago, I might have deleted tax documents that were on my desktop (not on a USB drive) using "Empty Trash." How long does it take the computer to "churn over" and overwrite files? Once overwritten, can the original file be recovered?

"How long" depends upon the amount of free storage space on the system. The more free space there is, the longer it will take to "churn."

How many overwrites are necessary? It depends on the storage type. With magnetic storage (conventional HDD) it may take multiple overwrites to fully obscure the residual magnetic signal. With Flash/SSD storage, a single over-write is enough.

Basically, the ability to recover deleted files following an overwrite on an unencrypted magnetic HDD is a function of the determination to recover that data. Forensic data recovery isn't cheap, and the residual signal following an overwrite isn't that easy to detect, so it's typically only done when the data is of high value - government investigations, corporate security/espionage, high-value financial fraud targets, etc. Garden-variety data recovery (the "oops, I just erased my HDD" variety) depends on there being zero over-writes of the data - it doesn't go deeper than that.

 

[TiggrToo]

Correct




"How long" depends upon the amount of free storage space on the system. The more free space there is, the longer it will take to "churn."

How many overwrites are necessary? It depends on the storage type. With magnetic storage (conventional HDD) it may take multiple overwrites to fully obscure the residual magnetic signal. With Flash/SSD storage, a single over-write is enough.

Basically, the ability to recover deleted files following an overwrite on an unencrypted magnetic HDD is a function of the determination to recover that data. Forensic data recovery isn't cheap, and the residual signal following an overwrite isn't that easy to detect, so it's typically only done when the data is of high value - government investigations, corporate security/espionage, high-value financial fraud targets, etc. Garden-variety data recovery (the "oops, I just erased my HDD" variety) depends on there being zero over-writes of the data - it doesn't go deeper than that.

Which ultimately comes down to

A) are you trying to mitigate against espionage (military, government or corporate) or
B) you trying to protect yourself against a lowlife pinching your laptop to flog for £20 so they can get their next hit.

Only one of these really necessitates multiple HDD wipes, the other can be handle with a single pass.

 

[gilby101]

If a burglar takes my computer and USB stick, are there readily available programs that can recover files that were deleted from the USB stick and emptied from the computer's trash.

Yes, unless the disk (HDD, SSD or USB stick) was encrypted beforehand. It is harder for SSD and harder for APFS format, but still doable.

Your USB stick: Save anything important elsewhere, then use Disk Utility. In the menu bar enable View - Show All Devices. Erase the device (not the volume(s)) on the disk by selecting the device, clicking the Erase button, use whatever format your need but select Security Options and move the slider one away from the left. That will do a single pass of writing zeros on the USB stick. That is sufficient for personal finance documents.

If you are worried about government (or other) spying, grind the USB stick into powder.

In future: Encrypt new disks (or whenever you reformat them). Encrypt your system disk with Filevault. Be prepared to safely store the encryption passwords. And encrypt your backup disk - I assume you are backing up with Time Machine.

 

[LuisN]

I opened the files from the USB drive with a document reader, then quit the document reader and dragged the files from the USB stick to the trash and clicked "Empty Trash." So basically the only thing to be concerned about then is being able to recover files that were deleted from the flash drive, correct?
[automerge]1578341303[/automerge]




I think about 8 months ago, I might have deleted tax documents that were on my desktop (not on a USB drive) using "Empty Trash." How long does it take the computer to "churn over" and overwrite files? Once overwritten, can the original file be recovered?

Download ONYX from https://www.titanium-software.fr/en/onyx.html and use it to securely erase files and folders.

 

[gilby101]

Download ONYX from https://www.titanium-software.fr/en/onyx.html and use it to securely erase files and folders.

That is fine for a hard disk drive, but not for flash drives (SSD or USB stick). When you rewrite (or erase) a file it will use new blocks on the disk.

 

[Matte2]

Yes, unless the disk (HDD, SSD or USB stick) was encrypted beforehand. It is harder for SSD and harder for APFS format, but still doable.

Your USB stick: Save anything important elsewhere, then use Disk Utility. In the menu bar enable View - Show All Devices. Erase the device (not the volume(s)) on the disk by selecting the device, clicking the Erase button, use whatever format your need but select Security Options and move the slider one away from the left. That will do a single pass of writing zeros on the USB stick. That is sufficient for personal finance documents.

If you are worried about government (or other) spying, grind the USB stick into powder.

In future: Encrypt new disks (or whenever you reformat them). Encrypt your system disk with Filevault. Be prepared to safely store the encryption passwords. And encrypt your backup disk - I assume you are backing up with Time Machine.

Thank you for the tip. I just turned on FileVault, so now any documents deleted in the future will be encrypted. However, will turning on FileVault encrypt documents that were emptied from the trash before FileVault was turned on?

 

[960design]

I think about 8 months ago, I might have deleted tax documents that were on my desktop (not on a USB drive) using "Empty Trash." How long does it take the computer to "churn over" and overwrite files? Once overwritten, can the original file be recovered?

I've recovered 99% of the files ( for an investigation ) from a computer that was OS restored every year for three years ( corporate computer, handed out to new employee every year ).

If it was viewed (with Preview, for example) a cached copy is created on the computer that can be recovered.

PS. Do not worry about it too much. Yes, almost everything is recoverable ( there are ways to make recovery much more difficult: gilby101 suggestion ). No, we really do not have the time nor patience to recover your stuff unless it is for a criminal investigation... or we are really, really bored.

 

[gilby101]

However, will turning on FileVault encrypt documents that were emptied from the trash before FileVault was turned on?

I have seen statements on the web saying yes and others saying no. But, I believe the answer is no. That is because Filevault encryption time seems to depend on the number of files and/or their size.