this post was submitted on 11 Feb 2026
287 points (98.6% liked)

Technology

81026 readers
7808 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
287
Why ‘deleted’ doesn’t mean gone: How police recovered Nancy Guthrie’s doorbell footage (www.theverge.com)
submitted 13 hours ago by silence7@slrpnk.net to c/technology@lemmy.world
28 comments fedilink hide all child comments
 

Investigators pulled video from ‘residual data’ in Google’s systems — here’s how that was possible and what it means for your privacy.

you are viewing a single comment's thread
view the rest of the comments
[–] wuffah@lemmy.world 19 points 10 hours ago* (last edited 9 hours ago) (2 children)

From the article:

Nest cameras, by contrast, can send clips to Google’s servers even without a paid subscription. Google offers a small amount of free cloud storage — older models store clips up to five minutes long for three hours; the latest models store 10-second clips for six hours. That means some footage is uploaded and stored, at least temporarily, whether you pay or not.

According to Nick Barreiro, chief forensic analyst with Principle Forensics, deleting footage from the cloud doesn’t necessarily mean it’s immediately gone. “When you delete something from a server, it doesn’t get overwritten immediately — the file system is just told to ignore this data, and this space is now available to be used. But if no new data is written over it, it’s still going to be there, even though you can’t see it.”

This is more or less how local storage works as well. The creator of BleachBit, a file cleaning tool made famous for being present on Hillary Clinton’s email servers, has some great insights in their documentation about the methods for destroying data on hard drives. As it turns out, data “deletion” is just a series of operations on your hard disk like any other, and retrieval depends on the methods used - de-indexing, metadata and file structure removal, and overwriting to name a few.

Once, I accidentally formatted the wrong drive in Windows and it ended up being my 20TB platter (oops). I was able to recover 99% of the files on the drive with some free recovery software just because I disconnected and stopped using the drive immediately. The only files lost were large ones partially overwritten by the new blank file system created when I formatted the drive. Windows had only deleted the file system indexing the drive, and all of the file data and metadata was intact, waiting to be randomly overwritten. I had to string together four cheap failing 4TB SATA drives I bought used on Amazon, but it worked.

The point is, if I could do this as an amateur, and storage technology operating on the same principals is in use at enterprise scale, what are the lengths that the likes of the FBI and Google are willing to go to recover old data that has been “deleted”? I’m frankly surprised that Google does not overwrite their discarded data, and it’s probably for reasons like this, beyond the additional processing time it would take. Given their vast resources and storage capacity, it could be some time before “deleted” data is at least partially overwritten, if ever.

If you ever have data that you absolutely need destroyed, overwrite the entire drive with random data more than once, then physically shred the drive completely. And never connect your devices to a cloud storage service. It’s the only way to be sure.

[–] hodgepodgin@lemmy.zip 4 points 8 hours ago (1 children)

I was under the impression that Google just didn’t delete data — ever. Like, it’s way more valuable compared to the cost of the disk.

[–] qqq@lemmy.world 1 points 6 hours ago* (last edited 6 hours ago)

I wouldn't be surprised if this is actually what happened here.. tech companies in general don't delete data if they can avoid it. I worked for companies that would just set deleted = 1 in the DB on delete calls. Google has more ability than anyone else to put that data to use

[–] Imgonnatrythis@sh.itjust.works 3 points 9 hours ago (2 children)

I've never understood the overwrite more than once instruction. If the entire drive is overwritten how in the world do you pull back data out from an overwrite?

[–] 4am@lemmy.zip 7 points 7 hours ago (1 children)

Flipping the bits on a magnetic medium back and forth doesn’t always flip them entirely. Using more sensitive equipment to read back the bits can see the faint hints of what the bits used to be, which is why multiple overwrites with random information is the only way to be sure (and even then, there are advanced techniques that try to see past all that noise. The more you overwrite, the less sure any of these techniques are to work.

[–] Imgonnatrythis@sh.itjust.works 3 points 5 hours ago

Wild. If anyone knows of a video or demonstration of someone actually looking past the overwritten data on a platter, I'd love to see that - that's really next level csi stuff.

[–] wuffah@lemmy.world 6 points 7 hours ago* (last edited 7 hours ago)

Magnetic platter drives still have the highest storage density per dollar and so they are still heavily in use. Theoretically, overwritten data can be recovered from them by analyzing the magnetic fields directly from the platter. However, this is extremely time and money intensive and requires specialized equipment and expertise. Overwriting a partition multiple times severely complicates this process just by performing multiple overwrites.

Realistically, overwriting once with random data is enough, especially if the drive is to be physically destroyed. You can also use a powerful magnet (top end neodymium in direct contact) to scramble the delicate magnetic fields that encode the data on the platter, but at that point you may as well shred the drive anyways.

SSDs are a fundamentally different storage paradigm that make this kind of recovery essentially impossible. Due to the limitations of NAND memory, data can be written to blocks inaccessible except at the hardware level. To make SSDs secure, modern drives usually implement processes (TRIM) that erase blocks marked for deletion. Or, all data written to the drive is encrypted by onboard hardware (SED), and “erasing” the drive simply deletes the encryption keys.