Where are deleted files stored in Android phone?
When a user deletes a file on an Android device, they likely assume it is permanently erased. However, that is often not the case. Understanding where deleted files are actually stored on Android devices is important for several reasons:
First, it allows users to better manage device storage and ensure sensitive files are truly deleted. Without knowing how deletion works on Android, private data may remain accessible to other apps or users.
Second, it is useful for data recovery. When a file is accidentally deleted, knowing where it went can allow for retrieval.
Finally, it provides transparency into how the Android operating system handles file deletion. Users deserve to understand what happens behind the scenes when they delete a file.
File Systems in Android
Android uses various file systems depending on the device and version of Android. The most common file systems are:
ext4: This is the most widely used file system in Android. It is based on the Linux ext3 file system with added features like extents and larger file sizes. ext4 uses journaling to prevent data corruption and relies on the TRIM command for secure file deletion (more on this later).
F2FS: Introduced in Android 4.4, F2FS (Flash-Friendly File System) is designed for NAND flash memory like SSDs. It employs a log-structured method to write data sequentially rather than in-place updates. F2FS also makes use of TRIM for secure deletion.[1]
YAFFS: Yet Another Flash File System is an older file system designed for NAND flash dating back to Android 1.5. It has since been largely replaced by ext4 and F2FS on newer devices.
Overall, despite using different structures optimized for flash memory, modern Android file systems like ext4 and F2FS rely on the TRIM command to securely erase deleted files by notifying the storage device that the blocks containing those files can be wiped and reused.[2]
Delete vs Unlink
When a file is deleted on an Android device, it is unlinked from the file system but the data itself still remains on the storage device. Unlinking a file removes the directory entry for that file, which contains information like the filename, location on disk, file size, etc. The data contents of the file are not actually erased right away (source: https://stackoverflow.com/questions/25498872/what-is-the-difference-between-delete-and-unlink-in-php).
Deleting a file just removes the link to the data, while unlinking refers to actually erasing the data contents from the physical storage. So when a file is deleted on Android, it is unlinked from the file table but the data still resides in the memory blocks it previously occupied. The space is only marked as “free” to be overwritten by new data. Until those blocks are needed again, the original deleted file contents can often still be recovered (source: https://blender.stackexchange.com/questions/147559/what-is-the-difference-between-unlink-and-delete-in-the-outliner).
TRIM Command
The TRIM command allows the operating system to inform the SSD which blocks of data can be erased and reused. When a file is deleted on an SSD, the file system will simply “unlink” the file, meaning it removes the link to the actual data. The data itself is not erased immediately.
Over time, this can lead to slower write speeds as the SSD has to find available unused blocks to write to. TRIM allows the operating system to proactively tell the SSD which blocks are no longer being used due to deleted files. The SSD can then perform garbage collection to securely erase these blocks so they become available for reuse.
Android supports the TRIM command, but it is not enabled by default. Users must enable Developer Options and toggle on “Discard unused blocks” to allow periodic TRIM operations. Some devices may also run TRIM during idle time while charging. Third party apps like SD Maid and Solid Explorer also include manual TRIM tools. Performing a factory reset on an Android device will also TRIM the entire drive, wiping all user data.
Overall, TRIM is an important feature for optimizing SSD performance on Android devices. Though deleted files are only unlinked at first, TRIM will permanently erase their data blocks so they can be reused for new writes. This prevents the gradual slowdown caused by accumulation of deleted file remnants.
Data Recovery
When files are deleted on an Android device, the reference to the data is removed from the file system, but the actual data still remains on the storage device until it is overwritten by new data. This provides a window of opportunity to recover deleted files using data recovery software before they are permanently erased.
There are several powerful data recovery tools available that can scan an Android device’s storage and rebuild the file structure to restore deleted content. Some popular options include Dr.Fone, EaseUS, and DiskDigger. These tools can recover a wide range of file types like contacts, messages, photos, videos, call logs, documents, and more.
Data recovery is most effective if performed quickly before the deleted files’ data blocks are overwritten by new data. The more the device is used after deletion, the higher the chance of data being overwritten. For best results, data recovery should be attempted as soon as possible after deletion and before performing a factory reset.
Overwrite on Deletion
When files are deleted on Android devices, they are not immediately erased from the storage media. Instead, the links to those files in the file system are removed, marking the space they occupied as available for new data. This allows deleted files to be recovered using data recovery software until that space is overwritten with new data (Source: https://www.makeuseof.com/best-ways-permanently-delete-android-data/).
Some apps like file shredders can immediately overwrite the deleted data to prevent recovery. They overwrite the occupied space multiple times with random 1s and 0s to ensure the original data cannot be reconstructed (Source: https://android.stackexchange.com/questions/233439/how-to-shred-deleted-files-to-prevent-data-recovery?). Popular file shredder apps for Android include Andro Shredder, Secure Erase, and Shreddit.
Factory Reset
A factory reset will erase all user data and settings from an Android device and restore it to its original manufacturer settings. This is done by formatting, or wiping clean, the data partitions on the device’s internal storage [1].
On Android devices, the user data is stored in a separate partition from the operating system files. When a factory reset is performed, the data partition is reformatted to a blank state, effectively deleting all apps, photos, accounts, settings and any other personal content added by the user [2]. The operating system partition is left intact during a reset.
Some key points about how factory reset erases data:
- It wipes all data from the user data partition
- It does not modify the operating system partition
- It restores the device to original manufacturing settings
- All apps, accounts, settings, files are erased.
So in summary, factory reset erases all user data by formatting the data partitions to a blank state.
Encryption
With encryption enabled on an Android device, a decryption key is used to encrypt all the data stored on the device. When a factory reset is performed, this decryption key is erased as part of the process. Without the decryption key, the encrypted data on the device becomes practically unrecoverable and unreadable.[1]
For example, on Samsung devices that utilize the company’s Knox security platform, performing a factory reset will wipe the decryption key from the device’s Trusted Execution Environment (TEE) secure chip.[2] Even if someone knows the device’s lock screen password, without the decryption key, it is impossible to decrypt and access any data from before the reset.
Therefore, with full-device encryption enabled, a factory reset renders a device’s data essentially irrecoverable. The encryption ensures a higher level of security when resetting the device before sale or disposal.
Removable Storage
Android supports removable storage encryption for SD cards and USB drives using the Extensible Encryption Standard (XTS) mode [1]. When encryption is enabled for removable storage, all files written to the SD card or USB drive are transparently encrypted [2]. The encryption keys are stored safely by the Android OS and are not accessible to other applications.
A major benefit of removable storage encryption is that when an SD card or USB drive is removed from the device, the data stored on it is completely inaccessible without the encryption keys. This means that even if the SD card or USB drive is lost, stolen, or accessed on a different device, the data remains securely encrypted and cannot be read. The encryption ensures the data is fully deleted and unrecoverable upon removal of the external storage from an Android device.
To enable removable storage encryption on Android, it needs to be turned on in the system settings. Some devices may encrypt removable storage by default when encryption is enabled. When formatted, the external storage will be formatted as encrypted and all new data written to it will be encrypted. Previously stored unencrypted data will remain unencrypted until deleted.
Conclusion
In summary, when files are deleted on an Android device, they are not immediately erased from storage. Instead, the references to those files in the file system are removed, marking the space they occupy as available for new data. The actual file contents remain on the storage media until that space is overwritten by new files.
To ensure deleted files are completely erased and unrecoverable, users can utilize the TRIM command, encrypt their device storage, or perform a factory reset. Overwriting deleted files repeatedly with junk data before deleting can also make recovery very difficult.
For most Android users, simply deleting unwanted files and media is sufficient, as recovering deleted data requires special tools and skills. However, those with highly sensitive information to protect may want to take extra precautions like using encryption or manually overwriting deleted files.