When removing data from a storage device, such as a USB or hard disk drive, it is important to consider the method in which the data is formatted. Within Windows, users are given the option to format a drive with the “Quick Format” option enabled. This option is faster than a traditional format; However, all the data still remains on the device. After a quick format, the end user may not be able to access these files, but the data can become recoverable through various forensics techniques. It is important to perform a more thorough format for this reason, especially when it comes to buying or selling used storage devices.
The Master File Table
Windows utilizes the New Technology Filesystem, which is most commonly known as the NTFS filesystem. Every NTFS volume contains a file that is known as the Master File Table. The Master File Table (MFT) is an indexing system which stores all information about files and directories stored within an NTFS volume.i This information includes file metadata such as filenames, file sizes, creation timestamps, security identifiers (such as permissions), data content, and other various file attributes.ii Essentially, the MFT is a giant index that specifies where each file can be found on the drive. Without the MFT, none of the data located on the volume would be reachable, as their MFT entries referencing file information would be gone.
If the Master File Table is empty, it doesn’t necessarily mean that there isn’t any data located on the NTFS volume. When an MFT record of a file located on the drive is deleted, the link between the operating system and the data on the drive is forgotten. The data that was associated with the MFT record would reside in what is called “unallocated space”. When new information is written to the drive, the new data is allowed to receive storage capacity from the unallocated space and overwrite the data that used to exist there. This is the basic functionality of an NTFS drive, which is important to understand when learning about the types of formatting you can perform on them.
Quick Format
When formatting a storage device in windows, the user must right click the specific drive within File Explorer or within Disk Management. By default, the “Quick Format” option is enabled. Below are screenshots of the Quick Format option enabled in Windows 10 when formatting a drive within Disk Management and File Explorer.
The Quick Format option is a very fast formatting option which normally takes less than a minute to complete on most drives. When executing the quick format of a drive, the only content that is deleted is that of the Master File Table. When the MFT records for files get deleted, all referenced data located on the drive will be moved to the volume’s unallocated space. This means that all the data associated with the “formatted” files are still on the drive. This type of format is a fine option when you want to quickly clear up a storage device for personal use, but should be reconsidered when buying or selling used storage drives.
Recovering Data from a Quick Format
Since all the data is still present within the unallocated space after a quick format, the data can be recoverable using a variety of forensic techniques. Extracting data from the unallocated space is known as file carving. By using disk imaging software such as FTK Imager to create an image of a drive formatted with quick format enabled, all the unallocated space located on the drive can be collected. To parse and view the data located in the unallocated space, the generated image file can be analyzed using tools such as Autopsy or by searching for file signatures manually.
Full Format
Unchecking the Quick Format option within Windows executes a more secure disk format. A full format does exactly what the quick format does, in that the Master File Table is completely cleared. The only difference is that all the existing data on the drive is overwritten with zeros, effectively erasing all data from the drive. This method may take longer, but ensures that the data located on the drive is completely expunged. Unlike a quick format, data on the drive does not reside in the unallocated space. A full format also checks for bad sectors, which adds to the total format time.
The result of a full format is more secure than a quick format, as the data shouldn’t be recoverable in normal conditions. Unless there were bad sectors or protected areas located on the drive that didn’t get formatted, a full format in Windows should be sufficient when buying and selling used drives. The screenshots below show the difference in unallocated space when a drive is formatted with and without quick format enabled. For the quick format drive, notice the presence of data within the unallocated space that can potentially be recovered. These screenshots only picture a small amount of unallocated data.
Recovering Data from a Full Format
In rare cases, data can still be recovered from older disk drives using electron microscopes. This is due to how bits are electronically stored on older devices. This method involves estimating the bit value that was originally stored on the drive, which normally has a 50% chance of getting a correct valueiii. Many alternative formatting methods, such as Eraser and DBAN, overwrites existing data multiple times to decrease the chances of bits being able to be recovered. Even though there is a chance of recovering a single bit on a hard drive, the chances of recovering a large amount of data is nearly impossible on modern drives.iii Unless your old hard drive falls in the hands of someone who has an expensive electron microscope and a lot of time on their hands, a full format will safely prevent useful data recovery from occurring.
Conclusion
When formatting a drive within Windows, it is important to consider the different types of disk format options that can be executed, as well as the types of data recovery that can be performed. When buying, selling, or getting rid of used storage devices, it is important to uncheck the Quick Format option within Windows, as all the data that was located on the drive will be accessible to anyone who wants to examine it. Running a full format is the most secure choice you can make when formatting a drive and ensures that your personal data is deleted.
References
iWhat is a Master File Table? GeeksforGeeks. (2023, February 14)
https://www.geeksforgeeks.org/what-is-a-master-file-table/
iiMaster File Table (Local File Systems). Windows App Development Documentation. (n.d.)
https://learn.microsoft.com/en-us/windows/win32/fileio/master-file-table/
iii Wright, C. (2009, January 15). Overwriting Hard Drive Data. SANS Institute Blog.
https://www.sans.org/blog/overwriting-hard-drive-data/