If I delete photos/files why aren't they actually deleted? How come they can be recovered?
Short answer
By moving a file to Trash and then emptying the trash, or by doing a quick format of a traditional hard drive (i.e. not a solid state drive), you're actually not deleting files. Instead, all you are doing is deleting the information about those files. This means the operating system has absolutely no idea those files exist, let alone where on the drive they exist.
Long answer
Okay, let me explain this by using an analogy.
Imagine you’re at a library and this particular library contains 100,000 books. All these books are indexed in the library’s catalog. This catalogue is accessible via a computer that allows you to search by title, author, date, etc. Most importantly, each index tells you exactly where that book is located. This makes it easy to find what you’re looking for when you need to. You simply conduct a search of the catalog and it’ll tell you exactly where that book is (i.e. what section, row, and shelf it’s sitting in).
One day, someone accidentally deletes the record of a particular book from the library’s catalogue. The book itself is still there, sitting in exactly the same spot. But no-one knows it’s there and/or where it is!
The next day, someone breaks in and steals the computer containing the library’s catalogue. All of the books are still there, but if you walked in and wanted to find a particular book about Steve Jobs, you’d have no idea if that book is in the library and, if so, where to find it!
Now imagine that your hard drive is that library. It contains 100,000 files (documents, photos, videos, music, etc).
When you move a file to the Trash and then empty it, it’s akin to someone accidentally deleting the record of a particular book from the library’s catalog.
When you erase a hard drive, that’s akin to someone stealing the library’s entire catalog.
So, using our analogy, the books are still on the shelves. They haven’t gone anywhere! But if you wanted to find that one book you’re looking for, well, you’d have absolutely no idea where to look.
Likewise when deleting files or erasing a hard drive. Your computer has no idea whatsoever what data is on that hard, or where it is. So, as a user, if you navigate around the hard drive you won’t see those files because your Mac isn’t aware of them and therefore isn’t displaying them. They effectively don’t exist.
But, if you were to use data recovery software, then that’s akin to a library hiring someone to go in and walk up and down every row of bookshelves and opening each and every book and taking notes of their titles, authors, location, etc. The data recovery software has no idea what’s on your hard drive initially, but it will interrogate every block of space to actually see what’s there and can then recover it. In other words, it’s making what’s already there visible again.
When you empty the trash or erase a hard drive and then start saving new files to your computer, over time macOS will just overwrite the previous data because it just doesn’t know there’s any data there. It just sees it as free space and therefore available to write new data over. That’s why recovering data is always more successful soon after you’ve deleted something, because there’s less chance it’s already been overwritten.
If you want to be fairly certain those intimate photos aren’t recoverable, you can:
- Secure erase the hard drive (since you’re on El Capitan, read this question and its answers How to get the "securely erase" function of Disk Utility on El Capitan & Sierra)
- Manually fill the empty space of the hard drive with other data, preferably large files (e.g. a whole heap videos) and then when it’s full, delete this files. In this way, the blocks containing the previous photos should be overwritten with other data.
IMPORTANT: If your daughter has Time Machine backups, then all those intimate photos will almost certainly be in those backups as well.
A final word...
Another option users can take is to encrypt their Mac startup drive. This will secure your data because everything on the disk is encrypted. If you delete files, these will be unrecoverable or, more to the point, they can be recovered, but they're encrypted and therefore inaccessible to anyone who doesn't have the right credentials (e.g. login password, recovery key).
For more info on how to use FileVault refer to: Use FileVault to encrypt the startup disk on your Mac.
The files on the hard drive are all around and the system keeps pointers that point to the files. When you delete the file, you really only delete the pointer and the data is still there, but you can't find it with normal tools. The operating system will eventually overwrite that data with new data.
This is where data recovery comes into place, there are tools that allow scanning of the drive and recovering the files (restoring the pointers).
One way of avoiding that is to overwrite the place where the actual data resides multiple times. Again there are tools for that.
Before El Capitan you could securely empty the trash right in the menu, but that option is gone because it did not work as it should. In newer versions this could be done from terminal like this: diskutil secureErase freespace LEVEL /Volumes/DRIVENAME
. Source: Does FileVault 2 also encrypt my free disk space?
You can delete files that way with this command srm -v /path/to/file/to/securely/delete/example.png
. Still, good tools could recover files deleted like this.
Unfortunately the only real solution is secure wiping the full drive and overwrite it with random 0 and 1. One time is enough. This process deletes everything on the drive and takes a lot of time to complete.
Emptying the trash doesn't erase the space the files occupied on the disc: it just marks that space as available to be used again. If the space hasn't been reused, the data is still there and can be found by software that looks through the available space of the drive looking for, e.g., fragments of photos.
Erasing the space would take time so, since most data isn't sensitive, it's usually better to just leave it there rather than really erasing it. It also allows people to recover from oopses.
Monomeeth's answer already explains how deleting and recovery work.
I'm going to attempt to explain why they work that way.
Computers today are fast, but that wasn't always the case. Conceptually speaking, the latest greatest OS X (software that all apple computers have that makes them work) has a lot in common with earlish Unixes from the 1980's (think software for old refrigerator-sized machines that only universities or huge companies had).
Overwriting data on a hard disk is expensive (takes lots of computer resources). The difference between deleting the pointer (think library catalog entry) to where the data is and the data itself (think collection of encyclopedias) is (depending on the size of the data) the difference between running to the house next door (seconds) and running around the entire planet Earth (years)... or to the moon and back (centuries)... or to the next star system (you get the idea). It's hard to explain to a non-technical person just how big the difference is.
Even though computers run much faster than people, and modern computers run much faster than early computers, the difference is still significant.
That also plays in to the social factors: people want their computers to be fast. They also want to be able to recover files if they accidentally delete them. There's also the inertia of the fact that filesystems have almost always worked that way, and it would take a lot of programmers a lot of time (read: very very expensive) to change it.
All of that adds up to your current mac (and every other computer) working more-or-less the way Monomeeth's answer describes.
For more info see this question and my answer to it.
This answer belongs in Parenting SE, but since the question is here, I'll put the answer here too. It does not address OP's actual hardware question.
Following up a comment. The technical answers cover it. You can erase the images, and there are apps that will write gibberish over the files before erasing them making recovery unlikely without really high tech skills.
However any kid with the brains God gave to turnips will learn from the first experience, and hide things from you.
This is one you don't win by setting rules. You win this one by convincing her that she doesn't want this sort of thing on her computer. Discuss the content that troubles you. Far better for her to be open, and to talk about this, then for her to be secretive about it. Overall this process starts years earlier. Gaining trust at this point is tough.
14 is a difficult age. We all made dumb choices at that age. I always felt I could talk about anything with my parents. They pointed out possible downsides to things, but told me that I was allowed to make my own mistakes. I made a few. But not as many as most of my classmates.
Or you take the computer away from her.
Ways your child can circumvent your attempt to control the contents of his/her devices:
- Passcode the device.
- Encrypt the hard drive.
- Partition the hard drive and make the extra partition encrypted.
- Partition the hard drive and normally leave it non-mounted.
- Create a hidden folder.
- Create multiple photo libraries.
- Keep stuff on a thumb drive. On the thumb drive you can do any combination of 1-6.
- Create a new user account and require login. Do not show login items on opening screen. Use one account for school, and the other for clandestine stuff.
- Store stuff in the cloud.
- Store stuff in a archive that spotlight (or equivalent) doesn't search.
- Create a new email account on a public server. Mail stuff as attachments to that account.