just curious...difference between deleting and moving?

amarok

Not really a vista problem (had the same in xp)

I'm wondering what the "technical" difference is between
delete or moving/copying a big file, since I experience
huge performance times?

If I delete a dvd file (either an image file or a folder with vob files)
on let's say 4.3 gb of size.....deleting takes merely a few seconds,
but if I need to move/copy it to another harddisk or folder, it takes
a lot longer time (several minutes).....
but isn't deleting just a sort of "moving" a file??? why is there so much
difference in the types of operations with the files??

Best regards

Mike
 
dev

/amarok/ said:
Not really a vista problem (had the same in xp)

I'm wondering what the "technical" difference is between
delete or moving/copying a big file, since I experience
huge performance times?

If I delete a dvd file (either an image file or a folder with vob files)
on let's say 4.3 gb of size.....deleting takes merely a few seconds,
but if I need to move/copy it to another harddisk or folder, it takes
a lot longer time (several minutes).....
but isn't deleting just a sort of "moving" a file??? why is there so much
difference in the types of operations with the files??

As I size it up...
Deleting leaves the file/s, but allows overwriting of the space that
they occupy.
Moving migrates the bits to a different space.
 
ChrisM

amarok said:
Not really a vista problem (had the same in xp)

I'm wondering what the "technical" difference is between
delete or moving/copying a big file, since I experience
huge performance times?

If I delete a dvd file (either an image file or a folder with vob files)
on let's say 4.3 gb of size.....deleting takes merely a few seconds,
but if I need to move/copy it to another harddisk or folder, it takes
a lot longer time (several minutes).....
but isn't deleting just a sort of "moving" a file??? why is there so
much difference in the types of operations with the files??

Best regards

Mike

Deleting a file simply removes that file's references so that the space is no
longer allocated to that file and can be reused. As all that is being changed
is a few bytes representing the physical position of the file on the disc,
this should be fairly quick.

Copying a file creates a new version of that file, so has to physically copy
the whole file to a new (additional) location on the disc. As the whole file
is being copied, this can take some time.

Moving a file to a new location ON THE SAME LOGICAL DISK is usually simply a
case of changing the references to the file to locate it in a new logical
position in the directory structure. This does not normally require the file
to be physically moved, just changing the references to it, so should be
quite quick.

Moving a file to a different logical or physical disk or a different
partition requires the file to be physically relocated. In fact it is
basically a copy followed by a delete of the old file. Once again, since the
file is being physically moved, it can be quite time consuming for a very
large file.
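
The same-volume versus cross-volume distinction described in the post above can be observed directly. The Python sketch below is an added example, not part of the original thread; the file names and the 4 MiB size are constructed, and `move` and `move_demo` are hypothetical helper names.

```python
import errno, os, shutil, tempfile

def move(src, dst_dir):
    """Move src into dst_dir and report which mechanism did the work."""
    dst = os.path.join(dst_dir, os.path.basename(src))
    try:
        os.rename(src, dst)            # same volume: only the directory entry changes
        return "rename", dst
    except OSError as exc:
        if exc.errno != errno.EXDEV:   # EXDEV = destination is on another volume
            raise
    shutil.copy2(src, dst)             # different volume: every byte is rewritten...
    os.remove(src)                     # ...and then the original is deleted
    return "copy+delete", dst

def move_demo(size=4 * 1024 * 1024):
    """Constructed sample: a 4 MiB file moved and copied inside one temp directory."""
    with tempfile.TemporaryDirectory() as root:
        a, b = os.path.join(root, "a"), os.path.join(root, "b")
        os.mkdir(a)
        os.mkdir(b)
        src = os.path.join(a, "image.iso")
        with open(src, "wb") as fh:
            fh.write(os.urandom(size))
        before = os.stat(src).st_ino          # file record number before the move
        how, moved = move(src, b)
        after = os.stat(moved).st_ino
        copy = shutil.copy2(moved, os.path.join(a, "copy.iso"))
        return {"how": how,
                "same_file_record": before == after,
                "copy_is_new_record": os.stat(copy).st_ino != after,
                "source_gone": not os.path.exists(src)}

if __name__ == "__main__":
    print(move_demo())
```

Within one volume the move keeps the same file record and touches no data blocks, while the copy allocates a new record and rewrites the whole file, which is where the minutes go for a 4.3 GB image.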
 
kirk jim

In addition to what ChrisM correctly stated, I have to add that
this is the reason why some "undelete" programs exist.

Because the files are not really totally erased, only marked as space
that can be used again. If another file does not get written upon that
space, you can recover that deleted file!

That's why there are some programs that make sure all the empty spaces
of the drives get written by zeros, so you are sure no deleted files can be
recovered if you want to give your computer to someone else for example.
 
amarok

okay thanks guys :)

I guess I'm enlightened every time I'm on this forum :)))))

best regards

mike
 
ChrisM

In fact, even if the data has been overwritten with zeroes, I believe that
using some advanced data recovery techniques, it is still sometimes possible
to retrieve the original data.
The erase programs used by some high security applications (military, MI6,
top secret commercial data etc) actually overwrite the data many times so
that the original information is totally obliterated...

:)

ChrisM

 
Alun Harford

ChrisM said:
In fact, even if the data has been overwritten with zeroes, I believe that
using some advanced data recovery techniques, it is still sometimes possible
to retrieve the original data.
The erase programs used by some high security applications (military, MI6,
top secret commercial data etc) actually overwrite the data many times so
that the original information is totally obliterated...

Modern hard drives and techniques mean that such programs are obsolete.
The only way to be sure of destroying the data is to destroy the drive.

Alun Harford
 
Adam Albright

In fact, even if the data has been overwritten with zeroes, I believe that
using some advanced data recovery techniques, it is still sometimes possible
to retrieve the original data.
The erase programs used by some high security applications (military, MI6,
top secret commercial data etc) actually overwrite the data many times so
that the original information is totally obliterated...

Again, that depends. That too can be BS. The king of forensic
software, a nifty application called ENCASE (for evidence case) can
recover nearly anything... no matter what you do, short of taking a
really powerful magnet to your hard drive or bashing it into pieces
with a sledge hammer. Years back, before 9/11 anybody could buy a copy
of ENCASE, not anymore, now it is only sold (legally) to law
enforcement agencies.
 
ChrisM

In message (e-mail address removed),
Adam Albright said:
Again, that depends. That too can be BS. The king of forensic
software, a nifty application called ENCASE (for evidence case) can
recover nearly anything... no matter what you do, short of taking a
really powerful magnet to your hard drive or bashing it into pieces
with a sledge hammer. Years back, before 9/11 anybody could buy a copy
of ENCASE, not anymore, now it is only sold (legally) to law
enforcement agencies.

Does this ENCASE work on the HDD as is, or do you have to take things to
bits to do this sort of data recovery?
Surely the drive firmware(? or whatever it's called) will simply return the
most recent bit values written to the disk??
How do you get it to look at what 'used' to be there?? I've never really
understood the practicalities of data recovery at this level, only that it
could, somehow, be done...
 
Adam Albright

In message (e-mail address removed),


Does this ENCASE work on the HDD as is, or do you have to take things to
bits to do this sort of data recovery?
Surely the drive firmware(? or whatever it's called) will simply return the
most recent bit values written to the disk??
How do you get it to look at what 'used' to be there?? I've never really
understood the practicalities of data recovery at this level, only that it
could, somehow, be done...

I haven't seen the latest versions since I'm not in law enforcement.
The older versions of ENCASE would totally bypass the OS and just read
any drive sector by sector. Since the main purpose of ENCASE is to
build an airtight case against criminals, it reads a hard drive sector
by sector, bit by bit which gets copied to the trained investigator's
linked computer so they can prove they didn't tamper with the actual
contents and "plant" evidence. The built-in viewers that are a main
part of ENCASE are impressive in what they can dig up and transform
back into human readable form.

The first time I saw all it could dig out I was rather impressed. Even
written over files with so-called wipe utilities, ENCASE still often
found enough of the file and put it back together so you knew what it
was. Probably even better now since 9/11, an amazingly clever bit of
software, if the government doesn't abuse it. I think it costs about
$1495 now.

Do a Google on 'file slack' and security to learn more on how some of
what ENCASE does works.

In short, file slack is a fruitful and interesting environment to
snoop in. Defined, this is the total number of bytes written to a hard
drive's sectors between the actual end of "real" file data and the
virtual end of the cluster used. For example, when you write a 600-byte
file, all versions of Windows need to fill out the cluster, whose
common sizes are 512, 1024, 2048 bytes respectively.

File slack can be literally made up of anything, scraps of your files,
something that was in a memory page, just garbage, anything. Worse,
since Windows is a natural blabbermouth, it journalizes just about
everything you do and remembers. Applications like ENCASE know where
to look.

Hint: Just because you "delete" a file, even overwrite it, doesn't
mean that was the only time either all or part of that deleted or
overwritten file was ever in a memory buffer in its pristine pre-wipe
form and may have, and often will be used as file slack. If any bit of
any file remains on a hard drive if the hard drive can be read sector
by sector, even if you reformat, delete a partition, wipe files,
whatever you think you do as a security measure, some applications can
bring back the dead, often very easily. ;-)
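
The undelete and file-slack behaviour described in the posts above, as an added example that is not part of the original thread: a toy in-memory volume (an assumption, far simpler than NTFS or FAT) with 1024-byte clusters, in which a 600-byte file reuses a cluster that previously held a deleted file. `ToyVolume`, `slack_demo` and the sample data are constructed for illustration.

```python
CLUSTER = 1024  # one of the cluster sizes mentioned in the post

class ToyVolume:
    """Constructed model: raw bytes plus a name -> (clusters, size) table."""
    def __init__(self, clusters=8):
        self.disk = bytearray(clusters * CLUSTER)
        self.free = list(range(clusters))
        self.table = {}

    def write(self, name, data):
        need = max(1, -(-len(data) // CLUSTER))       # ceiling division
        used = [self.free.pop(0) for _ in range(need)]
        for i, c in enumerate(used):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            start = c * CLUSTER
            self.disk[start:start + len(chunk)] = chunk   # rest of cluster untouched
        self.table[name] = (used, len(data))

    def delete(self, name):
        used, _ = self.table.pop(name)                # only the reference is removed
        self.free = sorted(self.free + used)

    def _tail(self, name):
        """Byte range between the end of the file data and the end of its last cluster."""
        used, size = self.table[name]
        stop = (used[-1] + 1) * CLUSTER
        return stop - (len(used) * CLUSTER - size), stop

    def slack(self, name):
        start, stop = self._tail(name)
        return bytes(self.disk[start:stop])

    def wipe_slack_and_free(self):
        for name in self.table:                       # zero the slack of live files
            start, stop = self._tail(name)
            self.disk[start:stop] = bytes(stop - start)
        for c in self.free:                           # zero every unallocated cluster
            self.disk[c * CLUSTER:(c + 1) * CLUSTER] = bytes(CLUSTER)

def slack_demo():
    vol = ToyVolume()
    secret = b"ACCOUNT-4711;" * 70                    # constructed sample, 910 bytes
    vol.write("secret.txt", secret)
    vol.delete("secret.txt")
    after_delete = bytes(vol.disk[:len(secret)])      # still readable sector by sector
    vol.write("note.txt", b"n" * 600)                 # reuses the freed cluster
    leaked = vol.slack("note.txt")
    vol.wipe_slack_and_free()
    return secret, after_delete, leaked, vol.slack("note.txt")
```

In this model the 600-byte file leaves 424 bytes of slack, and the first 310 of them are the tail of the deleted file until the slack and free clusters are zeroed.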
 
ChrisM

In message (e-mail address removed),
Adam Albright said:
I haven't seen the latest versions since I'm not in law enforcement.
The older versions of ENCASE would totally bypass the OS and just read
any drive sector by sector. Since the main purpose of ENCASE is to
build an airtight case against criminals, it reads a hard drive sector
by sector, bit by bit which gets copied to the trained investigator's
linked computer so they can prove they didn't tamper with the actual
contents and "plant" evidence. The built-in viewers that are a main
part of ENCASE are impressive in what they can dig up and transform
back into human readable form.

The first time I saw all it could dig out I was rather impressed. Even
written over files with so-called wipe utilities, ENCASE still often
found enough of the file and put it back together so you knew what it
was. Probably even better now since 9/11, an amazingly clever bit of
software, if the government doesn't abuse it. I think it costs about
$1495 now.

Do a Google on 'file slack' and security to learn more on how some of
what ENCASE does works.

In short, file slack is a fruitful and interesting environment to
snoop in. Defined, this is the total number of bytes written to a hard
drive's sectors between the actual end of "real" file data and the
virtual end of the cluster used. For example, when you write a 600-byte
file, all versions of Windows need to fill out the cluster, whose
common sizes are 512, 1024, 2048 bytes respectively.

File slack can be literally made up of anything, scraps of your files,
something that was in a memory page, just garbage, anything. Worse,
since Windows is a natural blabbermouth, it journalizes just about
everything you do and remembers. Applications like ENCASE know where
to look.

Hint: Just because you "delete" a file, even overwrite it, doesn't
mean that was the only time either all or part of that deleted or
overwritten file was ever in a memory buffer in its pristine pre-wipe
form and may have, and often will be used as file slack. If any bit of
any file remains on a hard drive if the hard drive can be read sector
by sector, even if you reformat, delete a partition, wipe files,
whatever you think you do as a security measure, some applications can
bring back the dead, often very easily. ;-)

I guess the only way to be fairly sure your secret data is completely gone,
is to write garbage or just zeroes into every single bit of every single
sector on the disc, then 'rinse and repeat' several times...
I guess the only way to be totally sure is to burn your HDD on the
bonfire!!!
 
Guest

If you want to have a look at a good erase program: East-Tec Eraser 2007. It
includes military, and the Gutmann method, 35 passes to remove every
magnetic trace of data
 
