We have an interesting discussion here about file deletion on iOS devices.
The question was: if I delete a file using NSFileManager, what's happening under the hood?
My understanding is that deletion is performed by removing the corresponding file entry from the file system table.
The counter argument is that a file handle remains in some way and only a flag gets set which marks the file as deleted. If the user had root access to the iOS device, he could potentially reset that flag and recover the file content.
In both cases we agree that the actual file content will not be overwritten and the plain bytes still exist on the flash memory/disk until the block is occupied by another file.
The idea is now: if the second version is true, we could overwrite the file with a one byte content prior to deletion (even if that byte gets written to a new location on the flash drive without actually overwriting the old content). If then the file is recovered, only the overwritten one byte content is available.
Note that we're not talking about forensic analysis of the flash drive which could maybe recover the original file content.
So to recap:
- How does deletion of a file on iOS work internally?
- Does the overwrite approach prevent undeletion?
Best Answer
I believe in Unix the file system is modified as you suggest (the entry is removed from the file system table). On Windows the file system table is modified, and the file is just flagged as deleted - data recovery tools can undelete the file. Having looked at Windows undelete applications I think the file name is also modified, so when undeleting, you need to supply the correct file name. Modifying the file name would mean if you created a file with the same name as the one you just deleted, the OS wouldn't have to reconcile there being two files with the same name.
MacOSX and Windows have a trash can (recycle bin) which I think is implemented a special folder into which the deleted files are copied. When you empty the trash, this folder is purged - by modifying the system file table. If you use NSFileManager, it circumvents the trash can (which doesn't exist on iOS anyway) so it's a real delete. likewise if you "rm" from a terminal window.
If you create a new file with the same name as the old one, in Unix it's just a new entry in the system file table, but since the old entry had been removed from the table, there wouldn't be an advantage to creating the new entry.
That's my belief, and I'm ready for the onslaught of down votes ;-)