When you delete a file on almost any consumer operating system, what actually happens is narrow: the file system stops pointing to the data and marks that space as available to be overwritten. The bytes on disk do not change. Until something else happens to be written to that same physical location, the original content is recoverable with off-the-shelf forensic software, no special access required, just the drive and a tool that anyone can download.
Formatting a drive through a standard operating system "quick format" does something similarly shallow: it rebuilds the file system's index structures but does not touch the underlying data blocks. A "full format" on some systems does more, but the terminology is inconsistent enough across Windows, macOS, and third-party disk utilities that most users cannot tell from the dialog box alone which one they are running.
What Researchers Keep Finding When They Buy Used Drives
This is not a theoretical risk. Since the mid-2000s, digital forensics researchers, notably a long-running study line out of the University of South Wales (previously the University of Glamorgan) led by Andy Jones and collaborators, have periodically purchased batches of used hard drives and USB storage from secondhand markets, resale auctions, and computer recyclers specifically to measure what remains recoverable. Across repeated rounds of this research published over more than a decade, a consistent share of the drives purchased contained recoverable personal data: financial records, personal correspondence, photographs, and in some rounds corporate or government data that should never have left an organization's control at all.
The pattern held across geographies and across years, which is the useful finding: this is not a one-time lapse by careless sellers, it is what happens by default when the disposal step of a device's life cycle is skipped or done wrong, and it happens often enough that researchers can reliably reproduce it by buying a batch of drives and checking.
The same forensic recoverability applies to more than spinning hard drives: USB flash drives, old phones, tablets, printers with internal storage for scanned documents, and smart home hubs with local caches all hold data past a factory reset unless the reset method specifically addresses the underlying storage, not just the user-facing settings.
Solid State Drives Are a Different, Harder Problem
SSDs complicate this further rather than simplifying it. Wear-leveling, the technique SSD controllers use to spread writes evenly across memory cells to extend the drive's lifespan, means a "delete" or even an overwrite command issued by the operating system does not necessarily touch the same physical cells the original data lived in. The controller may have already relocated that data elsewhere and left the original cells marked internally as stale but not zeroed. Traditional overwrite-based erasure methods, developed for spinning disks, are less reliable against this behavior on SSDs, which is part of why NIST's guidance below treats SSDs and traditional hard drives differently rather than prescribing one method for both.
The Standard That Actually Defines "Erased"
The U.S. National Institute of Standards and Technology publishes the reference standard for media sanitization, NIST Special Publication 800-88. It defines three tiers, not one, because "erased" means different things depending on how much residual risk is acceptable.
| NIST 800-88 tier | What it involves |
|---|---|
| Clear | Software-based overwrite of user-addressable storage, resistant to recovery via standard file recovery tools. Adequate for most personal and consumer disposal. |
| Purge | Techniques that address data even in areas not normally addressable, including a drive's own cryptographic erase command (if the drive supports full-disk encryption at the hardware level) or vendor-specific secure erase. Recommended before a drive leaves an organization's control entirely. |
| Destroy | Physical destruction: shredding, disintegration, or degaussing for magnetic media. The only tier with no residual recovery risk, at the cost of the drive being unusable afterward. |
For most people selling or donating a personal laptop or phone, "Clear" done correctly, a full cryptographic wipe or several passes of a dedicated overwrite tool, not a quick format, is a reasonable bar. For a drive that held anything genuinely sensitive, financial records, health information, professional client data, "Purge" or physical destruction is the more defensible choice, and it is inexpensive: most consumer SSDs and modern hard drives support a built-in secure erase command that performs a cryptographic-level wipe in minutes.
The Easiest Fix Is Set Up Before the Drive Is Ever Sold
The single most effective mitigation is full-disk encryption enabled from the moment the device is first set up, not applied retroactively before resale. If a drive has been encrypted its entire operating life, discarding the encryption key, rather than overwriting the data itself, renders the ciphertext on disk unrecoverable in practice, because there is no plaintext version of the data to recover; only ciphertext remains, and without the key it does not decrypt. This is functionally equivalent to a cryptographic "Purge" and takes seconds instead of hours. We cover the mechanics of this in our disk encryption piece, and the broader deletion question, including cloud storage and account data, in secure data deletion.
What to Actually Do Before You Sell, Donate, or Recycle a Device
- Confirm full-disk encryption was on before you start (BitLocker, FileVault, or LUKS, depending on platform), not applied for the first time right before resale.
- Use the manufacturer's built-in secure erase or cryptographic erase command rather than dragging files to the trash or running a quick format.
- For phones and tablets, use the platform's official "erase all content" reset, which on modern iOS and Android devices is built on the same encrypted-storage principle, rather than a third-party "wipe" app of unknown provenance.
- For anything that held financial, medical, legal, or client data, consider physical destruction over software erasure. A drive is inexpensive; the data on it may not be replaceable if it leaks.
Where Haven Fits
This is a device-level problem, not a messaging-app problem, and Haven does not change what happens to your phone's storage when you sell it. What we can say is that the same principle, encryption from the start rather than cleanup after the fact, is the design basis for how Haven handles your keys and local data: everything sensitive is encrypted at rest from first use, so the failure mode this piece describes, plaintext quietly surviving a deletion that was supposed to remove it, is not one your Haven data is exposed to on a device that is otherwise properly wiped.