The #1 question in digital forensics!
This is definitely the most asked question. Can deleted files or data be recovered? As with most things in forensics, it depends. The answer depends on the device: is it a computer or a mobile phone? Then it depends on the make: is it a Windows computer, an Android phone or an Apple product? On top of that, the version of the operating system makes a big difference. A Windows 11 computer will handle deleted files differently than a Windows XP one or an Apple product. They will mostly be similar, but there are differences. The same goes for mobile phones. An older iPhone 5 will not handle deleted files the same way as a current model.
Let’s keep it simple
It is not possible for me to discuss all the various deleted file scenarios in a short blog. For simplicity, I will discuss how a Windows computer handles deleted files. Every other device does mostly the same things, but in different ways. Sometimes these different ways make it very difficult to recover files. Sometimes it is just impossible. I have done a lot of presentations and testified in court on this topic. I like to keep things very simple so that everyone understands.
The best example of deleted data
The best way to explain how deleted files are handled is with the library example. By that I mean that a deleted file, or any file, is like a book in a library. Remember the library? Have you been there lately? This is one thing that the internet sure has changed. Some of you may have never been to a physical library, but that’s ok, I’m sure most of you are familiar with the concept. If not, here is how it works. Before computers were around, the way you found a book in a library was with good old-fashioned index cards! You would go to the index and look for the book you wanted. Every book had an index card. Once you found the card, it would tell you where the book was in the library: which floor, which bookshelf, and so on.
So where is your file? I mean your book:)
I am going to describe how files are deleted and recovered now. When I say book, I mean file and… below should make things easier:
- Book = File
- Index = Operating System
- Index Card = File Entry
- Blue Bin = Recycle Bin
When you delete a file in Windows, the file (book) is not deleted. It just means that the file entry (index card) for that file is placed in the recycle (blue) bin. The operating system (index) keeps track of where the file is and that the index card is in the recycle bin.
Let’s look at various scenarios
Let’s say you want your file back. Very simple: just take the index card out of the recycle bin and put it back in the index. Voilà, your file is back! If you are following along, you know the file never went anywhere.
What happens when you empty the recycle bin? When the index card is destroyed? As before, the file (book) is still on the shelf. In computer terms, it is still in the file system in the allocated space for it. But now, because there is no longer an index card, the operating system of the computer no longer knows where the file is. It basically “forgets” where it is.
You might be tempted to think that this means all files can be recovered. Not so fast! You see, the computer now thinks that the space on the shelf where the book was is empty, so it thinks it can put new books (files) there. The file is now in what is called “unallocated” space or “free” space. New books or files can take the place of old ones. When a new file is placed on top of an old file, the old file is “over-written”. If the new file is smaller than the old file, then you could recover a partial file. The image below is a partially recovered file.
What happens when the new file is bigger than the old file? The old file is GONE. It is NOT recoverable.
What is slack space?
Another way to think about partially recoverable files is by looking at “slack space”. Slack space is the leftover space in a file’s allocation that still holds data left behind by an older file. An easy way to represent this is with VHS tapes. Again, you may not have used a VHS tape, but your parents probably did. And most judges have, or at least are comfortable with the concept. Let’s say you record a 2-hour movie on a VHS tape and the tape can only hold 2 hours of recordings. If you want to record something else, you would have to use a new tape or re-use this one. Let’s re-use this tape and record a 30-minute TV show at the beginning. What you would end up with is the 30-minute TV show followed by 1.5 hours of the movie. This 1.5 hours of the movie is slack space. Note that the first 30 minutes of the movie are over-written and gone forever.
How do I recover deleted files?
Using forensic tools and software, I am able to recover a variety of deleted files. The way this is mostly done is by searching the entire computer hard drive using specialized software. Every file has what is called a file “signature”. A file signature is a series of characters at the beginning of the file. It is similar to a book title. You would need to look at EVERY book in the library to find the one you are looking for. On a computer, the software looks through the entire drive for EVERY occurrence of the signature you are looking for.
If you do find your file after the index card was deleted, it will have no file name, dates or original location. It is just “there”. Just like a $5 bill on the ground. It is there but you do not know how long it’s been there or who put it there. Recovered deleted files are sometimes difficult to use as evidence.
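The signature search described above, and the partial-recovery case from the over-written file scenario, as an added example written for this post rather than the author’s own tooling: a minimal PNG carver scans a constructed byte string standing in for unallocated space, returns only offsets and bytes (no name, dates or folder), and a CRC walk tells an intact carve from one whose tail was over-written. The PNG header and IEND bytes are the documented PNG format values; the sample files and “disk” are constructed here.

```python
import struct
import zlib

PNG_HEADER = b"\x89PNG\r\n\x1a\n"   # documented 8-byte PNG signature
PNG_FOOTER = b"IEND\xaeB`\x82"      # IEND chunk type followed by its fixed CRC

def carve_png(image: bytes) -> list:
    """Scan the whole image for PNG headers, as a carver scans a drive.
    Each hit is (offset, data, complete). Nothing but the bytes comes back:
    the file entry (index card) is gone, so no name, dates or folder."""
    hits = []
    pos = image.find(PNG_HEADER)
    while pos != -1:
        nxt = image.find(PNG_HEADER, pos + len(PNG_HEADER))
        limit = len(image) if nxt == -1 else nxt  # never borrow a later file's footer
        end = image.find(PNG_FOOTER, pos, limit)
        if end == -1:
            hits.append((pos, image[pos:limit], False))  # tail over-written: partial
        else:
            hits.append((pos, image[pos:end + len(PNG_FOOTER)], True))
        pos = nxt
    return hits

def png_intact(data: bytes) -> bool:
    """Walk the chunks and verify every CRC. A newer file written over part
    of a deleted PNG leaves the signature in place but breaks this check."""
    off = len(PNG_HEADER)
    while off + 8 <= len(data):
        length, tag = struct.unpack(">I4s", data[off:off + 8])
        body, crc = data[off + 8:off + 8 + length], data[off + 8 + length:off + 12 + length]
        if len(body) != length or struct.pack(">I", zlib.crc32(tag + body)) != crc:
            return False
        if tag == b"IEND":
            return True
        off += 12 + length
    return False

def make_png(rgb: bytes) -> bytes:
    """Build a valid 1x1 RGB PNG to stand in for a real photo (constructed)."""
    def chunk(tag, body):
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", zlib.crc32(tag + body))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, colour type 2 (RGB)
    return PNG_HEADER + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(b"\x00" + rgb)) + chunk(b"IEND", b"")

# Constructed "unallocated space": one deleted PNG left untouched and one whose
# tail (its IEND chunk, 12 bytes) was over-written by a newer, smaller file.
ORIGINAL = make_png(b"\xff\x00\x00")
OVERWRITTEN = make_png(b"\x00\xff\x00")[:-12] + b"new file here."
DISK = b"\x00" * 64 + ORIGINAL + b"\x00" * 32 + OVERWRITTEN + b"\x00" * 16
```

Running `carve_png(DISK)` yields two hits: the first carves back byte-for-byte and passes `png_intact`, the second is flagged partial and fails the CRC walk, which is the evidence-quality distinction a report would need to make.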
What about mobile devices?
A few things affect how mobile devices handle deleted files. One is encryption: on an iPhone, for example, all files are encrypted. Another is something called “trim”, which is a process that “cleans” free space regularly. There are other ways too, but as I have said, it would require much more than a blog to explain. If you have any questions, contact me on LinkedIn. It is the best place to reach me.