Deleted files are not really deleted.
Have I made that clear enough?
Let me repeat – deleted files are not really deleted. And this fact underpins much of forensics and E-discovery.
To understand the full consequences we need to tease apart what is actually happening with file deletion. So lets get into it.
The reason that deleting a file does not remove it is the consequence of a decision made decades ago when the Windows operating system was developed (and is also true of virtually every other operating system like MacOS and Linux). When a file is written to a drive, its name and location are added to the drive index (otherwise how would the computer be able to find it). By analogy, a chapter in a book will be listed on the contents page. In order to erase a file fully all the 1s and 0s must be overwritten with something new, e.g. blanks or random characters. This rewriting takes time, and computer scientists made the sensible choice to minimise the time overheads by only overwriting the entry in the drive’s contents page. The file is still there, but the contents page lists it as empty. The computer sees the space as available for future use, and the time wasted is minimal.
The clear consequence is that the file is recoverable. The usual means of recovery is to ignore the drive contents table and scour the drive directly, looking for the start and end of files. Most files have a key signature at the beginning, and often a key signature at the end. Many times the file can be recovered whole and complete.
There is another important consequence to the way files are deleted and the space reused. When a file name is removed from the contents list, the computer considers the file’s space as empty and available for reuse. When you save a new document the computer may choose to write to that available space and often there will be space left over. This means that the beginning of the old file is now gone, but the end is still there. In this case, only a fragment of the file is recoverable.
Recovering deleted documents and photos is the obvious application, but it’s also valuable in other areas like recovering a person’s internet history. Attempts to delete a user’s internet history are typically not effective.
The recovery of deleted emails is also important. This can be an especially complex task as emails are often stored as entries within a single large container, as for example with MS Outlook, and deletion within a container is not necessarily a straightforward process. However, in a legal context, the preservation of emails is often a key and necessary requirement often mandated by the Court. Even if a forensic analysis can’t recover deleted emails in their entirety, it will usually find fragments and that is often sufficient to demonstrate an intent to subvert the wishes of the Court, and lead to serious sanctions.
I need to add one caveat to the discussion so far that changes the forensic landscape. I made the point at the beginning that files are not actually overwritten as part of the deletion process, but the introduction of new technology is changing this.
For the last 30 years the Hard Disk Drive (HDD) has been the normal form of long term computer storage. Over the last few years we have seen the introduction of a new form of drive, called the Solid State Drive (SSD). Whereas the hard drive is a mechanical device based around magnetic recording (just like a cassette tape), the SSD is purely electronic – it’s a larger, faster, USB flash drive.
In contrast to a HDD which doesn’t care about the original contents, an SSD requires that the an existing file be reset to all 0s before overwriting with a new file. In practice, while a computer is sitting idle, in the background the SSD is clearing out the deleted files and consequently making files unrecoverable.
Don’t despair just yet however, as SSDs are not yet the norm. There are swings and roundabouts in all areas of life and the long term impact on file recovery and forensic practice is still being evaluated.