Digital forensics: How to recover deleted files


Where I personally have a problem remembering names and birthdays, computers have a hard time “forgetting” things. Even when we tell them to do so. If you ever unintentionally deleted a file, you may have been able to retrieve it from the Recycle Bin. Or, if it was past that stage and the file was really important, you may have used System Restore. You may even have looked for recovery software. But what’s actually happening when you delete and recover those files? And are they ever truly gone? We examine the steps a forensic analyst would use to both recover deleted files and permanently delete those they want gone forever.

Deleting a file in Windows

When you send a file to the Recycle Bin, nothing happens to the file itself. The only change is in a pointer record that showed the location of the file before you deleted it. This pointer now shows the file is in the Recycle Bin. Taking the removal one step further, which can be achieved by emptying the Recycle Bin or using Shift + Delete, this pointer record is now what gets deleted.

So Windows will no longer “know” the physical location of the file. And the physical space it occupies on the hard disk is now free and ready to be used for a different objective. But it’s not immediately overwritten. This is by design. The data that was in the file is still in that same location until the operating system uses that physical location for a different purpose.

How does that help us?

Let’s, for the sake of this article, assume that System Restore or another backup method was not enabled, because if it were, that would be the second method to try to get those important files back. The problem with System Restore is that we sometimes dread the other changes that may be undone in the process of using it, especially if the last usable restore point is an old one.

Knowing how the deletion procedure in Windows works can help us if and when we want to recover important deleted files. You should realize that every change you make after deleting that file diminishes the chance of getting it back in one piece. Defragmenting, for example, re-arranges a lot of the physical locations that files are in and can overwrite the “freed-up” space.

The mere act of looking for recovery software, downloading it, and installing it, may be the very thing that renders the file unrecoverable.

This is where forensic analysts come into play. While most home users wouldn’t perform many more tasks to find deleted files than mentioned above, forensic analysts will take the drive that they want to examine out of operation and attach it as a secondary drive to another system, creating an exact snapshot image of all the data contained on the drive. This method allows them to examine the data without making any changes to the drive. And if they make changes to the copy, there is no harm done, as they can make a new copy from the original.
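To make the three preceding ideas concrete (the deleted "pointer record", the data that survives it, and the image-then-carve workflow), here is an added example that is not part of the original article. It builds a constructed toy disk in memory: block 0 is a tiny directory of (name, first block, length) entries that plays the role of the pointer record, and the remaining blocks hold file data. The PNG header and footer bytes are real file signatures; the disk layout, the file contents, and all function names are assumptions made for the demonstration. A hardware write blocker and a real imaging tool are not modelled; the hash comparison stands in for image verification.

```python
import hashlib
import struct

# Constructed toy disk: 16 blocks of 64 bytes. Block 0 is a directory of
# fixed-size entries (name, first block, length in bytes); blocks 1-15 hold
# file data. The directory entry is the "pointer record" the article mentions.
BLOCK_SIZE = 64
NUM_BLOCKS = 16
ENTRY_FMT = "<8sHH"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)      # 12 bytes per entry
MAX_ENTRIES = BLOCK_SIZE // ENTRY_SIZE       # 5 entries fit in block 0

# Real PNG header/footer bytes around a constructed payload; signature-based
# carving relies on exactly these kinds of fixed byte sequences.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PNG_FOOTER = b"IEND\xaeB`\x82"
PHOTO = PNG_MAGIC + b"constructed image payload" + PNG_FOOTER


def new_disk():
    return bytearray(BLOCK_SIZE * NUM_BLOCKS)


def list_dir(disk):
    """Return (name, first_block, length) for every live directory entry."""
    entries = []
    for i in range(MAX_ENTRIES):
        off = i * ENTRY_SIZE
        name, start, length = struct.unpack(ENTRY_FMT, disk[off:off + ENTRY_SIZE])
        if start != 0:                       # start == 0 marks a free slot
            entries.append((name.rstrip(b"\0").decode(), start, length))
    return entries


def write_file(disk, name, data):
    """Allocate the first free run of blocks, record a directory entry, copy data."""
    used = set()
    for _, start, length in list_dir(disk):
        used.update(range(start, start + -(-length // BLOCK_SIZE)))
    nblocks = -(-len(data) // BLOCK_SIZE)
    start = next((b for b in range(1, NUM_BLOCKS - nblocks + 1)
                  if not used.intersection(range(b, b + nblocks))), None)
    if start is None:
        raise OSError("disk full")
    for i in range(MAX_ENTRIES):
        off = i * ENTRY_SIZE
        if struct.unpack(ENTRY_FMT, disk[off:off + ENTRY_SIZE])[1] == 0:
            disk[off:off + ENTRY_SIZE] = struct.pack(ENTRY_FMT, name.encode(), start, len(data))
            break
    else:
        raise OSError("directory full")
    disk[start * BLOCK_SIZE:start * BLOCK_SIZE + len(data)] = data
    return start


def delete_file(disk, name):
    """Shift+Delete / empty Recycle Bin: clear the directory entry, touch no data."""
    for i in range(MAX_ENTRIES):
        off = i * ENTRY_SIZE
        entry_name, start, _ = struct.unpack(ENTRY_FMT, disk[off:off + ENTRY_SIZE])
        if start != 0 and entry_name.rstrip(b"\0").decode() == name:
            disk[off:off + ENTRY_SIZE] = bytes(ENTRY_SIZE)
            return True
    return False


def image_drive(disk):
    """Take a bit-for-bit copy and prove it matches the original by hash.

    Analysts then work only on the copy; the original is never modified.
    """
    image = bytes(disk)
    if hashlib.sha256(disk).hexdigest() != hashlib.sha256(image).hexdigest():
        raise RuntimeError("image does not match source")
    return image, hashlib.sha256(image).hexdigest()


def carve(image, magic=PNG_MAGIC, footer=PNG_FOOTER):
    """Signature-based carving: find header..footer runs, ignoring the directory."""
    found = []
    pos = image.find(magic)
    while pos != -1:
        end = image.find(footer, pos + len(magic))
        if end == -1:
            break
        found.append(image[pos:end + len(footer)])
        pos = image.find(magic, end + len(footer))
    return found


def recover_after_delete():
    """Delete the photo, image the disk, carve the photo back out of the image."""
    disk = new_disk()
    write_file(disk, "photo", PHOTO)
    delete_file(disk, "photo")
    assert list_dir(disk) == []               # Windows no longer "knows" the file
    image, _ = image_drive(disk)
    return carve(image)


def recover_after_new_write():
    """Same, but a new file lands on the freed blocks first, as a download might."""
    disk = new_disk()
    write_file(disk, "photo", PHOTO)
    delete_file(disk, "photo")
    write_file(disk, "setup", b"N" * len(PHOTO))   # allocator reuses block 1
    image, _ = image_drive(disk)
    return carve(image)


if __name__ == "__main__":
    print("after delete:", recover_after_delete())          # photo comes back intact
    print("after new write:", recover_after_new_write())    # nothing left to carve
```

The second scenario is the "downloading recovery software can make it worse" point in miniature: the allocator hands the freed block to the next file written, and once the header is overwritten the carver has nothing to match on.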


What if I really want my files to be deleted?

Deleting a file may make it inaccessible or free up its space for other files, but is it ever truly 100 percent gone? For example, are there effective ways of deleting the content of a hard drive when you sell your computer? Well, the short answer is “No.” There is no method of deletion that I would trust 100 percent. There are professional recovery tools that claim they will be able to recover files even when the drive has been re-partitioned and re-formatted.

What a forensic analyst might do is to overwrite a whole hard disk and fill every addressable block with zeroes (ASCII NUL bytes). There are secure drive erase utilities for this purpose that can reach a high efficiency rate when used several times on the same drive. At this point, there is no way of recovering overwritten data.

There is software that can erase specific files and folders by overwriting them. Take note that this procedure could turn out to be useless if you have any type of automatic backup system in place, which is recommended given the current number of ransomware threats that are out there.
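The two erase methods just described (zero-filling every addressable block of a drive, and overwriting only the blocks a specific file occupied) and the backup caveat can be shown on the same kind of constructed toy disk. This is an added example, not code from the article or from any erase utility; the block size, the file placement, the "backup" copy and the function names are assumptions. The PNG header is a real file signature and stands in for whatever a recovery tool would search for.

```python
import hashlib

# Constructed toy disk: 8 blocks of 512 bytes, with a "photo" stored in block 3.
BLOCK_SIZE = 512
NUM_BLOCKS = 8
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"          # real PNG header; the signature a carver looks for
PHOTO = PNG_MAGIC + b"constructed image payload"
PHOTO_OFFSET = 3 * BLOCK_SIZE


def make_disk():
    disk = bytearray(BLOCK_SIZE * NUM_BLOCKS)
    disk[PHOTO_OFFSET:PHOTO_OFFSET + len(PHOTO)] = PHOTO
    return disk


def has_signature(data):
    """True if the PNG header is still anywhere in the data (i.e. carvable)."""
    return data.find(PNG_MAGIC) != -1


def blocks_of(offset, length):
    """Block numbers touched by a byte range."""
    first = offset // BLOCK_SIZE
    last = (offset + length - 1) // BLOCK_SIZE
    return range(first, last + 1)


def overwrite_file(disk, offset, length, passes=1):
    """File-level secure erase: zero only the blocks this file occupied, `passes` times."""
    for _ in range(passes):
        for b in blocks_of(offset, length):
            disk[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = bytes(BLOCK_SIZE)


def wipe_disk(disk, passes=1):
    """Whole-drive erase: fill every addressable block with NUL bytes, `passes` times."""
    for _ in range(passes):
        for b in range(NUM_BLOCKS):
            disk[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = bytes(BLOCK_SIZE)


def verify_zeroed(disk):
    """Read every block back and confirm it is all NUL bytes.

    Also returns a SHA-256 that can be compared with the known hash of an
    all-zero disk of the same size, so the check does not rely on the wiper.
    """
    all_zero = all(disk[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] == bytes(BLOCK_SIZE)
                   for b in range(NUM_BLOCKS))
    return all_zero, hashlib.sha256(disk).hexdigest()


def erase_scenario():
    """Returns (signature_left_after_file_erase, signature_in_backup, disk_verified_zero)."""
    disk = make_disk()
    backup = bytes(disk)        # constructed: an automatic backup taken before the erase
    overwrite_file(disk, PHOTO_OFFSET, len(PHOTO), passes=3)
    sig_after_file_erase = has_signature(disk)      # False: the file's blocks are gone
    sig_in_backup = has_signature(backup)           # True: the erase never touched the backup
    wipe_disk(disk, passes=1)
    verified, digest = verify_zeroed(disk)
    expected = hashlib.sha256(bytes(BLOCK_SIZE * NUM_BLOCKS)).hexdigest()
    return sig_after_file_erase, sig_in_backup, verified and digest == expected


if __name__ == "__main__":
    print(erase_scenario())   # (False, True, True)
```

The independent read-back in `verify_zeroed` is the part worth copying: a wipe you have not verified by reading the blocks back is a wipe you are taking on trust. The backup copy still carrying the signature is exactly the situation the paragraph above warns about, so any file-level erase has to be paired with a check of where else the data was copied.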

And if you want to keep on using a drive, but don’t want anyone else to have access to your important files, we would advise you to use encryption. You can encrypt specific data or the whole drive to prevent uninvited eyes from opening them.

There are important differences between deleting, erasing, and overwriting. When it comes to recovering and deleting files, think like a forensic analyst. If you want to be able to recover a deleted file, the method you use will be very different from wanting to make a file virtually disappear. Choose wisely and you’ll better protect your data in the long run.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.