Deleted Data: Basic Concepts for Attorneys and Investigators
How deleted data can be recovered and used as evidence in a case.
Deleted data is the most valuable digital evidence in many cases; it provides access to information that the user may believe is gone. Data is often deleted to hide deceptive or malicious activity. Understanding the basics of data storage and deletion is key to identifying likely sources of evidence.
The blanket term “deletion” covers a range of data removal processes, which differ in their degree of permanence. The following descriptions of the types of deletion, and the recovery options for each, are applicable to most common devices and operating systems, although they necessarily include some generalizations.
Moved to Trash
This is the typical way a user removes an unwanted file. This moves the file from wherever it is stored to the Trash, Recycle Bin, or similar deleted file storage area.
Recovery: Moving to Trash does not delete the file, and anyone with a basic familiarity with the operating system can completely restore it. Nevertheless, unsophisticated or absent-minded users sometimes leave incriminating data in the Trash, mistakenly believing the files have been removed from the system.
Emptied from Trash or Permanently Deleted
Emptying the Trash/Recycle Bin or permanently deleting files through the user interface removes the file from the file system. The file is now inaccessible through ordinary methods. However, the data is not erased. Erasing data completely is a slow process, so most operating systems simply delete the link to the file, which is much faster. The data itself continues to reside on the drive until the system needs to reuse that storage space, at which point it will overwrite the deleted file with new data.
Recovery: Depending on the size of the drive and the amount of new data being saved, it could take months or years for a deleted file to be overwritten. Until then, that file can be retrieved using special forensic tools. Even when the file is eventually overwritten, portions of the data may persist, and a partial file recovery could be possible.
Wiped
Data erasure or “wiping” involves the use of special software to deliberately destroy the data on a drive or storage medium. The software methodically overwrites each part of the disk with new, meaningless data (for example, all zeroes).
Recovery: When it functions properly, software-based data erasure is very effective; the data is permanently and irretrievably deleted. However, this method can fail for a variety of reasons, and data may still be recoverable after someone has attempted to wipe the drive. Even if no data can be recovered, the wiping could be evidence itself; depending on the circumstances of the case, wholesale data erasure could be a clear indicator of malicious activity or spoliation.
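The two mechanisms described above (a deletion that only removes the file system's link, and a wipe that overwrites the storage itself) are easiest to see on a miniature disk. The following Python model is an added example, not code from the original article or from any forensic tool: the disk, its directory, the `MEMO:`/`<<END>>` file signature and the memo text are all constructed for illustration. It "permanently deletes" a file, carves it back out of the raw bytes without consulting the directory, shows what survives once new data lands on the same blocks, and finally wipes the unallocated space.

```python
"""Toy disk showing deletion vs. overwrite vs. wiping (constructed example)."""

BLOCK_SIZE = 16          # bytes per block; tiny so the whole 'disk' is easy to inspect
NUM_BLOCKS = 8
HEADER = b"MEMO:"        # constructed file signature the carver searches for
FOOTER = b"<<END>>"      # constructed end-of-file marker


class ToyDisk:
    """Raw storage plus a directory; the directory entry is the only 'link' to a file."""

    def __init__(self):
        self.raw = bytearray(BLOCK_SIZE * NUM_BLOCKS)   # the physical medium
        self.directory = {}                             # name -> (blocks, length)
        self.free_blocks = list(range(NUM_BLOCKS))      # allocation map

    def write_file(self, name, data):
        needed = -(-len(data) // BLOCK_SIZE)            # ceiling division
        if needed > len(self.free_blocks):
            raise OSError("disk full")
        blocks = [self.free_blocks.pop(0) for _ in range(needed)]
        for i, blk in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.raw[blk * BLOCK_SIZE:blk * BLOCK_SIZE + len(chunk)] = chunk
        self.directory[name] = (blocks, len(data))

    def read_file(self, name):
        blocks, length = self.directory[name]
        data = b"".join(bytes(self.raw[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE]) for b in blocks)
        return data[:length]

    def delete_file(self, name):
        """Emptying the Trash: drop the directory entry, mark blocks free, touch no bytes."""
        blocks, _ = self.directory.pop(name)
        self.free_blocks = sorted(self.free_blocks + blocks)

    def wipe_free_space(self):
        """Erasure software: overwrite every unallocated block with zeros."""
        for blk in self.free_blocks:
            self.raw[blk * BLOCK_SIZE:(blk + 1) * BLOCK_SIZE] = bytes(BLOCK_SIZE)


def carve(raw):
    """Ignore the directory and recover files by signature from the raw bytes.
    Returns (offset, body, complete) tuples; complete is False when the footer is gone."""
    found, pos = [], 0
    while (start := raw.find(HEADER, pos)) >= 0:
        body_start = start + len(HEADER)
        end = raw.find(FOOTER, body_start)
        if end >= 0:
            found.append((start, bytes(raw[body_start:end]), True))
            pos = end + len(FOOTER)
        else:                                  # footer overwritten: partial recovery
            tail = bytes(raw[body_start:]).split(b"\x00", 1)[0]
            found.append((start, tail, False))
            pos = body_start
    return found


def keyword_search(raw, word):
    """Offsets where a keyword survives anywhere on the medium, allocated or not."""
    hits, pos = [], 0
    while (i := raw.find(word, pos)) >= 0:
        hits.append(i)
        pos = i + 1
    return hits


def demo():
    disk = ToyDisk()
    memo = HEADER + b"meet at the dock at midnight" + FOOTER   # constructed content, 40 bytes
    disk.write_file("memo.txt", memo)                          # occupies blocks 0, 1, 2
    disk.delete_file("memo.txt")                               # 'permanently deleted'
    after_delete = carve(disk.raw)                             # still fully recoverable
    disk.write_file("list.txt", b"grocery list: eggs, milk")   # 24 bytes reuse blocks 0, 1
    after_overwrite = (carve(disk.raw), keyword_search(disk.raw, b"midnight"))
    disk.wipe_free_space()                                     # zero all unallocated blocks
    after_wipe = (carve(disk.raw), keyword_search(disk.raw, b"midnight"))
    return {"after_delete": after_delete, "after_overwrite": after_overwrite,
            "after_wipe": after_wipe, "disk": disk}


if __name__ == "__main__":
    for stage, result in demo().items():
        if stage != "disk":
            print(stage, result)
```

Running `demo()` walks through the article's three outcomes: right after deletion the whole memo carves out intact even though the directory no longer lists it; once a new file reuses the first two blocks the signature is gone and only a keyword search still finds "midnight" in the untouched third block; after the wipe neither method finds it. One detail the toy makes visible is that `wipe_free_space` only clears unallocated blocks, so the unused tail of the new file's last block (file slack) still holds the fragment "midnigh"; this is one of the ways a wipe can leave remnants behind.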
Physically Destroyed
Complete physical destruction of the drive is generally the most certain form of data elimination.
Recovery: Data on a completely destroyed drive cannot be recovered, but a drive that is damaged rather than destroyed may still contain recoverable data.