As of June 1, 2024, Vestige Digital Investigations is part of ArcherHall, a leading digital forensics, 
e-discovery, and cybersecurity service provider. The Vestige team that you know and trust will
continue to serve you at ArcherHall. Our expanded team, capabilities, and infrastructure will allow
us to serve you and your clients even better.

Deleted Still Isn’t Deleted


Deleted Still Isn’t Deleted

Author photo
Senior Director, Digital Forensic & E-Discovery

Not a week goes by that I am not talking with a client about some computer forensic matter when the conversation drifts into discussions of how data is deleted. A few minutes later and the client says “well, I guess deleted isn’t deleted”.

Most of the public is familiar with that phrase. They understand through newspaper articles, talking with the local IT expert, working with companies such as us and even watching TV that data can be recovered by those of us with the skills and know-how.

This blog, however, illustrates how any of your data, no matter who keeps it and where they keep it, may not be deleted when you think it is. In order for companies like Facebook, MySpace and others to recover from disasters they need to have backups or mirrors of your data. Disasters can range from data loss, server crash or power outage to buildings destroyed by flood or other natural disasters. The point is that your data is in multiple locations.

The data may not be kept just for backup purposes. It also may be kept because the provider has regulatory requirements that necessitate the need to keep the data. Maybe they are performing analytics on the data for future use. These steps may be made known to you or they may not be. Whatever the reason for keeping of the data, the fact remains is that it happens, quite often when one knowing.

When you request to delete data files permanently, you are relying that the provider is deleting any and all copies whether they be for analytic studies, backup or regulatory purposes. Needless to say from the article referrenced, that doesn’t always happen. Maybe it is purposely kept. Maybe it is accidentally kept because the provider isn’t aware of all the places it keeps your data.

Logic would hold that this issue isn’t just a Facebook problem. Think about all of your cloud providers. Whether you keep just your email, financial data or large sums of data in the cloud, chances are there are multiple copies of it up there. Depending on who you talk to in customer service or tech support, they may not even be aware of it. I recall working on a client matter wherein I wanted access to certain logs. I asked multiple times for these specific logs and was told by the provider that they did not keep these logs. A few weeks later I brought the subject up again, only this time I found out that they did keep these logs (side note: unfortunately they didn’t keep the logs for a long period of time so they claimed that they didn’t have them from the time period I was looking for. I bet if I inquired further, I may have found that story to be inaccurate).

So what can you do?

  1. Start with checking your contract with your provider. This may be a written formal contract or it may be as simple as their terms of service.
  2. Inquire at multiple levels. Start with customer service, go to your sales contact, ask to speak to a support engineer. Not only may you be surprised, you may surprise your provider with what you discover.

At the end of the day, you may discover that you have more discoverable personal data in a case than you realized. Quite often it may be helpful in proving your case but at the very least knowing this information on permanently deleting files will help you ward off spoliation claims.

Contact Vestige today for more information on deleting files permanently.

Greg Kelley - Vestige CTO lft smallby Greg Kelley, EnCE, DFCP, Chief Technology Officer at Vestige Digital Investigations