Is Data Gone When You Delete It?
When we get calls at Vestige on cases involving possible deletion of data, we usually get one of two questions:
- Nothing is ever really deleted, is it?
- We fear that they may delete data and then we’ll never know what it was, right?
Both of those questions can be answered with a “yes” and “no” but are better answered with “it depends”. So let’s dive into what happens when you think you’re deleting data.
Let’s start with a basic understanding that files take up space on a hard drive. There is also a file system, which governs and manages the files and folders in a database.
When you delete a file on a Windows computer (whether the file is on the computer or on a USB drive), Windows just tells the file system to mark the file as deleted. The filename and other metadata are removed from the active list of files. However, in the space where the file exists, nothing happens. The file system now knows it can use that space, but until it needs it, the data is recoverable. Oh, and remember that filename and metadata? Those are recoverable until the file system needs that space in the database for other files. So in an ideal situation, when a file is deleted one can recover the contents as well as the name and other metadata. In a not-so-ideal situation, one may have just the file name left or just the data left.
Note that in the above explanation we specifically said “Windows computer”. In the Mac world, it is a bit different. The deleted data is still recoverable as described previously, but recovering the file name and other metadata is, for the most part, not going to happen.
Another caveat to recovering deleted files is the type of hard drive that contains the data. Years ago all hard drives were magnetic spinning discs — read in a similar fashion to a record player or CD. Since then a new type of hard drive has emerged in popularity, the Solid State Drive (SSD). With SSDs, if implemented correctly (which many are not), shortly after a file is deleted, the file’s contents are overwritten by a process that is triggered by the hard drive itself. In these cases, recovery is not likely.
Recovering deleted data in your email depends on how the emails were viewed. Recovery is easier if the person reviewing the emails used Outlook, Thunderbird or another email application. In these cases, the emails are stored in one or more database files. Deleting data from these database files is very analogous to the example given above with deleting files. The content of the email still exists and one can usually hope to find in what folder that email resided. Until the area occupied by the content of the email is deleted, a forensic examiner can recover that email. The one caveat to this scenario is when one is using Lotus Notes. From experience and research, email recovery from a Lotus Notes environment is usually not possible.
If the individual was merely using a web browser to view email, recovery is much more difficult. When using a web browser, the email stays on the server. Only temporary copies of emails are downloaded to the computer for viewing in the browser. This process is akin to visiting websites where the files and pictures from the website are stored as Temporary Internet Files. When an email is deleted, it is deleted from the server itself. However, it is possible that a copy of that email remains on the computer in the Temporary Internet Files and can be recovered. Past experiences show varying degrees of success with this method.
Our discussion on recovering data has centered on computers and external drives but, as we all know, cell phones and tablets are major players in today’s technology. What about recovery of deleted data from these devices?
Most cell phones use databases for storing data such as contacts, calendars, call logs, text messages and emails (when emails are stored locally and accessible). In those cases, recovery is very similar to what was described above when talking about recovering emails viewed in Outlook and similar programs. The contents still exist in the database until such point in time that the database decides it needs that space. But there are a couple of things to remember with recovering deleted data, particularly text messages.
- Because of the recovery process, a recovered text message will likely stand on its own and not be connected with a conversation thread.
- If the custodian’s practice is to delete right after receiving or sending a message, typically the database will just keep reusing a very small amount of space for new messages, overwriting the deleted messages.
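The database behaviour described above for phones (and for the email database files earlier), shown as an added example that is not part of the original post. It assumes the store is SQLite, which the post does not name, and uses constructed messages; the table and function names are hypothetical.

```python
import os
import sqlite3
import tempfile

# Constructed sample data: three text messages; id 2 is the one deleted.
MESSAGES = [
    (1, "Running late, be there in ten"),
    (2, "Invoice 4471 approved, wire goes out Friday"),
    (3, "Thanks, see you tomorrow"),
]
MARKER = MESSAGES[1][1].encode("utf-8")

def build_and_delete(path, secure_delete):
    """Create a message store, delete row 2, return the open connection."""
    conn = sqlite3.connect(path, isolation_level=None)  # autocommit
    # Set explicitly: some SQLite builds ship with secure_delete ON.
    mode = "ON" if secure_delete else "OFF"
    conn.execute(f"PRAGMA secure_delete = {mode}").fetchall()
    conn.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO message VALUES (?, ?)", MESSAGES)
    conn.execute("DELETE FROM message WHERE id = 2")
    return conn

def visible_to_app(conn):
    """Row ids an ordinary query (the messaging app) still returns."""
    return [r[0] for r in conn.execute("SELECT id FROM message ORDER BY id")]

def remnant_in_file(path):
    """Examiner's view: is the deleted text still in the raw file bytes?"""
    with open(path, "rb") as fh:
        return MARKER in fh.read()

def run_demo():
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        plain = os.path.join(tmp, "plain.db")
        conn = build_and_delete(plain, secure_delete=False)
        results["app_view"] = visible_to_app(conn)
        results["after_delete"] = remnant_in_file(plain)
        conn.execute("VACUUM")  # rewrites the file without the freed space
        results["after_vacuum"] = remnant_in_file(plain)
        conn.close()
        wiped = os.path.join(tmp, "wiped.db")
        build_and_delete(wiped, secure_delete=True).close()
        results["secure_delete_on"] = remnant_in_file(wiped)
    return results

if __name__ == "__main__":
    print(run_demo())
```

The deleted message is invisible to a query yet still present in the file until the database rewrites that space (here forced with VACUUM) or the engine is configured to zero freed space at delete time.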
With recovering deleted files on cell phones, the answer is “it depends”. More and more cell phones (Apple and newer Androids) have what is called an encrypted file system. In this scenario each file has its own encryption key. When you delete data, the encryption key is destroyed. When that occurs, recovery is not likely.
The hope is that this blog post didn’t frustrate you with various caveats and scenarios in answering the question “is data gone when you delete it”. There is a point to explaining all of these scenarios and that point is to drive home the idea that “it depends”. When considering whether to retrieve deleted data, do not fear that all is lost but do not expect all to be found. That said, the longer you wait to preserve a device that has deleted content, the less likely recovery will be. Continue reading the second part of this series where we discuss how to permanently delete files on your computer.
by Greg Kelley, EnCE, DFCP,
Chief Technology Officer at Vestige Digital Investigations