I remember way back about 12 years ago when I got my first computer. It was an HP Pavilion desktop. I stored my music on the machine, and one day I accidentally deleted one of my music tracks from the hard drive. At the time I didn’t have a CD of the track, so it seemed lost for good.
Fast forward 12 years: I still have that computer, and one day I decided to put my digital forensics knowledge to use. I removed the hard drive and imaged it. Using the imaging program I performed a triage on the hard drive and poked around to see what was on it. I was not surprised to see the music track that I thought 12 years ago was gone for good. During my forensics training I learned that deleted data may not be gone from the hard drive for good. So I used the imaging program to recover the data, and all was well. So how do computers store data, and why can the data still be there after it is deleted?
When a file is created on a hard drive the operating system needs to allocate space for that file. On NTFS (New Technology File System) formatted hard drives there are two ways the operating system searches for unallocated space; I’ll describe one of them.
One way Windows searches for unallocated space is to comb the hard drive and allocate the first run of unallocated space it finds that is big enough to hold the file. The file’s data is then placed into that space. Here’s an analogy:
A family of three enters a theater and needs to find three seats to accommodate them. So they search for the first three seats that are next to each other and empty. The empty seats are the unallocated space, the seats that are taken are allocated space, and the family is the data. When the family finds the seats they sit in them, and the seats are allocated to the family.
When a file is created and space is allocated to it, a file name is chosen by the user to identify that file. The operating system uses this file name to find the file’s metadata entry. Metadata is data about data. For example, when you create a document in Microsoft Word, the file usually has a creation time, a modified time, an author, and a file size. That is the Word document’s metadata. Once the metadata entry for the file is found, the entry points to the file’s content, which is just the file’s actual data. So when you double click a document to open it, the operating system starts the program that will view the file, uses the file name to find the metadata entry, follows the entry to the file’s content, and the content is displayed in the viewer.
When a file is deleted from a computer, is it truly gone for good? It depends. When a file is deleted (say by right clicking on the file and clicking Delete), all the user is doing is telling the operating system to lose track of the file and unallocate the space that was given to it. The file’s data is still there. It’s kind of like ripping an index entry out of a book: the index entry may be gone, but the chapter is still there. The only time a file is truly deleted from a computer is when the space the deleted file occupies is overwritten by another file, or when a forensic cleaning program is used to wipe the unallocated space. Once a file is deleted, even though the data is still there, the operating system cannot recover it on its own. Special programs need to be used to find the deleted data.
To show the concept of this I’ll do an experiment using one of my thumb drives.
First I have to create some test files.
After that I confirm with both the GUI and the command line that the three files are on the thumb drive.
Next I delete two of the test files.
Both the GUI and the command line show that two of the test files have been deleted. From here Windows on its own cannot recover the files, even though they are still present on the drive. To show that the files are still there I’m going to use some forensic techniques.
First I image the thumb drive.
Next I import the image file into the Autopsy forensic browser and display the files that are contained within the image file.
The files with the red names are the files that I deleted. The content is still there, but the space it occupies has been unallocated, so another file’s content can take it over.
So, with all this in mind, still be careful when you go to delete something. Make sure you really want it gone. But at least there is still hope for getting the data back. Thanks for reading!
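To make the mechanism concrete, here is a toy volume written for this post (it is an added example, not Windows, NTFS or Autopsy code) that models the pieces described above: a flat array of blocks standing in for the drive, a first-fit search for free space like the family looking for three empty seats, a directory of metadata entries pointing at content, and a delete that only flags the entry and frees the blocks. It then replays the thumb-drive experiment: create three files, delete two, take an "image" of every byte, and recover the deleted files both from their still-present metadata entries (what Autopsy shows as red names) and by carving the unallocated blocks directly. Finally it creates a new file so you can watch the first-fit allocator reuse the freed space and overwrite part of the old content. The block size, file names and file contents are all constructed for the demonstration.

```python
BLOCK_SIZE = 16   # constructed: tiny blocks so the overwrite is easy to see
NUM_BLOCKS = 32


class ToyDisk:
    """A toy volume: a block array, an allocation bitmap and a directory of
    metadata entries. Built for illustration; not a real file system."""

    def __init__(self):
        self.blocks = bytearray(BLOCK_SIZE * NUM_BLOCKS)  # the raw "drive"
        self.allocated = [False] * NUM_BLOCKS             # which blocks are in use
        self.directory = {}                               # name -> metadata entry

    def _first_fit(self, n):
        # First run of n consecutive free blocks: the family taking the
        # first n empty seats in a row.
        run_start, run_len = 0, 0
        for i, used in enumerate(self.allocated):
            if used:
                run_start, run_len = i + 1, 0
                continue
            run_len += 1
            if run_len == n:
                return run_start
        raise OSError("no run of %d free blocks" % n)

    def create(self, name, data):
        nblocks = max(1, (len(data) + BLOCK_SIZE - 1) // BLOCK_SIZE)
        start = self._first_fit(nblocks)
        for i in range(start, start + nblocks):
            self.allocated[i] = True
        offset = start * BLOCK_SIZE
        self.blocks[offset:offset + len(data)] = data
        # The metadata entry records the size and where the content lives.
        self.directory[name] = {"start": start, "blocks": nblocks,
                                "size": len(data), "deleted": False}

    def read(self, name):
        entry = self.directory[name]
        if entry["deleted"]:
            raise FileNotFoundError(name)  # the OS has "lost track" of it
        offset = entry["start"] * BLOCK_SIZE
        return bytes(self.blocks[offset:offset + entry["size"]])

    def delete(self, name):
        # Flag the entry and free its blocks. The bytes themselves stay put.
        entry = self.directory[name]
        entry["deleted"] = True
        for i in range(entry["start"], entry["start"] + entry["blocks"]):
            self.allocated[i] = False

    def listdir(self):
        """What the GUI or dir command shows: only live entries."""
        return sorted(n for n, e in self.directory.items() if not e["deleted"])

    def image(self):
        """What a forensic imager captures: every byte, allocated or not."""
        return bytes(self.blocks)


def recover_deleted_entries(disk):
    """Follow directory entries flagged deleted (the red names in Autopsy) to
    whatever bytes currently sit at their recorded location."""
    img = disk.image()
    found = {}
    for name, entry in disk.directory.items():
        if entry["deleted"]:
            offset = entry["start"] * BLOCK_SIZE
            found[name] = img[offset:offset + entry["size"]]
    return found


def carve_unallocated(disk):
    """Scan blocks the bitmap calls free and return any that still hold
    data, without consulting metadata at all."""
    img = disk.image()
    leftovers = []
    for i, used in enumerate(disk.allocated):
        if not used:
            chunk = img[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            if any(chunk):
                leftovers.append((i, chunk.rstrip(b"\x00")))
    return leftovers


def run_experiment():
    """Replays the thumb-drive experiment on the toy disk (constructed data)."""
    disk = ToyDisk()
    disk.create("test1.txt", b"first test file")
    disk.create("test2.txt", b"second test file, a bit longer")
    disk.create("test3.txt", b"third test file")

    disk.delete("test1.txt")
    disk.delete("test2.txt")
    visible = disk.listdir()                   # the OS view after deletion
    recovered = recover_deleted_entries(disk)  # the forensic view
    carved = carve_unallocated(disk)

    # A new file takes the first free run, overwriting part of the old content.
    disk.create("new.txt", b"NEW DATA NEW DATA NEW DATA NEW")
    after_overwrite = recover_deleted_entries(disk)
    return visible, recovered, carved, after_overwrite


if __name__ == "__main__":
    for label, value in zip(("visible", "recovered", "carved", "after overwrite"),
                            run_experiment()):
        print(label, "->", value)
```

The two recovery paths differ in what they need: recover_deleted_entries depends on the old metadata surviving, which is why forensic browsers can still show a name and size, while carve_unallocated only needs the raw image and so keeps working after the directory entry is reused. Either way, once new.txt lands on the freed blocks, the recovered bytes for test1.txt and test2.txt are a mix of old and new content, which is the "overwritten, truly gone" case from the text.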