Digital Forensics 101: Undeleting a file


Ever wondered why it takes more time to create/copy a file on the storage device than delete it?
If you were to write on paper with a pencil and then erase it, erasing would take about the same effort and time as writing did. In a computer, by contrast, copying a 700MB movie to the disk takes minutes to complete, yet selecting that file and deleting it is done in seconds.
Forensic analysts can "undelete" a file precisely because of this anomaly. When a computer is asked to delete a file, it does not erase the file's contents from the hard disk. Instead, it removes the file's entry from the table that tracks which files exist and where they are stored.
Consider a book containing many stories in no particular order, where the only way to find anything is the index page. The index lists each story's title with its beginning and ending page numbers. To delete a story from that book, erasing its entry in the index is far more efficient than erasing every page: it saves time, and the pages the story occupied now appear blank (according to the index). Anyone searching through the index will not find the deleted story. But it still exists in the book, and a forensic investigator who knows how books are put together will know where to look for it.
Applying this analogy to the Hard Disk:

  • Book ~ Hard Disk
  • Index ~ MFT (Master File Table) on NTFS volumes, i.e. mostly hard disks, and FAT (File Allocation Table) on pen drives
  • Stories ~ Files in the system
  • Title of the story ~ File name
  • Pages ~ Clusters (commonly 4KB memory locations on systems running Windows XP, Vista, 7, 8) – cluster size is operating-system dependent.

When a user connects a storage device (hard disk, flash drive, etc.) to a machine, the software on the computer consults only the index. This is why regular users assume that data, once deleted, is gone forever. A digital forensic analyst, by contrast, uses forensic software that reads the rest of the device, not just the index, and can therefore "magically" recover data that was thought to be lost forever.
Several combinations of situations can arise, however. A file might be deleted and then another file, half the size of the first, written over it; the half that was not overwritten should still be intact. A forensic investigator uses a combination of techniques, chosen according to the situation, to revive such remains of the "lost" file. Many workarounds are often needed, and a well-seasoned professional always works towards maximizing the recovery and minimizing the loss of data.
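The index-and-clusters behaviour described above (deletion removes only the index entry, and a smaller file written afterwards overwrites only part of the freed space), as an added toy model in Python that is not part of the original article. The ToyDisk class, its 8-byte clusters and the file contents are constructed for illustration; a real MFT or FAT is far richer than this dictionary.

```python
# Toy model of the "book and index" analogy: a disk made of fixed-size
# clusters, an index (stand-in for the MFT/FAT) mapping file names to
# cluster ranges, and a recovery step that reads every cluster the index
# no longer references. All sizes and names here are constructed.
CLUSTER_SIZE = 8   # bytes per cluster (toy value; NTFS commonly uses 4 KB)
NUM_CLUSTERS = 8

class ToyDisk:
    def __init__(self):
        self.clusters = [bytes(CLUSTER_SIZE) for _ in range(NUM_CLUSTERS)]
        self.index = {}   # name -> (first_cluster, last_cluster)

    def _used(self):
        return {c for first, last in self.index.values() for c in range(first, last + 1)}

    def _free_run(self, needed):
        """First contiguous run of `needed` clusters the index does not claim."""
        used = self._used()
        for start in range(NUM_CLUSTERS - needed + 1):
            if all(c not in used for c in range(start, start + needed)):
                return start
        raise OSError("disk full")

    def write(self, name, data):
        needed = -(-len(data) // CLUSTER_SIZE)   # ceiling division
        start = self._free_run(needed)
        for i in range(needed):
            chunk = data[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            self.clusters[start + i] = chunk.ljust(CLUSTER_SIZE, b"\0")
        self.index[name] = (start, start + needed - 1)

    def delete(self, name):
        # Only the index entry goes; the clusters keep their bytes.
        del self.index[name]

    def read(self, name):
        first, last = self.index[name]
        return b"".join(self.clusters[first:last + 1]).rstrip(b"\0")

    def unallocated(self):
        """What a forensic tool sees: every cluster the index does not reference."""
        used = self._used()
        return b"".join(self.clusters[c] for c in range(NUM_CLUSTERS) if c not in used)

def demo():
    disk = ToyDisk()
    disk.write("story.txt", b"ONCE UPON A TIME, THE END")   # 25 bytes -> 4 clusters
    disk.delete("story.txt")
    carved_full = disk.unallocated().rstrip(b"\0")          # whole story still there
    disk.write("note.txt", b"hello world")                 # 11 bytes reuse 2 clusters
    carved_partial = disk.unallocated().rstrip(b"\0")       # only the tail survives
    return carved_full, carved_partial
```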
Disclaimer: The above content is generalized and should not be considered a substitute for technical information about digital forensics. It was written with the intent of spreading awareness among regular users.



Good article aimed at creating awareness of forensic "tricks". Do keep posting more, Amulya. I would suggest one on the method of recovering contents of a volatile memory.