By Amanda Urrutia
May 21, 2018
Whether on a computer, cellphone or tablet, data will be deleted intentionally or accidentally. Can it be recovered? How does it work? What if the information in question was deleted weeks, months or even years ago? How far back does the rabbit hole of recoverable data go?
Analogy for the Ages
Imagine a train. Each train car is a sector on a computer. Data, or for the train let’s say gold, is deposited into those sectors (train cars) until they’re completely full. If you have an order of gold that perfectly fills four train cars, that’s the contents of a single file. Whenever the conductor, or computer, goes to read the file, it looks at those specific train cars—we’ll call them Cars A1-A4.
Now we have a second order of gold that fills up two and three-fourths cars—Cars B1-B3. And you have a third order of gold on the way! To keep the shipments (or files) sorted, the entirety of car B3, even though it has a quarter of its space remaining, is assigned to shipment two. No more gold can be added to it, and it goes on its way. The leftover space is written off as “slack.” The third order comes in and is six train cars long, assigned Cars C1-C6.
The payment on shipment two didn’t go through, and the client doesn’t want it for whatever reason, so you need to find out what to do with it (delete it). To keep the rest of your train station (computer) running smoothly and not get the car orders mixed up, you rebrand Cars B1-B3 as $B1-$B3. This way they are no longer listed on your manifest (the available space on the computer).
However, time passes, and you’re running out of unused train cars, so you need to start repurposing the ‘$’ labeled cars. The first cars that were rebranded were ‘$B1-$B3’, so you pull them out to fulfill your newest shipment, iron, which requires two and a half cars. Now imagine that only the exact amount of space needed is emptied and refilled. The first two cars in the set are completely replaced with the new iron shipment. However, in the third car, there are still remnants of the gold. Remember, the initial order of gold was two and three-fourths cars full, so a quarter of a car of the original gold remains sitting alongside the new iron. When we bring the analogy back to computers, this is called ‘file slack.’ We mentioned that the leftover space in the car for the original shipment was written off as slack. In that case it was mostly empty space holding no information. Now the same space still exists, but it is filled with remnants of the original shipment, which carry traces of information. In computers, this information can give us some insight into the file.
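The train analogy, worked through as a toy cluster model (an added example, not code from the article or a real file system): cars are fixed-size clusters, a manifest records which cars a file owns, deleting a file only edits the manifest, and a "carve" scan shows what an examiner can still find afterwards. The optional wipe step previews the overwriting tools discussed later under unrecoverable data. Cluster size, file names and the byte payloads are constructed for readability.

```python
# Constructed toy model of the train analogy (added example, not from the
# article): cars are fixed-size clusters, the manifest says which cars a file
# owns, and deleting a file only edits the manifest. Sizes are tiny on purpose.
CLUSTER = 4  # bytes per cluster, i.e. one "train car"

class ToyDisk:
    def __init__(self, n_clusters):
        self.data = bytearray(n_clusters * CLUSTER)  # raw cluster contents
        self.manifest = {}                            # name -> cluster indexes
        self.free = list(range(n_clusters))           # unallocated clusters

    def write(self, name, payload):
        # Allocate whole clusters, rounding up, but write only len(payload)
        # bytes: the tail of the last cluster (file slack) keeps its old bytes.
        need = -(-len(payload) // CLUSTER)
        used = [self.free.pop(0) for _ in range(need)]
        for i, c in enumerate(used):
            chunk = payload[i * CLUSTER:(i + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.manifest[name] = used

    def delete(self, name):
        # The "$" renaming: cars return to the front of the free list (so they
        # are reused first) and their contents are left untouched.
        self.free = self.manifest.pop(name) + self.free

    def carve(self, marker):
        # Examiner's view: scan every cluster, allocated or not, for the marker.
        return [c for c in range(len(self.data) // CLUSTER)
                if marker in self.data[c * CLUSTER:(c + 1) * CLUSTER]]

    def wipe_free(self):
        # What a sanitisation tool does: overwrite every unallocated cluster.
        for c in self.free:
            self.data[c * CLUSTER:(c + 1) * CLUSTER] = bytes(CLUSTER)

def scenario(wipe_before_reuse=False):
    # A 2.75-car gold order is deleted, optionally the free space is wiped,
    # then a 2.5-car iron order reuses the same cars.
    d = ToyDisk(8)
    d.write("gold", b"G" * 11)          # 11 bytes over 4-byte cars = 2.75 cars
    d.delete("gold")
    if wipe_before_reuse:
        d.wipe_free()
    before = d.carve(b"G")              # cars still holding gold after deletion
    d.write("iron", b"I" * 10)          # 2.5 cars
    after = d.carve(b"G")               # only the third car's slack, if anything
    return before, after, bytes(d.data[2 * CLUSTER:3 * CLUSTER])  # third car
```

Without the wipe, the third car ends up as two bytes of iron, one byte of leftover gold and one byte of untouched slack; with the wipe, carving finds nothing.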
Data Recovery and You
When recovering deleted files, the metaphorical “gold mine” is when we find a car that has not been repurposed or data that hasn’t been written over. These are the files that we can view and present mostly in their entirety. The simplest factors that contribute to this state are file size and time since deletion.
When dealing with file slack, most of the time the file cannot be recovered in full. However, what remains of the file can still be viewed with our forensic tools. Depending on the type of file, URLs, portions of a message, or parts of a document may be visible. But it is rarely ever used for its content. Instead, files like these are valuable for their metadata, the embedded information in a file which can tell us when the file was last accessed, written, and sometimes even deleted, among other things.
This is the most common way of storing data; however, it is not the only way. Solid state drives, for example, have a completely different way of reading and writing data, which over time slows down and can crash the device.
The Time Factor
As stated earlier, the biggest factors in recovering deleted files have to do with size and how long the files have been deleted. If a device has a file that was deleted and then not touched for five years, the file may very well still be recoverable. However, if the device had been used regularly every day for five years, with new files being added, deleted, etc., the chance of it having any recoverable data from the original file is slim to none.
One of the most common ways a file ends up only partially present is when its data has been replaced, as in the analogy above. Only traces of the file remain, without any of the actual contents.
How Backups Back You Up
When you create a backup of a file, it creates another copy of the file and places it in a location not visible to the operating system. These can be great sources of information for investigators or people wishing to recover files.
There are also some applications that create “backups” while you work. A common example is Microsoft’s Word application, which creates restore points that are stored in the RAM portion of the system’s memory.
What Forensics Can Do
When you bring your device in to be forensically analyzed, you will frequently hear the term “forensic image.” This term describes the information-gathering process in which the source drive is copied in its entirety, encrypted and compressed to a file that can then be loaded into specialized software and analyzed without ever having to touch the actual data on the source drive.
This technique is invaluable to examiners because the information is more than what is available to be seen on the surface. It includes backup areas, the information that makes the entire computer run and everything in between. It’s within all of this information that we are able to see and sometimes recover the files that were lost.
Sometimes forensic software still isn’t enough to recover the data. There could be hardware issues that affect the ability to gain a forensic image. These issues could involve the platters of the hard drive (where the data is stored) being scratched or not functioning at all. The arms, which function like a turntable’s arm and are used to read the data, could be malfunctioning. When dealing with devices like this, a specialist must be called in. They can utilize tools and software to try and repair the drive to working order and see if the data is recoverable.
Data can be unrecoverable for a variety of reasons, from the type of hard drive used to the way it was saved onto the device in the first place.
The typical way this happens is when the data is overwritten. All it takes is one file larger than the deleted file to be saved in its place, and the operating system no longer has a record of it existing. There are also some specialized tools available on the market that can make files unrecoverable using a method similar to what I described—by continuously overwriting the area where the file used to be located.
The file may also become unrecoverable if the file sector (or train car) where the file is located becomes damaged or corrupt. This can happen for a variety of reasons, like overheating, physical damage, a power surge, improper shutdown, etc. Whether and how these files become unrecoverable depends on the device, file system, damage and more.
Hopefully now you know a little more about how data is stored on a device, what happens when you ‘delete’ a file, the way it is stored on the system even after deletion, the ways forensic investigators and data recovery specialists can try and recover the file, and an idea of what makes a file unrecoverable.
If you have any questions about file recovery, keep these tips in mind and contact an Eide Bailly professional for additional information.