Understanding Deleted Files and What They Mean
Attorneys who need to read and understand reports by computer forensics professionals and/or who need to present recovered files as evidence should understand how files are stored on computers and mobile devices, what happens when they are deleted, how they can be recovered, and know the limits on file recovery.
Before diving into the details of deleted files and how they are recovered, we need to understand how files are stored. Every computer storage device--hard drive, thumb drive, SSD, CD-ROM--has a "filesystem" that dictates how files are arranged and stored on that device. Filesystems maintain metadata about each file they store including the name of the file, the user who created or owns the file, the time it was created or modified, and the addresses or locations where the file is actually stored. They also divide their storage space into allocation units or "blocks" to make it easier to manage.
As an example, suppose I prepare my monthly budget using Microsoft Excel and save it as "Sep2017budget.xlsx". The metadata for the file might show that the file is owned by "Steven", was created at 12:00 PM on September 1, 2017, was last modified at 1:37 PM on September 2, 2017 and uses 10 blocks of space starting at location 100,126 and another 8 blocks starting at location 255,211--a total of 18 blocks. As a user, I might be interested in the time stamps--e.g. to distinguish between drafts of a document--but I won't ever care what locations were used to store the file. When I open the file again using Excel, the program will read the data from these locations on my behalf so that I can view or edit the file. For data recovery, however, those locations are very important.
Microsoft Windows uses the NTFS filesystem. NTFS has a "master file table" or MFT that serves as a table of contents for a hard drive. When a file is created, a record is added to the MFT. When a file is deleted, the record associated with that file is NOT erased. Instead, it is flagged as available for reuse. When Windows creates or saves a new file, it will always look for an existing MFT record that is flagged for reuse before adding a new one to the table. What this means is that the record for a deleted file (including the name and list of storage locations) can potentially last for a long time.
When a file is deleted, the storage for that file is marked as "free" to show that it is unused or available. In most cases, this storage is NOT overwritten until another file is assigned to these locations. This means that the contents of a deleted file can also potentially last for a long time. The term "free space" refers to all of the storage locations that are not currently in use by any files. When a file is deleted, all of its storage locations become part of free space.
Writing or saving additional files will eventually cause the previous file contents and metadata to be overwritten. This is why it is important to preserve evidence early and not continue using a computer or device that may have recoverable data.
Data recovery and forensics software can recover deleted files (on Windows/NTFS) by looking for entries in the file table that have not been overwritten. If the entries are still in place, they will show the locations where the file was stored. If those locations have not been reused by a new file, the original file can be completely recovered. If some but not all of the locations have been reused, partial recovery may be possible. If all of the locations have been reused, recovery is not possible.
Other filesystems are similar to NTFS but there are differences. The FAT filesystem, often used for USB/thumb drives, does not have a master table like NTFS but stores the file names and starting locations separately for each directory. Unfortunately, FAT will only remember the starting location for a deleted file. Many files, especially large ones like videos, are stored in multiple pieces. This means that we will often only recover the first piece of a large file that was deleted from a thumb drive. The HFS+ filesystem, used on Mac and Apple devices, is much more complicated and frequently reorganizes its metadata so that it can be searched and used efficiently. This means that metadata for a deleted file on a MacBook will probably not survive as long as on a Windows PC.
If the metadata is gone, e.g. the MFT record for the file was reused, we may still be able to recover the file. Most file types--e.g. JPG, PDF, XLS--have specific formatting requirements which usually include a special "header" value and sometimes a "footer" to show the beginning and end of the file. In addition to searching the file table, most data recovery and forensics programs can recover deleted files by searching the free space (also called unallocated space) on a hard drive for the header and footer values associated with different types of files. This technique is called "carving".
Carving is not as reliable as using metadata to recover a file because we generally have to assume that the file was stored in one contiguous piece which is often not true. This can result in partial recovery where the end of the file is actually made up of data from a different file. For example, we might recover a video that will not play after the first twenty seconds or a picture where everything below the first half of the picture is visibly garbled.
There are times when deleted file recovery and/or carving are not possible. Disk encryption often prevents the recovery of deleted files. Mobile phones generally do not allow us to access free space or directly access metadata to attempt deleted file recovery. Many solid-state disk (SSD) drives implement a feature whereby storage locations that are marked for reuse are automatically zeroed out (overwritten with the number 0).
The recovery of deleted files can often add important evidence to a case. It's important to realize, however, that we are often missing information and should be careful about reaching conclusions that are unwarranted. When a file is still live, we can tell where it was stored and who owned it (e.g. "Sept2017budget.xlsx" is owned by "Steven" and stored in the "Finances" folder on Steven's desktop). When we recover a deleted file, even completely, we may not have the metadata that shows which directory or folder the file was stored in. If we use carving to recover a file from unallocated (free) space, we will not be able to show the time stamps for the file, who owned it, or what folder it was stored in. This is particularly important in cases that involve contraband (e.g. pornography in a work setting, or child pornography in any setting). We should not assume that files carved from free space belong to the current user of the computer unless we have other evidence to support that.
Even on a computer that has only had a single owner, it's possible that files carved from free space were put there by someone else. For instance, they could have been downloaded by an employee at the store that sold the computer. Last year, I ordered a box of thumb drives. When I plugged in one of the drives, I discovered that it contained professionally-taken photos from a dance studio. A forensic examiner may be able to provide evidence to support the contention that carved files belonged to a particular user. For example, the examiner might show that the files are consistent with Internet searches conducted by that user or that the operating system cached thumbnail images of the same pictures.
If the metadata and data are still present, we can usually recover a file. If the metadata is missing but the data is present, we might be able to recover the file, at least partially, by "carving". If the data is not present, the file cannot be recovered.
We should not assume that files recovered from free space belonged to a particular user unless we have other evidence to support that notion.
Filesystem: The manner in which files and storage are organized on a hard drive or other device.
File table: A list of files including their metadata and storage locations.
Free space: The area of a hard drive that is not currently in use by any files. May contain deleted files.
Carving: A method of recovering deleted files by searching free space for header and footer values for specific file types.
Steven is the founder of Trace Digital Forensics, LLC and has over nineteen years of experience in Information Technology. He has a master's degree in Information Security specializing in Digital Forensics and several certifications including the EnCase Certified Examiner (EnCE) and Certified Information Systems Security Professional (CISSP).
Copyright Trace Digital Forensics, LLC
Disclaimer: While every effort has been made to ensure the accuracy of this publication, it is not intended to provide legal advice as individual situations will differ and should be discussed with an expert and/or lawyer.For specific technical or legal advice on the information provided and related topics, please contact the author.