Just like a fingerprint, a file can leave behind evidential traces, well after it has been deleted. Here we explore what kinds of information can be recovered after a file has been deleted.
Take for example a business owner suspicious of their ex-employee. The owner believed the ex-employee had taken sensitive information, copied it into a document on the company's work laptop, taken that document to their new workplace, and then deleted it. As forensic examiners, we aid in preserving the data on the laptop, searching for the offending file, and recovering as much information about its usage as possible.
There are a number of locations where evidence of deleted files commonly resides which we use to build a picture of potentially suspicious activity.
When you delete a file, it’s common to think of it like shredding a document, i.e. since I’ve deleted it and I can’t see it in the folder, it must be safely gone forever. This is generally not the case. Provided prompt and correct forensic procedures are followed, it is often possible to recover the deleted file. When a file is deleted using the standard method in Windows, it is simply moved to the recycle bin, where it is fully recoverable. Deleting a file from the recycle bin instructs Windows to forget about the file; however, the data itself may not yet have been overwritten.
After a file is deleted from the recycle bin, the operating system treats the space that file occupied on the drive as “free”, and will overwrite all or part of the data in due course. Using forensic tools, we can process both the ‘active’ and ‘unallocated’ areas of the drive and attempt to reconstruct these partial, damaged, and corrupted files.
Once the automated process of recovering these files is complete, we then use keywords in an attempt to locate the files of interest. As the process is reasonably automated (and successful in locating evidence), we are often instructed by lawyers and investigators to conduct this task.
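The following is an added illustration of the two steps just described, written for this page and not taken from any forensic tool or from the article's own practice: a toy volume whose allocation table is dropped on delete while the sectors keep their bytes, signature-based carving of the unallocated ranges, and a raw keyword sweep that still finds a fragment after a new file has overwritten the deleted document's header sector. The volume layout, the file signatures subset, the "report.pdf" document and the keyword are all constructed for the example.

```python
"""Added illustration (not the article's own tooling): a toy volume with an
allocation table, signature-based carving of its unallocated sectors, and a
keyword sweep that still works when a carved file's header sector has been
overwritten. All data below is constructed."""
from dataclasses import dataclass

SECTOR = 512
MAX_CARVE = 8 * SECTOR          # cap for a carve whose footer is never found

# type name -> (header magic, footer magic); a constructed subset of common signatures
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


@dataclass
class Carved:
    kind: str
    offset: int      # byte offset in the image
    data: bytes
    complete: bool   # footer found within the carve window


def _sectors(nbytes):
    """Round a byte length up to whole sectors."""
    return -(-nbytes // SECTOR) * SECTOR


class ToyVolume:
    """Minimal filesystem model: the table maps name -> (offset, length).
    Deleting a file only drops the table entry; the sectors keep their bytes,
    which is what makes the 'unallocated' area worth examining."""

    def __init__(self, n_sectors=64):
        self.image = bytearray(n_sectors * SECTOR)
        self.table = {}

    def allocated_ranges(self):
        return sorted((off, off + _sectors(ln)) for off, ln in self.table.values())

    def unallocated_ranges(self):
        gaps, cursor = [], 0
        for start, end in self.allocated_ranges():
            if start > cursor:
                gaps.append((cursor, start))
            cursor = max(cursor, end)
        if cursor < len(self.image):
            gaps.append((cursor, len(self.image)))
        return gaps

    def write(self, name, data):
        """First-fit allocation: freed sectors are reused, so new files overwrite old data."""
        need = _sectors(len(data))
        for start, end in self.unallocated_ranges():
            if end - start >= need:
                self.image[start:start + len(data)] = data
                self.table[name] = (start, len(data))
                return start
        raise OSError("volume full")

    def delete(self, name):
        del self.table[name]


def carve(image, ranges):
    """Signature-based carving: for each known header found in a range, take bytes
    up to the matching footer, or MAX_CARVE bytes (flagged incomplete) if none."""
    found = []
    for start, end in ranges:
        for kind, (head, foot) in SIGNATURES.items():
            pos = image.find(head, start, end)
            while pos != -1:
                window_end = min(end, pos + MAX_CARVE)
                foot_pos = image.find(foot, pos + len(head), window_end)
                if foot_pos != -1:
                    found.append(Carved(kind, pos, bytes(image[pos:foot_pos + len(foot)]), True))
                    nxt = foot_pos + len(foot)
                else:
                    found.append(Carved(kind, pos, bytes(image[pos:window_end]), False))
                    nxt = pos + len(head)
                pos = image.find(head, nxt, end)
    return sorted(found, key=lambda c: c.offset)


def keyword_sweep(image, ranges, keywords):
    """Raw keyword search over the given ranges; it does not depend on file
    structure, so it still finds fragments whose header sectors were overwritten."""
    hits = []
    for start, end in ranges:
        for kw in keywords:
            pos = image.find(kw, start, end)
            while pos != -1:
                hits.append((kw, pos))
                pos = image.find(kw, pos + 1, end)
    return sorted(hits, key=lambda h: h[1])


def demo():
    """The article's scenario: a document is written, deleted, then partly overwritten."""
    vol = ToyVolume()
    pdf = (b"%PDF-1.4\n" + b"% padding\n" * 60            # constructed 2-sector document
           + b"CONFIDENTIAL client list: acme, globex\n%%EOF\n")
    vol.write("report.pdf", pdf)
    vol.write("logo.png", SIGNATURES["png"][0] + b"\x00" * 20 + SIGNATURES["png"][1])
    vol.write("notes.txt", b"meeting notes, nothing sensitive\n")

    vol.delete("report.pdf")                                # recycle bin emptied
    after_delete = carve(vol.image, vol.unallocated_ranges())

    vol.write("new.bin", b"\xff" * 20)                      # first-fit reuses sector 0
    after_overwrite = carve(vol.image, vol.unallocated_ranges())
    hits = keyword_sweep(vol.image, vol.unallocated_ranges(), [b"CONFIDENTIAL"])
    return after_delete, after_overwrite, hits


if __name__ == "__main__":
    d, o, h = demo()
    print("after delete:", [(c.kind, c.offset, c.complete) for c in d])
    print("after overwrite:", [(c.kind, c.offset, c.complete) for c in o])
    print("keyword hits:", h)
```

Right after the delete, carving the unallocated ranges returns the whole document (header and footer both present). Once a new 20-byte file reuses the first sector, the header is gone and signature carving finds nothing, but the second sector is still unallocated and the keyword sweep over raw bytes locates the sensitive fragment there. That is the reason the text treats automated recovery and keyword searching as two separate passes: carving needs structure, a keyword sweep does not.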
Even in cases where the files have been fully deleted or corrupted beyond recognition, there may still be other artifacts of interest. For example, there may be thumbnails of images of interest hidden in the Thumbnails database, or records of file access history.