Your guide to retrieving deleted files

Hitting delete will not completely erase data from your systems, so how can you retrieve the data if you need it, and how can you be sure that it’s really gone?

It was 4pm and all that could be heard in the office was the gentle tapping of keys, some mumbled conversations on the phone… and a frantically thrashing hard drive. The hard drive in question was on an employee’s laptop, and it was thrashing because the employee was trying to delete gigabytes of downloaded porn before handing...

his laptop over to his boss.

Unfortunately for him, his boss was about to hand the laptop over to a team managed by Jarrod Haggerty. Haggerty, who came to the UK in 2004 after working for years as a police officer in Victoria, Australia, is now a director of PricewaterhouseCoopers’ Forensic Technology Solutions operation.

Haggerty has made it his business to undelete deleted files, which is precisely what his team did when it got the laptop. There, languishing on the hard drive, was the porn: gone, but not forgotten.

“A client might say that they want to make an operation covert, and we say that we are quite happy to make it overt. Because if there is anything on their machine that they think is incriminating, they will often delete it in the two hours before we get there,” Haggerty says.
All his team has to do is check the time stamp information that shows what files the employee deleted and when. The evidence is then handed to them on a platter.

And that is the problem with electronic information. Dragging something to the wastepaper basket does not get rid of it at all. Corporate embezzlers or illicit internet surfers trying to cover their tracks will need either a lot of knowledge or a lot of luck to be successful.

Information about that data, along with the data itself, will be smeared all over the hard drive in temporary swap files and registry entries. In many cases, the original file will still be found intact.
When a user deletes a file, they want it to disappear as quickly and conveniently as possible, so pressing delete or dragging it to a wastepaper basket makes sense. But for the computer, which will have scattered parts of the data all over the hard drive, it is more efficient to delete just the information about that file, rather than the file itself. The file stays there, but the operating system – and the user – cannot see it.

If the user tries to format the drive, nothing will change, says Simon Janes, a former head of the Computer Crime Unit and now operations manager for computer forensics firm Ibas. “When you format the drive, you are just drawing boxes showing where the new data will go,” he says.
Popular file systems all use the same basic principles. Information is stored on sectors on the hard drive, and probably scattered around depending on how fragmented the files are. An index contains information about all of the files, including the disc clusters where they can be found.

The Fat file system, used mainly in Dos and versions of Windows before 2000, indexes the files in a file-allocation table, containing pointers to the clusters where parts of a file are stored. The NTFS system, used from Windows 2000 onwards, uses the Master File Table to do the same thing, although it stores metadata about its files differently, using a binary tree.

One of the biggest problems for digital forensics experts is overwritten data. Once a file system has deleted a file, it marks the clusters where pieces of the file were stored as available, meaning that when another file is created on the drive, you risk overwriting the original file data in that cluster.

Unfortunately, modern computers have a habit of creating system files behind the scenes as a result of even the most basic actions, which means that even shutting down a computer can overwrite deleted data. “If you find a machine that is on, the best practice is to pull the plug on the machine so that you do not write to the registry or anywhere else on shut down,” says Haggerty.

Once data has been overwritten with another magnetic signal, it becomes much more difficult to retrieve. This has led to a market for data-wiping tools, enabling users to truly delete their data by overwriting deleted files. Different algorithms provide different levels of file security. The Guttman algorithm, for example, serves the truly paranoid, overwriting file data seven times.
The latest Windows operating system, Vista, does not have a secure delete function that would truly delete a file by overwriting. Mac users have an easier time of it; OS X includes a secure delete function that you can select when emptying the recycle bin.

But even then, it is sometimes possible to scrape some data from the hard drive, says Fred Smith, principal consultant at computer forensics firm Detica Forensics. Some older disc heads can be slightly adjusted to read data at the very edges of a magnetic track. Moving them slightly may enable experts to pick up magnetic data that an overwrite did not touch.

However, techniques such as these add greatly to the cost of recovery. Moreover, new disc technologies designed to increase density, such as perpendicular magnetic recording, will only make it harder to recover such data.

“It is a game of cat and mouse,” says Smith. “It will not make it easier. We always have new challenges in forensics, and that is going to be one of them .”

The use of these tools can itself be a tell-tale sign. Haggerty recalls an investigation where two parties were suspected of withholding subpoenaed information. The court called in his team to try to find out who was holding back. One of the systems they checked had no tell-tale data on it at all. In fact, it was suspiciously clean. But the one thing that was on there was evidence of the tool that the company’s employee had installed on the drive to scrub the data.

Data overwriting can also take significant amounts of time (hours to destroy just a few gigabytes), so data overwrites may not be the best option for companies wanting to wipe their data on a large scale. With that in mind, how can a firm truly destroy its files?

Large degaussers are one approach. These systems blast magnetic discs with a powerful magnetic field and they are very effective. But there is a drawback, warns Janes. “If you are doing a high volume, the degausser is faster, but they are very expensive. It is not something that a small business with 50-60 machines will do,” he says. Unless a company is doing this on a large enough scale to make it worthwhile, the cost involved may be prohibitive.

With the per-megabyte price of disc storage constantly dropping, the other alternative is simply to trash the disc. Opening up the drive and taking sandpaper to the surface is a quick and easy method, as is taking a hammer to it.

However, Ralph Harvey would prefer to encrypt it. Harvey is the CTO for Forensic & Compliance Systems, which sells an e-mail and instant-message archiving appliance that uses encryption to protect stored data.

“If you store data encrypted, which we do, then unless you have the key, you essentially have anti-forensic storage,” he says. “It is as though you have already bit pattern-wiped the disc.”
That is debatable, however, given that encryption keys can be lost or stolen. The company also defaults to Data Encryption Standard (DES), which has already been shown to have flaws. That is why it was superseded with triple DES and then the Advanced Encryption Standard (AES).

Nevertheless, Harvey points out that a Java-based system included with the equipment allows customers to substitute DES with their own encryption mechanism.

Even if an embezzler is technically savvy enough to wipe all of the data from a PC, forensics experts still have other media to pick through. These include USB sticks, which, like hard drives, do not really remove data when it is deleted. It is all still there, on the stick’s flash memory.

And now, thanks to the increasingly popularity of smartphones, mobile phones can yield up a bumper crop of information. “We can take an image of the Sim card, which may have local contacts stored on it. The other is the phone, which could have hundreds of megabytes of Ram,” says Haggerty.

Finally, like hard drives and USB sticks, any removable media used by the phone will have latent information on it, ready to be scrutinised.

Those choosing the file-wiping route might be surprised by the amount of information that can be found in the average PC. For example, you may have copied a file to a USB stick and then deleted it from the drive. Then, for good measure, you may have gone back in and overwritten that data, either by creating lots of new files, defragmenting the PC, or using a specialist tool.
But what you may not know is that, depending on how you copied the file, the PC’s Windows Registry is likely to have noted the insertion of the USB stick and the copying of the file – complete with its title and a time stamp.

Document metadata can also contain a lot of information. This is less true today than it was in the past, with earlier versions of Microsoft Office being particularly useful to data detectives.
Some versions of Word, for example, used to create a global unique identifier (GUID), which would be based partly on the message authentication code address of the computer used to create the file. This would give forensics experts a direct pointer to the machine (and possibly the person) that created the document.

However, even though this GUID was stripped from the program in later versions, documents continue to yield up useful secrets for investigators. Experts say that they can still harvest substantial information, especially if features such as Word’s change-tracking and review features are switched on.

All this information in security means two things for IT departments. First, the information on PCs and other devices gives them a useful foundation for forensic analysis should the need arise.

Bear in mind, however, that the extent to which forensic experts can legally snoop around on hard drives depends heavily on the rights that employees signed over in the contract of employment.

Second, the ease with which deleted information can be retrieved should make companies paranoid about any equipment leaving their building. If you can snoop on corporate secrets then so can other people – and that is a clear and viable business risk. 

Forensic e-mail helps meet compliance >>

Information security: A stronger staff >>

High-tech crime is put on trial >>

Security special report: The internal threat >>


Read more on Computer storage hardware