As we all know, digital forensic evidence is very useful for enforcing and applying the law. But can governments recover files that have been permanently deleted? Some people believe that when files are deleted from the hard drive, they are erased and cannot be recovered. However, with enough effort and technical skills, deleted files, documents, and images can often be recovered. So, how is deleted files recovered and can files really be restored in all cases? This is what we will explore in this article.
Certainly, some judicial authorities give their officials the right to examine electronic devices in most cases. In some cases, governments can even examine electronic devices without a warrant to obtain evidence. However, law enforcement must adhere to a set of rules and procedures to ensure the admissibility of evidence. Ultimately, these are all legal matters that are beyond our control, so we will focus on the technical aspects that concern us.
First, to understand the full picture, there are many factors that determine the process of recovering deleted files, which also determine the ease or difficulty of recovering these files. Among the most important factors is the type of hard drive used and whether it has been encrypted or not. For example, there are different types of hard drives like Solid State Drives (SSD), which are known for their high speeds, and Hard Disk Drives (HDD), which have been the dominant storage mechanism for many years. Both of them have a significant impact on the process of recovering deleted files. But why is that? To understand the reason, one must first learn how the writing and deleting processes are managed in hard drives.
How Hard Drives Manage Writing and Deleting Operations
To begin with, it is important to note that Hard Disk Drives (HDD) use a part called magnetic disks to store your data. If you have ever dismantled a hard drive, you will notice a circular, silver part, which is the magnetic disks. These disks spin at very high speeds, ranging from 5400 to 7200 revolutions per minute during normal use. Some drives can spin at 15000 revolutions per minute, which is quite extraordinary!
These disks have heads responsible for reading and writing operations. When you save a specific file, the head moves to a designated part of the disk and converts the electrical current into a magnetic field to complete the reading and writing operations. But how do these heads manage an infinite number of different files?! The answer lies in something called the allocation table, which contains a record assigned to each file stored on the hard drive.
Now, after explaining how hard drives manage writing and storing data, we move on to the other part, where we will explain what happens when a file is deleted. As mentioned earlier, each file has a designated record on the hard drive. So when a file is deleted, its record is deleted from the hard drive, making the space previously occupied by the file empty and available for later use. However, the data of this file is not permanently deleted as it still exists on the magnetic disks. It is only marked as available for new data to be written in later. This makes recovering deleted files from Hard Disk Drives (HDD) relatively easy. You can also learn more about how recovery software works and how you can recover deleted files, as we discussed in detail in a previous topic.
Read also: Our successful experience in recovering deleted photos and videos from a flash drive
Are SSDs like HDDs or are they different?
Solid State Drives (SSD) are completely different from Hard Disk Drives (HDD). They pose a significant challenge for governments in recovering deleted files, as they do not have moving heads or magnetic disks. Instead, they represent files in the form of electrons stored in trillions of floating transistors, which combine to form chips called “NAND flash chips”. It is a somewhat complex process, but in general, the nature of how SSDs work, different from HDDs, makes them capable of erasing traces of deleted files.
In addition to not writing any new data unless the block or space is completely empty, SSDs receive a command called “TRIM command” to inform the SSD about blocks that are no longer needed. This makes deleted data significantly more obscure from government and investigators. Given that SSDs can endure a limited number of write operations, it is important to distribute them across the drive to reduce wear and tear from daily use.
This technology, known as wear leveling, makes recovering deleted files much more difficult. All of these factors, along with the fact that SSDs are often not physically removable from the device, as some manufacturers choose to solder the storage drives onto the motherboard, make it much harder for law enforcement professionals to extract content properly. This is unlike hard disk drives, which are always replaceable.
Real Complications and Challenges
After all these considerations, we can conclude that governments can sometimes recover files that you have deleted from your device. However, advances in storage and encryption technology have greatly complicated matters. Despite this, technical challenges can often be overcome. The main problem when it comes to digital investigations is that governments do not have enough mechanisms and resources. There are not enough trained professionals to perform these tasks, and as a result, many law enforcement agencies around the world face overwhelming accumulation of data on phones, laptops, and unprepared servers. Unfortunately, this problem cannot be solved without spending more money on training and hiring individuals with the professional capability to perform these tasks.
