Deleted Files … are they really gone?

Does deleting a file on a computer really mean its lost forever?

Short answer: no. Longer answer: it depends, but probably not.

Given you are still reading this that must mean you are wondering “depends on what?”.

Deleting a File

Deleting a file in most current operating systems does not actually modify any of
the data contained in that file. Operating systems maintain an internal list of where
files are physically and logically located within the hard disk and file system. Different
file systems have different names for these lists including:

• Master File Table (MFT) for NTFS
• File Allocation Table (FAT) for FAT16 and FAT32
• Catalog File for HFS

When you the user choose to delete a file, the operating system will remove that files
entry from this internal list and mark the space on the hard disk (called clusters)
as empty and available. However, the actual file contents are still sitting on the
disk unchanged! The delete files contents will remain on the disk until a new file
is created and the OS chooses to use the clusters of the old file to store the new
information.

The process of recovering deleted files and information is known as data carving.
Two freely available data carving tools are Foremostand Scalpel. Using
either of these tools it is extremely easy to search for and extract out any deleted
data left on a hard drive or other storage device (including USB thumb drives).

A Little Experiment

To find out just how effective these tools are I
decided to experiment on an old USB thumb drive I found in a drawer. It’s only a 256
meg stick and hasn’t been used in a couple years. Plugging it into my Windows workstation
and viewing its contents showed no files on the drive and all 256 megs of space available.
So it appears there is nothing on it… right?

I booted up my forensics laptop using the Helix3
Forensics LiveCD, plugged in the USB stick
and created an image file containing an exact copy of the entire drive using the dd
utility. Now it was time to
find out if the disk really had nothing on it.

Moment of Truth

I ran the image files through both Foremost and Scalpel
and instructed each tool to extract as much information as possible. This included
all possible types of files and even partial remains of files. The results were slightly
different between the two tools but each one found almost 100 files and file fragments!
Everything from Office documents to music files and even installation executables
for some small utilities I had once used was extracted.

Moral of
the story is even though your files may be out of site they really aren’t gone for
good. So remember this, the next time you decide to toss out an old hard drive or
USB stick you might want to look into a secure wiping tool like Eraser.