As we all know, computer forensic evidence is very useful for law
enforcement, but can governments recover files that have been permanently
deleted? Some people think that when they delete files from the hard drive
they are obliterated and cannot be recovered, but the matter is completely
different. With enough effort and technical skill, deleted files, documents,
and photos can often be recovered. Here comes the important question: how are
deleted files recovered, and can deleted files really be recovered in all
cases? This is what we will learn about in this article.
Of course, some jurisdictions give their officials the right to examine
electronic devices in most cases, so that in some cases governments can
examine electronic devices without permission to obtain evidence. However,
the police must adhere to a set of rules and procedures to ensure the
admissibility of evidence. In the end, these are all judicial matters that we
have nothing to do with, so we will discuss the technical matters that
concern us.
First, to see the whole picture: the process of recovering deleted files
depends on many factors, which also determine how easy or difficult it is to
retrieve these files. One of the most important of these factors is the type
of drive used, and whether it was previously encrypted or not. For example,
there are solid-state drives ("SSD"), which are characterized by high speeds,
and mechanical hard disk drives ("HDD"), which were considered the dominant
storage mechanism for many years. Both greatly affect the process of
recovering deleted files, but what is the reason for that? To find out why,
you must first know how drives manage writes and deletes.
How hard disks manage writes and deletes
First of all, you should know that hard disk drives ("HDDs") use a specific
part called a magnetic platter to store your data. If you have ever
disassembled a hard disk, you will have noticed round, silver discs inside.
These are the magnetic platters. They spin at very high speeds ranging from
5400 to 7200 rpm during use, and there are even some discs that can spin at
15,000 rpm, fantastic!
Attached to these platters are heads responsible for reading and writing
operations. Usually, when you save a specific file, the head moves to a
specific part of the platter and converts the electric current into a
magnetic field to complete the reading and writing operations. But how do
these heads do this with an infinite number of different files?! In fact, the
drive automatically looks into something called an "allocation table", which
contains a record of each file stored on the hard drive.
Now that we have explained how hard disks manage writing and saving data, we
move on to the other part: what happens when a file is deleted. As we
mentioned, each file has a dedicated record on the hard disk. When a file is
deleted, the record for that file is deleted, and the space occupied by the
file is marked as empty and can be written to at a later time to store other
files.
However, the data for this file is not permanently deleted: it is still
present on the magnetic platters and is only erased when new data is written
to that specific location on the platter. This makes recovering deleted files
from an HDD relatively easy.
Are SSDs the same as HDDs, or are they different?
SSDs are completely different from HDDs, and they represent a major obstacle
for governments in the process of recovering deleted files, as they do not
contain any moving heads or magnetic platters. Instead, they represent files
in the form of electrons held by trillions of floating-gate transistors, and
these transistors combine to form chips called "NAND flash chips". It is a
somewhat complicated process, but in general, the way SSDs work, which is
different from the HDD, makes them capable of erasing traces of deleted
files.
Besides, the SSD will not write any new data unless the block or space is
completely empty of content. To ensure that the drive always has a steady
stream of available blocks, the hardware issues a command called the "TRIM
command" that tells SSDs which blocks are no longer needed. As a result,
deleted data is largely out of the hands of the government and investigators.
Because SSDs can only handle a limited number of writes, it's important to
distribute them across the drive, so they scatter files into multiple blocks
across the drive to reduce the wear and tear of everyday use.
This technique is called "wear leveling" and has been known to make
recovering deleted files quite difficult. On top of all this, SSDs often
can't be physically removed from a device, as some manufacturers choose to
solder the storage drives onto the device's motherboard, making proper
extraction of the contents much more difficult for law enforcement
professionals. This is unlike hard disks, which are always replaceable.
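The behaviour described in the two sections above, as an added example that is not part of the original article: a toy Python model (all class, function and file names are constructed) in which deleting a file removes only its allocation-table record. Scanning the raw blocks for a JPEG signature still finds the file on the HDD-style disk until new data overwrites it, while the SSD-style disk is assumed to return zeros for trimmed blocks.

```python
# Toy model (constructed for illustration): a disk is a list of fixed-size
# blocks plus an allocation table mapping file name -> block indices.
BLOCK = 16
JPEG_SIG = b"\xff\xd8\xff"               # JPEG start-of-image marker

class ToyDisk:
    def __init__(self, blocks=8, trim=False):
        self.raw = [bytes(BLOCK)] * blocks   # what physically sits on the medium
        self.table = {}                      # allocation table
        self.trim = trim                     # True models an SSD honouring TRIM

    def _free(self):
        used = {i for idx in self.table.values() for i in idx}
        return [i for i in range(len(self.raw)) if i not in used]

    def write(self, name, data):
        chunks = [data[i:i + BLOCK].ljust(BLOCK, b"\0")
                  for i in range(0, len(data), BLOCK)]
        free = self._free()
        if len(free) < len(chunks):
            raise OSError("disk full")
        self.table[name] = free[:len(chunks)]
        for i, chunk in zip(self.table[name], chunks):
            self.raw[i] = chunk

    def delete(self, name):
        freed = self.table.pop(name)         # only the record is removed
        if self.trim:                        # assumption: trimmed blocks read as zeros
            for i in freed:
                self.raw[i] = bytes(BLOCK)

def carve(disk, sig=JPEG_SIG):
    """Scan raw blocks, ignoring the allocation table, for a file signature."""
    return [i for i, blk in enumerate(disk.raw) if blk.startswith(sig)]

def demo():
    photo = JPEG_SIG + b"constructed-photo-bytes"   # spans two blocks
    hdd, ssd = ToyDisk(), ToyDisk(trim=True)
    for d in (hdd, ssd):
        d.write("photo.jpg", photo)
        d.delete("photo.jpg")
    after_delete = (carve(hdd), carve(ssd))  # HDD data survives, SSD data is gone
    hdd.write("new.txt", b"x" * 32)          # reuses and overwrites the freed blocks
    return after_delete, carve(hdd)

if __name__ == "__main__":
    print(demo())
```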
Real complications and challenges
To conclude, we can say that governments can sometimes recover files that you have deleted from your device, although advances in storage and encryption technology have greatly complicated matters. Even so, these technical problems can often be overcome. The fundamental problem when it comes to digital investigations is that governments do not have the mechanisms and resources in place: there are not enough trained professionals to do the work, and the end result is that many police forces around the world face an overwhelming backlog of unprocessed phones, laptops, and servers. Unfortunately, this problem cannot be solved without spending more money to train people and to hire people with the professional ability to do these jobs.