Recovering Files

Recovering deleted files is one of the most important tasks in digital forensics. When a file is deleted, it rarely disappears immediately. Instead, file systems typically only mark the space as available, leaving the actual data intact until it is overwritten. Understanding how deletion works and how to recover deleted files is essential for finding key evidence during investigations.

This chapter explains how file deletion works, what artifacts remain, and which techniques and tools are used to recover deleted data.


How File Deletion Works

File deletion does not erase the actual content of the file. Instead, different file systems handle deletion in slightly different ways, but the core idea remains the same:

  • The file system marks the file’s entry as deleted.

  • The storage space becomes “unallocated.”

  • The file’s contents remain on disk until new data overwrites them.

This makes data recovery possible in most cases, unless the deleted space has already been reused.


Deletion Behavior in Common File Systems

NTFS (Windows)

  • When a file is deleted, its entry in the Master File Table (MFT) is flagged as deleted.

  • File data remains in clusters until overwritten.

  • $LogFile and $UsnJrnl may contain traces of file activity.

  • $Recycle.Bin stores deleted files with unique names.

NTFS preserves metadata very well, which makes deleted files highly recoverable.


FAT32 (USB drives, memory cards)

  • The first byte of the directory entry is overwritten with a special marker (0xE5) indicating deletion.

  • File Allocation Table entries are cleared.

  • File data often remains intact in clusters.

Since FAT32 is simple, recovering deleted files is usually easier.
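To make the FAT32 behaviour above concrete, here is an added example (not code from the chapter or any named tool) that builds constructed 8.3 directory entries, detects the 0xE5 marker, and lists the clusters a deleted file would occupy if it was stored contiguously. The layout of the 32-byte entry is the standard FAT format; the entry contents and cluster size are constructed sample values.

```python
import struct
from typing import Dict, List

ENTRY_FMT = "<11sBBBHHHHHHHI"   # 32-byte FAT 8.3 directory entry
DELETED = 0xE5                  # first name byte of a deleted entry
ATTR_LFN = 0x0F                 # long-file-name entry (skipped here)
ATTR_DIR = 0x10


def make_entry(name: str, ext: str, first_cluster: int, size: int, deleted: bool = False) -> bytes:
    """Build a constructed directory entry (sample data, not from a real volume)."""
    raw = (name.upper().ljust(8)[:8] + ext.upper().ljust(3)[:3]).encode("ascii")
    if deleted:
        raw = bytes([DELETED]) + raw[1:]
    # fields after the name: attr, NT reserved, create tenths, create time/date,
    # last access, cluster high, write time/date, cluster low, size
    return struct.pack(ENTRY_FMT, raw, 0x20, 0, 0, 0, 0, 0,
                       first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size)


def parse_directory(data: bytes) -> List[Dict]:
    """Walk a directory cluster and report live and deleted 8.3 entries."""
    entries = []
    for off in range(0, len(data) - 31, 32):
        raw, attr, *_, hi, _wt, _wd, lo, size = struct.unpack(ENTRY_FMT, data[off:off + 32])
        if raw[0] == 0x00:
            break                          # end marker: nothing beyond was ever used
        if attr == ATTR_LFN:
            continue
        deleted = raw[0] == DELETED
        base = raw[:8].decode("ascii", "replace").rstrip()
        ext = raw[8:].decode("ascii", "replace").rstrip()
        if deleted:
            base = "?" + base[1:]          # 0xE5 overwrote the first character for good
        entries.append({"name": f"{base}.{ext}" if ext else base, "deleted": deleted,
                        "first_cluster": (hi << 16) | lo, "size": size,
                        "is_dir": bool(attr & ATTR_DIR)})
    return entries


def candidate_clusters(entry: Dict, bytes_per_cluster: int = 4096) -> List[int]:
    """Clusters a deleted file would occupy if stored contiguously. The FAT chain
    was cleared on deletion, so a recovery tool has to assume this; the
    assumption fails for fragmented files."""
    count = max(1, -(-entry["size"] // bytes_per_cluster))
    return list(range(entry["first_cluster"], entry["first_cluster"] + count))


SAMPLE_DIR = (make_entry("REPORT", "PDF", 100, 10000)
              + make_entry("PHOTO", "JPG", 200, 123456, deleted=True)
              + bytes(32))                 # constructed end-of-directory marker
```

The deleted entry keeps its start cluster and size, which is why undeleting on FAT32 is usually straightforward; only the first character of the name and the cluster chain are lost.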


EXT4 (Linux)

  • Deleting a file removes the directory entry that points to its inode.

  • The file’s blocks become available for reuse.

  • Delayed allocation may lead to quicker overwriting.

EXT4 recovery depends heavily on how fast new data is written.


APFS (Apple)

  • Deletion behavior varies due to snapshots and encryption.

  • Snapshots may preserve older versions of files.

  • Space-sharing complicates recovery.

  • If encryption keys are lost, recovery becomes nearly impossible.

APFS is more challenging for recovery, but snapshots can be beneficial.


Sources of Recoverable Data

1. Recycle Bin / Trash

Before permanent deletion, files are stored here:

  • Windows: $Recycle.Bin

  • macOS: .Trash

These locations contain metadata and renaming patterns that help recover files.


2. Unallocated Space

Deleted file data often still exists in unallocated space.
Tools can scan this space to identify file headers and rebuild files.


3. File System Journals

Journals such as:

  • NTFS $LogFile

  • EXT4 journal

contain logs of file operations that may reference deleted content.


4. Slack Space

Slack space is unused space inside the last cluster of a file.
It may contain remnants of previously deleted data.


5. Volume Shadow Copies and Snapshots

Windows Shadow Copies and APFS snapshots store earlier versions of files.
These can recover entire previous file states.


6. Backup Copies

Temporary system backups or application-level backups may contain deleted files:

  • System restore points

  • App caches

  • Cloud sync backups (Google Drive, OneDrive, iCloud)


Methods of Recovering Deleted Files

1. File Carving

File carving identifies file headers and reconstructs data blocks.
This works even without file system metadata.

Examples:

  • JPEG starts with FF D8 FF

  • PDF starts with %PDF

Carving can recover files even when the file system metadata is gone, although fragmented files are harder to reassemble.
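The following added example (not code from the chapter or from any of the tools it lists) carves the two signatures named above out of a constructed buffer standing in for unallocated space. The footers (JPEG FF D9, PDF %%EOF), the size limits and the sector-alignment rule are assumptions modelled on how common carvers behave; the sample buffer is constructed, not a real image.

```python
from typing import Dict, List

# Header signatures named in the chapter (JPEG FF D8 FF, PDF %PDF) plus their
# standard end markers; max_size bounds the search when the footer is gone.
SIGNATURES = {
    "jpg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9", "max_size": 10 * 1024 * 1024},
    "pdf": {"header": b"%PDF", "footer": b"%%EOF", "max_size": 50 * 1024 * 1024},
}


def carve(data: bytes, sector: int = 512, aligned: bool = True) -> List[Dict]:
    """Scan raw bytes (e.g. a dump of unallocated space) for known headers and
    cut out header..footer. With aligned=True only headers on a sector boundary
    count, which is how carvers suppress false hits inside other files."""
    found = []
    for kind, sig in SIGNATURES.items():
        pos = 0
        while (start := data.find(sig["header"], pos)) >= 0:
            if aligned and start % sector:
                pos = start + 1
                continue
            limit = min(len(data), start + sig["max_size"])
            end = data.find(sig["footer"], start + len(sig["header"]), limit)
            # Caveat: the first footer can be premature (EXIF thumbnails embed a
            # nested JPEG; PDFs with incremental updates hold several %%EOF).
            complete = end >= 0
            end = end + len(sig["footer"]) if complete else limit
            found.append({"type": kind, "offset": start, "length": end - start,
                          "complete": complete, "data": data[start:end]})
            pos = end if complete else start + 1
    return sorted(found, key=lambda f: f["offset"])


def sample_unallocated() -> bytes:
    """Constructed stand-in for a chunk of unallocated space (not a real image)."""
    jpeg = b"\xff\xd8\xff\xe0JFIF" + b"\x11" * 100 + b"\xff\xd9"   # 110 bytes
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF"                   # 32 bytes
    blob = bytes(512)                         # an empty sector
    blob += jpeg.ljust(1024, b"\x00")         # JPEG at offset 512
    blob += pdf.ljust(512, b"\x00")           # PDF at offset 1536
    blob += b"\xff\xd8\xff" + b"\x22" * 50    # header only at 2048: footer overwritten
    return blob


if __name__ == "__main__":
    for f in carve(sample_unallocated()):
        print(f"{f['type']} @ {f['offset']}: {f['length']} bytes, complete={f['complete']}")
```

The third hit shows the partial-recovery case: the header survives but the tail was overwritten, so the carver can only return the bytes up to its size limit and flag the result as incomplete.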


2. Undeleting Through File System Records

If metadata is intact (MFT entries, inodes, FAT entries), recovery is easier and more accurate.

Tools read these records to restore filenames, paths, and timestamps.


3. Analyzing Journals

Journals can reveal:

  • Filename

  • File size

  • Metadata changes

  • Previous versions

This helps reconstruct file activity even after deletion.


4. Using Snapshots and Shadow Copies

Snapshots store historical disk states.
Investigators can mount these to retrieve earlier file versions.


5. Disk Imaging

A forensic image preserves all sectors, including:

  • Unallocated space

  • Slack space

  • Hidden areas

This ensures safe recovery without altering original evidence.


Tools for Deleted File Recovery

Common forensic tools include:

  • Autopsy

  • The Sleuth Kit (fls, icat, blkls)

  • FTK Imager

  • EnCase

  • R-Studio

  • TestDisk and PhotoRec

  • X-Ways Forensics

These tools can undelete files, carve data, analyze journals, and scan unallocated space.


Factors Affecting Recovery Success

  • Time since deletion: The longer the delay, the higher the chance of overwriting.

  • System activity: Active systems overwrite faster.

  • File fragmentation: Fragmented files are harder to rebuild.

  • File system type: Some systems overwrite metadata quickly.

  • Encryption: Encrypted systems may be unrecoverable without keys.


Signs a File May Be Recoverable

  • MFT or inode entry exists but is marked deleted

  • File header still present in unallocated space

  • File content blocks remain untouched

  • Backups or snapshots exist

  • Journal retains metadata

If all of these are missing, the chance of recovery drops significantly.


Summary

Recovering deleted files is a core forensic skill. File deletion rarely removes the data immediately, meaning investigators can often recover files using file system records, unallocated space, journals, slack space, and snapshots. Understanding how each file system handles deletion and using appropriate forensic tools allows analysts to recover crucial evidence effectively and reliably.
