As I wrote in the last article, digital forensics can give an attorney the edge she or he needs to win a case. Because of computers’ ability to store huge amounts of data, and the portable nature of mobile devices, it is highly unlikely that a forensic examiner will not find some sort of data of evidentiary value when examining a device. You might be saying, “Well hey, wait, I delete my data so I am safe, right?” The answer is no. Deleted data remains on devices for a number of reasons after the user hits delete. Even if a user uses specialized data scrubbing software, that software leaves a fingerprint that can lead examiners to other useful data.

On computers, data is stored mainly in two ways. The first is called volatile memory and, as its name suggests, this type of storage is temporary. When users talk about RAM, they are talking about volatile memory. It may be helpful to conceptualize this sort of memory as the rough equivalent of short-term memory in humans. Because volatile memory uses chips to store data, rather than plates as in traditional storage, it is able to access data faster. However, once the system is powered down and the volatile memory loses power, the data inside is gone. For this reason, volatile memory often stores important information about the current state of the machine. Investigators will often attempt to read the data in volatile memory before shutting a machine down for investigation.

The other type of storage is called “non-volatile” storage. As you might guess, this is more permanent storage. Your computer hard drive is an example of non-volatile memory, and it can be likened to long-term memory in humans. This type of storage writes data to be stored for long-term use (like Windows or Microsoft Word). Traditionally, this type of storage was mainly done on circular plates that look similar to vinyl records. Recently, the advent of solid-state drives that use non-volatile memory has allowed for faster access to long-term data in large amounts. The development of larger storage capability in non-volatile, high-speed solid-state drives has also allowed for the advent of mobile devices that can store more data (think of the phone you have now, which likely has 16 GB of storage at a minimum; this size of storage in such a small device was unheard of 10-15 years ago).

By now you might be saying, “OK, so why the heck does my data stick around after I delete it?” The reason for this is simple. The types of storage discussed above exist at the physical, hardware level. This means they are tangible, physical objects that store data physically. However, the average user cannot make sense of data in this form, as it is not in a language most people can decipher. For this reason, intrepid programmers came up with a way to write code that could speak to, translate and display the language of data in a way that the average person could understand. This process includes two parts. The first is the file system, which is basically a method for storing and retrieving files on a disk. The second part of this equation is the operating system. This is software that interacts with the file system and organizes the data in a user-friendly way. So we have three levels of abstraction when we talk about data storage and access: 1) the physical hardware the data is stored on, 2) the software file system that is used to store and access the data, and 3) the operating system that works with the file system to display the accessed data in a user-friendly manner.

Since data is stored both physically and logically (accessed via the file system and operating system), truly deleting data requires a user with advanced working knowledge of this entire process. When a user tells an operating system such as Android or Windows to delete a file, it really means that the OS will simply read that space on the storage as empty or “unallocated.” However, on the physical storage device, the data remains until it is written over a certain number of times. For this reason, a forensic examiner can often retrieve data that has been deleted from a device.
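The gap between logical deletion and physical storage can be shown with a small model. This is an added example, not part of the original article: `ToyDisk`, `carve` and the sample file contents are constructed for illustration, and the model is simplified so that free blocks are searched as one contiguous run and a single overwrite replaces their contents.

```python
BLOCK = 512  # bytes per block in this constructed toy disk

class ToyDisk:
    def __init__(self, blocks=16):
        self.raw = bytearray(BLOCK * blocks)  # the "physical" storage
        self.free = set(range(blocks))        # unallocated block numbers
        self.directory = {}                   # file name -> (block list, length)

    def write(self, name, data):
        need = -(-len(data) // BLOCK)         # ceiling division
        blocks = sorted(self.free)[:need]
        if len(blocks) < need:
            raise OSError("disk full")
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.free -= set(blocks)
        self.directory[name] = (blocks, len(data))

    def delete(self, name):
        # Only the bookkeeping changes; the bytes in self.raw are untouched.
        blocks, _ = self.directory.pop(name)
        self.free |= set(blocks)

def carve(disk, header, footer):
    """Search unallocated blocks for header...footer signatures (file carving)."""
    unalloc = b"".join(bytes(disk.raw[b * BLOCK:(b + 1) * BLOCK])
                       for b in sorted(disk.free))
    found, start = [], unalloc.find(header)
    while start != -1:
        end = unalloc.find(footer, start)
        if end == -1:
            break
        found.append(unalloc[start:end + len(footer)])
        start = unalloc.find(header, end)
    return found

def demo():
    disk = ToyDisk()
    disk.write("keep.txt", b"A" * 600)
    letter = b"%PDF-1.4 constructed sample " + b"x" * 700 + b"%%EOF"
    disk.write("letter.pdf", letter)
    disk.delete("letter.pdf")                      # user "deletes" the file
    before = carve(disk, b"%PDF-", b"%%EOF")       # still recoverable
    disk.write("new.bin", b"\x00" * (2 * BLOCK))   # blocks reused and overwritten
    after = carve(disk, b"%PDF-", b"%%EOF")        # nothing left to find
    return letter, before, after

if __name__ == "__main__":
    letter, before, after = demo()
    print(before == [letter], after)
```

After `delete`, the file name is gone from the directory, yet `carve` returns the full contents from unallocated space; only once new data reuses those blocks does the search come back empty.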

One of my favorite examples of digital forensics recovering data to bring a criminal to justice is the BTK killer case. BTK had been murdering women for years and the police were not able to figure out who he was. Eventually, BTK sent in a letter to a local news outlet on a 3.5” floppy disk (yes, it was that long ago). Although the killer believed the disk to be clean, digital forensics experts were able to look at the physical storage of the disk and recover a fragment of a Word document that had been deleted. This document mentioned Dennis at Christ Lutheran Church. Using this evidence, investigators eventually tied the crimes to Dennis Rader, a member of the church. He was convicted and sentenced to life.

The point is that your data is almost never truly gone. With the increase in the storage capacity of computer hard drives, data takes much longer to be overwritten to the point of total deletion. Mobile devices with large storage capacity are ubiquitous. Because of the nature of data creation and storage, when a user “deletes” a file she or he is simply telling the operating system to view it as gone. The file still remains on the physical storage until it is overwritten a certain number of times. Digital forensic examiners can find this data and make it work for you. Whether you are an attorney, a spouse suspecting infidelity or just someone looking for answers, digital forensics can help you get what you need.
