Sat. Jan 21st, 2023

Forensic requirements for data retrieval

When data is stored on a device, its information is usually stored in empty blocks on that medium (either magnetic or SSD). For practical reasons (speed on magnetic media and wear-levelling on SSDs), currently unused areas of storage are favoured wherever possible. Of course, as a disc is filled, there are fewer unused blocks. There will, however, probably now be used blocks that aren’t needed any more, because the file isn’t needed. Once we run out of empty blocks, we store data on theses blocks – reusing them.

This approach works because the storage device also contains a directory – an index which lists which files should be there, and where to find them. Deleting a file doesn’t actually remove it: it simply removes the entry from the index, meaning the space is now ‘used but ready to re-use’.

Why does this matter?

Firstly, when deleting files, or formatting a drive, you aren’t always removing the file(s). You are simply removing the directory. The data is still on the drive.

Secondly, if you are in a position to have deleted data that you need, any further use of that drive risks loss of the data, because new information could be written over a section that is needed. The risk of this is greatest with drives with little free space.

There are many tools available for retrieval of data and secure destruction of data. See examples here Forensic data recovery to retrieve digital data for litigation (