How Is It That Deleted Data Can Be Recovered?

Losing the data on your hard drive is not a pleasant thought for most people. You have pictures, documents and more that are irreplaceable. The good news is that in most cases, if your hard drive crashes, that data is recoverable. It is not hard to connect a hard drive to another computer and copy the data off of it. Likewise, even if a file is deleted, it is possible that it can be recovered as well. For many people this is computer magic, and they wonder just how it is possible.

Deleted Files Are Not Really Deleted

The easiest way to answer just how it is possible is that when you empty your trash can, the file itself is not deleted. In reality, the space that the file took up on the hard drive is just marked as available to be reused. The actual file is still there until the space where it was stored is reallocated for something else. As long as that space has not been reallocated, the file can be recovered. Specialized software is needed to do this, but these programs are available to the general public and can even be downloaded from the Internet.

Windows keeps track of where files are by using pointers. These pointers tell it where a file’s data begins and ends. When a file is deleted, these pointers are removed, which frees up the disk space for reallocation. This takes almost no time compared to the amount of time it would take to completely wipe that space clean.
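The behaviour described above can be seen in a small model. This is an added example, not code from the original article: `ToyDisk`, its sector size and the sample file contents are constructed for illustration, and recovery is done by scanning the raw bytes for the JPEG start and end markers, which is one common way to find files once the pointers are gone.

```python
# Toy model, constructed for illustration (not a real filesystem): a "disk" of
# fixed-size sectors, a directory of pointers, and an allocation map.
SECTOR = 16
JPEG_START, JPEG_END = b"\xff\xd8\xff", b"\xff\xd9"  # real JPEG start/end markers

class ToyDisk:
    def __init__(self, sectors=32):
        self.data = bytearray(sectors * SECTOR)
        self.directory = {}             # name -> (start sector, length in bytes)
        self.used = [False] * sectors   # True = sector is allocated

    def write(self, name, content):
        need = -(-len(content) // SECTOR)   # sectors needed, rounded up
        # First fit: take the lowest free run, so freed space is reused first.
        start = next((s for s in range(len(self.used) - need + 1)
                      if not any(self.used[s:s + need])), None)
        if start is None:
            raise OSError("disk full")
        self.data[start * SECTOR:start * SECTOR + len(content)] = content
        self.used[start:start + need] = [True] * need
        self.directory[name] = (start, len(content))

    def delete(self, name):
        # Only the pointer and allocation marks are removed; the bytes stay.
        start, length = self.directory.pop(name)
        need = -(-length // SECTOR)
        self.used[start:start + need] = [False] * need

    def carve_jpegs(self):
        # Recovery without pointers: find signatures that start in free space.
        found, pos = [], self.data.find(JPEG_START)
        while pos != -1:
            end = self.data.find(JPEG_END, pos)
            if end == -1:
                break
            if not self.used[pos // SECTOR]:
                found.append(bytes(self.data[pos:end + 2]))
            pos = self.data.find(JPEG_START, end + 2)
        return found

def demo():
    disk = ToyDisk()
    photo = JPEG_START + b" constructed sample picture data " + JPEG_END
    disk.write("photo.jpg", photo)
    disk.delete("photo.jpg")
    recovered = disk.carve_jpegs()              # pointers gone, bytes intact
    disk.write("notes.txt", b"x" * len(photo))  # freed sectors reallocated
    return recovered == [photo], disk.carve_jpegs()
```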

Newer solid state hard drives have changed this. With those drives, deleted files are removed immediately, since they use flash memory to speed up operations. If a file were not deleted immediately, the hard drive would slow down over time. New software has made recovery possible, but it is not easy, it is not cheap and it is not guaranteed.

As Seen On TV…

Of course, this has been a central premise in more than a few crime dramas, as now every one of them has to have the computer forensics specialist who can work their magic and recover all of the files that will convict the suspect with a neat and tidy bow (or provide the clue that is needed to point the TV detective in the right direction at just the right time). What can be done there is limited only by a writer’s imagination, but in reality modern forensics can do quite a lot. Data can be retrieved from burned hard drives, from ones retrieved from the bottom of bodies of water and even from smashed ones.

The FBI Leads The Way

Data recovery has been a lynchpin of criminal investigations since the 1980s. The FBI established the Computer Analysis and Response Team in 1984, which was made up of law enforcement professionals and computer hobbyists. One of the first known tests was the pursuit of German hacker Markus Hess, who hacked into military and industrial computers in the US and other countries while working for the KGB.

Putting Away Killers

But the first case of data recovery being used in a criminal investigation was right here in Pennsylvania in the town of Corry in 1988. Sally Weiner was kidnapped and killed by local bookshop owner David Copenhefer because her husband Harry, a bank manager, had denied Copenhefer a loan to expand his store. An alert policeman noticed that an ad printed on Copenhefer’s store window used some of the same decorative characters as the ransom note.

Copenhefer was arrested and his computer was examined. At the time there was no specialized software available to recover data, so each sector on the hard drive had to be examined individually by the FBI in a laborious process. Eventually bits and pieces of the ransom note, as well as a script that Sally was to read to secure a ransom, were found. Copenhefer was sentenced to life in prison and died on death row in 2013. This story has been profiled on numerous TV crime shows including Forensic Files.

The BTK Killer

This kind of forensic analysis became more famous as it allowed the police to find the BTK (Bind, Torture and Kill) killer in 2005. The BTK killer had murdered ten people in the Wichita, Kansas area during the 1970s and 1980s but had managed to avoid arrest despite taunting local police and media. Of course like any serial killer he wanted attention and after over two decades he resumed sending letters to the police and local media as he had decided to kill again.

After being told by the police that they could not trace information on a floppy disk, he sent a disk with information to a local TV station in 2004. While the information on the disk could not be traced, other information was found when it was analyzed. The metadata of an MS Word document was present, containing the name Christ Lutheran Church and showing that it was last authored by a man named Dennis.

A quick search of the Internet found that Dennis Rader was president of the church council, and when police arrived at his home they also found a Jeep that had been seen in surveillance footage when he dropped another of his letters off for police. Rader was convicted and is currently serving ten consecutive life sentences at the El Dorado Correctional Facility in El Dorado, Kansas. He might not have been caught if that metadata had not been present.

Data recovery is just another example of tech that was thought to be advanced as little as a decade and a half ago and is now something that anyone can use. It is amazing what information is left behind by us, even when we think that we have disposed of it. While we do not think that you will be committing a crime anytime in the near future, this also underscores why any hard drives need to be disposed of properly. These hard drives have your data on them, and that data can be recovered and used against you. If you are getting rid of a hard drive, make sure that you either format it so that no data can be recovered or destroy it.
