A disintegrating hard drive.
Daniel Krason/Shutterstock.com

When you delete a file from your computer’s hard drive, it’s never really gone. With enough effort and technical skill, it’s often possible to recover documents and photos previously thought obliterated. These computer forensics are a useful tool for law enforcement, but how do they really work?

Setting the Legal Groundwork

Before we get into the technical weeds, it’s worth discussing the boring procedural and legal aspects of computer forensics within the context of law enforcement.

First, let’s dispel with the old myth that a warrant is always required for a law enforcement officer to examine a digital device like a phone or a computer. While that’s often the case, plenty of “loopholes” (for lack of a better word) can be found within the fabric of the law.

Many jurisdictions, like the United Kingdom and the United States, permit customs and immigration officials to examine electronic devices without a warrant. American border officers can also examine the contents of devices without a warrant if there’s an imminent thread of evidence being destroyed, as affirmed by an 11th Circuit judgment from 2018.

When compared to their American counterparts, U.K. cops tend to have more leeway to seize the contents of devices without having to make their case to a judge or magistrate. They can, for example, download the contents of a phone by using a piece of legislation called the Police and Criminal Evidence Act (PACE), regardless of whether any charges are brought. However, if the police ultimately decide they wish to examine the contents, they need sign-off from the courts.

Legislation also gives U.K. police the right to examine devices without a warrant in certain circumstances where there is an urgent need—such as in a terrorism case, or where there is a genuine fear that a child may be sexually exploited.

But ultimately, regardless of the “how,” when a computer is seized, it merely represents the start of a long process that begins with a laptop or phone being removed in a tamper-resistant plastic bag, and often concludes with evidence being presented in a courtroom.

The police must adhere to a set of rules and procedures to ensure the admissibility of evidence. Computer forensics teams document their every move so that, if necessary, they can repeat the same steps and achieve the same results. They use specific tools to ensure the integrity of files. One example is a “write blocker,” which is designed to allow forensic professionals to extract information without inadvertently modifying the evidence being examined.

It’s that legal basis and procedural rigor that determines whether a computer forensics investigation will be successful—not technical sophistication.

Moving Platters, Moving Cases

A close-up of a mechanical computer's hard drive platter and head.
mike mols/Shutterstock.com

Legal issues notwithstanding, it’s always interesting to note the many factors that can determine the ease in which deleted files can be recovered by law enforcement. These include the type of disk being used, whether encryption was in place, and the drive’s file system.

Take hard drives, for example. Although these have largely been surpassed by faster solid-state drives (SSDs), mechanical hard disk drives (HDDs) were the predominant storage mechanism for over 30 years.

HDDs used magnetic platters to store data. If you’ve ever disassembled a hard drive, you’ve probably observed how they look a bit like CDs. They’re circular and silver in color.

When in use, these platters spin at incredible speeds—usually either 5,400 or 7,200 RPM, and in some cases, as fast as 15,000 RPM. Connected to these platters are special “heads” that perform read and write operations. When you save a file to the drive, this “head” moves to a specific part of the platter and transforms an electrical current into a magnetic field, thereby changing the properties of the platter.

But how does it know where to go? Well, it looks at something called an allocation table, which contains a record of every file stored on a disk. But what happens when a file is deleted?

The short answer? Not much.

Here’s the long answer: The record for that file is deleted, allowing the space it occupied on the hard drive to be overwritten later. However, the data remains physically present on the magnetic platters and is only ever truly deleted when new data is added to that particular location on the platter.

After all, deleting it would require the magnetic head to physically move to that location on the platter and overwrite it. That could impede on other applications and slow the computer’s performance. As far as hard drives are concerned, it’s simpler to just pretend deleted files simply don’t exist.

That makes recovering deleted files much easier for law enforcement. They just have to recreate the missing parts within the allocation table, which is something that can be done with free tools, including Recuva.

RELATED: How to Recover a Deleted File: The Ultimate Guide

Solid (State) as a Rock

A solid-state drive inside a laptop PC.

Of course, SSDs are different. They contain no moving parts. Instead, files are represented as electrons held by trillions of microscopic floating gate transistors. Collectively, these combine to  form NAND flash chips.

SSDs bear some similarities to HDDs, insofar as files are only ever deleted when they’re overwritten. However, some key differences inevitably complicate the work of computer forensics professionals. And like HDDs, SSDs organize data in blocks, with the size varying wildly between manufacturers.

The key difference here is that for an SSD to write data, the block has to be completely empty of content. To ensure that the SSD has a constant stream of available blocks, the computer issues something called a “TRIM command,” which informs the SSD which blocks are no longer required.

For investigators, it means that when they try to find deleted files on an SSD, they may find that the drive has innocently put them far beyond their reach.

SSDs can also scatter files across multiple blocks across the drive to reduce the amount of wear and tear incurred by day-to-day use. Because SSDs can only withstand a finite number of writes, it’s important they’re distributed across the drive, rather than in a small location. This technology is called wear leveling, and has been known to make life hard for digital forensics professionals.

Then there’s the fact that SSDs are often harder to image, because you often physically can’t remove them from a device.

Whereas hard drives are almost always replaceable and connected via standard interfaces, like IDE or SATA, some laptop manufacturers choose to physically solder storage to the machine’s motherboard. It makes extracting the contents in a forensically sound way much harder for law enforcement professionals.

The Real Complications

So, in conclusion: Yes, law enforcement can retrieve files you’ve deleted. However, advances in storage technology and widespread encryption have complicated matters somewhat.

Yet, technical problems can often be overcome. When it comes to digital investigations, the biggest challenge facing law enforcement isn’t the mechanisms of SSD drives but rather their lack of resources.

There aren’t enough trained professionals to do the work. And the end result is, many police forces across the world are faced with a crushing backlog of unprocessed phones, laptops, and servers.

A Freedom of Information act request from the U.K. newspaper The Times showed that the 32 police forces across England and Wales have over 12,000 devices pending examination. The time to process a device there varies, from one month to over a year.

And that has consequences. The bedrock of any fair criminal justice system is that the accused are afforded a speedy trial. As the saying goes, justice delayed is justice denied. This principle is so fundamentally important, it’s even represented in the Sixth Amendment to the U.S. constitution.

Sadly, it’s not a problem that’s easily fixable without more money being spent by forces on recruitment and training. You can’t solve it with more technology.

Profile Photo for Matthew Hughes Matthew Hughes
Matthew Hughes is a reporter for The Register, where he covers mobile hardware and other consumer technology. He has also written for The Next Web, The Daily Beast, Gizmodo UK, The Daily Dot, and more.
Read Full Bio »