According to a survey, 93% of all information never leaves the digital form. The majority of information these days is being created, modified, and consumed entirely in digital form. This means most spreadsheets and databases never make it on paper, and most digital snapshots never get printed. In this article, we will discuss methods and techniques to recover deleted digital evidence. 

What is Digital Evidence?

Digital Evidence is any information that is stored or transmitted in the digital form that a party at court can use at the time of trial. Digital evidence can be Audio files, and voice recordings, Address books and contact lists, Backups to various programs, including backups to mobile devices, Browser history, Cookies, Database, Compressed archives (ZIP, RAR, etc.) including encrypted archives, etc. 

Destroyed Evidence

In a criminal or cyber-criminal case, the attempts to destroy the evidence are very common. Such attempts can be more or less successful depending upon the following conditions: 
 

• Action is taken to destroy the evidence.
• Time Available to destroy the evidence.
• Type of storage device like magnetic hard drive, flash memory card, or SSD drive.

In this section, we will be discussing some of the methods to destroy the evidence and ways to recover the destroyed evidence. 

Deleted Files

Deleting files is one of the easiest, convenient, and foremost way to destroy the evidence. Whether it is using the “Delete” button or “Shift+Delete” button. The principle of file recovery of deleted files is based on the fact that Windows does not wipe the contents of the file when it’s being deleted. Instead, a file system record storing the exact location of the deleted file on the disk is being marked as “deleted” and the disk space previously occupied by the deleted file is then labeled as available – but not overwritten with zeroes or other data. 
 

• The deleted file can be retrieved by analyzing the contents of the recycle bin as they are temporarily stored there before being erased.
• If the deleted files have no trace in the recycle bin like in case of the “Shift+Delete” command, then, in that case, you can use commercial recovery tools to recover the deleted evidence. One such example commercial tool is DiskInternals Partition Recovery.
• Looking for characteristic signatures of known file types by analyzing the file system and/or scanning the entire hard drive, one can successfully recover : 
  • Files that were deleted by the user.
  • Temporary copies of Office documents (including old versions and revisions of such documents).
  • Temporary files saved by many applications.
  • Renamed files.
• Information stored in deleted files can be supplemented with data collected from other sources. For example, the “chatsync” folder in Skype stores the internal data that may contain chunks and bits of user conversations. This means if the “chatsync” folder exists there is a possibility to recover user chat’s even if the Skype database is deleted. Many tools exist for this purpose like Belkasoft Evidence Center 2020.

Formatted Hard Drives

Recovery of the data from the formatted hard drive depends upon a lot of parameters. Information from the formatted hard drive may be recoverable either using data carving technology or by using commercial data recovery tools. 
There are two possible ways to format a hard drive: Full Format and Quick Format. 

Full Format – As the name suggests, this initializes the disk by creating the new file system on the partition being formatted and also checks the disk for the bad sectors. Prior to Windows Vista, a full format operation did not zero the disk being formatted. Instead, Windows would simply scan the disk surface sector after sector. Unreliable sectors would be marked as “bad”. But in case of Vista and Windows 7, a full format operation will actually: 
 

• Wipe the disk clean.
• Writing zeroes onto the disk.
• Reading the sectors back to ensure reliability.

Quick Format – This is never destructive except for the case of SSD. Disk format simply initializes the disk by creating the new file system on the partition being formatted. Information from disks cleared using a quick format method can be recovered by using one of the data recovery tools that support data carving. 

SSD Drives

SSD means Solid-State Drives represent a new storage technology. 
 

• They operate much faster than traditional drives.
• They employ a completely different way of storing information internally, which makes it much easier to destroy information and much more difficult to recover it.

The culprit in SSD is TRIM Command. According to a survey, TRIM enables SSD completely wiped all the deleted information in less than 3 minutes. This means that the TRIM command effectively zeros all the information as soon as it is marked as deleted by the operating system. Moreover, TRIM command effects can’t be prevented even by using Write-Blocking devices. 

Traditional Methods are not useful when we try to recover deleted data from the SSD or even any information from the SSD formatted with either Full format or Quick format. This means the traditional methods can be used for data recovery in SSD only when the TRIM command is not issued or at least one of the components does not support TRIM. The components include: 
 

• Version of Operating System: Windows Vista and Windows 7 support TRIM Command, on the other hand, Windows XP and earlier versions typically don’t support TRIM Command.
• Communication Interface: SATA and eSATA support TRIM, while external enclosures connected via USB, LAN or FireWire don’t.
• File System: Windows supports TRIM on NTFS volumes but not on FAT-formatted disks. Linux, on the other hand, supports TRIM on all types of volumes including those formatted with FAT.

Data Carving

Carving means bit-precise and sequential examination of the entire content of the hard drive. The concept of Data Carving is completely different from File Recovery. Carving allows: 
 

• Identifying particular signatures or patterns that may give a clue that some interesting data can be stored in a particular spot on the disk.
• Locating various artifacts that would not be available otherwise.

Data Carving is truly amazing when looking for destroyed evidence. In the case of data carving, investigators don’t need to rely on files as they may be partially overwritten, fragmented and scattered around the disk. Data Carving has the following features when we are dealing with the text content: 
 

• Text information is easiest to recover.
• Blocks containing text data are filled exclusively with numeric values belonging to a shallow range that represents letters, numbers, and symbols.
• When carving for text data, investigators have to take various languages and text encodings into accounts. For example, the Turkish character set differs from Latin, and neither has anything in common with Arabic, Chinese or Korean writing.
• Different encodings must be taken into account when looking for texts in each supported language.
• By analyzing the information read from the disk in terms of a specific language and a specific encoding, one can typically detect text information.

In the case of Binary data: 
 

• Binary data is much random.
• It is easy to detect the beginning and end of each text block by counting the number of characters that do not belong to a given language/encoding combination.
• Once a set threshold is met, it is assumed that the algorithm has reached the end of a given text block.

Limitations of Data Carving – 
 

• Not all formats of data can be carved.
• Data Carving is based on looking for characteristic signatures or patterns. For example- JPEG files typically have the “JFIF” signature, in the beginning, followed by the file header. ZIP archives start with “PK” and PDF files begin with “%PDF”.
• Some files can be a true binary file without any permanent signature in their header. For example, QQ messenger.
• Text-based files can be an issue in most of the cases as there is a humongous amount of plain-text files that can be stored on a PC.
• Data Carving cannot be used in the case where special algorithms are used to fill the disk space previously occupied with sensitive information with cryptographically strong random data.
• In “paranoid” mode, sensitive information is overwritten several times to make even best and cleanroom type extraction impossible.
• In case the sensitive information is not stored on a hard drive rather it is stored in RAM. In such a case Data Carving is impossible. The only feasible option here is “Live RAM Analysis”.
• Data Carving is quite useless and impossible in SSD.