Recovering The Deleted File
In the growing story about text messages here in the City of Detroit, there has been a lot of focus on the issue of “Deleted Files” and if deleted files can be recovered. Yesterday (April 29, 2008) we did an interview for “Ruth to the Rescue report on Local 4 News/WDIV-TV, Detroit, MI” .
Ruth Spencer is a Consumer Reporter and her story line focused on how the consumer needs to be aware that merely deleting a file from the computer does not erase the file. In her interview with Ives Potrafka, a Senior Forensic Examiner for the Center for Computer Forensics, she learned that deleted files can be recovered fairly easily if you have the correct tools. She also learned that the Data Recovery Group has an extensive business recovering lost files.
At the close of the interview Mr. Potrafka suggested that if consumers want to protect themselves from people recovering deleted files, then the consumer should research wiping utilities on the web. Ruth closed the segment with a warning to consumers that they needed to diligent when getting rid of their old computers to make sure that their sensitive information, is in fact, unrecoverable.
As a follow on, Mike Wendland, the Technology Editor for the Detroit Free Press, wrote an article today (April 30, 2008) entitled “More proof that deleting a file doesn’t kill it”
The article said, in part:
Here’s a computer secret most people don’t know: The delete key doesn’t really delete. A deleted computer file can usually be recovered, even if it seems to have been removed from your hard drive.
As the latest chapter in Detroit’s ongoing saga of the mayor and his text messages unfolds, we once again learn a valuable technology lesson: Computers seldom forget.
The latest round of messages, further illuminating Mayor Kwame Kilpatrick’s affair with then chief of staff Christine Beatty, was released Tuesday by Wayne County Circuit Judge Robert Colombo Jr.
A forensic expert recovered the document that contained the messages from the computer of Mike Stefani, the attorney for three former Detroit police officers who sued Kilpatrick.
What the article does not say is that the file was reported to have been deleted by Mike Stefani from his computer in late 2007 as part of a law suit settlement. The file was recovered in late April 2008 by a computer expert. The use of the computer for several months did not overwrite the file that was recovered.
What the consumer needs to understand is that the delete key in a Windows environment does not erase a file. In windows, deleting a file puts the file into the recycle bin. In essence all the user has done is move the file to a different folder on the hard drive and modified the file name. When you empty the recycle bin, the user has told the computer that the space is available for the computer to store another file. Given the size of hard drives today, that file may not be overwritten for a long time.
The analogy I like to use is the manual card file at the library:
- The delete key removes the index card form the catalog. The book is still on the shelf and the Librarian can put the card back in the catalog.
- Emptying the recycle bin is the Librarian throwing the card away. The book is still on the shelf and will remain there until another book needs the space.
- A wipe utility overwrites the space where the file was stored and effectively removes the file from the hard drive.
To ensure that the data has been fully erased we recommend that the data utility used overwrite the physical areas of the hard drive multiple times with varying patterns. To learn more Google “wiping utilities” or “data eraser”. I have used Webroots Window washer in the past and it seems to work fairly quickly.
Data Recovery Diagnositics
Data Recovery Diagnostics
This is intended to be a guideline for determining whether a hard drive is failing physically or if the drive is a candidate for software recovery by technicians in the field.
There are many commercial utilities that will allow users or qualified technicians to recover data from a hard drive that is otherwise inaccessible. Commercial utilities work with varying degrees of success. The question to be asked is when is it a good idea to use these utilities versus when is a good idea to send the hard drive to Data Recovery Group?
The first step is to determine if the hard drive is functioning. If the hard drive is functioning properly it should be recognized in the CMOS and you should be able to boot the system from another media source, such as a floppy, CD-ROM, or another hard drive. If there are any BIOS errors when attempting to boot the system the hard drive has malfunctioned and needs to be sent to Data Recovery Group. If during the boot process the system is unable to boot from an alternate media source, this is another indication that hard drive is malfunctioning. Further attempts to boot the system could seriously reduce the likelihood of a successful data recovery.
If the system can be successfully booted the next step is to attempt to run the data recovery utility. Most utilities work in the same way. The first step the data recovery utility performs is to scan the drive to locate the file system components. Most utilities will display this scan with some type of progress meter. It is necessary to monitor progress and to stay with the hard drive while the utility is operating. If the hard drive starts to make unusual noises stop the scan immediately and power down the computer. The hard drive will need to be sent to us. Another thing that needs to be watched is the rate of progress for the utility. Usually there will be a count of sectors read. The count should steadily increase and it should not stop. If the count or progress does stop the scan should be terminated and the computer powered down. Failure to stop could jeopardize the likelihood of a successful data recovery. The hard drive should be sent to Data Recovery Group.
If there are any signs that the hard drive is failing physically, it is important that software data recovery utilities not be used on the hard drive. Hard drives usually fail gradually and this failure process will be accelerated during a full scan of the hard drive necessary for most data recovery utilities to recover the data.
It is important to read the instructions provided with any data recovery utility you may use on a hard drive. It is important that if you can complete a scan of the failing hard drive that the recovered files are not saved back to the hard drive you are trying to recover. It is possible o save recovered files on the source drive and if this occurs the recovered files could overwrite other files you are trying to recover.
In conclusion, it is very important to determine if a drive has any physical failure before attempting to recover the data using a utility. Data Recovery Group has received many hard drives from customers where the data could have been recovered had we received the drive right after the original failure. Repeated attempts to recover the data with software rendered the drive useless and the data not recoverable.
Hard drives fail, always have & always will…
The ability to properly diagnose & temporarily restore a disk drive to operating condition is vital to the recovery of data. If you have experienced data loss, it is the result of a mathematical problem, a mechanical problem, an electrical problem or a combination of the three, and Data recovery Group is uniquely qualified to recover your data.