How does law enforcement recover deleted files?
We know that even if you delete a file and empty the recycle bin, the file is really still on your computer somewhere because law enforcement can retrieve deleted files. How do they do it? Great explanations - thank you!!! Can somebody please be a little more specific as to how I go about recovering deleted files? I am specifically looking to retrieve some of my teenage daughter's deleted Yahoo chat archive logs.
Public Comments
- Nothing is ever really deleted...you just think it is.
- There are "undelete" programs out there, which work because deleted files are not in general overwritten for some time. I don't know which ones are used in police forensics, but here's a link to Diskeeper's Undelete product: http://www.undelete.com
- Files are stored on your hard disc drive by manipulating the magnetic particles of the disc to orient in one of two directions. Information about the stored file (location in memory, size, filename, etc.) is then stored in the file management system to enable access to that portion of the hard disc drive containing the file. Deleting the file only deletes the reference to the file in the file management system, the oriented particles on the hard drive still contain the data. It is not difficult to retrieve that data by scanning the current state of the hard drive. You have to reformat the hard drive to erase the current state, or expose it to a strong magnetic field. Over time, a deleted file's data can be overwritten by other files. But usually, a significant portion of it remains for detection. ***NEW*** Try the link below:
- They have rooms called "clean rooms", nothing is allowed in these rooms whatsoever (to eliminate dust particles & all that). They then take the hard drive apart to get out the disk that is in the hard drive. After that it's beyond me but I know the sh-ts expensive.
- Emptying the recycle bin dereferences the files from the filesystem, which means that the space they used to be in is marked as "free" and hence if a new file requests it Windoze gives it to the new file. At this point the old file is gone for good; unfortunately it can take a long time (depending on how frequently you move files around in your disk) for those "free" spaces to be actually taken, and the "deleted" files can be read and reassembled by any tool capable of low-level reading the bits composing a file (as long as the "free" space it is in hasn't been taken over). One such tool happens to be free to get (open source) and exists in most modern linux distros. The best way to really wipe files is using a tool like bcwipe (also free) which runs several patterns of random data on the "free" space left by files deleted from the recycle bin, ensuring that space gets taken over immediately.
- Assuming the data is on a Windows machine running off a FAT, FAT32, or NTFS filesystem, there is technically no such thing as "deleting" a file, only overwriting it. Recovery programs work by picking up the magnetic traces left on the hard drive from the data, so data can still be recovered (although possibly with errors) even after it's been overwritten multiple times. This can be difficult to do on a system like linux because it uses a different file system (ext3, if I remember correctly) that automatically "reformats" the portion of the drive where the deleted data was stored. It can also be difficult if an overwrite/nuke disc was run on the machine. One such disc I use for my refurbishing charity uses the Gutmann algorithm, which overwrites the entire hard drive with random code on each pass for up to thirty passes, rendering all data virtually unrecoverable.
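An added illustration of the point the comments above make (deleting only drops the file table entry, low-level recovery scans the raw blocks, later writes or a wipe destroy what is left), written for this page and not code from any commenter or from a real recovery tool. The toy disk geometry, file names and chat lines are constructed.

```python
import re

BLOCK = 16          # bytes per block (constructed toy geometry)
NBLOCKS = 8

class ToyDisk:
    """Minimal FAT-style model: a file table plus raw data blocks."""
    def __init__(self):
        self.blocks = [bytes(BLOCK)] * NBLOCKS   # the magnetic medium
        self.table = {}                          # filename -> block numbers

    def free_blocks(self):
        used = {b for nums in self.table.values() for b in nums}
        return [b for b in range(NBLOCKS) if b not in used]

    def write(self, name, data):
        free = self.free_blocks()
        need = -(-len(data) // BLOCK)            # ceiling division
        if need > len(free):
            raise OSError("disk full")
        nums = free[:need]
        for i, b in enumerate(nums):
            self.blocks[b] = data[i * BLOCK:(i + 1) * BLOCK].ljust(BLOCK, b"\0")
        self.table[name] = nums

    def delete(self, name):
        # Emptying the recycle bin: only the table entry goes away.
        del self.table[name]

    def wipe_free_space(self, fill=b"\xff"):
        # What a wiping tool does; real tools use several random passes.
        for b in self.free_blocks():
            self.blocks[b] = fill * BLOCK

    def carve(self, pattern):
        # Low-level recovery: ignore the table and scan the raw blocks.
        return re.findall(pattern, b"".join(self.blocks))

CHAT_LINE = rb"[a-z]+: [a-z ]+\n"   # shape of one line in the constructed chat log

def demo():
    """Carving results at three stages: just deleted, partly reused, wiped."""
    disk = ToyDisk()
    disk.write("chat.log", b"alice: hi bob\nbob: hello alice\n")  # constructed sample
    disk.delete("chat.log")
    after_delete = disk.carve(CHAT_LINE)        # both lines still on disk
    disk.write("notes.txt", b"meeting at 3pm")  # reuses the first freed block
    after_reuse = disk.carve(CHAT_LINE)         # only a fragment survives
    disk.wipe_free_space()
    after_wipe = disk.carve(CHAT_LINE)          # nothing left to carve
    return after_delete, after_reuse, after_wipe

if __name__ == "__main__":
    for stage, found in zip(("deleted", "reused", "wiped"), demo()):
        print(stage, found)
```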