Today it is no longer a surprise to most people that deleted data is not really gone. Hitting the Delete key simply moves the data to the Recycle Bin (Windows) or Trash Can (Macintosh). And even those that try to permanently remove data by emptying the Recycle Bin/Trash Can or bypassing it altogether using the more advanced format of delete are thwarted when they learn that action does not remove the data either.
Deletion simply marks the data for deletion – which leaves that data in a precarious state. Should the system need the space occupied by the “deleted” data, it will be used, thus overwriting (or partially overwriting) the original data located there. While this is not completely random, this action can leave deleted data intact for an extended time.
Forensic analysis can both identify deleted information and recover data that has not been overwritten. In many instances complete recovery of such deleted data is possible. In other situations, only a partial recovery is possible. In some of those instances, and depending on the circumstances of the matter at-hand, the partial recovery may still provide adequate evidence.
In many cases the fact that something has been deleted is the important fact. Deletion activity may be “surgical” (i.e. removal of a specific file, deletion during a narrow timeframe, etc.) or en masse. Vestige’s deletion analysis takes a critical approach at understanding the deletion that occurred, to answer things like:
If your matter can benefit from understanding these and other relevant facts surrounding potential deletion, contact Vestige to learn more.
Ctrl-Alt-Del: IT Reboot & Recovery
Data Breach | Incident Response
Data Recovery
Deletion Analysis
Device Usage Reconstruction
Document & E-mail Authentication
External Device Usage Analysis
Forensic Artifact Analysis
Internet History Analysis
Malware Analysis & Reverse Engineering
Mobile Device Analysis
Opposing Expert Critique
Password Cracking
Root Cause Analysis
