When you delete a file from your computer's hard drive, it does not simply disappear. With enough effort and technical skill, it is often possible to retrieve documents and photos you thought were gone.
In cybercrime cases this is a useful law enforcement tool, but how does it actually work?
Before we get into the technical details, it is worth covering the less exciting procedural and legal aspects of cybercrime investigations.
Adjusting the legal framework
First, let's dispel the old myth that a police warrant is always required to examine a digital device such as a telephone or a computer. Although a prosecutorial order is usually required, there are many "gaps" in the law.
Jurisdictions around the world, including the United Kingdom and the United States, allow customs and immigration officials to examine electronic devices without a warrant. U.S. Customs and Border Protection may also examine the contents of devices without a warrant if evidence is suspected of having been tampered with, according to a 2018 decision of the 11th Circuit.
Compared with their American counterparts, UK police have broader access to the contents of devices without having to apply to a judge. They can, for example, download the contents of a telephone under a law called the Police and Criminal Evidence Act (PACE), regardless of whether charges have been filed. However, if the police then decide they want to examine the contents they downloaded from a device, they must obtain a judge's signature.
Legislation across almost the entire Western world gives the police the right to examine devices without a warrant in certain urgent cases, such as a terrorism investigation or when there is a genuine fear that a child may be a victim of sexual exploitation.
But ultimately, however a computer is confiscated, that is only the beginning of a long process, one that starts with putting a laptop or phone in an evidence bag and often ends with evidence presented in a courtroom.
The police must follow specific rules and procedures to ensure that evidence is admissible. Cybercrime teams document their every step so that, if necessary, they can repeat the same steps and obtain the same results. They use special tools to preserve the integrity of the files. One example is the "write blocker", a device designed to let officers extract data without accidentally modifying the material being examined.
This legal basis and procedural rigour determine whether a computer forensics investigation succeeds.
Legal issues aside, it is worth pointing out the many factors that determine how easily deleted files can be recovered by the police (and not only by them). These include the type of disk used, whether it is encrypted and how well, and the drive's file system.
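The write blocker and the repeatable, documented examination described above, as an added example that is not code from the article or from any forensic product: a software stand-in for a hardware write blocker, with the before/after hashing examiners record to show that an evidence image was unchanged. The sample image, the tool steps and the class names are constructed for illustration.

```python
# Added example, not from the article: a software stand-in for a hardware
# write blocker plus before/after hashing. Image and tool steps are constructed.
import hashlib
import io

class WriteBlockedImage:
    """Wraps an evidence image and refuses every write, as a write blocker does."""
    def __init__(self, image_bytes):
        self._buf = io.BytesIO(image_bytes)   # private working copy

    def read(self, offset, length):
        self._buf.seek(offset)
        return self._buf.read(length)

    def write(self, offset, data):
        raise PermissionError("write blocker: evidence device is read-only")

    def snapshot(self):
        return self._buf.getvalue()

class UnblockedImage(WriteBlockedImage):
    """Same interface with no blocker: a careless tool really can alter evidence."""
    def write(self, offset, data):
        self._buf.seek(offset)
        self._buf.write(data)

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def examine(image_bytes, steps, blocked=True):
    """Run each documented step and return (hash_before, hash_after, log);
    matching hashes show the image is byte-for-byte what was seized."""
    before = sha256_hex(image_bytes)
    dev = WriteBlockedImage(image_bytes) if blocked else UnblockedImage(image_bytes)
    log = []
    for name, step in steps:
        try:
            log.append((name, step(dev)))
        except PermissionError as exc:
            log.append((name, f"blocked: {exc}"))
    return before, sha256_hex(dev.snapshot()), log

def read_boot_sector(dev):
    return dev.read(0, 8).hex()

def set_mount_flag(dev):        # what a careless mounting tool might do
    dev.write(4, b"M")
    return "flag written"

SAMPLE_IMAGE = b"FAT\x00\x00 constructed evidence image".ljust(64, b"\0")
STEPS = [("read boot sector", read_boot_sector), ("set mount flag", set_mount_flag)]
```

With the blocker in place the hashes match and the stray write is logged as blocked; without it the same steps change the hash, which is exactly what a defence expert would look for.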
Take hard drives, for example. Although far slower than the fastest SSDs, mechanical hard drives (HDDs) have been the dominant storage device for over 30 years. They are widely used by those who want an economical storage solution or who have a very large volume of data.
Hard disks use concentric magnetic platters to store data. If you have ever taken a hard drive apart, you have probably noticed that the platters look a bit like a CD: circular and silver in colour.
In use, these platters spin at remarkable speeds, usually 5,400 or 7,200 rpm and in some cases as much as 15,000 rpm. Special "heads" positioned over the platters perform the read and write tasks. When you save a file to the drive, a head moves to a specific area of the platter and converts an electric current into a magnetic field, changing the magnetic state of the surface at that spot.
But how does the head know where to go? It consults something called an allocation table, which contains an entry for each file stored on the disk. But what happens when a file is deleted?
Not much.
Here is the correct answer: the entry for that particular file is removed, allowing the space on the hard disk to be reused for something else later. The data itself, however, remains on the magnetic platters and is actually destroyed only when new data is written to that location on the disk.
Truly erasing a file would require the head to physically travel to the file's location on the platter and overwrite it, which would slow the computer down. So when it comes to hard drives, it is simpler to pretend that deleted files simply do not exist!
This makes recovering deleted files much easier for the police. They only have to reconstruct the missing pieces of the file system, which can be done even with free tools.
SSDs, of course, are different. They contain no moving parts. Instead, files are represented as electrons held in trillions of tiny transistors, which together make up NAND flash chips.
SSDs share some similarities with hard drives, such as the fact that files are only truly gone once they are overwritten. However, some key differences inevitably complicate the work of investigators. Like hard drives, SSDs organize data into blocks, with sizes that vary greatly between manufacturers.
The main difference here is that before an SSD can store data, the block must be completely empty. To ensure that the SSD always has a supply of empty blocks available, the computer issues something called the "TRIM" command, which informs the SSD which blocks are no longer required.
For investigators, this means that when they try to find deleted files on an SSD, they may discover that the drive has already disposed of them long before.
SSDs also scatter files across multiple blocks on the drive to reduce the wear caused by everyday use. Because SSDs can withstand only a finite number of writes, it is important that those writes are spread across the whole drive rather than concentrated in one small area. This technique is called wear levelling and is known to make life difficult for digital forensics professionals.
Then there is the fact that SSDs are harder to image because on some devices they cannot be removed. While hard drives are almost always replaceable and connected via standard interfaces such as IDE or SATA, some laptop manufacturers choose to solder the storage onto the machine's motherboard. This makes it harder for police to extract its contents.
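A toy model of the allocation-table behaviour described above for hard drives, and of what TRIM changes on an SSD, added here as an example (not code from the article): deleting a file only drops its table entry, so a signature scan of the raw blocks still finds it until the space is reused, whereas a TRIM-honouring drive erases the blocks at once. The block size, the sample file and the simplified TRIM handling are constructed assumptions; the JPEG start-of-image marker is real.

```python
# Added toy model, not from the article: a disk whose allocation table maps
# file names to blocks. Sizes, the sample file and TRIM handling are simplified.
BLOCK_SIZE = 16                  # bytes per block, deliberately tiny
NUM_BLOCKS = 8
JPEG_MAGIC = b"\xff\xd8\xff"     # real JPEG start-of-image marker, used for carving
PHOTO = JPEG_MAGIC + b"constructed sample image bytes"   # constructed file content

class ToyDisk:
    def __init__(self, trim):
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(NUM_BLOCKS)]
        self.table = {}                      # file name -> list of block indices
        self.free = list(range(NUM_BLOCKS))
        self.trim = trim                     # True models an SSD honouring TRIM

    def write(self, name, data):
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        used = [self.free.pop(0) for _ in chunks]
        for idx, chunk in zip(used, chunks):
            self.blocks[idx] = chunk.ljust(BLOCK_SIZE, b"\0")
        self.table[name] = used

    def delete(self, name):
        # A normal delete only forgets the table entry and frees the blocks;
        # the bytes stay where they are until something reuses the space (HDD).
        used = self.table.pop(name)
        self.free = used + self.free          # freed blocks are reused first
        if self.trim:
            # TRIM tells the SSD the blocks are unused, so it erases them now.
            for idx in used:
                self.blocks[idx] = bytes(BLOCK_SIZE)

    def carve(self, magic):
        # What a recovery tool does: ignore the table, scan the raw blocks for a
        # file signature and read up to the first NUL (sample files hold no NULs).
        raw = b"".join(self.blocks)
        hit = raw.find(magic)
        if hit < 0:
            return None
        end = raw.find(b"\0", hit)
        return raw[hit:end if end >= 0 else len(raw)]

def recover_after_delete(trim, overwrite=False):
    """Write a photo, delete it, optionally reuse the space, then try to carve it."""
    disk = ToyDisk(trim)
    disk.write("photo.jpg", PHOTO)
    disk.delete("photo.jpg")
    if overwrite:
        disk.write("notes.txt", b"new data reusing the freed blocks of the old file")
    return disk.carve(JPEG_MAGIC)
```

The three cases a practitioner cares about fall out directly: carving succeeds on the HDD-style disk, fails once the freed blocks are reused, and fails immediately on the TRIM-honouring SSD.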
The real complications
Conclusion: yes, the police can recover deleted files if they so wish. However, advances in storage technology and widespread encryption complicate matters somewhat. In particular, if you have applied comprehensive encryption with a very long password, it will be very difficult to decrypt your data. Remember the example of the widow who could not access her husband's Bitcoin because his laptop was strongly encrypted.
Yet whatever the technical problems, they can often be overcome. When it comes to digital investigations, the biggest challenge facing the police is not the mechanics or the encryption, but the lack of resources.
There are not enough trained professionals to do the job, and police forces around the world often face large backlogs of unprocessed phones, laptops and servers.
An article in the British newspaper The Times reported that the 32 police forces across England and Wales had over 12,000 devices waiting to be examined, with the processing time for a device ranging from one month to more than a year.
And that has consequences. A foundation of any proper justice system is that justice should be swift. When justice is delayed, there is no real justice.