When you delete a file from your computer's hard drive, it does not simply disappear. With enough effort and technical skill, it is often possible to retrieve documents and photos that you thought were deleted.
In cybercrime investigations this is a useful tool for law enforcement, but how does it actually work?
Before we get into the technical details, it is worth discussing the less exciting procedural and legal aspects of cybercrime in the context of law enforcement.
Adjusting the legal framework
First, let's break down the old myth that a police warrant is always required to examine a digital device such as a phone or a computer. Although a prosecutorial order is usually required, there are many "gaps" in the law.
Authorities around the world, including those in the United Kingdom and the United States, allow customs and immigration officials to examine electronic devices without a warrant. U.S. Customs and Border Protection officers may also examine the contents of devices without a warrant if evidence is suspected of having been tampered with, according to a 2018 decision of the 11th Circuit.
Compared to their American counterparts, UK police have broader access to the contents of devices without having to apply to a judge. They can, for example, download the contents of a phone under the Police and Criminal Evidence Act (PACE), regardless of whether charges have been filed. However, if the police ultimately decide that they want to examine what they downloaded from the device, they need a judge's signature.
Legislation in almost the entire Western world gives the police the right to examine devices without a warrant in certain urgent cases, such as a terrorism case or when there is a genuine fear that a child may be sexually exploited.
But ultimately, no matter how a computer is confiscated, that is only the beginning of a long process, one that starts with putting a laptop or phone in a plastic bag and often ends with evidence presented in a courtroom.
The police must follow certain rules and procedures to ensure the admissibility of evidence. Cybercrime teams document their every move so that, if necessary, they can repeat the same steps and obtain the same results. They use special tools to ensure the integrity of the files. One example is the "write blocker", which is designed to let officers extract information without accidentally modifying the data being examined.
This legal basis and procedural rigor determine whether a computer forensics investigation is successful.
Legal issues aside, it is always interesting to point out the many factors that determine how easily deleted files can be recovered by the police (and not only by them). These include the type of disk used, whether and how well it is encrypted, and the drive's file system.
Take hard drives, for example. Although they have largely been superseded by faster SSDs, mechanical hard drives (HDDs) have been the dominant storage mechanism for over 30 years. They are still widely used by those who want an economical storage solution or have very large volumes of data.
Hard disks use concentric magnetic platters to store data. If you have ever taken a hard drive apart, you have probably noticed that they look a bit like a CD: circular and silver in color.
When in use, these platters spin at remarkable speeds, usually 5,400 or 7,200 rpm, and in some cases 15,000 rpm. Special "heads" positioned over the platters perform the read and write tasks. When you save a file to the drive, the head moves to a specific part of the platter and converts an electric current into a magnetic field, changing the magnetic properties of that spot on the platter.
But how does the head know where to go? It consults something called an allocation table, which contains an entry for each file stored on the disk. But what happens when a file is deleted?
Not much.
Here is the correct answer: the entry for that particular file is removed from the table, which allows the space the file occupies on the hard disk to be reused for something else later. The data itself, however, naturally remains on the magnetic platters and is actually destroyed only when new data is written to that location on the disk.
Erasing it completely would require the magnetic head to physically return to the file's location on the platter and overwrite it, which would slow the computer down. So when it comes to hard drives, it is simpler to pretend that deleted files simply do not exist!
This makes recovering deleted files much easier for the police. They just have to recreate the missing entries in the allocation table, something that can be done even with free tools.
Of course, SSDs are different. They contain no moving parts. Instead, files are represented by electrons held in trillions of tiny transistors, which collectively form NAND flash chips.
SSDs have some similarities to hard drives, for example that files are only truly deleted when they are overwritten. However, some key differences inevitably complicate the work of police officers. Like hard drives, SSDs organize data into blocks, the size of which varies greatly between manufacturers.
The main difference here is that before an SSD can write data into a block, the block must be completely empty. To ensure that the SSD has a constant supply of available blocks, the computer issues something called the "TRIM command", which tells the SSD which blocks are no longer needed.
For investigators, this means that when they try to find deleted files on an SSD, they may find that the drive has already cleared them from where they were.
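The two behaviours described above (a hard-drive delete that only drops the allocation-table entry, versus an SSD delete followed by TRIM) and the write-blocker idea from the procedural section can be shown in a single toy model. The following is an added example, not code from the article: the disk, its allocation table, the "photo" file and the block sizes are all constructed here, and the PNG magic bytes and IEND trailer are used purely as search keys for a simple signature carver that recovers the file without consulting the table. The hash comparison mirrors what a write blocker protects: the analysis runs on an image and the image is unchanged afterwards.

```python
"""Toy model of deleted-file recovery: HDD-style delete versus SSD TRIM.

Added example, not part of the original article. The disk, its allocation
table and the sample file are all constructed here for illustration.
"""
from __future__ import annotations

import hashlib

BLOCK_SIZE = 16          # bytes per block (constructed, tiny on purpose)
NUM_BLOCKS = 32          # a 512-byte "disk"

# The real PNG magic bytes and IEND trailer are used only as search keys so a
# signature carver can spot the sample file without any allocation table.
MAGIC = b"\x89PNG"
TRAILER = b"IEND"


class Disk:
    """Block device with an allocation table (filename -> block numbers)."""

    def __init__(self, trim: bool) -> None:
        self.blocks = bytearray(BLOCK_SIZE * NUM_BLOCKS)
        self.table: dict[str, list[int]] = {}
        self.free: list[int] = list(range(NUM_BLOCKS))
        self.trim = trim  # True models an SSD that honours TRIM on delete

    def write(self, name: str, data: bytes) -> None:
        needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, blk in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.blocks[blk * BLOCK_SIZE:(blk + 1) * BLOCK_SIZE] = chunk.ljust(BLOCK_SIZE, b"\x00")
        self.table[name] = blocks

    def delete(self, name: str) -> None:
        """Drop the table entry; an HDD keeps the bytes, a TRIM'd SSD clears them."""
        blocks = self.table.pop(name)
        self.free.extend(blocks)
        if self.trim:
            for blk in blocks:
                self.blocks[blk * BLOCK_SIZE:(blk + 1) * BLOCK_SIZE] = bytes(BLOCK_SIZE)

    def image(self) -> bytes:
        """Forensic image: a copy of every block, whether or not the table references it."""
        return bytes(self.blocks)


def carve(image: bytes) -> list[bytes]:
    """Signature carving: recover MAGIC..TRAILER spans without using the allocation table."""
    found: list[bytes] = []
    pos = 0
    while (start := image.find(MAGIC, pos)) >= 0:
        end = image.find(TRAILER, start)
        if end < 0:
            break
        found.append(image[start:end + len(TRAILER)])
        pos = end + len(TRAILER)
    return found


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def investigate(trim: bool) -> dict:
    """Write a file, delete it, then try to recover it from an image of the drive."""
    disk = Disk(trim)
    photo = MAGIC + b"holiday-photo-bytes" + TRAILER  # constructed 27-byte "photo"
    disk.write("photo.png", photo)
    disk.write("notes.txt", b"unrelated text")
    disk.delete("photo.png")

    image = disk.image()
    acquired_hash = sha256(image)   # recorded at acquisition, as with a write-blocked image
    recovered = carve(image)        # analysis works on the copy, never on the live drive
    return {
        "in_table": "photo.png" in disk.table,
        "recovered": recovered,
        "hash_unchanged": sha256(disk.image()) == acquired_hash,
    }


if __name__ == "__main__":
    for kind, trim in (("HDD (no TRIM)", False), ("SSD (TRIM)", True)):
        r = investigate(trim)
        print(f"{kind}: table entry={r['in_table']}, carved={r['recovered']}, "
              f"image hash unchanged={r['hash_unchanged']}")
```

On the HDD model the carver returns the whole photo even though the table no longer mentions it; on the TRIM model the same carver finds nothing because the blocks were cleared when the entry was dropped. The carver also assumes the file sits in contiguous blocks, which is exactly the assumption that wear leveling on a real SSD breaks.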
SSDs can also scatter a file across multiple blocks on the drive to reduce the wear caused by daily use. Because an SSD's cells can only withstand a finite number of writes, it is important that writes are distributed across the whole drive rather than concentrated in one small area. This technique is called wear leveling, and it is known to make life difficult for digital forensics professionals.
Then there is the fact that SSDs are harder to image because on some devices they cannot be removed. While hard drives are almost always removable and connected via standard interfaces such as IDE or SATA, some laptop manufacturers choose to integrate the storage directly onto the machine's motherboard. This makes it difficult for the police to extract the contents.
The real complications
Conclusion: yes, the police can recover deleted files if they want to. However, advances in storage technology and widespread encryption complicate matters somewhat. In particular, if you have encrypted your data thoroughly and with a very long password, it will be very difficult to decrypt. Remember the example of the widow who could not get at her husband's Bitcoin because the laptop had strong encryption.
However, whatever the technical problems, they can often be overcome. In digital investigations, the biggest challenge facing the police is not the mechanics or the encryption, but rather the lack of resources.
There are not enough trained professionals to do the job, and police forces around the world usually have a large backlog of unprocessed phones, laptops and servers.
An article in the British newspaper The Times reported that the 32 police forces across England and Wales have more than 12,000 devices waiting to be examined. The processing time for a device ranges from one month to more than a year.
And that has consequences. The foundation of any proper justice system is that justice should be prompt. When justice is delayed, there is no real justice.