Can the police recover the files you have deleted?

When you delete a file from your computer hard drive, it will not disappear. With enough effort and technical skill, it is often possible to retrieve documents and photos that you thought were deleted.

In cybercrime this feature is a useful law enforcement tool, but how does it really work?

Before we get into the technical details, it is worth discussing the boring procedural and legal aspects of cybercrime in the context of law enforcement.

Adjusting the legal framework


First, let's break down the myth that police always need a warrant to search a digital device such as a phone or computer. Although a prosecutorial order is usually required, there are many "loopholes" in the law.

Authorities around the world, such as in the United Kingdom and the United States, allow customs and immigration officials to examine electronic devices without a warrant. U.S. Customs and Border Patrol may also examine the contents of devices without a warrant if evidence is suspected of being tampered with, according to a decision of the 11th district from 2018.

Compared to their American counterparts, UK police have more access to the contents of devices without having to make a request to a judge. They can, for example, download the contents of a telephone using a law called the Police and Criminal Evidence Act (PACE), regardless of whether charges have been filed. However, if the police ultimately decide that they want to examine the contents they downloaded from a device, they must obtain a court's signature.

Legislation in almost the entire Western world gives the police the right to examine devices without a warrant in some cases where there is an urgent need, such as a terrorism case or when there is a real fear that a child may be a victim of sexual exploitation.

But in the end, regardless of the "how", the confiscation of a device is the beginning of a long process, starting with placing a laptop or phone in a plastic bag and often ending with evidence presented in the courtroom.

The police must follow certain rules and procedures to ensure the admissibility of evidence. Cybercrime teams document their every move so that, if necessary, they can repeat the same steps and achieve the same results. They use special tools to ensure the integrity of the files. An example is a "write blocker", which is designed to allow police officers to extract information without accidentally modifying the data being examined.

This legal basis and procedural rigor determine whether a computer forensics investigation is successful.

Hard drives


Legal issues aside, it is worth pointing out the many factors that determine how easily deleted files can be recovered by the police (and others). These include the type of disk the files are stored on, whether encryption is in place and whether it was successful, as well as the file system of the drive.

Take hard drives, for example. Although they have been overtaken by faster SSDs, mechanical hard drives (HDDs) have been the dominant storage device for over 30 years. They are widely used by those who want an economical storage solution or have a very large volume of data.

Hard drives use concentric magnetic disks to store data. If you've ever taken apart a hard drive, you've probably noticed how they look a little like CDs. They are round and silver in color.

When these disks are in use they spin at incredible speeds, usually either 5,400 or 7,200 rpm, and in some cases up to 15,000 rpm. Special "heads" positioned over these disks perform the reading and writing tasks. When you save a file to the disk drive, this "head" moves to a specific part of the disk and converts an electric current into a magnetic field, thereby changing the properties of the disk.

But how does it know where to go? Well, it looks at something called an allocation table, which contains a record for each file stored on the disk. But what happens when a file is deleted?

Not much.

Here is the full answer: the record for that particular file is deleted, allowing the space it occupied on the hard disk to be reused for something else later. However, the data remains physically present on the magnetic disks and is actually erased only when new data is written to that location on the disk.

After all, fully erasing the files would require the magnetic head to move to the physical location of the file on the disk and overwrite it. This could slow down the computer's performance. So when it comes to hard drives, it's simpler to pretend that the deleted files just don't exist!

This makes recovering deleted files much easier for the police. They just have to recreate the missing pieces in the partition, which can be done even with free tools.

SSD


Of course, SSDs are different. They do not contain moving parts. Instead, files are represented as electrons held by trillions of tiny transistors. Together, these form NAND flash chips.

SSDs have some similarities to hard drives: files are only truly deleted when they are overwritten, and, like hard drives, SSDs organize data into blocks, with sizes varying greatly between manufacturers. However, some key differences inevitably complicate the work of police officers.

The main difference here is that for an SSD to store data, the block must be completely empty. To ensure that the SSD has a continuous supply of available blocks, the computer issues something called a "TRIM command", which informs the SSD which blocks are no longer required.

For investigators, this means that when they try to find deleted files on an SSD, they may find that the drive has already put them out of reach.

SSDs can also scatter files across multiple blocks on the drive to reduce the amount of wear caused by everyday use. Because SSDs can only withstand a finite number of writes, it is important that the writes are distributed throughout the drive rather than concentrated in one small area. This technology is called wear leveling and is known to make life difficult for digital forensics professionals.

Then there is the fact that SSDs are harder to image, because on some devices they cannot be removed. While hard drives are almost always replaceable and connected via standard interfaces, such as IDE or SATA, some laptop manufacturers choose to integrate storage onto the machine's motherboard. This makes it difficult for police to extract the contents.
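A toy model of the deletion behaviour described in the hard drive and SSD sections, added here as an example and not taken from the original article. `ToyDisk`, its 16-byte blocks and the `%DOC`/`%END` file markers are all constructed, and the SSD is assumed to empty trimmed blocks immediately:

```python
# Added illustration: ToyDisk, BLOCK and every file below are constructed.
BLOCK = 16  # bytes per block (real drives use 512 or 4096)

class ToyDisk:
    def __init__(self, blocks, trim=False):
        self.data = bytearray(blocks * BLOCK)  # the platters or flash cells
        self.table = {}                        # allocation table: name -> blocks
        self.free = list(range(blocks))
        self.trim = trim                       # assumption: TRIM acted on at once

    def write(self, name, payload):
        chunks = [payload[i:i + BLOCK] for i in range(0, len(payload), BLOCK)]
        used = [self.free.pop(0) for _ in chunks]
        for blk, chunk in zip(used, chunks):
            self.data[blk * BLOCK:(blk + 1) * BLOCK] = chunk.ljust(BLOCK, b"\0")
        self.table[name] = used

    def delete(self, name):
        blocks = self.table.pop(name)          # only the record is removed
        self.free = blocks + self.free         # the space becomes reusable
        if self.trim:                          # SSD case: blocks are emptied
            for blk in blocks:
                self.data[blk * BLOCK:(blk + 1) * BLOCK] = bytes(BLOCK)

def carve(disk, header=b"%DOC", footer=b"%END"):
    """Search unallocated blocks, in disk order, for header..footer runs."""
    raw = b"".join(bytes(disk.data[b * BLOCK:(b + 1) * BLOCK])
                   for b in sorted(disk.free))
    found, pos = [], 0
    while (start := raw.find(header, pos)) != -1:
        end = raw.find(footer, start)
        if end == -1:
            break
        found.append(raw[start:end + len(footer)])
        pos = end + len(footer)
    return found

def scenario(trim=False, overwrite=False):
    disk = ToyDisk(blocks=8, trim=trim)
    disk.write("keep.txt", b"%DOC still allocated %END")
    disk.write("secret.txt", b"%DOC meet at the old pier, 9pm %END")
    disk.delete("secret.txt")
    if overwrite:                              # new data lands on the freed blocks
        disk.write("new.txt", b"%DOC " + b"x" * 38 + b" %END")
    return carve(disk)

if __name__ == "__main__":
    for kw in ({}, {"overwrite": True}, {"trim": True}):
        print(kw or "plain delete", "->", scenario(**kw))
```

Only the plain delete leaves the file recoverable from unallocated space; once the freed blocks are overwritten or trimmed, the carve comes back empty.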

The real complications

Conclusion: Yes, the police can recover deleted files if they so desire. However, advances in storage technology and widespread encryption complicate matters somewhat. Especially if you have applied extensive encryption with a very long password, it will be very difficult to decrypt your data. Remember the example of the widow who couldn't get her husband's Bitcoins because he had strong encryption.

However, whatever the technical problems, they can often be overcome. With regard to digital investigations, the biggest challenge facing the police is not the mechanisms and encryption, but rather the lack of resources.

There are not enough trained professionals to do the job. And police forces around the world often face a large number of unprocessed phones, laptops and servers.

An article from the British newspaper The Times reported that the 32 police forces across England and Wales have over 12,000 devices waiting to be tested. The processing time of a device varies from one month to more than one year.

And that has consequences. The foundation of any proper system of justice is that justice should be immediate. When justice is delayed, there is no justice.

iGuRu.gr The Best Technology Site in Greece

Written by Dimitris