Deleted?

As technology continues to play a larger role in litigation and internal company investigations, lawyers and investigators are expected to comprehend the inner workings of computers and how they relate to any computer conduct at issue.

Most lawyers by now understand the basic rule that "delete does not mean delete." However, learning exactly how computers retain deleted data is a technological lesson that most attorneys have not encountered.

When a computer file is deleted, several behind-the-scenes processes occur. For a FAT-based file system, the first character of the file's name is replaced with a special character that tells the computer system that the file has been deleted. For example, a file named "thesmokinggun.doc" would become "E5hesmokinggun.doc," making it virtually impossible to find the file by searching for it under its title. Also, the file’s entries in the File Allocation Table (FAT) and the associated sectors of the drive are marked as available to store new data. This available space is now deemed "unallocated space." Until new data, which is stored in a random fashion on the drive, is written to each and every sector that has been marked as available, portions of the deleted data are recoverable. Even then, if the new file is smaller than the footprint of the deleted file, portions of the deleted file might still be recoverable. This area of space is called "slack space."
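The directory-entry marking described above, shown as an added example (not NetEvidence's code): a small Python scan that finds entries whose first name byte is the deletion marker 0xE5 and reads the data still sitting in their clusters. The 32-byte entry layout follows the FAT on-disk format; the directory, file names, 16-byte cluster size and file contents are constructed, and recovery assumes the file was stored contiguously and has not been overwritten.

```python
import struct

DELETED = 0xE5    # first name byte of a deleted FAT directory entry
ATTR_LFN = 0x0F   # attribute value of long-file-name entries (skipped here)
CLUSTER = 16      # constructed cluster size in bytes; real clusters are 512+

def make_entry(name, ext, first_cluster, size):
    """Build one 32-byte short-name directory entry (constructed sample)."""
    raw = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    return raw + struct.pack("<B8xHHHHI", 0x20, first_cluster >> 16, 0, 0,
                             first_cluster & 0xFFFF, size)

def delete(entry):
    """Deletion as the page describes it: only the first name byte changes."""
    return bytes([DELETED]) + entry[1:]

def find_deleted(directory, data_area):
    """Return (name, first_cluster, size, content) for each deleted entry."""
    found = []
    for off in range(0, len(directory), 32):
        e = directory[off:off + 32]
        if e[0] == 0x00:                      # end-of-directory marker
            break
        if e[0] != DELETED or e[11] == ATTR_LFN:
            continue
        _attr, hi, _, _, lo, size = struct.unpack("<B8xHHHHI", e[11:])
        # The original first character is gone; show it as "?".
        name = "?" + e[1:8].decode("ascii").rstrip()
        ext = e[8:11].decode("ascii").rstrip()
        cluster = (hi << 16) | lo
        start = (cluster - 2) * CLUSTER       # data clusters are numbered from 2
        # Assumption: contiguous file whose clusters have not been reused.
        found.append((f"{name}.{ext}", cluster, size,
                      data_area[start:start + size]))
    return found

# Constructed sample: a two-cluster data area and a directory with two files,
# one of them deleted, followed by an end-of-directory entry.
DATA = b"quarterly notes ".ljust(CLUSTER) + b"the smoking gun!".ljust(CLUSTER)
DIRECTORY = (make_entry("NOTES", "TXT", 2, 15)
             + delete(make_entry("SMOKING", "DOC", 3, 16))
             + bytes(32))

if __name__ == "__main__":
    for name, cluster, size, content in find_deleted(DIRECTORY, DATA):
        print(name, cluster, size, content)
```

The live file is ignored, while the deleted entry still yields its remaining name, starting cluster, size and contents, because nothing but the first name byte was changed.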

Deleting a computer file can be compared to a library’s "card catalog" system: when a book’s index card is pulled from the card catalog, the book still remains on the shelf. The book is not removed from the shelf until the space it occupies is physically cleared by the librarian and filled by a new book.

How long is computer data retrievable? Factors influencing the recovery of deleted files include how the files were deleted, the amount of time that has passed and the computer usage since deletion, the use of file deletion/destruction programs, etc. Typically, data does not change or grow as rapidly on a user’s laptop or desktop as it does on a file server. In addition, with larger hard drives becoming cheaper to acquire, deleted data tends to remain for longer periods of time after a deletion occurs. Unless steps are taken to hide or remove deleted data more permanently, the possibility exists for computer forensic experts to recover or examine data otherwise thought to be destroyed.

 

 


Copyright © 2004 - 2009 NetEvidence, Inc. All Rights Reserved.