0

My question is not about the recovery of deleted file, nor is it about the complete wiping of a disk; it's to ask about the traces deleted files leave, and how I could possibly 'see' them or visualise them?

I'm very much interested in the right to be forgotten, data loss, technological decay etc. Which made me question the traces of the deleted files. I have read that unless you physically destroy the harddrive or override the files/disk the deleted files leave traces of some sort- loose fragments of the file that used to be there.

Is there a way for me to see those fragments and access them? Can I pull metadata from them, for instance how many files were deleted, what the extensions were of those files, sizes, names etc.

  • I added a tag that should help you find what you are looking for. You want a forensic analysis of deleted file fragments. – schroeder Mar 16 '20 at 13:19
  • 1
    Potenital duplicate: https://security.stackexchange.com/questions/58515/how-does-forensic-software-detect-deleted-files – schroeder Mar 16 '20 at 13:19
  • 1
    make an image of the hard drive and then plug it into forensics software like autopsy – john doe Dec 11 '20 at 20:18

2 Answers2

0

At a high level, the answer is, that we know something about the files or directory structure. If we know something, that means that we can look for it on a disk, even if it is not in the current directory tree.

This may sound very abstract, and it probably is. If you have a Linux system available, you can use a small (stay below the 1G if you can) USB stick for experimentation. I say small, because larger takes more time.

On the USB stick, create a file with an text editor, with something like this:

't Was brillig and the slythe toves
 did gyre and gimble in the wabe

Once you are satisfied that the file is there, delete it.

Plug it in your Linux system and do

sudo strings /dev/sdx1 | grep brillig

(replace devx1 with our actual device name). You should see the first line of Jabberwocky. It this case we knew it was ASCII-text (so we used strings to filter it out) and it contained brillig.

In most files, there is a starting set of bytes (called Magic Number) that allows you to determine what kind of file it is. For example, if you see a sector starting with 0xffd8, there is a fair chance that it is the beginning of a JPEG file (not certain, but a fair chance). Wikipedia has a whole list of those magic numbers.

There are many tools in the forensics discipline, that might even allow the recovery of files. On the low-level, the Linux/Unix dd allows you to low-level copy parts of the disk file.

Ljm Dullaart
  • 2,007
  • 5
  • 11
  • Thank you! However I don't have a linux system nearby (and the schools etc closed). I do wonder, with these magic numbers, is is possible to figure out how many files of which extension where deleted on the said usb? Even if this is an estimate maybe? (just some random thoughts here, just writing down my stream of thought) – user229077 Mar 16 '20 at 18:40
  • @user229077 You can use `binwalk` to check for such file signatures. It will read the file (in this case, `/dev/sdx1`) to check for things like those magic bytes. `binwalk` will report what files (using their file signatures) are embedded in a file and where they are in the file, – ChocolateOverflow Aug 14 '20 at 03:25
0

If you're interested in the contents of the files, you might want to have a look at PhotoRec. The metadata is largely lost (but not metadata embedded in the files such as EXIF data in JPEGS). Filenames are also lost. It recovers file contents (not just photos, but office documents, archives, multimedia etc.) even after formatting the drive. It essentially works its way through the entire drive and reconstructs what it sees as best it can. You can then count the files of a particular type, for example. Unless the drive has been overwritten it does a rather good job. You can then use standard filesystem search tools on the output if you have a lot of files (which you will).

It's FOSS and cross-platform, so you should have no trouble downloading and running it.

Chris H
  • 4,375
  • 2
  • 16
  • 23