Why deleted is never really deleted

Something New Every Day – Lecture 14 – Computer forensics & digital evidence

If you’ve ever wondered how it is that forensic computer experts are able to ‘recover’ supposedly deleted stuff from criminal computers, here’s how.

Most computers store files in ‘contiguous’ circles/tracks in the memory. Each tracks have a limited size and so a computer will find a ‘gap’ big enough for whatever file you’re working on and slot it in there. This is ‘fragemented’ filing.  After time you develop a whole bunch of smaller ‘slack’ spaces between the actual files. Active ‘de-fragging’ by users can minimise this and tighten up some of that slack space which reopens new space for bigger files again, but computers (for whatever reason) decide to store deleted and temp files in the slack space and you don’t know about it.

Forensic experts have software tools to let them access and review slack space. And if your great hacking heist or your 250 peadophilic images that you thought you’d deleted are littering your slack space then they’re there to be found.  It’s unlikely to be a full document but it might be enough to incriminate someone to get them on a suspect list (part of a record, one image…etc)

BTW, this is also how hackers find juicy bits of high-security stuff on peoples PCs – like credit card numbers, temp files or sensitive material.

Will de-fragging protect you from hackers? Maybe. Less slack space means less likelihood that your computer will decide to pack them out with deleted/dead files.

‘Trails of Evidence: How Forensic Science Works” is a The Great Courses DVD lecture series