In the context of legal cases, the ability to recover deleted data from hard drives may be critical for litigation. Whether the data is being sought as evidence or to ensure that information isn’t lost, the process of retrieving it requires a deep understanding of technology and forensic techniques.

In this blog post, we will explore five primary factors that can impact the success of data recovery efforts in computers, including the following:

1. Type of storage media

2. Type of file system

3. Method of deletion

4. Method of data loss

5. Length of time since the data was deleted


Storage Media

One of the key factors that can impact the success of recovering deleted data from hard drives is the type of storage media being used. There are two main types of storage media: hard disk drives (HDD) and solid state drives (SSD). These two types of storage media manage data differently, which can impact the chances of successful recovery.

Hard Disk Drives

HDDs store data on spinning disks, making it sometimes possible to recover deleted data even after the file system has marked it as “deleted.” In this scenario, the file system designates the space the deleted file occupied as being available for reuse. Until this space is overwritten with new data, however, it remains on the disk and can be recovered. It’s important to note that the longer the data is designated as “available for reuse,” the greater the chance of it being overwritten with new data and becoming unrecoverable.

Solid State Drives

Solid state drives do not store data the way HDDs do, due to fundamental differences in their underlying technology. Unlike HDDs, SSDs store data on flash memory chips. This makes it nearly impossible to recover deleted data, because SSDs use an algorithm called wear leveling to spread the data to multiple locations. From there, TRIM commands inform the controller which blocks of data can be deleted.

This process automatically deletes data from flash memory chips, which removes the mapping of the deleted file. As a result, the data on an SSD can be quickly overwritten, making it unrecoverable.

How Common are HDDs and SSDs?

Whether a computer utilizes a hard disk drive or solid-state drive may be dependent on the computer’s application, usage, or age. HDDs have been widely used for decades and are still prevalent in many computers, servers, and data storage systems. They are a reliable and cost-effective storage solution for data that is frequently used and does not require high-speed access.

On the other hand, SSDs have become increasingly popular in recent years due to their faster data access speeds, lower power consumption, and improved reliability. They are commonly used in high-performance computers, laptops, and mobile devices where fast data access speeds are critical.

Type of File System

The file system used on the storage media can also impact the success of recovering deleted data from hard drives, because each type of file system manages files and directories differently. Some of the most common file systems include:

  • Windows: NTFS (New Technology File System)
  • macOS: APFS (Apple File System) or HFS+ (Hierarchical File System Plus)
  • Linux: EXT4 (Fourth Extended File System) or XFS (XFS File System)
  • Portable Storage: exFAT (Extended File Allocation Table)

NTFS (Windows)

The NTFS file system used on Windows computers keeps a record of deleted information in a special area of the disk called the “Master File Table.” This makes it possible to recover files in some cases, even after the file system has marked the data as “deleted.”

HFS+ and APFS (Mac)

The HFS+ file system used by older versions of Mac computers also keeps a record of deleted files, but the data is not always recoverable. The newer APFS file system used by recent versions of Macs is designed to be more secure. APFS uses a copy-on-write technology, meaning that when data is written to the storage media, a new copy of the data is created, and the original is marked for deletion.

exFAT (Portable Storage)

It’s worth noting that many devices also use exFAT. This is a common file system for portable storage devices, such as USB drives, due to its compatibility with multiple operating systems. Typically, recovering data from exFAT file systems is relatively easy compared to APFS or NTFS. exFAT uses a straightforward file allocation table (FAT) that maintains a record of where files are saved on the storage media.

When a file is deleted, the system updates the FAT to indicate that the space previously occupied by the file is now free. This means that deleted data can be recovered by searching for unallocated space on the storage media and recovering the data from there.
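Searching unallocated space is usually done by file carving: scanning the raw image for known file signatures. The sketch below is an added example, not code from the original post or any forensic product. It assumes 512-byte sectors and contiguous files, works on a constructed in-memory image, and the function names are hypothetical. It also shows the same deleted file becoming unrecoverable once new data overwrites its tail.

```python
"""Added example: signature-based carving of a raw image (constructed data)."""

SECTOR = 512                 # assumed sector size
JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image plus first marker byte
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image marker


def carve_jpegs(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Return (offset, data) for each sector-aligned SOI..EOI run in image."""
    found = []
    for offset in range(0, len(image), SECTOR):
        if not image.startswith(JPEG_SOI, offset):
            continue
        # Simplification: the first EOI ends the file. Real JPEGs can embed
        # thumbnails with their own EOI, which production carvers handle.
        end = image.find(JPEG_EOI, offset + len(JPEG_SOI), offset + max_size)
        if end == -1:
            continue  # footer gone: tail was overwritten or file is fragmented
        found.append((offset, image[offset:end + len(JPEG_EOI)]))
    return found


def build_image(overwrite_tail: bool) -> bytes:
    """Constructed 8-sector image: one deleted file left in free space."""
    # Not a decodable picture: only the header and footer bytes are real.
    fake_jpeg = JPEG_SOI + b"\xe0" + b"J" * 900 + JPEG_EOI
    image = bytearray(b"\x00" * (8 * SECTOR))
    image[3 * SECTOR:3 * SECTOR + len(fake_jpeg)] = fake_jpeg
    if overwrite_tail:
        # New data lands on sector 4, which held the end of the deleted file.
        image[4 * SECTOR:5 * SECTOR] = b"N" * SECTOR
    return bytes(image)


if __name__ == "__main__":
    for overwritten in (False, True):
        hits = carve_jpegs(build_image(overwritten))
        print("overwritten" if overwritten else "untouched",
              [(off, len(data)) for off, data in hits])
```

In casework, carving is run against a write-blocked forensic image of the media, never the original device.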

Method of Deletion

The method of deletion is another critical factor that can impact the success of data recovery efforts. Different methods include simple file deletion, low-level formatting of the storage media, and secure deletion.

Deletion via Operating System

When a file is deleted using the operating system, it is usually marked as deleted in the file system, but the actual data remains on the disk. This data can often be recovered using specialized software or techniques.

For example, imagine you have a folder on your computer’s desktop. When you no longer need one of the files in that folder, you can right-click on the file and select “delete” or drag the file to the trash or recycle bin icon on your desktop. This is considered deleting the file using the operating system.

Deletion via Low-Level Formatting

When storage media is low-level formatted, all of the disk’s data is erased, including the file system information. In this case, the data is permanently gone and cannot be recovered. Low-level formatting is similar to a factory reset, which is often performed when a computer is sold, given away, or prepared for a new employee.

Secure Deletion Methods

Secure deletion methods overwrite the information multiple times so that the data cannot be recovered. For example, when using the Department of Defense (DoD) 5220.22-M standard for secure deletion, data is overwritten three times with specific patterns of ones and zeros. Since data is physically overwritten and not just marked as deleted, it is impossible for forensic tools to locate and recover the information.

Method of Data Loss

Data loss can occur for various reasons, such as human error, cyber-attacks, software failure, or hardware failure. Understanding the cause of data loss is crucial in determining the appropriate recovery method. Software and hardware failure are two of the most common causes, and each requires a different approach to recover lost data.

Frequency of Hardware and Software Failure

Both hardware and software failures can lead to data loss, but the frequency of each type of failure can vary depending on the situation. For example, hardware failure may be more common in cases of physical damage to a device, such as a hard drive or phone.

Software failure, on the other hand, may be more common in cases of corruption or errors within an operating system or application. Ultimately, it is difficult to determine which type of failure is more common as it can depend on a variety of factors, including the type of device and how it is being used.

Software Failure

Software failure can occur for a variety of reasons, such as bugs, viruses, malware, or human error. These issues can lead to data loss in different ways. For example, a bug in an application can corrupt files or cause them to become inaccessible. Malware or viruses can delete or encrypt data, making it impossible to access without paying a ransom or using decryption tools. Finally, human error, such as accidentally deleting files or formatting a drive, can also result in data loss.

The likelihood of recovering data due to software failure can vary depending on the specific circumstances of the data loss. In some cases, it may be possible to recover all or most of the lost data with the help of specialized tools and techniques. In other cases, however, the data may be permanently lost or unrecoverable due to the extent of the damage or corruption to the software or file system.

Hardware Failure

Unlike software failure, mechanical failure occurs when the physical components of a storage device, such as a hard drive, fail. This could be due to a variety of reasons, such as wear and tear over time, damage from physical impact or shock, or manufacturing defects.

Hard disk drives are more likely to suffer from mechanical failure than solid-state drives, because they contain moving parts. HDDs store data on magnetic disks, which are read and written by a mechanical arm with a read/write head, which means there are many components that can break or wear out over time.

SSDs, on the other hand, use flash memory to store data and have no moving parts, which makes them less prone to mechanical failure. SSDs can still experience other types of failure, however, such as electrical or logical failures.

The likelihood of recovering data lost from hard drives as a result of mechanical failure depends on the specific case, the age and type of the storage device, and the extent of the damage. In some cases, it may be possible to recover some or all of the data using specialized hardware and techniques. In other cases, data recovery may not be possible at all, especially if the damage is too severe or the device is too old. Overall, the chances of success are lower compared to software failures.

How to Tell the Difference

One way to distinguish between a software and a mechanical failure is to look at the symptoms of the problem. For example, if the computer is freezing or crashing frequently, this could be a symptom of software issues such as corrupted files or malware. On the other hand, if the computer is making unusual noises or its drive has difficulty spinning, this could be a symptom of mechanical failure.

Another way to determine the cause of the failure is to run diagnostic tests on the hardware components of the computer. These tests can help identify whether a problem is caused by a hardware or a software issue. A digital forensic analyst may also examine system logs, file metadata, and other data to help determine the cause of the data loss.

Length of Time

Finally, the length of time that has elapsed since the data was deleted is one of the most important factors in determining the chances of recovery. When data is deleted, the information remains on the storage media until new data overwrites it.

There is no set time limit for when data will be overwritten and become unrecoverable. This process can depend on a number of factors, such as the amount of free space on the storage media, the type of file system being used, and the computer’s usage patterns.

To maximize the chances of successfully recovering deleted data, it’s best to initiate the recovery process as soon as possible. It is also essential to avoid using the computer or storage media in question until an attempt has been made to recover the data. This helps to minimize the chances of the information being overwritten.

Recover Deleted Data from Hard Drives: Conclusion

In conclusion, recovering deleted data from hard drives requires careful consideration of various factors such as the type of storage media, file system, method of deletion, method of data loss, and length of time since the data was deleted. Despite the use of advanced techniques and technologies, however, there is never a guarantee of successful data recovery. Therefore, it is essential to set realistic expectations with the client and communicate that data recovery is a complex and often challenging process.

Working with a trusted and experienced digital forensics provider is crucial to ensure the best possible outcome. The provider should possess the expertise and resources necessary to handle the most challenging data recovery cases. By leveraging their deep understanding of technology and forensic techniques, they may be able to overcome the barriers that impede the data recovery process.

Joe Anguilano


Joe Anguilano is the Managing Director, Cybersecurity at TCDI. With nearly 20 years of experience in the fields of cybersecurity and digital forensics, Joe specializes in building and empowering teams of experts focused on solving our clients’ most challenging problems. Specialties include eDiscovery collections, digital forensic investigations, penetration testing, incident response, and other cybersecurity services.