Recovering deleted files: digital forensics for the everyday person


I believe the everyday person should know how to recover deleted files or messages. That way, you don’t have to hire someone or say goodbye to important or sentimental data.

I stumbled upon digital forensics seemingly by accident many years ago. In the early 2000s, I used to do what is called 'trashing,' a term used by the hacker subculture synonymous with 'dumpster diving.' That’s how I got all my computer gear before I could afford my own.

One person’s trash became another person’s treasure. That’s when it hit me: whoever owned these computers before I found them had a life on them, filled with hobbies and, most importantly, secrets. The history of that person was embedded in these machines. What if I could retrieve it?


Armed with a copy of Autopsy, I created a bootable CD and immediately went to work. Sometimes, the previous owners didn’t format the hard disks or flush their RAM. Sometimes, they did.


Either way, it didn’t matter what they deleted. Autopsy was able to run a deep examination of the hard disks and RAM and piece together enough information to incriminate the users.

I’m talking about deleted files, file access logs, web history, compressed images, and videos – the works. I got good enough to monetize this as a service in mid-2009, and before long, I was being hired to investigate cheating partners routinely.

Presently, the same methods apply to current-day technology, especially smartphones and tablets. No matter how many factory resets you do, there’s recoverable data. Think about all the data that’s hiding on the second-hand smartphones you buy online.

Let’s dive right in and learn how to recover deleted information across platforms.

Extracting hidden secrets with Autopsy

One of the most common uses for digital forensic tools is artifact extraction coupled with file carving, which I will explain below.


If you need to restore deleted files from the operating system, extract browser history, recover emails and chat logs, or any kind of embedded metadata from images or documents, then you’ve got to piece together a user’s activities using Autopsy, an open-source digital forensics tool.


Autopsy is also used by law enforcement and members of the cybersecurity industry in cases involving cybercrime, fraud, or data breaches and, by extension, for incident response.

I’ll tell you this much: if you become proficient at Autopsy, you will become the one person everyone goes to recover lost files or to find and analyze a person’s computer and internet habits. This means you’ll be monetizing this as a service in no time.

Here are some things you should know about the functions provided by Autopsy:

  • Cross-platform: compatible with Windows, Linux, and OS X.
  • Artifact extraction: allows exhumation of history, cached images and videos, metadata, documents, call logs, messages from various apps, cookies, web bookmarks, downloads, etc.
  • File carving: allows recovery of fragmented or deleted files by identifying file headers and footers, regardless of whether directory entries are missing.
  • Timeline analysis: provides a timeline feature for visualizing file creation, access, and modification timestamps. This is a vital feature when trying to understand the chronological sequence of events, especially in cases involving cheating spouses.
  • Metadata extraction: functions within the app can extract metadata from files, yielding useful information such as creation dates, modification timestamps, and user history.
  • Team collaboration: allows multiple users to collaborate on a case simultaneously.
  • Generate custom reports: Autopsy can generate customized, detailed reports in HTML, PDF, and Excel format based on the needed criteria.
  • Hashing and signature matching: used for checking file integrity and identifying known files by comparing them against hash databases, which can help flag malicious files or modified apps.
  • Examining network activity: analyzing network logs from firewalls or intrusion detection systems (IDS) allows users to perform intrusion detection by identifying suspicious TCP/IP connections or data exfiltration attempts.
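
To make the file carving and hash matching items above concrete, here is a small added example (not code from Autopsy or from this article) that carves files out of a raw byte image by header and footer, then checks each result against a known-file hash set. It assumes contiguous, unfragmented files; the sample image, function names and hash set are constructed for illustration.

```python
import hashlib

# (header, footer) byte signatures; real carvers ship many more of these.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def carve(image, signatures=SIGNATURES, max_size=10 * 1024 * 1024):
    """Return [(kind, offset, data)] for each header..footer span in image."""
    found = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                # Header with no footer in range: truncated or overwritten file.
                pos = start + 1
                continue
            end += len(footer)
            found.append((kind, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda hit: hit[1])

def match_known(carved, known_hashes):
    """Pair each carved file with whether its SHA-256 is in a known-file set."""
    return [(kind, offset, hashlib.sha256(data).hexdigest() in known_hashes)
            for kind, offset, data in carved]

def build_sample():
    """Constructed 'disk image': zero-filled slack around two files and a stub."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-pixels" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"constructed-chunks" + b"IEND\xaeB`\x82"
    truncated = b"\xff\xd8\xff\xe0" + b"footer was overwritten"
    image = b"\x00" * 512 + jpg + b"\x00" * 100 + png + b"\x00" * 64 + truncated
    return image, jpg, png

if __name__ == "__main__":
    image, jpg, png = build_sample()
    hits = carve(image)
    known = {hashlib.sha256(jpg).hexdigest()}  # stand-in for a hash database
    for kind, offset, is_known in match_known(hits, known):
        print(f"{kind} at offset {offset}: known={is_known}")
```

No directory entry is consulted at any point, which is why carving still works when the file system metadata is gone; the third, footerless JPEG header in the sample is skipped rather than carved.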

Android and iOS data recovery

Whenever I buy second-hand smart devices such as phones and tablets, there’s going to be compressed data on them. Something to consider when buying used devices like these is this: What did the previous owner use their phone for? Curious? I’d be. There might be malware on it or something worse.

More importantly, for the investigating cyber sleuths out there who want to leverage digital forensic tools on mobile devices, Autopsy is also able to parse and analyze both iOS and Android devices. But first, you must create a disk image of the device you want to analyze and recover from.

  • Create the disk image: the best, free way for users who want to create a logical backup of an Android device is simply to download ADB (Android Debug Bridge) on your computer. This is included in SDK Platform tools. Download the latest build and unzip the archive.
  • Enable Developer Options on Android: to do this, go to Settings > About Phone and tap on the Build number seven times in order to enable Developer Options. For Samsung users, Settings > About Phone > Software information > Build Number.
  • Connect the Android device using a USB cable: ensure that it’s recognized by your computer.
  • Check device connectivity: navigate to the unzipped folder, right-click anywhere in the folder (in Windows), and then click on ‘Open in Terminal.’
  • Enter the command ./adb devices to list the device’s serial number.
  • Create a logical backup, or mirror image, by typing ./adb backup -all -f backup.ab
  • Open the backup with Autopsy by selecting the Data Source Type > Disk Image or VM File. You will be prompted to browse to the backup file you just created using adb, and the rest is history.
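
The backup.ab file produced by the steps above is a container: four text header lines (magic, version, compression flag, encryption) followed by a tar stream. The added example below (not part of the original article or of any tool it names) checks that header, records a SHA-256 of the file as acquired, and lists the files inside an unencrypted backup. The sample backup and its app paths are constructed for the demonstration.

```python
import hashlib, io, tarfile, zlib

def read_ab(blob):
    """Parse an Android backup container: four header lines, then the payload."""
    magic, version, compressed, encryption, payload = blob.split(b"\n", 4)
    if magic != b"ANDROID BACKUP":
        raise ValueError("not an Android backup file")
    info = {
        "version": int(version),
        "compressed": compressed == b"1",
        "encryption": encryption.decode(),
        # Hash of the file exactly as acquired, for the case notes.
        "sha256": hashlib.sha256(blob).hexdigest(),
    }
    if info["encryption"] != "none":
        return info, None  # encrypted backups need the password; not handled here
    # Whole-file decompression is fine for a sample; stream large backups instead.
    tar_bytes = zlib.decompress(payload) if info["compressed"] else payload
    return info, tar_bytes

def list_entries(tar_bytes):
    """Return (path, size) for every regular file in the backup's tar stream."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        return [(m.name, m.size) for m in tar.getmembers() if m.isfile()]

def build_sample_ab():
    """Constructed backup: two made-up app files in a compressed, unencrypted .ab."""
    files = [("apps/com.example.notes/db/notes.db", b"constructed database"),
             ("apps/com.example.notes/sp/prefs.xml", b"<map/>")]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files:
            entry = tarfile.TarInfo(name)
            entry.size = len(data)
            tar.addfile(entry, io.BytesIO(data))
    return b"ANDROID BACKUP\n5\n1\nnone\n" + zlib.compress(buf.getvalue())

if __name__ == "__main__":
    info, tar_bytes = read_ab(build_sample_ab())
    print(info)
    for path, size in list_entries(tar_bytes):
        print(f"{size:>8}  {path}")
```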

Simpler mobile forensics for the layperson

If you got lost in the details using Autopsy and want an autonomous app, you can search the Google Play Store or the Apple Store using the keywords ‘file recovery’ and ‘restore messages.’ Most of these file and message recovery apps have the same functionality, with only minor differences.

For example, one Android app I used in the past is EaseUS MobiSaver. It is also cross-compatible with Windows. Each of these apps is useful for getting the job done, whether you accidentally deleted a photo or need to learn what someone has used their phone for.

Another tool I’ve used is Dr. Fone, which is a more streamlined digital forensics Swiss Army knife for Windows. Better yet, it’s designed for easy operation for everyday people to recover data not only from hard disks but also from Android and iOS devices. It can even remove phone locks from the lock screen. Let me just say it’s efficient.

There could be any reason under the sun why dabbling in digital forensics is important. I can’t think of a single person who hasn’t accidentally deleted something important, only to resign themselves to their supposed fate and just shake their head and move on, grinding their teeth with regret.

Don’t be that person.
