The FBI recovers deleted files to help with investigations and prosecution. Bad guys will never stop trying to cover their tracks by deleting files–so the good guys developed a suite of free tools that let anyone recover deleted files. The tools presented in this article were used in FBI investigations that processed 1,756 terrabytes of data as part of over 4,500 cases in 2009, the most recent year for which data is available.
For whatever reason, you decide to delete the file
foo.docx from your computer. You open Windows Explorer, go to the directory holding
foo.docx, highlight the file, and press the delete key on your keyboard. Sometime later–maybe minutes later, maybe weeks later–you clear out your Trash folder. As far as Windows is concerned, this means you want to permanently delete
foo.docx, so Windows gets to work:
- Windows checks to see if the file appears in multiple directories, a feature borrowed from Unix and Linux called hard links. If the file exists in multiple locations, Windows doesn’t delete the file–it just removes its entry from your Trash directory.
- Windows puts a note in its journal that foo.docx should be deleted. It may sound silly for an operating system to have a journal, but the journal ensures that the computer can quickly recover if there’s a sudden crash or power loss.
- Windows opens up the Master File Table (MFT), finds
foo.docx, and removes its entry. Note: this does not delete the file, it just makes it impossible for Windows to find it anymore.
- Windows removes the note it put in its journal earlier. Windows is done deleting
After the file is deleted, all of its data still exist on your disk drive. There’s just no record of where the file is on your disk drive, so standard programs can’t find it. I use a Super Data Rescue Package to recover clients files and save time but there are free options available.
The Four Secrets To Recovering Deleted Files
Secret One: The sooner you try to recover a file after its been deleted, the greater your chance of success. That’s because Windows will write new files on top of old, deleted files. Once a new file gets written on top of the deleted file, there’s no way to recover the whole deleted file.
If you just deleted a file that you really need, you can almost guarantee it won’t be overwritten by immediately unplugging your computer from the wall. Of course, this means none of the other open files on your computer will be saved.
Secret Two: Smaller files are easier to recover than bigger files. That’s because the Window’s filesystem (NTFS) uses fragmentation to maximize the amount of space you can use on your disk drive. Smaller files have fewer fragments, making it easier to find all the parts of the file. The ideal number of fragments is one.
A useful corollary is that you’ll have better success retrieving deleted files if you regularly defragment your drive. After defragmenting, almost every file will have only one fragment.
Secret Three: You need to know the type of file in order to recover it. The only place the filename is stored on Windows is the Master File Table (MFT), so you can’t search for files by filename after the file is removed from the MFT. You need to know what type of file it is in order to find it–in our example, we assume
foo.docx was a Microsoft Word 2007 or 2010 file.
Secret Four: You need to ensure the disk drive runs as read-only before you attempt to recover files. This is to prevent Windows from overwriting the file you want to recover. Many USB drives and some USB disk drive enclosures have a read-only switch–this works great: safely remove the drive or unplug the USB cord like usual, toggle the switch, and reinsert the drive or cord.
Some internal disk drives have a read-only switch, although you may need to mess with electric jumpers to toggle it. Unfortunately most internal disks don’t have a read-only switch and, what’s worse, Windows doesn’t like to boot from a read-only disk. We’ll deal with this problem in the next section.
How the FBI Recovers Deleted Files
The original set of programs for low-level file recovery is called The Coroner’s Toolkit (TCT). TCT was incorporated into other more advanced toolkits which will be described here called The Sleuth Kit (TSK) and Autopsy.
Although there are many Linux live DVDs and virtual environments that contain TSK and Autopsy, we suggest BackTrack Linux available at backtrack-linux.org. Unless you’re familiar with VMWare, you should download the DVD ISO image and burn it to a DVD. Then place the DVD in the computer with the deleted file and reboot.
After BackTrack finishes loading, you’ll find a stylized K where the Start menu usually appears in Windows. Click the K, go to the BackTrack menu, Go do the Digital Forensics menu, and choose Launch Autopsy. Then open the Web Browser (a globe icon next to the K icon) and browse to
Autopsy is an easy-to-use HTML-based frontend to the dozens of commands in TSK. On the main screen of Autopsy, you want to create a New Case, then follow the menus. When you get to the File Analysis screen, choose “Show All Deleted Files”. It will take a long time for all of the files to appear–TSK must scan every unused bit of your disk drive to see if it contains a deleted file. You can expect the process to take about 1 minute for every 10 GBs on your disk drive.
After TSK finds all the deleted files, you can sort through them to find the file you need. Then all you need to do to recover the deleted file is click on its link and save it.
To use these tools, sometimes you need to fix failed hard disks before proceeding to get your files back like the FBI recovers deleted files.