Digital Forensics Dispatch

Recovering Data from “Wiped” Computers

October 28, 2021

Often clients approach us at Sensei hoping to recover data from computer systems. Sometimes these requests come after a computer glitch or simple user error but other times they are hoping to retrieve data they suspect was deleted or “wiped” by a family member or employee.

A description of the latter scenario might sound something like “employee Mr. X recently resigned to work at a competitor and when he turned in his laptop it was wiped.” In digital forensics and data recovery circles, wiped has a specific meaning that others often don’t fully appreciate. If the drive has truly been wiped, data recovery is, unfortunately, likely not possible. However, commonly when users are cleaning up systems, they are not wiping data but are instead performing standard file deletions. In these instances, there is a decent chance deleted data will be recoverable, especially if you act fast.

When a file is deleted in a standard deletion operation the space the file is taking up is added back into the pool of free space on the drive where it is stored. That space will be available for new data that needs to be written to the drive but until that space is reused the deleted file is potentially recoverable. This is even true of quick drive reformatting operations on most computers. Wiping is different in that, once the file is deleted, the space it resided in on the drive is overwritten immediately rendering that file unrecoverable.

In summary, word choice is obviously key. What one person might think of as a wiped computer may still contain a wealth of data. A knowledgeable examiner should always ask some follow up questions to make sure they understand what the client means in this scenario.

Email:    Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics