What happens when I delete a file? Can you recover deleted files?

Computers keep track of files using a Table Of Contents (TOC) similar to the one you find at the beginning of a book. Without this feature, the computer would have to scan every file on the system whenever you opened a document since it wouldn’t know where to look. Imagine trying to find a chapter on torts in a legal textbook without the TOC or an index. You’d be forced to flip through each page until you found the right section. Clearly the TOC improves the performance of locating files but it is also used to speed up the deletion of files as well. When a file is deleted, the computer erases the entry in the TOC for the file rather than deleting the file itself since this is much faster. At this point, if you were to look for the file using your file manager it would appear to be deleted since there is no entry in the TOC. Forensic software would still be able to find the file since these tools ignore the TOC and examine all files directly. A file whose entry has been removed from the TOC will eventually be truly deleted when a new file is stored directly on top of the old one and overwrites its data. Formatting a disk creates a new TOC which effectively removes all files from the current TOC and makes them appear deleted. Most formats are quick formats which means the actual files themselves are not deleted and can be recovered by ignoring the TOC and scanning the files directly. Some disk wiping software will actually delete both the TOC entry as well as the contents of a file, effectively deleting it for good. Fortunately, these secure deletion programs often leave timestamped evidence of their use which means it is easy to prove spoliation of evidence in these cases.


About the Author: