Q: What happens when an electronic file is deleted?

A: When a file is deleted in a Microsoft Windows environment, the reference pointing to the location of the file on the hard drive is moved to the recycle bin.

By way of analogy, imagine looking through the card catalogue at the library for a book on the history of baseball that was published in 2000. The card gives the book's location in the library. If you take the card out of the card catalogue and put it in a shoebox, the book is still on the shelf but you won't be able to find the correct shelf until you retrieve the card from the shoebox.

A deleted file may still be retrieved (recovered) by opening the recycle bin, right-clicking on the file and selecting "Restore" from the menu.

Emptying the recycle bin would be the same as throwing away the catalog card - the reference to the book's location is gone, but the book remains on the shelf. The book can still be found, but you'll have to look through every shelf in the library until you find it.

Likewise, when the recycle bin is emptied the reference to the location of the file is gone - but the data is still intact and resides somewhere on the hard drive in what is called Unallocated Space. It takes a trained computer forensic examiner using specialized forensic tools to find and recover it - particularly if the deleted file data becomes partially overwritten by new data.
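The "look through every shelf" search described above, as an added example that is not part of the original page: a simplified signature-based carver that scans raw bytes for JPEG start and end markers and flags fragments whose end marker is gone. The function names and the sample buffer are constructed for illustration; real forensic tools also handle fragmented files and embedded thumbnails.

```python
# Added example: simplified signature-based carving of JPEG data from raw bytes.
JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker plus first byte of the next marker
JPEG_EOI = b"\xff\xd9"       # end-of-image marker

def carve_jpegs(raw, max_size=10 * 1024 * 1024):
    """Return a list of (offset, data, complete) for each JPEG header found in raw."""
    hits = []
    pos = 0
    while True:
        start = raw.find(JPEG_SOI, pos)
        if start == -1:
            break
        window_end = min(len(raw), start + max_size)
        next_start = raw.find(JPEG_SOI, start + 3, window_end)
        end = raw.find(JPEG_EOI, start + 3, window_end)
        if end != -1 and (next_start == -1 or end < next_start):
            # Header and footer both survive: the file data is intact.
            hits.append((start, raw[start:end + 2], True))
            pos = end + 2
        else:
            # Footer missing before the next header or the size limit:
            # the tail was overwritten, so only a fragment is recoverable.
            stop = next_start if next_start != -1 else window_end
            hits.append((start, raw[start:stop], False))
            pos = stop
    return hits

def build_sample():
    """Constructed stand-in for unallocated space (not a real disk image)."""
    intact = JPEG_SOI + b"\xe0" + b"A" * 64 + JPEG_EOI
    damaged = JPEG_SOI + b"\xe0" + b"B" * 32           # footer lost to overwriting
    new_data = b"newer file contents " * 4             # data written over the tail
    raw = b"\x00" * 512 + intact + b"\x00" * 100 + damaged + new_data + b"\x00" * 64
    return raw, intact

if __name__ == "__main__":
    raw, _ = build_sample()
    for offset, data, complete in carve_jpegs(raw):
        state = "complete" if complete else "partial (overwritten)"
        print(f"offset {offset}: {len(data)} bytes, {state}")
```

The partial hit is the case the answer above singles out: the header still identifies the file type and location, but the recovered bytes need manual examination.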

TECH TIP

Cached Web Pages

Web browsers, such as Microsoft Internet Explorer or Mozilla Firefox, are designed to efficiently find and display Internet pages. One way to do this is to "cache" copies of Web pages of sites that a computer user frequently visits. For example, Internet Explorer keeps such cached pages in a folder called Temporary Internet Files.

A computer's operating system (for instance, Windows XP/Vista/7) stores and tracks metadata about every file.

For example, when you view the Home Page of the Lightstone Solutions website for the first time, a copy of the page is retrieved from our server and cached on your hard drive. The next time you visit the page, your Web browser will compare the cached page to the one on our server and, if they match, the page cached on your hard drive will pop up on your screen. Depending on the speed of your Internet connection, you may notice that a cached page loads faster than a Web page that you have not previously viewed.

Cached Web pages can provide a wealth of information to a computer forensic investigator:

  • Websites routinely visited;
  • Keywords entered into Google, Yahoo and other search engines;
  • Details of online purchases at Amazon, eBay and other e-tailers; and
  • Contents of Internet e-mail, such as Google Mail (Gmail) and Yahoo.

Like any other files on a hard drive, data from deleted cached Web pages can be located and retrieved using forensic tools until it is completely overwritten by new data.