When a suspect wipes or deletes data from a computer hard drive, police investigators face significant challenges in recovering that information as evidence. Whether recovery is possible depends mostly on what actually happened to the data: files that were merely deleted are routinely recovered, while data that was genuinely overwritten usually is not. With the right tools and expertise, police forensic experts can often restore some or all of deleted data and can sometimes recover the remnants that an incomplete wipe left behind.
What does it mean to “wipe” a hard drive?
Wiping a hard drive is a process that overwrites the existing data on the drive with new meaningless data, with the goal of making the original information non-recoverable. There are several methods that can be used:
- Using the operating system’s delete/format function – This simply marks the space as free; the contents stay on the platters until something else overwrites them. A quick format does the same for a whole volume.
- Using wipe utility software – This overwrites the entire drive (or a chosen file’s blocks) with zeros, a fixed pattern or random bytes, sometimes in several passes. Drives also support a firmware-level ATA Secure Erase command that wipes every sector, including areas ordinary utilities cannot reach.
- Physically destroying the disk – This means physically damaging the platters and mechanism inside the hard drive casing, usually by shredding, crushing or degaussing it.
In most cases, police are dealing with a software wipe rather than physical destruction. Wiping software overwrites the drive with meaningless data so that the original content is gone. Multi-pass schemes such as the 35-pass Gutmann method were designed in 1996 for drive encodings that no longer exist; for current drives a single complete overwrite is considered sufficient (NIST SP 800-88 treats one pass as an acceptable “Clear”), and what decides recoverability in practice is not the number of passes but whether the wipe actually reached every sector and ran to completion.
Why can wiped data be recovered?
There are a few reasons why data wiped from a hard drive can still be recovered:
- Residual traces – On older, low-density drives it was argued that faint traces of earlier data survived an overwrite in the magnetic encoding. No practical recovery of overwritten data from a modern drive has been publicly demonstrated, so investigators should treat a completed full overwrite as final.
- The wipe is interrupted – If the process crashes, is cancelled, or the machine is powered off, everything past the point it reached is untouched.
- Not all sectors are wiped – Areas such as a Host Protected Area (HPA), a Device Configuration Overlay (DCO), and sectors the drive has remapped as bad are not reachable by ordinary wipe utilities. A file-level shredder also never touches slack space, the filesystem journal, shadow copies, swap and hibernation files, or temporary copies an application made elsewhere.
- Deleted is not wiped – Many suspects only delete files or quick-format a volume, which leaves the contents in place. Even when a file’s own blocks are overwritten, filesystem metadata can still record that it existed, and copies may survive in backups, mail servers or cloud sync folders.
In practice the result is usually a partial recovery: the overwritten sectors are gone, but the places the wipe missed let forensic experts reconstruct files or at least establish what was there. How much survives depends on how complete the wipe was, not on how many passes it ran.
What techniques can police use to recover wiped data?
Police have a number of digital forensics techniques at their disposal to attempt to recover wiped data:
- Metadata analysis – Filesystem metadata (MFT or inode entries, journal records, timestamps, link files, recent-document lists) can show that files existed, when they were created and when they were deleted, even after their contents are gone.
- File carving – Searches raw data, especially unallocated space, for known file headers and footers and reconstructs files without relying on filesystem structures.
- Magnetic force microscopy (MFM) and scanning tunneling microscopy (STM) – Laboratory imaging of the platter surface, cited since Gutmann’s 1996 paper as a way to read residual magnetization from earlier writes. It is slow, expensive, and has not been shown to recover overwritten data from modern high-density drives, so it is not a realistic route to wiped data.
- Forensic software tools – Suites such as EnCase, FTK and Autopsy parse filesystem structures to recover deleted files, carve unallocated space, and extract artifacts such as browser history and registry hives. They recover what was deleted or missed, not what was actually overwritten.
Police may also work with professional data recovery services that have specialized clean room facilities and engineering expertise for hard drive analysis and data reconstruction.
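The difference between deleting and overwriting, and the file carving step, as an added example (not code from the original article): a constructed in-memory “disk” with a toy directory table stands in for a real filesystem, and the carver scans the raw bytes for JPEG and PNG header/footer signatures the way unallocated-space carving does. The directory layout, slot sizes and sample file contents are assumptions made for the example.

```python
"""Delete vs. overwrite at the raw-byte level, checked with a signature carver.

Added example. The 'disk' and its directory table are a constructed toy;
the carver (header/footer signature scan) is the real technique."""
import os
import struct

SECTOR = 512
DIR_ENTRIES = 16
ENTRY_FMT = "<16sII"                      # name[16], start offset, length
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)   # 24 bytes
DATA_START = SECTOR                       # directory table (384 bytes) lives in sector 0
SLOT_BYTES = 8 * SECTOR                   # each file slot gets 8 sectors (toy allocation)

# (header, footer) signatures a carver looks for
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def make_disk(size_sectors=64):
    return bytearray(size_sectors * SECTOR)


def write_file(disk, slot, name, data):
    """Store the bytes in the slot's sectors and record them in the directory."""
    start = DATA_START + slot * SLOT_BYTES
    disk[start:start + len(data)] = data
    struct.pack_into(ENTRY_FMT, disk, slot * ENTRY_SIZE, name.encode()[:16], start, len(data))


def list_names(disk):
    """What the 'operating system' shows: only files with a live directory entry."""
    names = []
    for slot in range(DIR_ENTRIES):
        name, _start, length = struct.unpack_from(ENTRY_FMT, disk, slot * ENTRY_SIZE)
        if length:
            names.append(name.rstrip(b"\x00").decode())
    return names


def os_delete(disk, slot):
    """A normal delete: drop the directory entry, leave the contents in place."""
    disk[slot * ENTRY_SIZE:(slot + 1) * ENTRY_SIZE] = b"\x00" * ENTRY_SIZE


def wipe_file(disk, slot, passes=1):
    """A wipe utility: overwrite the file's own blocks, then drop the entry."""
    _name, start, length = struct.unpack_from(ENTRY_FMT, disk, slot * ENTRY_SIZE)
    for _ in range(passes):
        disk[start:start + length] = os.urandom(length)
    disk[start:start + length] = b"\x00" * length   # final zero pass, as many tools do
    os_delete(disk, slot)


def carve(disk, max_len=64 * 1024):
    """Scan raw bytes (ignoring the directory) for known headers and matching footers."""
    blob = bytes(disk)
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = blob.find(head, DATA_START)
        while pos != -1:
            end = blob.find(tail, pos + len(head), pos + max_len)
            if end != -1:
                found.append((kind, pos, blob[pos:end + len(tail)]))
            pos = blob.find(head, pos + 1)
    return found


def sample_jpeg():
    # Constructed stand-in: real SOI/EOI markers around filler, not a decodable image
    return b"\xff\xd8\xff\xe0JFIF\x00" + b"A" * 1000 + b"\xff\xd9"


def sample_png():
    # Constructed stand-in: real PNG signature and IEND trailer around filler
    return b"\x89PNG\r\n\x1a\n" + b"B" * 600 + b"IEND\xaeB`\x82"


def demo():
    disk = make_disk()
    write_file(disk, 0, "photo.jpg", sample_jpeg())
    write_file(disk, 1, "chart.png", sample_png())
    write_file(disk, 2, "notes.txt", b"meeting at 9, bring the ledger")
    os_delete(disk, 0)      # photo.jpg deleted the normal way
    wipe_file(disk, 1)      # chart.png overwritten by a wipe utility
    carved = carve(disk)
    return {
        "directory_names": list_names(disk),          # ['notes.txt']: both look gone
        "carved": sorted(k for k, _, _ in carved),    # ['jpeg']: only the deleted one survives
        "jpeg_intact": any(k == "jpeg" and d == sample_jpeg() for k, _, d in carved),
    }


if __name__ == "__main__":
    print(demo())
```

The directory listing hides both files equally, but the carver recovers the deleted JPEG byte-for-byte and finds nothing where the PNG was overwritten. This is exactly the split a real examination hinges on: tools like EnCase or Autopsy carve the first case routinely and cannot help with the second.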
What are the challenges police face in recovering wiped data?
There are several challenges police investigators face when trying to recover wiped data:
- Overwritten data is gone – A single complete overwrite pass leaves nothing usable; recovery work targets what the wipe missed, not the overwritten sectors themselves.
- It is very time consuming and expensive – Reconstructing partially wiped data takes expertise and resources.
- Encryption makes fragments useless – Data from an encrypted volume is indistinguishable from random bytes; fragments recovered without the key carry no information, and a drive whose encryption key was securely destroyed is effectively wiped even if every sector is intact.
- Damaged hard drives are harder to recover from – Physical damage adds complexity.
- Reconstructed data is fragmented – It may lack context or structure.
Without the proper training, tools, time and budget, police may be unable to recover meaningful evidence from a wiped hard drive. Where the wipe was incomplete, which is common, an expert forensic team has a good chance of recovering at least some data.
What kind of data can be recovered from a wiped hard drive?
Examples of data police may be able to recover include:
- Deleted emails and documents
- Internet browsing history
- Cached web pages and images
- Log files and metadata
- Remnants of unencrypted files
- Partial file fragments
- Password hints
- System registry information
Critical evidence like incriminating communications, photos, or financial information could remain on a wiped drive. The amount and type of recoverable data depends on the wipe technique used and how thoroughly it was implemented.
Can police recover data from a damaged hard drive?
Damaged hard drives, such as drives that have been burned, broken, or exposed to water provide additional challenges for police data recovery:
- Damaged components may prevent any access to the drive.
- Severely damaged platters can wipe out magnetic data.
- Contaminants can corrode and obscure the magnetic encodings.
- Physical damage may prevent forensic tools from interfacing with the drive.
- Mechanical failures may prevent the disk from spinning up.
However, as long as the platters retain their magnetic encoding, forensics experts can attempt to swap the failed components (heads, motor, controller board) or transplant the platters into a matching donor drive and then image the data. This requires a dust-free cleanroom environment, a compatible donor drive and specialized skills.
What are some famous cases where police recovered wiped data?
Cases commonly cited as examples where investigators recovered deleted or “wiped” data include:
- Paul Ceglia – In his lawsuit claiming a share of Facebook, forensic examination of his computers reportedly recovered earlier versions of the disputed contract and emails, supporting the finding that the documents he produced had been altered.
- Catherine Greig – Deleted documents are reported to have helped investigators locate Whitey Bulger’s girlfriend.
- David Kernell – The Palin email intruder deleted files and defragmented his laptop before it was seized; enough was recovered to support an obstruction of justice charge.
- Enron – Deleted accounting documents and emails recovered from corporate systems helped build the fraud case.
These examples demonstrate that while wiping data presents a challenge, investigators can in many cases still uncover vital evidence, most often because the “wipe” was really a deletion or was incomplete.
Can police recover data from solid state drives (SSDs)?
Solid state drives (SSDs) present particular challenges for recovering wiped data compared to traditional hard disk drives:
- No magnetic platters – Data is stored in NAND flash chips, so there is no analog residue to examine; a flash cell either holds its charge or it has been erased.
- Built-in encryption – Many SSDs are self-encrypting: the controller encrypts everything with AES, so the firmware “secure erase” only has to discard the key (a crypto-erase), which is instantaneous and leaves nothing recoverable.
- Wear leveling – The controller writes new data to a fresh physical page and updates its logical-to-physical map rather than overwriting in place, so a host-side overwrite does not necessarily erase the old copy; that stale copy lingers until garbage collection reclaims it.
- Trim command – Tells the controller which logical blocks the filesystem no longer uses. The controller erases them in the background, and many drives return zeros for trimmed blocks immediately, so deleted files can become unrecoverable through the normal interface within minutes without any wipe utility.
However, some recovery is still possible in certain scenarios:
- Files deleted before TRIM was issued, or on systems where TRIM is unsupported or disabled (some USB bridges, RAID setups and older operating systems), may still be readable.
- Self-encrypting drives usually have no user password set, so the controller decrypts transparently; encryption only blocks recovery once the key has been deliberately discarded.
- Stale pages left behind by wear leveling can sometimes be read by removing the NAND chips (chip-off) and reading them directly, bypassing the controller, though reassembling them without the controller’s mapping is difficult.
- Vendor-specific tools and known controller firmware bugs are sometimes used to dump raw flash through the drive’s own interface; this is model-specific and not generally available.
But overall, SSDs make data recovery much more difficult once wiping and encryption techniques are applied.
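Why a host-side overwrite is not the same as erasure on an SSD, as an added example (not code from the original article): a toy flash translation layer with an assumed page geometry and a simplified garbage-collection policy. Real controllers are far more complex, but the behaviour shown is the mechanism described above: new writes go to fresh pages, the stale copy persists until garbage collection, TRIM only marks pages invalid, and a chip-off read sees every physical page regardless of the mapping. The page size, page count and the secret written are constructed values.

```python
"""Toy flash translation layer: overwrite vs. TRIM vs. garbage collection.

Added example; geometry and GC policy are simplified assumptions."""

PAGE = 16                 # bytes per physical page (toy size; real pages are 4-16 KiB)
PAGES = 8                 # physical pages on the tiny 'chip'
ERASED = b"\xff" * PAGE   # erased NAND reads as all ones


class ToySSD:
    def __init__(self):
        self.nand = [ERASED] * PAGES   # physical pages
        self.valid = [False] * PAGES   # does the FTL still consider the page live?
        self.l2p = {}                  # logical block address -> physical page
        self.next_free = 0

    def _alloc(self):
        for i in range(self.next_free, PAGES):
            if self.nand[i] == ERASED:
                self.next_free = i + 1
                return i
        raise RuntimeError("out of erased pages; run garbage_collect()")

    def write(self, lba, data):
        """Host write: always lands on a fresh page; NAND cannot overwrite in place."""
        assert len(data) == PAGE
        p = self._alloc()
        self.nand[p] = data
        self.valid[p] = True
        old = self.l2p.get(lba)
        if old is not None:
            self.valid[old] = False    # old copy is stale but still physically present
        self.l2p[lba] = p

    def read(self, lba):
        """Host read through the controller: only the mapped page is visible.
        Unmapped (trimmed) blocks read as zeros, as many drives do."""
        p = self.l2p.get(lba)
        return self.nand[p] if p is not None else b"\x00" * PAGE

    def trim(self, lba):
        """TRIM/UNMAP: the filesystem says the block is unused; drop the mapping."""
        p = self.l2p.pop(lba, None)
        if p is not None:
            self.valid[p] = False

    def garbage_collect(self):
        """Erase every page the FTL no longer considers valid (what makes TRIM final)."""
        for i in range(PAGES):
            if not self.valid[i]:
                self.nand[i] = ERASED
        self.next_free = 0

    def chip_off_dump(self):
        """What a chip-off read sees: every non-erased physical page, mapped or not."""
        return [p for p in self.nand if p != ERASED]


def demo():
    ssd = ToySSD()
    secret = b"ACCT 4411 $9,000"            # constructed 16-byte record
    ssd.write(7, secret)
    ssd.write(7, b"\x00" * PAGE)            # host 'wipes' LBA 7 with zeros
    host_sees_zeros = ssd.read(7) == b"\x00" * PAGE
    stale_after_overwrite = secret in ssd.chip_off_dump()   # True: old page survives
    ssd.trim(7)
    stale_after_trim = secret in ssd.chip_off_dump()        # still True until GC runs
    ssd.garbage_collect()
    stale_after_gc = secret in ssd.chip_off_dump()          # False: physically erased
    return {
        "host_sees_zeros_after_wipe": host_sees_zeros,
        "stale_copy_after_overwrite": stale_after_overwrite,
        "stale_copy_after_trim_before_gc": stale_after_trim,
        "stale_copy_after_gc": stale_after_gc,
    }


if __name__ == "__main__":
    print(demo())
```

Through the normal interface the block looks wiped immediately, yet the old page is still readable from the flash itself until garbage collection runs; this is both why a wipe utility cannot be trusted on an SSD and why chip-off recovery occasionally succeeds. Once the controller has erased the page, nothing is left to find.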
Should police attempt to recover wiped hard drives on their own?
Police should exercise caution before attempting to recover wiped hard drives themselves:
- Attempting recovery on the original drive may further damage it or alter its contents.
- They likely lack the special skills and tools required.
- The drive should be imaged first, through a hardware write-blocker, and the image verified with a cryptographic hash (such as SHA-256) before any recovery is attempted; all later work is done on copies so the original is never changed. Evidence that was altered, or whose integrity cannot be proven, may be inadmissible.
- The process can be extremely costly in resources.
- Recovered data that cannot be validated against a verified image has little evidentiary weight.
Unless police have trained digital forensics specialists and equipment, it is best to entrust drive recovery to an accredited forensics lab or professional data recovery service, with chain of custody documented at every hand-off, to have the greatest chance of recovering wiped evidence in a form a court will accept.
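Imaging and verifying before any recovery work, as an added example (not code from the original article). A constructed temporary file stands in for a device attached through a hardware write-blocker; the hashing logic is what a forensic imager records so the image can later be proven identical to the source and any alteration localized to a chunk. File names, the chunk size and the sample contents are assumptions made for the example.

```python
"""Image a source 'device' to a file and prove the copy is bit-identical.

Added example. The device is a constructed temp file; the chunked SHA-256
plus per-chunk hashes mirror what forensic imagers log."""
import hashlib
import os
import tempfile

CHUNK = 4096  # toy chunk size; real imagers hash every few MiB


def image_device(src_path, img_path, chunk=CHUNK):
    """Copy src to img in chunks. Returns (source sha256, image sha256, per-chunk hashes)."""
    src_hash = hashlib.sha256()
    piece_hashes = []
    with open(src_path, "rb") as src, open(img_path, "wb") as img:
        for block in iter(lambda: src.read(chunk), b""):
            src_hash.update(block)
            piece_hashes.append(hashlib.sha256(block).hexdigest())
            img.write(block)
    # Re-read the written image independently: the acquisition hash must match.
    img_hash = hashlib.sha256()
    with open(img_path, "rb") as img:
        for block in iter(lambda: img.read(chunk), b""):
            img_hash.update(block)
    return src_hash.hexdigest(), img_hash.hexdigest(), piece_hashes


def verify_image(img_path, expected_sha256, piece_hashes, chunk=CHUNK):
    """Later verification: recompute the hash; report the first differing chunk, if any."""
    whole = hashlib.sha256()
    first_bad = None
    with open(img_path, "rb") as img:
        for i, block in enumerate(iter(lambda: img.read(chunk), b"")):
            whole.update(block)
            if first_bad is None and (
                i >= len(piece_hashes) or hashlib.sha256(block).hexdigest() != piece_hashes[i]
            ):
                first_bad = i
    return whole.hexdigest() == expected_sha256, first_bad


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        dev = os.path.join(tmp, "evidence_device.bin")   # stands in for /dev/sdX
        img = os.path.join(tmp, "evidence.dd")
        with open(dev, "wb") as f:                        # constructed drive contents
            f.write(b"\x00" * 8000 + b"deleted-email-fragment" + b"\x00" * 8170)
        src_sha, img_sha, pieces = image_device(dev, img)
        ok, bad = verify_image(img, src_sha, pieces)
        # Simulate the image being touched after acquisition (byte 8000 lies in chunk 1).
        with open(img, "r+b") as f:
            f.seek(8000)
            f.write(b"X")
        ok2, bad2 = verify_image(img, src_sha, pieces)
        return {
            "acquired_ok": src_sha == img_sha and ok,
            "first_acquire_bad": bad,
            "tamper_detected": not ok2,
            "tampered_chunk": bad2,
        }


if __name__ == "__main__":
    print(demo())
```

The source hash is computed during the single read pass, so the original is never read again once the image matches; the per-chunk hashes let a later mismatch be pinned to one region instead of discarding the whole image.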
Recovering wiped data from hard drives is challenging but possible when the wipe was incomplete, which it frequently is. Police need specialized forensic software to recover deleted files and carve remnants from unallocated space, and cleanroom hardware recovery when the drive itself is damaged. Data that was genuinely overwritten, or encrypted with a key that has since been destroyed, should be treated as gone. While SSDs and encryption raise the bar, patient experts can still uncover fragments and clues from many drives. With more cases hinging on digital evidence, police must either develop data recovery capabilities in-house or partner with data recovery specialists.