DIY Computer Forensics: How to Recover a Deleted File

Was the file deleted? Yes. Is it really gone for good? Maybe not.

I'm a huge fan of zombie films and have always wondered whether you could apply the same concept to bringing files back from the dead. I'm not talking about the virtual "recycle bin". That's easy. I'm talking straight-up I-deleted-the-stew-out-of-this-file-and-now-I-want-to-bring-it-back type stuff. Can it be done?

Well, I did some research and some hands-on testing and I am happy to report that you can, in some cases, bring files back from the dead.

Of course, there are some caveats and you also need some special forensic data recovery tools (free trials available for testing purposes), but we'll get to that in a minute.

What Happens When a File is Deleted?

Let's talk about what happens when a file is deleted. In many operating systems, the file's data is moved to a temporary holding area such as the "recycle bin" where it can be recovered or cleared so that the disk space it was taking up can be reclaimed. But what really happens? In many cases, only the pointer record to where the file's data was located on the physical disk is removed. This can be the case even after emptying the recycle bin.

What about the Data? Is it still there?

Unless the operating system is employing some kind of secure-delete functionality, the actual data may still remain on the disk; you just can't see it in the file directory. Unless you have the right tool, that is (cue CSI title music as the red-headed guy puts on his sunglasses).

I have tried a few purported file recovery tools in the past. The one I found to be most effective in actually doing what it claims to do is an application named R-Studio from R-Tools Technology. R-Studio is a heavy-duty forensic data recovery solution. It ranges in price from $49.99 up to $899.99 depending on what type of license you are purchasing and what type of file system you are trying to recover data from (e.g. FAT32, NTFS, etc.).

A free demo copy is available that allows you to scan your disk for deleted files that may be recoverable. The demo will only let you recover files that are less than 64KB, but at least it lets you scan to see if the file that you believe is lost for good might still be recoverable.

R-Tools warns that you should never install the tool to the same disk that you are trying to recover data from. When you install any program on a disk that you want to recover something from, the act of installing the software may itself write over the area of the disk that contains the file you are trying to recover.

This software is not for the computer novice, but in the right hands, R-Studio is a powerful solution for disaster recovery after a virus attack, system hack, or for when your Shih Tzu decides to knock a full bottle of beer onto your laptop. (It was no accident, she did it on purpose.)

Can The Bad Guys Use These Tools Too?

You're probably wondering: if anybody can use these forensic tools to bring back deleted files, how can I ensure that what I delete is really gone, so the bad guys can't resurrect it using these same tools? Here are three ways to make your files as unrecoverable as possible.

  • Use a file or whole disk encryption solution such as TrueCrypt (available for free)
  • Use a disk defragmentation tool on a regular basis (not a guaranteed form of protection, but it does help)
  • When formatting a hard drive, use a secure drive erase utility that writes zeros or garbage data to the drive and makes multiple erase passes.

The R-Tools software claims to be able to bring back data from a drive even after it has been reformatted and repartitioned (in some cases). Given this, if you're selling your computer it is probably a good idea to keep the hard drive, or to use a secure drive erase utility before selling it.
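
To make the "only the pointer is removed" idea and the "write zeros over it" advice concrete, here is a small added example (not from R-Studio or any real recovery tool). It models a disk as a raw byte array plus a directory of pointers, then scans the raw bytes for PNG signatures the way a recovery tool looks past the directory. The ToyDisk class, the file name and the sample data are all made up for illustration.

```python
# Toy model, constructed for illustration: raw bytes + a directory of pointers.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # real PNG file signature
PNG_END = b"IEND\xaeB`\x82"        # real PNG trailer (IEND chunk type + CRC)


class ToyDisk:
    def __init__(self, size=4096):
        self.raw = bytearray(size)  # the data area of the "disk"
        self.directory = {}         # file name -> (offset, length)
        self.next_free = 512        # naive bump allocator

    def write(self, name, data):
        off = self.next_free
        self.raw[off:off + len(data)] = data
        self.directory[name] = (off, len(data))
        self.next_free = off + len(data)

    def delete(self, name):
        # Ordinary delete: only the pointer is dropped, the bytes stay put.
        del self.directory[name]

    def secure_delete(self, name):
        # Overwrite the data with zeros, then drop the pointer.
        off, length = self.directory.pop(name)
        self.raw[off:off + length] = bytes(length)


def carve_png(raw):
    """Ignore the directory; scan raw bytes for PNG header/trailer pairs."""
    found, pos = [], 0
    while (start := raw.find(PNG_MAGIC, pos)) != -1:
        end = raw.find(PNG_END, start)
        if end == -1:
            break
        found.append(bytes(raw[start:end + len(PNG_END)]))
        pos = end + len(PNG_END)
    return found


def demo():
    # Constructed sample "file": PNG signature + placeholder body + trailer.
    photo = PNG_MAGIC + b"constructed-pixel-data" + PNG_END
    results = {}
    for mode in ("delete", "secure_delete"):
        disk = ToyDisk()
        disk.write("photo.png", photo)
        getattr(disk, mode)("photo.png")   # file is gone from the directory
        results[mode] = carve_png(disk.raw)
    return photo, results
```

After a plain delete the carver still returns the full file; after the zero-overwrite it finds nothing, which is why the overwrite step matters before a drive leaves your hands.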