“Was the file deleted before his resignation?”
“Was the file deleted before or after the data preservation order?”
“If the file was deleted on the 1st rather than the 31st, then that means there was a breach of a court order. Can you say when it was deleted?”
All of these questions are asking the same thing: “When was a file deleted?” This article looks at that question for Windows operating systems.
Broadly there are two scenarios: the file is deleted via the recycle bin, or the file is deleted without going through the recycle bin.
Deleted Dates: Recycle Bin
If a user hits the Delete key on a file it, in virtually all scenarios, goes to the Recycle Bin in Windows. Windows 9x, 2000, XP and Vista all have a recycle bin/trash bin. Many users are familiar with this and know that if they delete a file, they can go into the recycle bin and recover it at a later date.
What many users are not aware of, but all forensic investigators should be, is that when a file is placed in the recycle bin the date on which that occurs is recorded; i.e. the date of deletion is recorded if the file is deleted via the recycle bin. This information is recorded in the INFO2 file in Windows 9x, 2000 and XP. In Vista the information is still recorded, but in a slightly different location.
Therefore, if a file is deleted via the recycle bin, the deletion date is easily obtained.
If the recycle bin is emptied, can the deleted date still be recovered?
Yes, for a period of time. When the recycle bin is emptied, the record of the deletion date is itself deleted, so it has to be recovered using data recovery methods. But as it is not a file that is being searched for, but rather metadata about the deleted file, it is only a fragment of data that needs to be recovered.
Therefore methods such as keyword searching and date carving are required to locate this information.
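The INFO2 record layout that makes both of the above possible, as an added worked example (not code from the original article): each Windows 2000/XP record stores the original path in ASCII and again in UTF-16, with the deletion time as a FILETIME between them, so the same pattern that reads an intact INFO2 file also carves stranded records out of unallocated space after the bin has been emptied. The sample record and the "unallocated" fragment are constructed inside the code; the 800-byte record layout is the documented 2000/XP one.

```python
import re, struct
from datetime import datetime, timedelta, timezone

REC_SIZE = 800   # Windows 2000/XP (INFO2 version 5) record size
HDR_SIZE = 20    # INFO2 header: version, two unknown DWORDs, record size, total size
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
PATH_RE = re.compile(rb"[A-Z]:\\[^\x00]{1,259}\x00")  # ASCII original path at record offset 0

def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    td = dt - EPOCH_1601  # integer arithmetic; float division loses precision at this magnitude
    return ((td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds) * 10

def parse_record(rec):
    """Decode one record: ASCII path @0, index @260, drive @264, deletion FILETIME @268,
    physical size @276, UTF-16 path @280. Index is the N in the bin's DcN.ext file name."""
    ascii_path = rec[:260].split(b"\x00", 1)[0].decode("ascii", "replace")
    index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
    uni_path = rec[280:].decode("utf-16-le", "replace").split("\x00", 1)[0]
    return {"index": index, "drive": chr(ord("A") + drive), "deleted": filetime_to_dt(ft),
            "size": size, "path": uni_path or ascii_path}

def carve_info2_records(blob):
    """Find records in an INFO2 file or in unallocated data after the bin was emptied:
    an ASCII drive path whose UTF-16 copy sits exactly 280 bytes later marks a record."""
    found = []
    for m in PATH_RE.finditer(blob):
        ascii_path, rec = m.group()[:-1], blob[m.start():m.start() + REC_SIZE]
        if len(rec) == REC_SIZE and rec[280:280 + 2 * len(ascii_path)] == ascii_path.decode().encode("utf-16-le"):
            found.append(parse_record(rec))
    return found

def build_record(path, index, drive, deleted, size):
    """Constructed sample record (not from a real system) for the demonstration below."""
    rec = bytearray(REC_SIZE)
    rec[:len(path)] = path.encode("ascii")
    struct.pack_into("<IIQI", rec, 260, index, drive, dt_to_filetime(deleted), size)
    rec[280:280 + 2 * len(path)] = path.encode("utf-16-le")
    return bytes(rec)

def demo():
    deleted = datetime(2008, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    rec = build_record(r"C:\Documents and Settings\user\Desktop\memo.doc", 1, 2, deleted, 4096)
    info2 = struct.pack("<IIIII", 5, 0, 0, REC_SIZE, HDR_SIZE + REC_SIZE) + rec  # intact INFO2
    fragment = b"\xaa" * 37 + rec + b"\x00" * 13  # constructed slice of unallocated space
    return carve_info2_records(info2), carve_info2_records(fragment)
```

The FILETIME is stored in UTC, so the recovered value still has to be interpreted against the machine's time zone and clock before it is compared with a date in a court order.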
Why does the file not go into the recycle bin?
Not all files are deleted via the recycle bin; this can occur for a couple of reasons. The most common are:
- System deletion: if the computer deletes files automatically, e.g. as part of routine cleanup, the files do not go via the recycle bin.
- User-initiated system deletion: if a user clears the internet history, or uninstalls a program, then the system deletes files. These files do not go to the recycle bin.
- Third-party tools: if an individual runs a deletion tool such as EvidenceEliminator, the files it deletes do not go via the recycle bin. Therefore their dates of deletion are not recorded in the recycle bin (though they may be recorded elsewhere; see Part 2).
- Shift-Delete: if a user holds Shift while pressing Delete, the file is “hard deleted”: it does not go to the recycle bin but is simply deleted. In this case the date of deletion is not recorded by the recycle bin.
Part 2 will cover the issue of determining the deletion dates of files that are not deleted via the recycle bin.