What is unallocated space and is it useful to my investigation? Can I retrieve deleted messages?
A common misunderstanding is that deleted data is permanently gone. This is not always the case. A newer belief is that deleted data can always be recovered. This is also incorrect. Partly thanks to more and more technologically-oriented crime shows displaying heroic acts of deleted data recovery, the public is starting to believe this is always possible.
The shorthand answer:
It depends. I know, this answer doesn’t appear to help much initially, but please let me explain. Just like with any legal investigation, there are specifics about the case that make it slightly different from any other investigation. This is no different when it comes to Digital Forensics, especially when in reference to deleted data. Three main things to look at when asking this base question are:
- When the data was deleted
- How much has the device been used since the deletion
- What device the data was on
Unallocated Space & Time:
The sooner you can try to recover the deleted data, the better. In order to understand the reasoning, it helps to know the basics of “unallocated space” (a.k.a “free space”).
Imagine your hard drive like an empty cardboard box, and imagine a stack of books is like data. If you want to put a book inside of your cardboard box, you will have to allocate some of its empty space to the book. This is just like how you need to allocate empty space on a disk if you want to save a file to it. You now have less room inside the box, and less room on your hard drive. The more books you put in the box, the less unallocated space you have. Now imagine you want to put the box away in storage, so you write a list of all the books inside your cardboard box. This list will help you stay organized and find where a specific book is kept. Your book tracking list therefore works very similarly to a file within your computer called the “Master File Table” ($MFT). The purpose of this file is to create an index that basically keeps track of all files on your hard drive. It lets your computer know where to find the data for a file, and tells the hard drive that a file exists in a certain spot, so it shouldn’t try to store a new file in the same location.
This is where it might start to get a little confusing. Deleting a file on the hard drive is not as simple as the file just being “gone”. Instead, the Master File Table simply removes the index entry for the file by overwriting a few bytes of the entry. This action now tells the computer that there is no data at the location of the file, so it is free to write new data there. Essentially, it is saying that previously allocated (used up) space on the hard drive is now unallocated (free). Going back to our cardboard box of books analogy, this is like scratching off a book’s title on your list. Since you no longer care about remembering the location of the book, it can be viewed as empty space. If you’re following along though, you will recognize that the book is still in the box! We haven’t actually removed it, just removed our note of it. Now, if we had a new book that we wanted to put in storage, we would check our list and see that there is room in our box because a name was scratched off. Once we get to the box, we see that the box is full, so we just pull out the old book we don’t care about and replace it with the new book. The old book is just thrown away at this point, and now we write the title of the new book on our box’s list. This is exactly what the computer is doing with the data. The data is not actually “deleted” on the hard drive until a new book (file) is written over it.
As long as new data is not intentionally written to the hard drive, the data has a better chance of still being on the disk in “unallocated space”. Your device may write data to the hard drive automatically for its own functions, which has the potential to overwrite your data residing in the unallocated space. System updates, typical processes, and user interaction on the device all increase the chance of new data writing over the deleted data. The best chances of recovering deleted data are by trying to recover it as soon as possible, while limiting your activity on the device as much as possible.
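The cardboard-box analogy above can be run as code. The following is an added example, not part of the original article: a toy block-based “disk” with a separate index (standing in for the book list or $MFT). Deleting a file only drops its index entry, so the bytes remain in unallocated blocks and can be found by scanning them; a later write reuses those blocks and the bytes are gone. The disk layout, block size, file names and message text are all constructed for illustration.

```python
# Added example (not from the original article): a toy block-based "disk"
# modelled on the article's description of allocation. Deleting a file only
# removes its index entry; the blocks keep their bytes until a later write
# reuses them. Block size, file names and data are constructed.

BLOCK_SIZE = 16


class ToyDisk:
    def __init__(self, num_blocks):
        self.blocks = [b"\x00" * BLOCK_SIZE for _ in range(num_blocks)]
        # The "index" (the article's book list / $MFT): name -> block numbers.
        self.index = {}

    def _free_blocks(self):
        """Blocks no index entry references: the disk's unallocated space."""
        used = {b for blocks in self.index.values() for b in blocks}
        return [i for i in range(len(self.blocks)) if i not in used]

    def write_file(self, name, data):
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)] or [b""]
        free = self._free_blocks()
        if len(chunks) > len(free):
            raise OSError("disk full")
        allocated = free[:len(chunks)]
        for blk, chunk in zip(allocated, chunks):
            # Overwrites whatever a previously deleted file left in the block.
            self.blocks[blk] = chunk.ljust(BLOCK_SIZE, b"\x00")
        self.index[name] = allocated
        return allocated

    def delete_file(self, name):
        # Only the index entry goes away; block contents are untouched.
        del self.index[name]

    def read_file(self, name):
        return b"".join(self.blocks[b] for b in self.index[name]).rstrip(b"\x00")

    def carve_unallocated(self, keyword):
        """Scan unallocated blocks for a keyword; returns matching block numbers.
        This is the examiner's view: the index no longer helps, so the raw
        bytes themselves have to be searched."""
        return [b for b in self._free_blocks() if keyword in self.blocks[b]]


def demo():
    """Returns (found_after_delete, gone_after_new_write)."""
    disk = ToyDisk(num_blocks=4)
    disk.write_file("note.txt", b"meet at the pier at noon")
    disk.delete_file("note.txt")
    # Deleted, but still present in unallocated space.
    still_there = disk.carve_unallocated(b"pier") != []
    # Ordinary activity (an update, a new message) reuses the freed blocks.
    disk.write_file("update.bin", b"X" * 40)
    overwritten = disk.carve_unallocated(b"pier") == []
    return still_there, overwritten


if __name__ == "__main__":
    print(demo())
```

With four 16-byte blocks the note occupies blocks 0 and 1; after deletion `carve_unallocated` still finds it in block 0, and the 40-byte `update.bin` then claims blocks 0 to 2 and destroys it. A real file system adds journaling, slack space and wear levelling on top of this, but the ordering of events is the same, which is why acting quickly and limiting use of the device matters.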
Your deleted data recovery chance is also heavily reliant on your device. Storage size, device type, data size, and internet connectivity can all affect the potential for it to be retrieved. Obviously, devices with smaller storage space have a higher chance of being overwritten sooner, since there are fewer alternative places for the system to place the new data. The device you have the data on is also very important when retrieving data. Some computers have hard drives, some have solid state drives, and some have the combination of the two known as “hybrid drives”. Since data deletion is a different process on each of these drives, your odds of recovering the deleted data vary. It is also dependent on how your device normally stores the data. For instance, a cell phone will act differently than a desktop computer because of different storage sizes and the number of processes the system writes to the disk. Lastly, if your system is connected to the internet, or connected to a cell network, there are more chances of data being received and overwriting the unallocated data. An automatic update could start without your knowledge and write to the disk in the same spot as your deleted content. You could also receive a text message on your cell phone and have it stored in the same unallocated space as a previously deleted message. Regardless of the device, it is always best practice to try and recover any lost data as soon as possible. However, no deleted data is guaranteed to be recoverable.
Text Message Carving:
Since deleted data still resides on the disk before it is overwritten, it is possible for it to be recovered. The same goes for deleted text messages. There are numerous ways to recover deleted messages on a phone, but one method is term-based file carving. If you get a dd image of the cellular device (a bit-for-bit copy or clone of the device), you can search through the hexadecimal data for keywords that are related to the deleted data. This can be done manually in a hex editor display, or with programs that are designed to do this. By knowing how the text message data is stored, you can search for keywords. The SMS database on an iPhone, for example, uses the term “handle_id” to associate a phone number with the messages sent by that person. Once you know the contact’s handle_id, you can search for it within the hex. This method is a lot more effective than searching for a word that the deleted message included, but both are possible. In the end, text messages have the potential to be recovered, but again it is dependent on many factors.
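The term-based carving described above, as an added example that is not part of the original article and not the code of any forensic tool: a keyword scanner for a raw dd image that reads the image in chunks, keeps an overlap so a keyword straddling a chunk boundary is not missed, and reports each hit with its absolute offset and a printable context window. The image bytes, the `handle_id=7` value and the message text are constructed; the row layout only loosely imitates a messages table and is not the real iOS sms.db format.

```python
# Added example (not from the original article): chunked keyword carving over
# a raw dd-style image. Sample image, handle_id value and message text are
# constructed for illustration; the layout is not the real iOS sms.db format.
import io
import string

# Bytes rendered as themselves in the context window; everything else as ".".
PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")


def find_keyword_offsets(image, keyword, chunk_size=4096):
    """Return absolute offsets of every occurrence of keyword in a file-like
    image. Reads chunk_size bytes at a time and keeps len(keyword)-1 bytes of
    the previous chunk, so a match split across two chunks is still found
    and no match is reported twice (a full keyword cannot fit in the tail)."""
    overlap = len(keyword) - 1
    offsets = []
    image.seek(0)
    base = 0          # absolute offset of buf[0]
    buf = b""
    while True:
        data = image.read(chunk_size)
        if not data:
            break
        buf += data
        idx = buf.find(keyword)
        while idx >= 0:
            offsets.append(base + idx)
            idx = buf.find(keyword, idx + 1)   # also catches overlapping hits
        if len(buf) > overlap:
            base += len(buf) - overlap
            buf = buf[len(buf) - overlap:]
    return offsets


def find_keyword_offsets_in_bytes(data, keyword, chunk_size=4096):
    """Convenience wrapper for an in-memory image."""
    return find_keyword_offsets(io.BytesIO(data), keyword, chunk_size)


def printable_context(image, offset, length, context=32):
    """Bytes around a hit, with non-printable bytes shown as '.', the way a
    hex editor's ASCII column does."""
    start = max(0, offset - context)
    image.seek(start)
    raw = image.read((offset - start) + length + context)
    return bytes(c if c in PRINTABLE else ord(".") for c in raw).decode("ascii")


def build_sample_image():
    """Constructed image: filler, two row-like fragments tagged with the same
    handle_id (the records a deleted conversation might leave behind), and
    more filler. The first fragment deliberately starts at offset 60 so the
    keyword crosses the 64-byte chunk boundary used in demo()."""
    filler = b"\x00" * 60
    rec1 = b"handle_id=7|text=see you at the pier\x00"
    rec2 = b"handle_id=7|text=bring the documents\x00"
    return filler + rec1 + b"\xff" * 13 + rec2 + b"\x00" * 50


def demo():
    """Carve the constructed image for handle_id=7; returns [(offset, context)]."""
    image = io.BytesIO(build_sample_image())
    keyword = b"handle_id=7"
    offsets = find_keyword_offsets(image, keyword, chunk_size=64)
    return [(off, printable_context(image, off, len(keyword))) for off in offsets]


if __name__ == "__main__":
    for off, snippet in demo():
        print(f"0x{off:08x}  {snippet}")
```

On the constructed image both fragments are found at offsets 60 and 110 whether the chunk size is 64 or 4096; without the overlap the first hit would be lost at the small chunk size, which is the same failure a naive scanner shows on a multi-gigabyte image. Searching on the handle_id value rather than a word from the message is what the article recommends, and the scanner does not care which is used: the keyword is just bytes. For a real image, open the dd file in binary mode and pass it in place of the `BytesIO`.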