How does digital forensics contribute to tracking deleted data?

Palo Alto Networks International reviewed the role of digital forensic analysis in examining computers whose data was deliberately deleted in order to hide evidence of illegal activities on them.


Many people believe that deleting data from a computer is like burning paper documents in order to destroy them, as if what is gone is dead. Some take additional measures to ensure that the data has been deleted irreversibly, perhaps to conceal any trace of practices related to criminal behavior. On the other side, another group tries to collect and retrieve this data to form a trail of evidence.


Use digital forensics to recover deleted data


Every action that the user takes leaves a digital footprint on the computer, and digital forensic experts use tools and techniques to track these traces by examining the data at the level of the hard disk or private disk. For example, digital forensic analysts can determine when the user connected to a coffee shop's Wi-Fi network, detect chat history between two co-workers, identify previously connected external storage devices, and reconstruct other actions.

Digital forensic analysis can also reveal details of the user's interaction with his personal computer, especially the steps the user took to hide or delete data. In the world of digital technologies, what is gone is not necessarily dead.


Examples of digital forensics work in data recovery operations

Palo Alto Networks presented two examples of cases where forensic analysis uncovered details and detected malicious practices.


Example 1: Data recovery operations reveal attempts to hide intellectual property theft


In the first example, a female employee quits her job and joins a competitor company working on a similar project. The former company suspects that the employee may have shared some organizational information with the new competitor before formally resigning, but the employee returned her personal computer only after she had "deleted" all of the user data.


Ultimately, digital forensics revealed the theft of intellectual property and the destruction of data. A digital forensic expert was able to recover separate fragments of files, as well as some other traces previously deleted, from the former employee's personal computer.


The results of the analysis revealed evidence indicating that an external flash memory disk was used to view design review files, publishing plans, and other information that is the intellectual property of the company, while the computer was connected to the network of the competitor (the company that the employee moved to work with) two days after the resignation was submitted.


However, the most damaging finding of the digital forensic analysis was the considerable lengths this former employee went to when trying to remove any trace of her actions by deleting files en masse. Just days before she returned her computer to the company, the former employee installed a remote login tool and received a connection from an IP address that later turned out to belong to one of the sites of an external maintenance contractor working with the company, who was suspected of participating in this crime. Only seconds after the connection succeeded, the mass deletions of data from the computer were carried out. Had it not been for digital forensic analysis, the company would not have been able to detect and prove these illegal practices that the former employee undertook in collusion with the external maintenance contractor.
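
The correlation described in this first example, a remote session followed within seconds by mass deletions, can be written as a check over a forensic timeline. This is an added illustration, not code from Palo Alto Networks or the original article; the event names, timestamps, file paths and the address 203.0.113.7 are constructed placeholders.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
# Constructed timeline rows (timestamp, event type, detail); not case data.
# 203.0.113.7 is a documentation-range address used as a placeholder.
TIMELINE = [
    ("2024-03-01 09:12:05", "usb_attach", "removable volume mounted"),
    ("2024-03-04 18:40:10", "install", "remote login tool installed"),
    ("2024-03-04 18:47:31", "remote_session", "203.0.113.7"),
    ("2024-03-05 10:02:00", "file_delete", "tmp/cache.dat"),  # routine, isolated
]
# 40 constructed deletions spread over the ten seconds after the session opens.
TIMELINE += [(f"2024-03-04 18:47:{39 + i // 4:02d}", "file_delete",
              f"docs/file_{i}.bin") for i in range(40)]

def parse(rows):
    """Convert text timestamps and return the events in chronological order."""
    return sorted((datetime.strptime(ts, FMT), kind, detail)
                  for ts, kind, detail in rows)

def deletion_bursts(events, max_gap=timedelta(seconds=5), min_count=20):
    """Group deletions separated by at most max_gap; keep runs of min_count+."""
    bursts, run = [], []
    for ts, kind, _ in events:
        if kind != "file_delete":
            continue
        if run and ts - run[-1] > max_gap:
            if len(run) >= min_count:
                bursts.append((run[0], run[-1], len(run)))
            run = []
        run.append(ts)
    if len(run) >= min_count:
        bursts.append((run[0], run[-1], len(run)))
    return bursts

def sessions_before_bursts(events, lead=timedelta(seconds=30)):
    """Pair each burst with remote sessions opened at most `lead` before it."""
    findings = []
    for start, _end, count in deletion_bursts(events):
        for ts, kind, peer in events:
            if kind == "remote_session" and timedelta(0) <= start - ts <= lead:
                findings.append({"peer": peer, "session_start": ts,
                                 "burst_start": start, "deleted": count,
                                 "delay_s": (start - ts).total_seconds()})
    return findings

if __name__ == "__main__":
    for finding in sessions_before_bursts(parse(TIMELINE)):
        print(finding)
```

The thresholds (5-second gap, 20 deletions, 30-second lead) are assumptions to tune against the normal deletion rate on the system being examined.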


Example 2: Digital forensics proves the theft of files


In another case, a company suspected that a former employee had violated the company's intellectual property rights by stealing its intellectual property before he recently left the company, but the company did not have the evidence to prove this. An initial check of the employee's Mac computer found that most files and folders had been deleted.

However, digital forensic analysis proved that the former employee logged into his personal iCloud account, synchronized a number of folders that contained the company's intellectual property, and then deleted the same folders from his personal computer just days before submitting his resignation.


The experts succeeded in analyzing forensic traces and system records that retained historical records of these folders and of the approximate time it took to sync them with the iCloud account and then delete them from the computer.


Digital forensics established that the data had been backed up during about the same period. These results strengthened the legal basis that enabled the company's lawyer to request an inspection of the former employee's personal equipment.


As is evident from the two previous examples, deleting data does not necessarily mean that it has completely disappeared. In each case, digital forensic analysis revealed the details of how a former employee stole intellectual property belonging to the company they previously worked for and then attempted to destroy and conceal any trace of their actions.


It is possible that the perpetrators in both cases did not realize what digital forensics experts can do, or the ability of these experts to trace the footprint of their digital actions and uncover the truth.
