Our first blog post was inspired by a common question our clients pose to us: how do you recover a deleted document?
You have probably heard by now that a deleted file is not necessarily deleted. You’ve come to the right place, as this is a question that we often help our clients answer. The objective of this blog post is to provide an overview of how a digital forensic examiner recovers a deleted file from a thumb drive. In this blog post, we are going to cover the FAT file system, which a lot of small removable media devices, such as the 1GB thumb drive referenced in this blog post, use to store data. Larger capacity removable media storage devices use other file systems, such as NTFS, for storing data. Your Windows PC is using NTFS as its file system (unless, by some small chance, you are using an antiquated PC running Windows XP or an older operating system). The FAT and NTFS file systems are beyond the scope of this blog post, but they are something that forensic examiners are familiar with when it comes to performing forensic examinations.
There are many methodologies and tools that a forensic examiner may utilize when recovering a deleted file. This blog post is going to focus on recovering a deleted Microsoft Word document from a thumb drive. There are many forensic artifacts associated with this exercise, but we are just focusing on viewing a deleted file from a thumb drive. The file that we are going to recover is called “secret.docx” and it was deleted from a FAT-formatted 1GB Kemper Technology USB Thumb Drive as pictured below (Figure 1).