Why can deleted data be reconstructed at all?

Understanding why deleted data can be reconstructed begins with how modern file systems work. When a file is deleted, the operating system merely removes the reference to that file from the file system index. The actual data remains on the storage medium until the corresponding storage area is overwritten by new data.

This principle applies to all common file systems:

File System    | Deletion Behavior                       | Reconstruction Chance
---------------|-----------------------------------------|------------------------
NTFS (Windows) | MFT entry marked as deleted             | High, until overwritten
APFS (macOS)   | Inode marked as free                    | Medium to high
ext4 (Linux)   | Inode data partially deleted            | Medium
FAT32          | First character of filename overwritten | High
exFAT          | Directory entry marked as deleted       | High

In practice, this means: the less a storage medium is used after deletion, the higher the reconstruction chances. This is why the first and most important rule after data loss is: immediately stop using the affected storage medium and do not write any new data to it.

For a basic introduction to data recovery methods, we recommend our article "How does professional data recovery work?".

What forensic methods are used for data reconstruction?

Forensic data reconstruction employs various techniques that are used depending on the situation and storage media type:

File Carving: File carving is a method that identifies files based on their characteristic byte patterns (signatures), independent of the file system. Each file type begins with a typical sequence: JPEG images with FF D8 FF, PDF files with %PDF, ZIP archives with PK. The carving tool searches the entire storage medium sector by sector for these signatures and extracts the found files.

File System Journal Analysis: Modern file systems such as NTFS and ext4 maintain a journal (transaction log) that records changes to the file system before they are finalized. By analyzing this journal, forensic investigators can trace which files were deleted, renamed, or moved and when.

Slack Space Analysis: When a file occupies less storage than the cluster allocated to it, the remaining space (slack space) may still contain fragments of data stored there earlier. This residual data can contain valuable evidence.
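The following is an added example, not code from the original article: a minimal header/footer carver of the kind described under "File Carving", which walks a raw image sector by sector looking for the signatures named above (JPEG FF D8 FF, PDF %PDF, ZIP PK) and, for each hit, also keeps the slack bytes between the file's end and the next sector boundary, as described under "Slack Space Analysis". The sample image, the signature table, the sector size and all function names are constructed assumptions for this example.

```python
"""Minimal signature-based file carver with slack-space capture (added example)."""
from dataclasses import dataclass

SECTOR = 512  # assumed sector size of the constructed image

# kind -> (header, footer, bytes that follow the footer, maximum carve size).
# The ZIP footer is the end-of-central-directory signature, which is followed
# by 18 fixed bytes (an optional trailing comment is ignored here).
SIGNATURES = {
    "jpg": (b"\xFF\xD8\xFF", b"\xFF\xD9", 0, 10 * 1024 * 1024),
    "pdf": (b"%PDF", b"%%EOF", 0, 50 * 1024 * 1024),
    "zip": (b"PK\x03\x04", b"PK\x05\x06", 18, 100 * 1024 * 1024),
}


@dataclass
class CarvedFile:
    kind: str
    offset: int      # byte offset of the header in the image
    size: int        # bytes carved, header through footer
    data: bytes
    complete: bool   # False if no footer was found within max_size
    slack: bytes     # bytes between the file's end and the next sector boundary


def carve(image: bytes, sector: int = SECTOR) -> list:
    """Return every signature hit that starts on a sector boundary of `image`."""
    found = []
    off = 0
    while off < len(image):
        hit = next((k for k, sig in SIGNATURES.items()
                    if image.startswith(sig[0], off)), None)
        if hit is None:
            off += sector            # nothing starts here, try the next sector
            continue
        header, footer, tail, max_size = SIGNATURES[hit]
        limit = min(len(image), off + max_size)
        pos = image.find(footer, off + len(header), limit)
        if pos == -1:
            end, complete = limit, False   # footer overwritten or file fragmented
        else:
            end, complete = min(pos + len(footer) + tail, len(image)), True
        next_boundary = -(-end // sector) * sector   # round up to sector size
        found.append(CarvedFile(hit, off, end - off, image[off:end], complete,
                                image[end:next_boundary]))
        off = next_boundary          # continue behind the carved file
    return found


def build_sample_image() -> bytes:
    """Constructed image: a JPEG, a PDF followed by residue in its slack, a ZIP,
    and a JPEG whose footer was overwritten, each starting on a sector boundary."""
    def pad(blob: bytes) -> bytes:
        return blob + b"\x00" * (-len(blob) % SECTOR)   # zeros = free space
    jpeg = b"\xFF\xD8\xFF\xE0" + b"J" * 100 + b"\xFF\xD9"
    pdf = b"%PDF-1.4\n" + b"P" * 700 + b"\n%%EOF"
    residue = b"OLD-DATA"                            # leftover of an earlier file
    zipf = b"PK\x03\x04" + b"Z" * 40 + b"PK\x05\x06" + b"\x00" * 18
    truncated = b"\xFF\xD8\xFF\xE1" + b"T" * 50      # no FF D9 follows
    return pad(jpeg) + pad(pdf + residue) + pad(zipf) + pad(truncated)


if __name__ == "__main__":
    for f in carve(build_sample_image()):
        print(f"{f.kind} @ {f.offset}: {f.size} bytes, complete={f.complete}, "
              f"slack starts with {f.slack[:8]!r}")
```

Two limits of this approach are worth keeping in mind: a JPEG with an embedded thumbnail contains a second FF D9, so a footer-based carver cuts it short, and a file stored in non-contiguous clusters is not reassembled at all, which is why fragmented files are the weak spot of carving.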

Metadata Reconstruction: Even when file contents have been overwritten, metadata such as filenames, timestamps, and file paths can be reconstructed from the file system journal, the MFT (Master File Table), or shadow copies.

Volume Shadow Copy Analysis (Windows): Windows automatically creates shadow copies of previous file versions. These can still be present even when the original files have long been deleted.

How does reconstruction differ between HDDs and SSDs?

The difference between data reconstruction on traditional hard drives (HDDs) and solid-state drives (SSDs) is fundamental and directly affects the prospects of success:

HDDs (magnetic hard drives): On HDDs, deleted data remains intact until the corresponding sector is physically overwritten with new data. Since HDDs have no active mechanism for clearing free sectors, reconstruction chances remain high over extended periods.

SSDs (flash storage): SSDs operate fundamentally differently. The TRIM command, enabled by default in modern operating systems, instructs the SSD to physically clear storage blocks marked as deleted. After TRIM execution, data in the affected blocks is irrecoverably lost.

Property                      | HDD                                | SSD
------------------------------|------------------------------------|---------------------------------------
Deletion behavior             | Only file system reference removed | TRIM physically clears storage blocks
Reconstruction after deletion | High (until overwritten)           | Very low (after TRIM)
Time window for recovery      | Days to months                     | Seconds to minutes
Fragmented files              | Often recoverable                  | Rarely recoverable
Forensic analysis             | Comprehensively possible           | Severely limited

However, there are scenarios where reconstruction can succeed even with SSDs:

  • TRIM is disabled or has not yet been executed
  • The operating system does not support TRIM for the specific SSD
  • The SSD is connected via a USB interface (TRIM is often not supported)
  • Wear-leveling algorithms have left copies of data on other storage cells
  • The SSD has a defect and the controller does not execute TRIM
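As an added example that is not part of the original article, the check below tells an examiner which of the scenarios above applies to a Linux host before any recovery attempt: it parses the output of `lsblk -D` (alias `--discard`), where a DISC-GRAN of 0B means the kernel will not issue TRIM to that device at all (typical for an SSD behind a USB enclosure). The sample output, the device names and the function names are constructed for this example.

```python
"""Triage check for TRIM/discard support from `lsblk -D` output (added example)."""
import re

# Constructed `lsblk -D` output: an internal NVMe SSD that supports discard and
# an SSD in a USB enclosure (sdb) for which no discard granularity is reported.
SAMPLE_LSBLK_D = """\
NAME        DISC-ALN DISC-GRAN DISC-MAX DISC-ZERO
nvme0n1            0      512B       2T         0
├─nvme0n1p1        0      512B       2T         0
└─nvme0n1p2        0      512B       2T         0
sdb                0        0B       0B         0
└─sdb1             0        0B       0B         0
"""

_TREE_PREFIX = re.compile(r"^[\s│├└─]*")   # tree-drawing characters before names


def _size_is_positive(cell: str) -> bool:
    """True for '512B', '4K', '2T', '1'; False for '0B' or '0'."""
    m = re.match(r"^(\d+(?:\.\d+)?)", cell)
    return bool(m) and float(m.group(1)) > 0


def parse_lsblk_discard(text: str) -> dict:
    """Map device name -> True if the device advertises discard support."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    gran_col = header.index("DISC-GRAN")   # locate the column by name, not position
    result = {}
    for line in lines[1:]:
        cells = line.split()
        name = _TREE_PREFIX.sub("", cells[0])
        result[name] = _size_is_positive(cells[gran_col])
    return result


def devices_without_trim(text: str) -> list:
    """Devices on which deleted blocks are not being cleared by TRIM."""
    return sorted(name for name, ok in parse_lsblk_discard(text).items() if not ok)


if __name__ == "__main__":
    print("No TRIM possible on:", devices_without_trim(SAMPLE_LSBLK_D))
```

A positive DISC-GRAN only means the device accepts discards; whether they are actually sent depends on the file system being mounted with the `discard` option or on a periodic `fstrim` run, so on a device that does support TRIM the next question is how recently either of those last happened.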


Can deliberately tampered data be forensically detected?

A central question in IT forensics is: can data manipulation be detected and the original contents recovered? The answer depends on the type and quality of the manipulation.

Detectable manipulations:

  • Timestamp changes: File systems store multiple timestamps (creation, modification, access, MFT modification). Manual changes to a timestamp leave inconsistencies between these different values.
  • File renaming: The journal records renaming operations. Forensic investigators can reconstruct the original filename.
  • Selective deletion: Deletion operations leave traces in the MFT, file system journal, and $UsnJrnl entries on Windows.
  • Data manipulation in documents: Office documents contain extensive metadata recording editing histories, author names, and editing times.
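The timestamp checks described in the first bullet, as an added example that is not code from the original article. NTFS keeps the four timestamps (created, modified, MFT-entry modified, accessed) twice: in $STANDARD_INFORMATION, which ordinary file APIs can change, and in $FILE_NAME, which the file system maintains itself; the example goes slightly beyond the bullet by comparing the two sets, because a tool that back-dates the first set normally leaves the second untouched. The records, paths and all names are constructed assumptions.

```python
"""Consistency checks over NTFS timestamps (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass
class Timestamps:
    created: datetime
    modified: datetime
    mft_modified: datetime   # last change to the MFT record itself
    accessed: datetime


@dataclass
class FileRecord:
    path: str
    si: Timestamps   # $STANDARD_INFORMATION
    fn: Timestamps   # $FILE_NAME


# Finding labels as constants so callers can match on them.
MODIFIED_BEFORE_CREATED = "SI modified earlier than SI created (also seen on copied files)"
ACCESSED_BEFORE_CREATED = "SI accessed earlier than SI created"
MODIFIED_AFTER_MFT = "SI modified later than SI MFT-modified"
SI_CREATED_BEFORE_FN = "SI created earlier than FN created (timestomping indicator)"
ZERO_SUBSECOND = "SI created/modified/accessed all have zero sub-second part (weak indicator)"


def timestamp_anomalies(rec: FileRecord) -> list:
    """Return the inconsistencies found between the record's timestamps."""
    si, fn = rec.si, rec.fn
    findings = []
    # Ordering inside $STANDARD_INFORMATION. Note that a copied file legitimately
    # keeps its old modified time behind a fresh created time, so treat these as leads.
    if si.modified < si.created:
        findings.append(MODIFIED_BEFORE_CREATED)
    if si.accessed < si.created:
        findings.append(ACCESSED_BEFORE_CREATED)
    # Any content change also rewrites the MFT record, so MFT-modified should not lag.
    if si.modified > si.mft_modified:
        findings.append(MODIFIED_AFTER_MFT)
    # $FILE_NAME is set by the file system; SI predating it means SI was edited.
    if si.created < fn.created:
        findings.append(SI_CREATED_BEFORE_FN)
    # Tools that set whole seconds leave the 100 ns fraction at zero; MFT-modified
    # is left out because the system sets it when the record is rewritten.
    if all(t.microsecond == 0 for t in (si.created, si.modified, si.accessed)):
        findings.append(ZERO_SUBSECOND)
    return findings


def sample_records() -> tuple:
    """Two constructed records: a normal file, and one whose SI timestamps were
    back-dated to 2019 although the file system created it in 2024."""
    def ts(y, mo, d, h=0, mi=0, s=0, us=0):
        return datetime(y, mo, d, h, mi, s, us, tzinfo=UTC)

    born = ts(2024, 3, 1, 10, 0, 0, 123456)
    edited = ts(2024, 3, 5, 12, 0, 0, 654321)
    clean = FileRecord(
        "C:\\Users\\alice\\report.docx",
        si=Timestamps(born, edited, edited, ts(2024, 3, 6, 8, 0, 0, 42)),
        fn=Timestamps(born, born, born, born),
    )
    fn_born = ts(2024, 3, 5, 11, 59, 0, 500000)
    stomped = FileRecord(
        "C:\\Users\\alice\\notes.txt",
        si=Timestamps(ts(2019, 1, 1), ts(2019, 1, 1),
                      ts(2024, 3, 5, 11, 59, 30, 900000), ts(2019, 1, 1)),
        fn=Timestamps(fn_born, fn_born, fn_born, fn_born),
    )
    return clean, stomped


if __name__ == "__main__":
    for rec in sample_records():
        print(rec.path, "->", timestamp_anomalies(rec) or "no anomalies")
```

The findings are leads, not proof: copying a file or restoring it from backup produces some of the same patterns, which is why an examiner corroborates them against the journal entries mentioned in the bullets below.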

Difficult to detect manipulations:

  • Complete secure overwriting with specialized tools (e.g., DBAN, Eraser)
  • Sector-level manipulation with direct write access
  • Use of anti-forensic tools that deliberately erase traces
  • Encryption of original data before deletion

Evidence preservation must be performed with particular care in such cases to capture even subtle traces of manipulation.

What software tools are used for data reconstruction?

Forensic investigators and data recovery specialists use a range of specialized tools:

Forensic analysis suites:

Tool                       | Primary Function                           | License
---------------------------|--------------------------------------------|------------
EnCase                     | Comprehensive forensic analysis and carving | Commercial
FTK (Forensic Toolkit)     | Fast indexing, email analysis              | Commercial
Autopsy / The Sleuth Kit   | File system analysis, timeline             | Open source
X-Ways Forensics           | Powerful storage media analysis            | Commercial

Specialized carving tools:

Tool      | Specialization                        | License
----------|---------------------------------------|------------
PhotoRec  | Media and documents                   | Open source
Foremost  | General file carving                  | Open source
Scalpel   | Configurable signature search         | Open source
R-Studio  | Commercial data recovery with carving | Commercial

NAND flash tools: For direct analysis of NAND flash storage chips, specialized hardware solutions are used that read the chip directly, bypassing the controller logic. Tools such as PC-3000 Flash or Flash Extractor are leaders in this area.

The choice of tool depends on the specific case. For simple deletions on HDDs, open-source tools often suffice. For complex SSD scenarios or manipulated file systems, commercial solutions with more comprehensive analysis capabilities are required.

When is data reconstruction after formatting possible?

The possibility of reconstruction after formatting depends critically on the type of formatting performed:

Quick format: A quick format merely creates a new file system. The actual data remains on the storage medium. Reconstruction chances are very high in this case, particularly if the storage medium was not written to further after formatting. More details in our article on data recovery after formatting.

Full format: A full format overwrites every sector of the storage medium with zeros or random values. After a full format, reconstruction through conventional means is virtually impossible.

Operating system reinstallation: When reinstalling an operating system, typically only part of the storage medium is overwritten (system partition). Data on other partitions or in the free space of the system partition can often still be reconstructed.

Formatting Type    | Data Overwritten? | Reconstruction Chance
-------------------|-------------------|----------------------
Quick format (HDD) | No                | 80 - 95%
Quick format (SSD) | Yes (via TRIM)    | 5 - 20%
Full format (HDD)  | Yes               | Below 5%
Full format (SSD)  | Yes               | Virtually 0%
OS reinstallation  | Partially         | 30 - 70%

What physical methods exist for data reconstruction?

When software-based methods fail, physical procedures are employed in specialized laboratories:

Chip-off procedure: The NAND flash storage chip is physically removed from the board (desoldering) and read in a specialized reader. This method enables access to raw data even when the controller is defective. The extracted data must then be decoded and the file system manually reconstructed.

JTAG extraction: The JTAG interface (Joint Test Action Group), present on many circuit boards, allows memory to be read directly. This method is less invasive than chip-off and is frequently used for mobile devices.

In-System Programming (ISP): This method accesses the chip's memory pins directly without removing it from the board. ISP is gentler than chip-off and reduces the risk of physical damage to the chip.

Microscopic analysis: In extremely rare cases, magnetic patterns on HDD platters can be analyzed under a magnetic force microscope. This method is extremely labor-intensive and in practice is used almost exclusively by intelligence agencies and specialized research institutions.

Physical procedures require not only specialized equipment but also considerable expertise. A single error during desoldering of a NAND chip can irreparably damage it.

What are the limits of forensic data reconstruction?

Despite advanced methods, there are clear technical limits to data reconstruction:

Definitively not recoverable:

  • Data removed by standardized multi-pass secure overwriting (e.g., DoD 5220.22-M, Gutmann method)
  • SSD data after complete TRIM and garbage collection
  • Data on physically destroyed storage chips (crushing, melting)
  • Encrypted data without access to the key
  • Data on storage media treated with degaussing (demagnetization)

Severely limited reconstruction:

  • Multiply overwritten sectors on HDDs
  • Data on heavily fragmented file systems
  • Compressed or encrypted files of which only portions exist
  • Data on storage media with extensive wear-leveling activity

It is important to realistically assess these limitations. Popular culture often conveys the impression that deleted data can always be recovered. The reality is more nuanced: for HDDs without active overwriting, chances are good; for modern SSDs with TRIM, they are significantly limited.

How much does forensic data reconstruction cost?

The cost of forensic data reconstruction varies considerably and depends on several factors:

Service                      | Price Range        | Typical Duration
-----------------------------|--------------------|-----------------
Software-based file carving  | $400 - $1,000      | 1 - 3 days
File system journal analysis | $600 - $1,800      | 2 - 5 days
NAND flash chip-off          | $1,000 - $3,000    | 5 - 14 days
JTAG/ISP extraction          | $700 - $2,200      | 3 - 10 days
Complete forensic report     | $2,500 - $10,000   | 2 - 6 weeks
Expert court testimony       | $200 - $400/hour   | Variable

When commissioning a reputable data recovery company, you should clarify in advance:

  • What are the realistic prospects of success?
  • Does the company work on a "no data, no fee" basis?
  • What certifications does the company hold?
  • How is the chain of custody ensured?
  • Are the results prepared in a court-admissible manner?

How can organizations ensure the reconstructability of their data?

Organizations that might need to rely on forensic reconstruction in an emergency should take proactive measures:

  • [ ] Implement a comprehensive logging strategy (file accesses, network activities, authentication)
  • [ ] Adequately size file system journals and regularly back them up
  • [ ] Enable volume shadow copies and reserve sufficient storage space accordingly
  • [ ] Strategically configure TRIM on forensically relevant systems
  • [ ] Use write-once media (WORM) for critical logs and protocols
  • [ ] Store network traffic logs centrally and tamper-proof
  • [ ] Operate email archiving systems with audit-proof capabilities
  • [ ] Conduct regular forensic readiness assessments
  • [ ] Train employees in the handling of digital evidence

The combination of proactive data backup, a well-conceived logging strategy, and established evidence preservation ensures that the best possible conditions exist for successful data reconstruction in an emergency. Organizations with such preparation not only reduce the risk of irrecoverable data loss but also significantly lower the cost and duration of a forensic investigation.
