Carving
Hard disks and other media bearers work similar to a book. At the beginning of it, you can find a table of contents with a page number next to each chapter. Hard drives are no different, they also use a table of contents. Even more, they do so for each file. Furthermore, with a document, photo, email or any file you can always find the exact location on the hard disk, the so-called “offset”. When ‘opening’ a document, the head of the hard disk jumps to that exact location in order to show the file. Of course in reality it is technically a little more difficult, but as such it is understandable for everyone.
When deleting a file, only the table of contents is adjusted and the offset is released. This means that the real data remains on the hard disk, but can no longer be found by the computer. We call this the deleted space.
To recover deleted data, forensic analysis software must check the entire hard drive for patterns of types of files. This proces is called carving. The documents can be completely recovered, as long as this deleted space has not been overwritten with new information. That is why it is also important to use the computer as little as possible in order to successfully recover your data. Sometimes a part has already been overwritten, but not everything. For example, we can still find the last 5 pages of a document that consisted of 7 pages, the top half of a photo can be found, etc.
Slack space
All the above steps can also be repeated in the “slackspace”. The hard disk is in fact divided into clusters of equal size. If a file does not fit in such a block, then a second block is used. But that doesn’t mean that this last block is fully overwritten. The remaining space in such a block is called the “slack space”. There can also be useful information, such as fragments of an internet history or an email. Keywords from a certain document that was deleted, from which it can be shown that this document was present on that computer, the date on which a particular program was installed, etc.