Data Recovery, File Carving and Recovering Deleted, Hidden & Encrypted Content

Your journey to becoming a forensic professional starts here.

Practice with national-level exam (FACT, FACT Plus, NET, CUET, etc.) mocks, learn from structured notes, and get your doubts solved in one place.

Start Free Mock Test Create Your Account

Data Recovery, File Carving and Recovering Deleted, Hidden & Encrypted Content | ForensicSpot

Half of digital forensics is recovery. The other half is interpretation, but you cannot interpret what you cannot recover. The phrase "deleted file" hides a stack of very different scenarios, and the examiner who treats them all as one problem will produce wrong conclusions in court. A file deleted from a Windows NTFS desktop is not the same problem as a file deleted from an Android phone's flash storage, which is not the same as a file overwritten by a paranoid suspect with shred -uvz. Each demands a different recovery technique, a different success probability, and a different way of writing it up under BSA 2023 Section 63.

This topic walks the recovery stack from easy to hard: filesystem-aware undelete on NTFS, ext4 and APFS; signature-based carving with PhotoRec, Foremost and Scalpel; the SSD/TRIM problem that makes consumer SSDs the worst recovery target in the lab; partition-table recovery with TestDisk; encrypted-volume recovery for BitLocker, FileVault, LUKS and VeraCrypt; cold-boot key extraction; hashcat brute force with the right mode numbers; and the steganography and hidden-partition tricks that come up in CERT-In and I4C casework. Image first, work on copies, log every step. That last rule is the only one that has no exception.

Key terms

Deletion vs erasure: Deletion marks the file entry as free; content blocks remain until overwritten. Erasure (shred, sdelete, secure-erase) overwrites the blocks before unlinking. The difference is the recovery probability.
File carving: Recovery technique that scans raw disk blocks for known file headers and footers, ignoring filesystem metadata. The only option when the filesystem is corrupted, formatted or deliberately wiped.
TRIM: ATA/SCSI command that tells an SSD which logical blocks are no longer in use. The SSD's garbage collector can then physically erase them. TRIM is why deleted data on a modern SSD is usually unrecoverable within seconds to minutes.
BitLocker: Microsoft's full-volume encryption on Windows. Volume Master Key wrapped under TPM, password, recovery key (48 digits), or AD/MBAM/Intune escrow. Hashcat mode -m 22100.
VeraCrypt hidden volume: A second encrypted volume nested inside the free space of an outer VeraCrypt volume, accessed with a different password. Designed for plausible deniability; statistical entropy and free-space patterns are how examiners flag the presence.
Steganography: Hiding data inside other data, typically by encoding payload bits into the least significant bits of pixels or audio samples. Tools: StegHide, OutGuess, F5. Detection: StegExpose, stegoVeritas, statistical chi-square against LSB plane.

What 'deleted' actually means

The file entry is freed. The content stays until someone writes over it. Sometimes.

When a user clicks Delete or runs rm, the operating system does not erase content. It updates a small piece of metadata that marks the file's directory entry as available for reuse. The data blocks holding the file's actual content remain on the storage device, untouched, until the filesystem allocator reuses those blocks for a new file. On a lightly used drive that can be weeks. On a heavily used drive it can be seconds.

The mechanism differs per filesystem:

NTFS holds every file's metadata in a Master File Table ($MFT) entry. Deletion flips the entry's in-use bit and marks the entry as available. The content extents are dereferenced but not overwritten. Recovery walks the MFT looking for entries with the bit clear that still have valid extent pointers. Tools: MFTECmd, analyzeMFT, X-Ways. The $LogFile and $UsnJrnl:$J journals can hold older MFT states and recover entries the live MFT has reused.
ext4 marks the inode as free and updates the block group descriptor, but the inode itself is usually preserved until reuse. The journal (typically /dev/<device>1 block group 0's journal inode) holds older inode states. Tools: extundelete, ext4magic, debugfs. ext4's delayed-allocation behaviour means recently created files might not even be on disk yet when deleted.
APFS is the hardest of the three for traditional undelete because copy-on-write plus aggressive TRIM means the original blocks are usually freed and discarded quickly. APFS snapshots are the recovery path that actually works; cross-link macOS Forensic Artifacts: plist, Keychain, Time Machine and Browser Traces.
FAT32 / exFAT still appear on Indian-investigation USB sticks and SD cards. Deletion replaces the first byte of the filename with 0xE5. The directory entry, FAT chain and clusters often remain. Recovery is straightforward with TestDisk's "undelete" view or PhotoRec.

Signature-based carving

When the filesystem is gone, headers and footers are all you have.

Filesystem-aware undelete works only while metadata exists. After a full format, a corrupted partition table or a deliberate mkfs, the metadata is gone but the content blocks often remain. File carving is the recovery technique that ignores filesystem metadata entirely and scans raw disk blocks for known file headers and footers.

The classic header/footer pairs every examiner memorises:

File type	Header (hex)	Footer (hex)	Notes
JPEG	FF D8 FF E0 / FF D8 FF E1	FF D9	JFIF (E0) or EXIF (E1); footer is the EOI marker
PNG	89 50 4E 47 0D 0A 1A 0A	49 45 4E 44 AE 42 60 82	Header is the PNG signature; footer is the IEND chunk + CRC
PDF	25 50 44 46 (%PDF)	25 25 45 4F 46 (%%EOF)	Multiple %%EOF possible (linearized / incremental update)
DOCX / XLSX / PPTX / ZIP	50 4B 03 04 (PK..)	50 4B 05 06 (PK..)	All ZIP-family; differentiation needs central-directory parse

SSDs, TRIM and the recovery reality

On a modern SSD with TRIM, your recovery window is measured in seconds.

The hardest part of teaching data recovery in 2026 is convincing students that everything they learned about HDD recovery is half-wrong on SSDs. The mechanism is TRIM.

When a file is deleted on an SSD-backed filesystem with TRIM support (Windows NTFS, macOS APFS, Linux ext4 with discard mount option or periodic fstrim), the OS issues the TRIM (ATA) or UNMAP (SCSI) command to tell the SSD which logical blocks are no longer in use. The SSD's garbage collector then erases the corresponding NAND pages physically. Within seconds to minutes, the actual content is gone from the flash cells. No carving, no journal walking, no MFT scanning will bring it back.

The practical implications for Indian casework:

An SSD seized hot, with the system running, may already have lost most recently-deleted content. The first responder's job is to image fast and minimise live OS activity. Pulling the plug stops TRIM operations in flight but the damage is largely already done.
Built-in encryption on SSDs (SED, OPAL) means the controller may secure-erase by key destruction. A factory reset on an SED takes milliseconds and produces unrecoverable media.
eMMC (used in Android phones, IoT devices, low-cost laptops) supports TRIM via the discard operation. Same problem class, slightly slower garbage collection.
Chip-off recovery from the raw NAND can sometimes find data in wear-leveling reserve pages that the FTL has remapped but not yet erased. This is a specialist procedure done by CFSL chip-off labs (Hyderabad, Chandigarh and a handful of state labs); equipment cost runs into crores and per-case turnaround is weeks.

For Windows BitLocker-encrypted SSDs the picture is even thinner: the underlying flash content is ciphertext, so even physical recovery of the bytes yields only ciphertext until the BitLocker key is provided.

Acknowledge media

Partition tables, formatted drives and TestDisk

The drive 'looks blank' until you fix the partition table.

A drive that "looks blank" to Windows or macOS often is not. Three scenarios show up regularly in Indian investigations:

Quick format. Most consumer OSes default to a quick format, which writes a new filesystem header (NTFS boot sector, FAT BPB, ext superblock) and a new empty file table. The data clusters remain untouched. Recovery is high probability with PhotoRec or filesystem-specific tools.
Full format. Windows 10 and later perform a full format by default if the option is selected, writing zeroes (or random data on encrypted volumes) over every sector. After a full format, signature carving has nothing to find. The drive is, for practical purposes, blank.
Damaged or deleted partition table. The first 512 bytes (MBR) or the first 17 KiB (GPT) of a drive can be corrupted, overwritten or deliberately deleted, while leaving the partitions themselves intact further down the disk. The drive shows as unallocated in Disk Management, but the data is whole.

For the third case, TestDisk (CGSecurity, same author as PhotoRec) is the canonical tool. TestDisk scans for filesystem signatures across the disk, reconstructs a probable partition table, and writes it back. After TestDisk's "Write" step, the drive mounts normally and recovery proceeds through standard tools. The workflow for a recovered MBR/GPT case:

Image the raw drive
dd or ddrescue the physical device to an .img or .E01 file, behind a hardware write blocker. Hash the source and image.
Run TestDisk on the image
Use the file-backed image so the original device is never modified. Choose the partition table type (Intel for MBR, EFI GPT for modern systems), let TestDisk Analyse, then Quick Search.

Encrypted volumes: BitLocker, FileVault, LUKS, VeraCrypt

Four mainstream encryption systems, four recovery paths, each with a hashcat fallback.

A correctly configured full-volume encryption system without the key is, to a first approximation, unbreakable. The forensic problem is therefore not "break the crypto" but "find the key, by any of the legitimate paths."

System	Platform	Recovery paths	Hashcat mode
BitLocker	Windows 10/11	TPM + PIN, user password, 48-digit recovery key, AD / Intune / MBAM escrow, RAM dump, hibernation file	-m 22100
FileVault 2	macOS APFS	User password, personal recovery key, institutional recovery key, iCloud-escrowed key, RAM dump (live system)	-m 16700
LUKS / LUKS2	Linux	Passphrase in any of 8 key slots, key file, TPM (LUKS2), RAM extraction of master key	-m 14600 (LUKS), -m 29541+ (LUKS2 by variant)
VeraCrypt	Cross-platform	Password, keyfile, PIM, RAM-resident master key while volume is mounted; hidden volume needs separate password

Hidden data and steganography

The data isn't deleted. It's somewhere else, hiding in plain sight.

The last category is data that was never deleted, just placed somewhere a casual examiner wouldn't look.

The locations Indian I4C and CERT-In analysts check by default:

Slack space. The unused portion of the last cluster of every file. NTFS file using 12 KB of a 16 KB cluster leaves 4 KB of slack. Tools: bulk_extractor, X-Ways. Useful for finding fragments of deleted-then-overwritten files, occasionally hand-placed payloads.
Alternate Data Streams (ADS) on NTFS. Covered in detail in Windows Artifacts: ShellBags, ADS, LNK, Hibernation and Slack. notes.txt:hidden.exe is the canonical pattern.
Bytes between MBR and the first partition. Sectors 1 through 62 (the first 31.5 KB) are typically unused and can host bootkits, hidden payloads or just text files. dd at the right offsets reveals them.
EFI System Partition. Hidden from Windows Explorer by default. Tools like BadRabbit and BlackLotus place persistence here. mount with mount -t vfat /dev/sdaX /mnt and check.
Host Protected Area (HPA) and Device Configuration Overlay (DCO). Reserved regions at the end of an ATA drive that subtract capacity reported by the firmware. hdparm --dco-identify and hdparm -N detect them; some forensic acquisition appliances temporarily disable the HPA to image the full physical capacity.
Encrypted ZIP / RAR / 7z containers. Password-protected archives are common in Indian financial-fraud and CSAM matters. Hashcat modes -m 13600 (WinZip), -m 12500 (RAR3), -m 13000 (RAR5), -m 11600 (7-Zip).

Steganography is a separate problem class. The technique embeds payload data into a carrier file (image, audio, video) in a way that is statistically subtle. The most common scheme is LSB substitution: replace the least-significant bit of each pixel's red/green/blue channel with one bit of payload. A 1920 by 1080 JPEG decoded to a bitmap has roughly 6 million pixels and 18 million channels, enough for a 2 MB payload while staying invisible to the eye.

The detection workflow:

Worked example

The CFSL Hyderabad WhatsApp DB recovery from a chilled RAM dump

A composite drawn from CFSL Hyderabad's 2023 memory-forensics workshop.

The case involved a director of a Hyderabad-based logistics firm accused under IT Act Section 66C (identity theft) and BNS Section 318 (cheating). The seized device was an Android phone in a powered-on, unlocked state. The first responder followed the cold-boot-aware seizure protocol: place the device in a Faraday bag, transport to the lab without losing power, and capture RAM before shutdown.

WhatsApp on Android encrypts its message database at rest with a key stored in /data/data/com.whatsapp/files/key. Without root, neither the database nor the key is directly accessible. The on-device decrypted state, however, lives in RAM while the app is foregrounded or recently used.

The lab workflow:

The phone was placed in a chilled enclosure (-40 degrees Celsius) for 60 seconds to slow DRAM bit decay.
A modified bootloader was loaded over USB and a 6 GB RAM image was extracted.
The image was scanned by a custom Volatility plugin (developed in-house at CFSL Hyderabad's memory forensics group) looking for the WhatsApp crypto14 key signature in heap regions.
The key was recovered. A separate logical extraction had captured the encrypted msgstore.db.crypt14 from the phone's storage.
The key plus the encrypted DB produced a plain SQLite file. Three months of messages, including thirty-six entries that the user had "Delete for Everyone"-ed, were recovered (because Delete for Everyone removes the message from the remote display, not from the local DB until WhatsApp's housekeeping job runs).

The recovered messages, hashed and produced under BSA 2023 Section 63 with the lab's certificate, established the fraudulent identity claim and the cheating element. The case turned on the cold-boot RAM capture; had the first responder simply pulled the battery, the key would have been gone and the database opaque.

This workflow is the template for any encrypted-app-in-RAM problem: WhatsApp, Signal, Wickr, Telegram secret chats. The capability is not unique to CFSL Hyderabad but the institutional muscle to execute it reliably is, and Indian state FSLs are building the same capability through NFSU's training pipeline.

Practice

Question 1 of 5· 0 answered

A 200 MB MP4 video was deleted from an NTFS volume on a 7200-rpm HDD, four hours ago. The volume is 60% full. Which recovery approach is most likely to succeed?

Frequently asked questions

What is the difference between deleting a file and securely erasing it?

Deletion marks the file's directory entry as available for reuse but leaves the content blocks intact on disk until the filesystem allocator overwrites them. Secure erasure (shred, sdelete, SSD ATA Secure Erase, or self-encrypting drive key destruction) overwrites the blocks before unlinking, or destroys the encryption key that made them readable. The first is recoverable until overwrite; the second is not. The recovery probability for any given case depends on which one was performed and on the storage medium.

Is data on a TRIM-enabled SSD ever recoverable after deletion?

Rarely. Once TRIM has been issued and the SSD's garbage collector has erased the underlying NAND pages, the data is gone from the flash cells. The window between deletion and TRIM-plus-GC is typically seconds to minutes. Recovery from wear-leveling reserve pages via chip-off is sometimes possible for specific cells the FTL has remapped but not yet erased, but this is a specialist operation. Practically, examiners working SSD evidence focus on snapshots, backups and cloud-side copies rather than on-device carving.

What is file carving and when is it the right tool?

File carving recovers files by scanning raw disk blocks for known file headers and footers, ignoring filesystem metadata. It is the right tool when the filesystem is corrupted, formatted, or deliberately wiped, leaving content blocks intact but metadata gone. PhotoRec, Foremost and Scalpel are the open-source standards; X-Ways and ReclaiMe are commercial. The weakness of pure signature carving is fragmented files; filesystem-aware carving in X-Ways handles fragmentation where PhotoRec cannot.

How do examiners deal with BitLocker-encrypted Windows drives?

Four legitimate paths exist. First, ask the user (BNSS Section 94 production notice). Second, retrieve the 48-digit recovery key from the user's Microsoft account, Azure AD / Intune / MBAM escrow, or printed copy. Third, extract the BitLocker master key from a RAM image captured while the volume was mounted. Fourth, recover the key from hiberfil.sys if the laptop hibernated while unlocked. Brute force with hashcat -m 22100 is a last resort and only viable against weak user passwords, not against the 48-digit recovery key itself.