Recovering 'Deleted' Data in Japan: The Process and Its Evidentiary Value?
In the digital age, the concept of "deletion" is often misleading. When a user "deletes" a file from a computer or mobile device, the data rarely vanishes into thin air immediately. Instead, it frequently remains hidden on the storage medium, recoverable through the specialized techniques of digital forensics. This reality has profound implications for legal proceedings in Japan, where recovered "deleted" data can surface as crucial evidence, sometimes unexpectedly. Understanding the processes behind data deletion and recovery, and the evidentiary value of such information, is essential for legal professionals and businesses navigating disputes in a data-driven environment. The widely publicized recovery of deleted mobile phone messages in the Sumo match-fixing scandal in Japan, for instance, served as a stark reminder of these capabilities.
Chapter 1: The Myth of Digital Oblivion – Why "Deleted" Doesn't Mean "Gone"
The persistence of data after conventional deletion commands is a fundamental concept in digital forensics.
1.1. Understanding File Deletion in Common Operating Systems
In typical operating systems like Windows, the act of deleting a file is often a multi-stage process, or at least, its immediate effect is not total erasure:
- Moving to the Recycle Bin (or Trash): When a user deletes a file through standard commands, it's usually moved to a temporary holding area like the Recycle Bin. At this stage, the file is not truly deleted from the file system's perspective; it's merely relocated, and can typically be restored with a few clicks.
- "Emptying" the Recycle Bin or Direct Deletion: When the Recycle Bin is emptied, or if a file is deleted directly (e.g., using Shift+Delete in Windows), the operating system's behavior changes. However, even this action doesn't usually involve the immediate physical wiping of the data from the disk. Instead, the file system (the software that manages how data is stored and retrieved) typically modifies its records—often by marking the entry for that file in a master directory (like the Master File Table in NTFS) to indicate that the disk space occupied by the file's data is now "unallocated" or available for new data to be written. The actual data blocks on the disk that held the file's content often remain untouched, at least initially.
At this point—where the file is marked as deleted but its data still resides on the disk—recovery can sometimes be as straightforward as using specialized software to "unmark" the deletion flag in the file system's records, provided the underlying data has not yet been disturbed.
1.2. The Critical Factor: Data Overwriting
The true and often permanent loss of "deleted" data occurs primarily through overwriting. Once the file system designates a file's previously occupied space as unallocated, that space is available for the operating system to store new data. Subsequent computer activities, such as:
- Saving new files or modifying existing ones.
- Installing new software.
- Operating system background tasks (e.g., creating temporary files, cache files, swap file usage).
- Web browsing (which generates cache and history files).
can all result in new data being written into the very disk sectors where the "deleted" file's data resided. The location where new data is written is often unpredictable from a user's perspective. The more a computer system is used after a file has been deleted, the higher the probability that the original data will be overwritten, partially or completely, making recovery progressively more difficult or impossible. Furthermore, disk maintenance utilities like defragmenters, which reorganize data on a disk for efficiency, can significantly complicate or thwart recovery efforts by moving or overwriting data fragments from deleted files.
Chapter 2: The Forensic Approach to Data Recovery – A Disciplined Process
Recovering deleted data, especially for evidentiary purposes in legal contexts like those in Japan, is not a haphazard affair. It's a component of the broader digital forensic process, which emphasizes methodical procedures to ensure reliability and admissibility. This typically involves careful collection and preservation, followed by detailed examination and analysis.
2.1. Preservation: The Cornerstone of Reliable Recovery
Before any attempt to recover deleted data, the integrity of the source storage medium must be paramount.
(A) Forensic Imaging (Physical Copying): The Non-Negotiable First Step
The gold standard for preserving digital evidence, including potentially recoverable deleted data, is the creation of a forensic image. This is an exact, bit-for-bit (or sector-by-sector) duplicate of the entire original storage medium (e.g., hard drive, SSD, USB drive). It captures everything on the drive, including active files, deleted files residing in unallocated space, file slack (the unused space within a disk cluster allocated to a file), and other system areas.
This is critically different from a "logical copy" (e.g., copying files and folders through the operating system). A logical copy only captures active, visible files, typically misses deleted data and data in unallocated clusters, and can inadvertently alter crucial metadata like file access times. (Some specialized logical copying tools, like robocopy.exe in Windows, can be configured to preserve certain timestamps for active files.) For the purpose of recovering deleted data and conducting a thorough forensic examination, a physical, forensic image is indispensable. All subsequent analysis, including attempts to recover deleted files, must be performed on this verified forensic image (or a working copy of the image), leaving the original evidence medium untouched to maintain its pristine state and evidentiary integrity.
(B) Verifying Integrity: The Role of Cryptographic Hash Values
To ensure that the forensic image is a true and accurate copy of the original media, and to maintain a verifiable chain of integrity throughout the forensic process, cryptographic hash values are used.
- How Hashing Works: A hash function (e.g., MD5, SHA-1, SHA-256) is an algorithm that takes an input (any digital data, from a single file to an entire disk image) and produces a fixed-size string of characters, known as a hash value or digital fingerprint.
- Key Properties: Good cryptographic hash functions are designed such that:
  - The same input will always produce the same hash value.
  - Any change to the input data, even a single bit, will result in a drastically different hash value.
  - It is computationally infeasible to find two different inputs that produce the same hash value (collision resistance).
  - It is computationally infeasible to reverse the process – to derive the original data from its hash value (one-way property).
- Legal Recognition in Japan: The utility of hash values for verifying the identity of electronic files has been acknowledged in Japanese legal contexts. For example, a ruling by the Tokyo District Court on January 14, 2004, described a hash value as, "A value obtained by calculating electronic data such as electronic files or character strings using a specific calculation formula (hash function) and converting it into a character string of a specific length... because it shows a different hash value even if part of the electronic data is changed, it is useful for identifying electronic files".
- Application in Imaging: Hash values are calculated for both the original storage medium and the created forensic image. If the hash values match, it provides strong assurance that the image is an identical duplicate. Hashes are also used to verify the integrity of evidence if it's copied or moved during the investigation.
(C) The Preservation Workflow in Practice:
A typical forensic preservation workflow involves several meticulous steps:
- Documentation: All actions are thoroughly documented, often including photographs or video recordings of the process, and detailed entries in a chain of custody (CoC) log. The CoC tracks the handling of the evidence from seizure to final disposition.
- Securing the Original: If feasible and necessary (e.g., a computer is seized), the device may be carefully disassembled to access the storage medium directly.
- Write Protection: Hardware or software write-blockers are used to prevent any accidental writes to the original evidence medium during the imaging process.
- Imaging: A dedicated hardware duplicator or validated forensic imaging software is used to create the bit-for-bit copy onto a forensically sterile (wiped) destination medium. Often, two images are created—one primary working copy and one backup.
- Hashing: Hash values are calculated for the original source and the forensic image(s) and compared to verify accuracy. These hashes are recorded. Many forensic duplicators perform this verification automatically.
- Secure Storage: The original evidence and the backup forensic image are securely stored. The working forensic image is often saved in a standard forensic image file format (e.g., .E01, .dd) on a separate analysis drive for efficiency and to prevent accidental modification of the primary image copy. Formats like E01 can also embed metadata about the acquisition, case information, and hash values within the image file itself.
The hash value of the original disk, captured at the time of acquisition, serves as the foundational reference point for proving the ongoing integrity of the digital evidence.
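The hashing step of the workflow above can be sketched as follows. This is an added example, not code from the original article or from any forensic product; the function names, the per-block hashing used to localize a mismatch, and the 4 KiB sample "disk" are assumptions constructed for illustration.

```python
import hashlib
import io
from itertools import zip_longest

def hash_blocks(stream, block_size=1024 * 1024):
    """Read a stream once; return (whole-stream SHA-256, list of per-block SHA-256)."""
    whole = hashlib.sha256()
    blocks = []
    while True:
        chunk = stream.read(block_size)  # chunked, so a large image never sits in RAM
        if not chunk:
            break
        whole.update(chunk)
        blocks.append(hashlib.sha256(chunk).hexdigest())
    return whole.hexdigest(), blocks

def verify_image(source, image, block_size=1024 * 1024):
    """Compare a source medium with its image and report which blocks differ."""
    src_hash, src_blocks = hash_blocks(source, block_size)
    img_hash, img_blocks = hash_blocks(image, block_size)
    # zip_longest also flags blocks missing from a truncated image
    mismatched = [i for i, (a, b) in enumerate(zip_longest(src_blocks, img_blocks))
                  if a != b]
    return {
        "match": src_hash == img_hash,
        "source_sha256": src_hash,      # value to record in the chain of custody log
        "image_sha256": img_hash,
        "mismatched_blocks": mismatched,
    }

if __name__ == "__main__":
    # Constructed sample: in practice `source` would be the original medium opened
    # read-only behind a write-blocker and `image` the acquired image file.
    disk = bytes(range(256)) * 16                 # 4096-byte stand-in for a disk
    damaged = bytearray(disk)
    damaged[1500] ^= 0x01                         # flip a single bit in the copy
    good = verify_image(io.BytesIO(disk), io.BytesIO(disk), block_size=512)
    bad = verify_image(io.BytesIO(disk), io.BytesIO(bytes(damaged)), block_size=512)
    print("identical copy:", good["match"], good["mismatched_blocks"])
    print("one bit flipped:", bad["match"], bad["mismatched_blocks"])
```

The whole-stream digest is what proves identity; the per-block digests only help locate where a faulty acquisition diverged.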
2.2. Examination: Techniques for Uncovering "Lost" Data
Once a verified forensic image is available, the examination phase, which includes efforts to recover deleted data, can begin.
(A) Recovering from File System Artifacts:
If a file was "deleted" in a way that primarily involved the removal or alteration of its entry in the file system's directory structures (e.g., marking it as deleted in the Master File Table for NTFS), but the actual data blocks remain untouched, specialized forensic software can often "undelete" such files. These tools attempt to locate these orphaned metadata entries and repair the pointers to the data, effectively making the file visible to the operating system again.
(B) File Carving: Reconstructing from Raw Data:
When the file system metadata linking to a deleted file is severely corrupted, overwritten, or unavailable (e.g., if a drive has been reformatted), a more advanced technique called file carving is employed.
- Process: File carving involves scanning the raw data of the drive, particularly the unallocated (free) space, for known file signatures—unique sequences of bytes that mark the beginning (header) and sometimes the end (footer) of specific file types (e.g., JPEGs, PDFs, Word documents).
- Challenges:
  - Fragmentation: Files are often not stored contiguously on a disk; they can be broken into multiple fragments scattered across different locations. Carving fragmented files is significantly more complex because simple header/footer matching is insufficient. Advanced carving tools may use algorithms to try and reassemble these fragments, but success is not guaranteed.
  - Partial Recovery: It's common to recover only partial or corrupted files, especially if some of the data blocks have been overwritten. However, even a partially recovered file (e.g., a fragment of a document or a damaged image) can sometimes provide valuable evidentiary clues.
  - Expertise Required: File carving, particularly for fragmented files or uncommon file types, can be a highly technical and sometimes manual process, potentially involving the direct examination of data in hexadecimal viewers by experienced forensic analysts. Standard, off-the-shelf recovery software might not possess the sophisticated carving capabilities needed for challenging cases.
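Simple header/footer carving, and the partial-recovery case described above, look like this in code. This is an added example, not taken from the original article or any carving tool; the function names and the constructed buffer standing in for unallocated space are assumptions, and it deliberately handles only contiguous JPEG data.

```python
import hashlib

JPEG_HEADER = b"\xff\xd8\xff"   # start-of-image marker plus first marker byte
JPEG_FOOTER = b"\xff\xd9"       # end-of-image marker

def carve_jpegs(raw, max_size=1 << 20):
    """Scan raw bytes for JPEG signatures; return one record per header found.

    Simplified: assumes contiguous files and ignores embedded thumbnails, which
    carry their own header/footer pairs in real JPEGs.
    """
    found = []
    pos = 0
    while True:
        start = raw.find(JPEG_HEADER, pos)
        if start == -1:
            break
        body = start + len(JPEG_HEADER)
        # Never search past the next header or the size cap for this file's footer
        limit = min(len(raw), start + max_size)
        next_header = raw.find(JPEG_HEADER, body)
        if next_header != -1:
            limit = min(limit, next_header)
        end = raw.find(JPEG_FOOTER, body, limit)
        complete = end != -1
        stop = end + len(JPEG_FOOTER) if complete else limit
        data = raw[start:stop]
        found.append({
            "offset": start,                      # where in the image it was found
            "size": len(data),
            "complete": complete,                 # False: footer missing, partial carve
            "sha256": hashlib.sha256(data).hexdigest(),
            "data": data,
        })
        pos = stop
    return found

def build_sample():
    """Constructed 'unallocated space': one intact file, one with an overwritten tail."""
    intact = JPEG_HEADER + b"\xe0" + b"A" * 100 + JPEG_FOOTER
    truncated = JPEG_HEADER + b"\xe0" + b"B" * 40          # footer lost to new data
    return (b"\x00" * 512 + intact + b"\x00" * 200
            + truncated + b"NEWFILE-DATA" * 8 + b"\x00" * 100)

if __name__ == "__main__":
    for hit in carve_jpegs(build_sample()):
        state = "complete" if hit["complete"] else "partial"
        print(hit["offset"], hit["size"], state, hit["sha256"][:16])
```

Recording the offset and hash of each carved item lets the examiner tie it back to an exact location in the verified image.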
(C) Analyzing Other Data Remnants:
Beyond direct file recovery, forensic examiners also look for fragments of deleted data in other areas of the storage medium:
- File Slack: The unused space between the end of a file's actual data and the end of the last disk cluster allocated to that file. This slack space can contain remnants of previously stored data.
- Unallocated Space: The general free space on the drive, which is the primary target for carving.
- System Files: Such as the operating system's swap file (virtual memory), hibernation file (which stores the contents of RAM when a system hibernates), and print spool files, can contain copies or fragments of user data, including parts of deleted files.
Chapter 3: Practical Implications and Best Practices in Japan
The technical ability to recover deleted data carries significant practical implications for legal and corporate situations in Japan.
3.1. If You Accidentally Delete Important Files: First Response
If important digital files are accidentally deleted:
- Cease All Use of the Affected Computer or Device Immediately: This is the single most crucial step. Any continued use—even browsing the internet or opening other applications—can write new data to the storage device and overwrite the "deleted" files, permanently destroying them.
- Do Not Install Software on the Affected Drive: If considering using data recovery software, it should be run from a separate device (e.g., a USB drive or another computer connected to the affected drive in a controlled manner, preferably via a write-blocker). Installing software directly onto the drive from which recovery is attempted will itself overwrite data.
- Avoid Disk Utilities: Do not run disk defragmenters, disk cleanup tools, or error-checking utilities (like CHKDSK) on the affected drive, as these operations can extensively modify disk structures and overwrite recoverable data.
- Power Down: If unsure, the safest immediate action is often to power down the system to prevent any further disk writes by the OS or applications.
- Seek Professional Help for Critical Data: For highly critical data, especially in a corporate setting where legal implications might arise, engaging professional digital forensic or data recovery services is strongly advisable.
3.2. When Professional Expertise is Essential
While some user-level recovery tools exist for simple logical deletions (where file system pointers are intact), more complex situations demand professional intervention:
- Physical Drive Failure: If the storage device is making unusual noises (clicking, grinding), is not recognized by the computer, or has suffered physical trauma (dropped, water damage), attempting self-recovery is likely to cause further damage. Such cases require specialized clean-room environments and hardware expertise. Recovery from physically damaged media, such as drives affected by the Great East Japan Earthquake, has demonstrated that even in severe circumstances, data can sometimes be retrieved by specialists.
- Complex Deletions or Suspected Tampering: When data has been deleted through more sophisticated means, if a drive has been reformatted, if encryption is involved, or if there's a suspicion of intentional data wiping or tampering, standard user tools are inadequate.
- Evidentiary Requirements: If the recovered data is intended for use as evidence in legal proceedings in Japan, the recovery process itself must be forensically sound and well-documented to ensure admissibility. This is the domain of qualified digital forensic professionals.
3.3. Extending Recovery Principles Beyond PCs
The principles of data persistence and recoverability are not limited to traditional computer hard drives:
- Flash Memory Media: Devices like USB flash drives and SD cards also store data that can often be recovered after deletion, though the underlying technology (flash memory) has different characteristics than magnetic HDDs (e.g., wear leveling, TRIM commands on SSDs) that can affect recovery success.
- Mobile Phones and Smartphones: As highlighted by incidents like the Sumo match-fixing case, mobile devices are significant sources of recoverable data. The increasing storage capacities of modern smartphones mean that deleted items like messages, photos, and application data may persist for longer periods before being overwritten. Even if a phone is physically damaged (e.g., by water or impact), data recovery may still be possible if the internal memory chip itself remains intact. However, the diversity of mobile operating systems (iOS, Android variants), proprietary hardware, and advanced security features (like full-disk encryption) make mobile forensics a particularly complex and specialized field.
Conclusion: The Lingering Traces of Digital Actions
The common user action of "deleting" a file is rarely an act of immediate and complete data annihilation. In Japan, as globally, the science of digital forensics provides powerful, methodical processes to uncover and reconstruct data that many might assume is lost forever. This capability to recover "deleted" information underscores the enduring nature of digital traces and has critical implications for evidence discovery, internal investigations, and litigation strategy. Understanding that deleted data can often be revived, and knowing the proper procedures for attempting such recovery while preserving evidentiary integrity, is a vital piece of knowledge for any legal or business professional operating in our data-saturated world. When the stakes are high, relying on disciplined forensic approaches rather than simple assumptions about data permanence is key.