I consider myself a moderately savvy computer user and I’ve known for a long time that deleted — even deleted and emptied from the trash — doesn’t mean that a file is completely gone. It was theoretical knowledge, though, until earlier this week when, following one of the exercises from the Open University module I am studying at the moment on Digital Forensics, I downloaded and tested PhotoRec, an Open Source file recovery program.
The instructions were to use a small USB stick, copy a file to it and then delete it, including emptying the trash. I then followed the step-by-step guide to see what it would find. Note the word small: the program will create a copy of everything it finds in a location you specify, so for a test you want to avoid giving it too much to trawl through, and in practice you would need a sufficiently large storage area to cope with the expected contents.
Although I think photo recovery was the original intention of the program, as suggested by the name, it can dig up the remnants of a whole range of file types. I found not only the directory of photos I had earlier deleted but a slew of presentations, PDF documents, text files and other things that have had residence on the disk over at least the last few months. I didn’t explore everything to see how far back it could go, and some of the information was clearly partially broken, but it was an impressive and rather sobering haul.
This is why you need to be very cautious about putting anything sensitive on a disk without wrapping it up in further levels of encryption. No wonder the course materials took pains to emphasise that it was best to use a disk which has been entirely in your own possession rather than risk invading the privacy of someone else!