Digital Forensics and Cyber Crime. 13th EAI International Conference, ICDF2C 2022, Boston, MA, November 16-18, 2022, Proceedings

Research Article

Digital Forensics Tool Evaluation on Deleted Files

Cite
  • @INPROCEEDINGS{10.1007/978-3-031-36574-4_4,
        author={Miloš Stanković and Tahir M. Khan},
        title={Digital Forensics Tool Evaluation on Deleted Files},
        proceedings={Digital Forensics and Cyber Crime. 13th EAI International Conference, ICDF2C 2022, Boston, MA, November 16-18, 2022, Proceedings},
        proceedings_a={ICDF2C},
        year={2023},
        month={7},
        keywords={Computer Forensics Digital Forensics Magnet AXIOM Suite Autopsy Microsoft Windows 11 Deleted Files},
        doi={10.1007/978-3-031-36574-4_4}
    }
    
  • Miloš Stanković
    Tahir M. Khan
    Year: 2023
    Digital Forensics Tool Evaluation on Deleted Files
    ICDF2C
    Springer
    DOI: 10.1007/978-3-031-36574-4_4
Miloš Stanković¹,*, Tahir M. Khan¹
  • 1: Purdue University
*Contact email: mstankovic@purdue.edu

Abstract

In a world where data is deleted every millisecond, whether on purpose or unintentionally, the question is whether deleted digital files still exist or if they are simply invisible to us on digital devices. Over the years, researchers have answered the question, but the rapid development of technologies and software makes the topic relevant. The global pandemic (coronavirus disease 2019) affected the physical and cyber worlds. Cyber attacks and data breaches have increased by over 400%. During these attacks, data is frequently deleted, mismanaged, or overwritten, making it difficult for users and digital investigators to recover and trace. Commercial tools that analyze deleted files are often expensive, and the unknown factor of free tools has always been a concern. In this paper, we evaluated two digital forensics tools, Magnet AXIOM, a commercial tool, and Autopsy, a free digital forensics tool, to partially bridge the gap for this era. We also used a differential analysis approach to investigate the persistence of deleted files. Moreover, for the best evaluation of the tools, we created files of various types and activities that mimic the daily usage of an average user on a Windows 11 operating system. The activities are divided into phases based on the processes that will most likely overwrite the deleted files. We also discussed the findings of these phases and presented the recommendations and challenges faced during the research process.

Keywords
Computer Forensics; Digital Forensics; Magnet AXIOM Suite; Autopsy; Microsoft Windows 11; Deleted Files
Published
2023-07-16
Appears in
SpringerLink
http://dx.doi.org/10.1007/978-3-031-36574-4_4