Case Study 2 — When "Wiped" Means Gone, and "Deliberate" Cannot Be Proven

A client is certain a departing contractor maliciously wiped the company's files and wants two things: the data back, and proof of sabotage for a lawsuit. The honest answers are the hard ones — the data is genuinely unrecoverable, and the cause is indistinguishable from ordinary deletion on a modern SSD. This is the cautionary mirror of Case Study 1: the same skills, used to resist a conclusion the evidence cannot support.

Background

A dental practice owner arrived at a data-recovery and forensics shop in distress. An IT contractor whose engagement had ended badly had, on his last day, "deleted everything" from the practice manager's Windows 11 laptop — a 1-TB Samsung NVMe SSD. Missing were the QuickBooks company file and a folder of scanned patient and billing records. The owner wanted the files recovered and a forensic report stating the contractor had "deliberately wiped the drive to destroy evidence," to support a civil claim and a complaint to the state board.

Two pressures arrived with the client. First, a competing "deep recovery" outfit had already quoted $6,000 to "recover the wiped SSD in our clean-room lab." Second, the client's litigation consultant wanted strong language about deliberate destruction. You took the engagement on the condition that you would report only what the evidence supported — and you imaged the SSD immediately through a write-blocker, hashing the image before any analysis, because on flash media every minute powered on risks further garbage collection (the original is sacred, and on an SSD it is also perishable).

The recovery question: is anything left?

You started where the client's hope lived: could the files be recovered? The MFT still held deleted entries for Practice_2024.qbw and several scanned PDFs — names, sizes, and $STANDARD_INFORMATION timestamps intact, deletion recorded late on the contractor's final afternoon. This is the first theme of the book, and ordinarily it is good news: deleted ≠ destroyed; the pointer is gone but the data often is not.

Not here. When you ran icat against the data runs those MFT entries referenced, the clusters came back as zeros. PhotoRec and foremost carving across unallocated space returned nothing with a QuickBooks or PDF signature. The reason is Chapter 9 — SSD and Flash Recovery's hard lesson: this drive had TRIM enabled. When the files were deleted, the operating system told the SSD controller those logical blocks were free, and the controller zeroed the underlying NAND in the background within seconds. The flash translation layer had already reclaimed the cells. There was no faint magnetic remnant to chase, no clean-room procedure that could help — those apply to mechanical platters, not reclaimed flash pages.

icat -o 2048 LAPTOP-SSD.E01 91244        (deleted Practice_2024.qbw data run)
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
   ... clusters zeroed by the SSD controller after TRIM — no content to recover ...
MFT entry survives (name, size, deletion time) — DATA does not.

You told the client the truth in plain words: the files on this drive are gone, no software and no lab can return them, and the $6,000 "deep recovery" quote is a charge for an impossibility — protect your money. The professional move on a single-pass-wiped or TRIM-reclaimed region is to stop and manage expectations honestly, not to bill hours against false hope. Then you did the genuinely useful recovery work: you checked elsewhere. An external backup drive in a desk drawer held a three-week-old copy of the QuickBooks file, and the practice's cloud accounting export (a matter for Chapter 31 — Cloud Forensics) held more. The client recovered most of what mattered — from copies, not from the wiped SSD.

The forensic question: was it deliberate?

Now the harder request: the report stating sabotage. The recovery and forensic disciplines read the same zeroed clusters, but they ask different questions, and the forensic one demanded proof of intent that the disk had to supply. You ran the full anti-forensics detection pass — and it came back conspicuously empty in a way that mattered.

A deliberate wipe with a tool leaves tool tracks. You looked for all of them. There was no Prefetch, Amcache, or registry artifact for CCleaner, Eraser, BleachBit, SDelete, or cipher /w. There was no giant freshly deleted temp file marking a free-space wipe. There were no deleted MFT entries renamed to junk patterns like ZZZZZZZZ.ZZZ before deletion — the signature of tool-driven secure deletion. Task Scheduler held no recurring secure-delete job. UserAssist and the event logs showed an ordinary logoff at the end of the contractor's last day, not a flurry of cleaner executions.

What the evidence actually showed was ordinary deletion — files sent to deletion, then the SSD's normal TRIM behavior zeroing the blocks. The result is identical to a wipe: unrecoverable data. But the cause could not be distinguished, from this disk alone, between deliberate destruction and routine deletion-plus-TRIM. The competing-hypotheses table from the chapter is exactly the discipline this case required:

Observation                     Anti-forensic cause   Innocent cause (here, supported)
Deleted files' blocks zeroed    secure-wiped          TRIM (normal SSD behavior, Ch.9)
No carvable remnants            free-space wipe        TRIM reclaim of deleted clusters
No wiping-tool artifacts        (would corroborate)    none present → no tool used

Your report said so precisely: the named files were deleted on the contractor's final afternoon and are unrecoverable from this device; the absence of any recoverable content is fully explained by normal TRIM behavior on this SSD; no artifacts of a deliberate secure-wiping tool were found; and therefore the evidence is insufficient to determine whether the deletion was malicious or routine. You declined the consultant's preferred sentence. Had you written "the contractor deliberately wiped the drive," opposing counsel would have asked one question — "which wiping tool, and where is its artifact?" — and your report would have collapsed, taking the recoverable-from-backup good work down with it. The honest finding was less satisfying to the client and far more durable.

The analysis

  1. A genuinely wiped or TRIM-reclaimed region is gone — recognizing that early is the professional skill. No clean room recovers reclaimed flash or single-pass-overwritten data. "The data was destroyed and cannot be recovered" is a complete, honest finding, and it protects the client from fraud.
  2. Normal behavior mimics anti-forensics — test the innocent explanation first. TRIM zeroing deleted blocks produces the same unrecoverable result as a deliberate wipe. The difference is provable only through tool artifacts, and here there were none.
  3. The absence of wiping-tool artifacts is itself a finding — in the other direction. Case Study 1 used a tool's surviving artifacts to prove deliberate destruction. Here the missing tool artifacts undercut the sabotage theory; absence cuts both ways, and the disciplined examiner follows it wherever it points.
  4. Do not let the client's desired conclusion become the finding. Pressure to assert sabotage is real, and refusing it is part of the job. "Insufficient evidence to determine intent" has ended fewer careers than a confident conclusion the data could not support.
  5. Recovery and forensics read the same bytes for opposite purposes. The zeroed clusters told the recovery technician to stop and look to backups; they told the forensic examiner to look for — and not find — tool artifacts, and to report the limit. Same evidence, two honest, different answers.

Discussion questions

  1. The client wanted both data recovery and a sabotage finding, and got neither in the form requested — yet the engagement was a professional success. Explain why, and what "success" means for an examiner whose honest findings disappoint the client.
  2. Contrast this case with Case Study 1: both involved deleted files and zeroed regions, but one supported a deliberate-destruction finding and the other did not. Identify the specific evidence present in one and absent in the other that made the difference.
  3. The $6,000 "clean-room SSD recovery" quote was effectively a fraud. Explain the technical reason no clean room can recover TRIM-reclaimed flash, and draft the two sentences you would give the client to protect them without disparaging a competitor unfairly.
  4. ⭐ Suppose that, on re-examination, you had found a single sdelete Prefetch entry and a Task Scheduler secure-delete job created under the contractor's account two days before departure. Rewrite the report's conclusion to reflect this, stating exactly how much it does — and does not — let you assert about intent.
  5. Connect this case to the book's fifth theme (know your limitations) and to the chapter's warning against "mistaking normal behavior for anti-forensics." Why is the discipline of testing innocent hypotheses more important when the client is paying for a particular answer?