Skip to content
Field note

Digital Forensics: What’s Recoverable, and What’s Admissible

Deleted rarely means gone. Recovery is a technical problem; admissibility is a procedural one, and it depends on lawful access, forensic imaging and an intact chain of custody from the first hour.

There is a persistent myth that deleting a file destroys it. In most cases it does not. Digital forensics is the discipline of recovering, preserving, and analyzing data from devices in a way that holds up as evidence. The important distinction, and the one that determines whether recovered data is actually useful, is between what can be recovered technically and what is admissible legally. This piece explains both.

Why “deleted” usually isn’t gone

When a file is deleted, the operating system typically marks the space it occupied as available rather than erasing the contents. Until that space is overwritten by new data, the original often remains and can be recovered. Fragments persist in system logs, caches, backups, and unallocated space. Messages, call records, location artifacts, browsing history, and document metadata frequently survive well past the point at which a user believes they are gone.

This is why forensic recovery is possible. It is also why time matters: continued use of a device can overwrite the very data that would have been recoverable, which is why preservation should happen early and why a device at the centre of a dispute should be handled as little as possible.

Recovery is only half the discipline

Recovering data is a technical problem. Making that data usable as evidence is a procedural one, and it is where amateur efforts fall apart. Evidence is admissible not merely because it exists but because its integrity can be demonstrated. That requires a documented chain of custody, forensic imaging that preserves the original rather than altering it, and a methodology that another qualified examiner could follow and reproduce.

The moment someone starts digging through a live device looking for files, they risk changing it. Timestamps shift, data is overwritten, and the integrity that would have made the evidence persuasive is compromised. Sound forensics works on a preserved image, not the original, precisely so that the source remains intact and defensible. A recovered message that cannot be shown to be authentic and unaltered is an argument, not evidence.

Lawful access is the precondition

Recovery and admissibility both depend on a prior condition: lawful access to the device. Forensics is performed on devices the client is entitled to examine, a company-owned device, a device the client owns, or one examined under legal authority. Accessing someone else’s private device or accounts without authority is not an investigative technique. It is unlawful, and it renders whatever is found a liability rather than an asset, in exactly the way we describe in what a PI can and can’t do. A professional establishes the authority to examine before examining.

Where it fits

Digital forensics rarely stands alone. It supports family and civil matters where a device holds relevant records, corporate matters involving misconduct or data loss, and cases where online activity needs to be preserved before it disappears, which connects to open-source work covered in our OSINT service. Its value is greatest when the recovery is thorough, the handling is defensible, and the access was lawful from the outset. Any one of those missing, and the evidence weakens.

Not legal advice

This article is general information and is not legal advice. Whether particular evidence is admissible depends on the specific facts and the venue; consult a lawyer for a specific matter.

End of note

Forensically sound recovery and analysis, under proper chain of custody.

Every case starts with a free, confidential consultation and a written scope before any work begins.