We will be going over how to recover files that were deleted from a removable USB Drive using Recuva. These same steps can be used for any drive on your PC; however, it is recommended that you stop using the PC that housed the deleted file(s) due to the greater chance of the file(s) becoming overwritten with use. Data recovery is usually done with the target drive not in operation.
After putting files on our USB Drive, we will try three different methods to erase our data and then try to recover what we can:
1. Delete normally (Right-Click, “Delete”)
2. Quick Format
3. Standard Format
You will see that how you delete your files impacts the ability for them to be recovered.
How Windows File Deletion Works — General Overview
When you Right-Click on a file and select “Delete,” that file will generally be moved to the Recycle Bin to sit for easy recovery in case you want that file back. When the time comes and you Right-Click on the Recycle Bin and select “Empty Recycle Bin” (or Shift-Delete files directly), you might think that the file is gone for good, but what actually happens is that Windows simply marks that file for overwrite and the pointers for that file are removed. The file is still there until Windows wants to use the space the file occupies, then the file is overwritten.
If you want to recover a deleted file, you will need to start the recovery process immediately. You will also want to stop using the drive where the file was deleted, as the more the drive read/writes the more likely it will overwrite your file.
What We Are Using For the Test
1. USB Drive
I will be using an old 4GB USB Drive for this test. This USB Drive has been used, so I’m going to securely erase it using a program called Eraser.
2. Eraser
Eraser will erase the data on a drive to different industry standards. I’ll be choosing the Department of Defense 5220.22-M Standard (which is its own topic in and of itself). In short, it will make multiple passes over the USB Drive to ensure secure data deletion. You can get Eraser by clicking HERE.
If you are following along exactly, know that the DoD erasure will take a very long time — especially for a large drive. For the 4GB USB Drive I’m using, it takes about 1.5 hours.
3. Recuva
I’ll be using Piriform’s Recuva program to recover the deleted files on the USB Drive. Recuva is a free, super simple data recovery application that I have had good results with over the years. No real technical or forensic skills are required for Recuva. You can get Recuva free by clicking HERE.
Wiping the USB Drive
If you have a brand new USB Drive, you can skip this section (also because it might be interesting to see what, if anything, gets recovered from a brand new USB Drive).
As stated above, if you plan on wiping the USB Drive to DoD standards or anything higher, be aware that this may take a long time.
To Securely Wipe the USB Drive:
1. Plug in the USB Drive and take note of what Drive letter it is assigned (in my case the Drive letter assigned is E:).
2. Download, install, and open Eraser.
3. At the main screen, Right-Click anywhere in the “Erase Schedule” area and select “New Task.”
4. The “Task Properties” window should pop up. Select “Run Manually” and click “Add Data” at the bottom.
5. The “Select Data to Erase” window should appear:
- Target Type: Drive/Partition
- Erasure Method: Anything (I’m using the DoD Standard mentioned above)
- Settings: Choose your Drive letter. VERY IMPORTANT: Make sure you have the right drive selected. If you select the wrong one you will erase all of the wrong data
6. After septuple checking your settings above, click “OK” on that window as well as the “Task Properties” window.
7. Your “Erase Schedule” should now list the task you just created. Since we set it to manually run, it will only run when we tell it to. Right-Click on the task itself and then click “Run Now.”
8. Eraser will begin the process of wiping your drive. I’ll see you in 1.5 hours.
Note: If you minimize Eraser while it’s running and it disappears from the Task Bar, just open the program again and it should take you to where you were.
After Eraser finishes, your USB Drive will be totally wiped.
Windows may prompt you to format the USB Drive when you try to open it the first time after it is wiped. Format it with the default settings and you will be good.
Now let us get into the actual testing…
1. Test 1: Standard Deletion
We will add files to the USB Drive and then delete them using the standard Right-Click -> Delete method as most people do on a daily basis.
1–1. Add Files to the USB Drive
I’ll be adding different types of files to the USB Drive. I’ll add some .jpeg, .mp4, .pdf, .gif, .ogv, .webm, .txt, and a directory containing another .txt file inside of it (a total of 10 files). The .txt and .pdf files also have some text inside of them. Add whatever you want. Here are my files on the USB Drive:
For subsequent tests, I am going to use these same 10 files again so I kept the originals on my PC when I copied them to the USB Drive.
After you’ve added your files, safely remove the USB Drive from the PC and then just reinsert it. This is done to test the drive and make sure no errors appear on reinsertion. If you do get an error, allow Windows to try to fix it.
1–2. Erase the Contents of the USB Drive
We’ll just erase the contents of the USB Drive as you likely would under normal conditions:
A. With the USB Drive open in Windows Explorer, select all of the contents within it and then Right-Click and select “Delete.”
B. Since it is a removable device, Windows should prompt you and ask you to confirm if you want to “permanently delete” the USB Drive contents. Click “Yes” to delete them.
Your USB Drive should now have no content on it.
Go ahead and eject the USB Drive and reinsert it again.
1–3. Recover the Deleted Files
Now we will attempt to recover the files we just deleted.
A. Download and install Recuva (if you haven’t already) and open it. The wizard will begin. Click “Next.”
B. Choose the File Type. In my case, I’m trying to recover images, videos, and documents — so I’ll choose “All Files.” Click “Next.”
C. Choose the File Location. This is the location where we want Recuva to find the deleted files. You can select “On my media card or iPod” since the USB Drive is a removable drive, but I would suggest selecting “In a specific location” and browsing to your USB Drive. After that, click “Next.” NOTE: Since you ejected your USB Drive, it is possible that the Drive letter assigned has changed. Make sure you double-check that you are selecting the target USB Drive.
D. We will not be enabling “Deep Scan” at this point. Go ahead and click “Start.”
E. Recuva will start going through the USB Drive and recovering what it finds. This usually doesn’t take too long.
F. Almost immediately, this is what Recuva presented to me:
Each file in the list is a deleted file that Recuva found. The colored icon to the left of the file name is a color indicator on the file’s condition. If you look under the “State” column, you can see that all of the files are in “Excellent” condition, which corresponds to the green color. According to Recuva, all 10 files are able to be recovered.
G. Tick the top checkbox on the left to select all of the files in the list. Once they are all selected, click “Recover…” in the bottom-right corner.
H. You will then be prompted to select a recovery location. This is where the files in the list will be saved. Always save to a different location than the drive you are recovering from, as you could overwrite the deleted files while you are trying to save them. I will be saving to Documents/RecuvaTest1. After you have selected your location, click “OK.”
I. Recuva will then begin recovering the deleted files in the list. After a couple of seconds, you should be prompted with the results summary:
J. Now head to the directory where you told Recuva to save your files and you should see your deleted files as if you never trashed them in the first place:
All files recovered contain the same exact data they did before they were deleted: the .gif, .mp4, .ogv, and .webm files all play normally; the .txt, and .pdf files all contain the same contents:
You may notice a couple of things:
1. The directory that was on the USB Drive (“ADirectory”) is no longer there. That is to be expected because a directory is not a file. The file within that directory (“ATextInsideADirectory.txt”) has been recovered.
2. The original .gif file was titled “niceguys.gif” but after recovery it is now labeled “_iceguys.gif.” The “n” was most likely overwritten before it was recovered, but the .gif file itself plays normally.
Also consider the fact that this USB Drive was wiped using Eraser prior to data recovery. No files that were erased by Eraser were found by Recuva.
So, as you may know, deleting files the standard way isn’t very secure. Next, we will Quick Format the USB Drive and try from there.
2. Test 2: Quick Formatting
We will add files to the USB Drive, delete them by Quick Formatting, and then see if recovery differs from Test 1.
I am going to wipe the drive with Eraser as I did at the beginning to have a clean canvas again.
2–1. Add Files to the USB Drive
I wiped the USB Drive with Eraser again so now I will add the same files I had in Test 1 to the USB Drive. Note that I am using copies of the original files, not the recovered files from Test 1.
After the files are added, safely eject and then reinsert the USB Drive again.
2–2. Quick Format the USB Drive to Erase All Contents
We are going to reformat the USB Drive, which will erase the contents of the drive. Some people believe that reformatting the drive will securely erase the data on it so it cannot be recovered. We shall see…
A. From the “This PC” window or on the Windows Explorer side bar, Right-Click on the USB Drive and click “Format…”
B. The Format Options window will open. You should be able to leave everything at default, but make sure “Quick Format” is selected.
After a few seconds, the Quick Formatting should complete and your USB Drive should have no content in it.
Go ahead and eject the USB Drive, reinsert it again, and ensure that the USB Drive is empty.
2–3. Recover the Deleted Files
As with Test 1, we will now attempt to recover the files we just deleted.
If you followed along with Test 1 and have a grip on Recuva, feel free to skip to D.
A. Open Recuva. The wizard will begin. Click “Next.”
B. Choose the File Type. In my case, I’m trying to recover images, videos, and documents — so I’ll choose “All Files.” Click “Next.”
C. Choose the File Location. This is the location where we want Recuva to recover the files. You can select “On my media card or iPod” since the USB Drive is a removable drive, but I would suggest selecting “In a specific location” and browsing to your USB Drive. After that, click “Next.” NOTE: Since you ejected your USB Drive, it is possible that the Drive letter assigned has changed. Make sure you double-check that you are selecting the target USB Drive.
D. We will not be enabling “Deep Scan” at this point. Go ahead and click “Start.”
E. Recuva will start going through the USB Drive and recovering what it finds.
F. Quickly, Recuva said:
Looks like Recuva was unable to find a single shred of a file on the quick formatted USB Drive.
G. Recuva is asking if we want to enable “Deep Scan,” and we are going to select “Yes.” Recuva will then begin searching the USB Drive again. Depending on how large your drive is, this may take a good bit of time. It took about four minutes for mine to complete.
H. After Recuva finishes its “Deep Scan,” you will be presented with what it found:
I. You will then be prompted to select a recovery location. This is where the files in the list will be saved. Always save to a different location than the drive you are recovering from, as you could overwrite the deleted files while you are trying to save them. I will be saving to Documents/RecuvaTest2. After you have selected your location, click “OK.”
J. Recuva will then begin recovering the deleted files in the list. After a couple of seconds, you should be prompted with the results summary:
K. Now head to the directory where you told Recuva to save your files and you should see your recovered files:
You’ll notice we have some different results from Test 1:
1. Not every file was able to be recovered. We are missing two files (“someText.txt” and “Two_Gondolas.webm”).
2. The file names are changed.
3. The “.ogv” file extension has been changed to “.Ogg.” Note: .ogv files use the .ogg container format.
4. The directory that was initially on the USB Drive (“ADirectory”) is missing. See Test 1 for this explanation.
With the recovered files, without getting into the forensic side of things, all of the content still exists as it did before it was deleted by formatting — with the exception of the .gif file. The .gif file now exists as a single frame and no longer plays. The contents of the recovered documents still have the same content:
We have had less success with recovery from a Quick Formatted drive, but it’s still a success. Take note that quick formatting a drive makes recovery a tiny bit more difficult, but it is far from ideal if you are hoping to erase all of your data.
2.5. Quick Extra — Quick Format Again (and Again)
Before I move on to Test 3, I want to see what happens if I Quick Format the USB Drive again.
A. I’ll be following the same steps as I did in 2–2 and Quick Format the USB Drive one more time. Recall that this drive was already Quick Formatted once.
B. Now that the USB Drive is Quick Formatted again, I’ll follow 2–3 and run Recuva again on it.
C. As expected, Recuva found no files using its normal scan, so I enabled “Deep Scan.”
D. Recuva finished its Deep Scan and recovered the following:
These are the same results as Test 2. All of the files are in the same condition as they were in Test 2.
I’m going to Quick Format the USB Drive again three more times and do the same thing…
After running Recuva’s “Deep Scan” on the now thrice + twice Quick Formatted drive, you probably aren’t surprised at the results:
Exact same results as in Test 2 and the second Quick Format of Test 2.5.
So remember, Quick Formatting a drive multiple times does nothing to ensure the deleted content gets “more deleted.”
We will now try out standard formatting (not Quick Format).
3. Test 3: Standard Formatting
We will add back our files from Tests 1 and 2 to our USB Drive and erase them with standard formatting (not Quick Format).
As I did with Test 2, I’m going to use Eraser and wipe the USB Drive before I place the files back on it.
3–1. Add Files to the USB Drive
Same as before, I wiped the USB Drive with Eraser and added the original files back to it.
Once you get the files added, safely eject it and then reinsert it.
3–2. Format the USB Drive to Erase All Contents
Just as in Test 2, we are going to format the drive to erase its contents. This time we will not use “Quick Format.”
A. With the Format Options window open, make sure “Quick Format” is NOT selected. We want to do a full format this time. With “Quick Format” not checked, click “Start” to begin the full formatting process:
B. Full formatting will take longer than Quick Format. In my case it took about 10 minutes.
Once more, safely remove the USB Drive and then reinsert it into the PC.
3–3. Recover the Deleted Files
Just as we did with Tests 1 and 2, we will use Recuva to attempt to recover the deleted files.
A. Open Recuva, choose “All Files” (or whatever is most appropriate for your situation). Click “Next.”
B. Choose “In a specific location” and select your USB Drive.
C. We will not be enabling “Deep Scan” at this point. Go ahead and click “Start.”
D. Recuva will start going through the recovery process. As with Test 2, you will likely be prompted with the “No files were found” dialog. Click “Yes” to start the “Deep Scan” [see Test 2 for more information on this].
E. After that finishes, Recuva will tell us what it found during its “Deep Scan”:
Recuva was unable to pull remnants of any of the 10 files we had on the USB prior to full formatting. There is certainly a difference between Quick and standard formatting in regard to data recovery.
Conclusion
This test showed the following results:
– For secure data removal, use a free program such as Eraser and choose one of their erasure methods.
– Full formatting a drive does a much better job at wiping data than Quick Formatting does (Recuva was unable to recover any files). It takes longer, but it is more effective.
– Quick Formatting a drive to erase data may get rid of some data, but most can be recovered.
– Quick Formatting a drive multiple times does nothing more than Quick Formatting it once does.
– Right-Clicking a file and selecting “Delete” does little to nothing for actual data deletion.
– Recuva is an excellent tool for the technically capable and non-tech savvy alike for recovery of deleted files on Windows. Just remember to not use the storage medium you are recovering from to increase the chances of successful recovery.
Tools/Sources:
Note: I have no affiliation with any tools/sources listed.
Eraser: https://sourceforge.net/projects/eraser/
Recuva: https://www.ccleaner.com/recuva
More about the DoD Standard: https://www.blancco.com/blog-dod-5220-22-m-wiping-standard-method/
Files:
Avocado image: https://www.pexels.com/photo/sliced-avocado-2228553/ — thought catalog
Tree image: https://www.pexels.com/photo/green-pine-tree-at-daytime-802127/ — Nashrodin Aratuc
Gosling Gif (from the movie “Nice Guys” — go watch it): https://giphy.com/gifs/mrw-walks-presenter-IOx18kwUmbM0U
Gondolas: https://coverr.co/videos/two-gondolas-UyrZdjgg8D
