Shirley Mali
🕵🏽‍♀️ Uncovering the Unseen: My Digital Forensics Journey with Deleted File Recovery

🌐Introduction

In the ever-evolving world of cybersecurity, one truth stands strong: attackers will try to hide their tracks — often by deleting files, logs, or data traces.

But deletion doesn’t mean destruction.

That's where digital forensics steps in. And in my latest project, I dove headfirst into a hands-on recovery scenario that challenged me to retrieve deleted files from a compressed archive. The result? A deeper appreciation — and, frankly, an obsession — with the art of uncovering what isn't meant to be found.

This post walks you through the full process, tools used, the learning outcomes, and why this kind of project is so critical in modern cybersecurity.


🚀 Background: From Burnout to Obsession
Since March 2025 I have been taking a break from being active to focus on two big things:

  • 🧠 Studying for the CompTIA CySA+ certification
  • 🛌 Recovering from a bout of sickness that forced me to slow down

That downtime turned into something powerful: I began immersing myself in digital forensics — and this project marks the beginning of my practical journey.


💼 The Challenge: Recovering a Deleted File
The project was inspired by a Root Me forensics challenge, where you're given a .gz file — and that's it.

The objective?
➡️ Recover a deleted file that was hidden inside.

Sounds simple?

Not when you realize:

  • The original file was compressed
  • Then renamed
  • And the actual content inside had been deleted
  • You don’t know the file type, structure, or extension

This challenge forced me to think like a forensic investigator: follow the breadcrumbs, verify every assumption, and carve through digital noise.


🧰 Tools Used

  • gunzip: decompress the .gz archive
  • mv: rename and prepare the archive for extraction
  • tar: extract archived files
  • file: identify file types
  • Foremost: file carving, i.e. recover deleted files based on known signatures

🛠️ Step-by-Step Walkthrough

1️⃣ Decompress the .gz Archive

gunzip ch39.gz

This gave me a single file named ch39, with no extension. That hinted it might be a tarball — just renamed.

2️⃣ Rename and Extract the Archive

mv ch39 ch39.tar
tar -xvf ch39.tar

This revealed a single suspicious file. I ran file on it:

file usb.image

But even this didn’t give me clarity. That’s when I turned to Foremost.

3️⃣ File Carving with Foremost

Foremost is a digital forensics tool that searches raw data for file headers and footers to reconstruct files — even if they’re “deleted.”

foremost -i usb.image -o output/

This carved out audit.txt and a PNG file. I then opened each recovered file, cross-checked the structure and content, and finally uncovered the flagged file — the one that had been deliberately deleted and hidden.
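To make the three steps above concrete end to end, here is an added example (my own code, not from the post or the Root Me challenge) that rebuilds the whole pipeline in Python: it constructs a throwaway ch39.gz (a gzip-wrapped tar holding a small "usb.image" whose directory entries are gone but whose bytes are still in unallocated space), then decompresses it, identifies the inner file by magic bytes the way `file` would, extracts the image, and carves it by scanning for header/footer signatures exactly as Foremost does. The image contents, the PNG and JPEG blobs (structurally fake, a carver only checks signatures) and the file names are all constructed here; plain text such as audit.txt has no header or footer signature, so this carver handles PNG and JPEG only.

```python
"""Toy reconstruction of gunzip -> rename/tar -> file -> carve (example code)."""
import gzip
import io
import os
import tarfile
import tempfile

# Header/footer pairs the carver looks for: the same idea as Foremost's
# built-in signature list, reduced to two formats for the example.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}
MAX_CARVE = 10 * 1024 * 1024  # give up on a header if no footer within 10 MiB


def identify(data: bytes) -> str:
    """Minimal stand-in for `file`: classify a blob by its magic bytes."""
    if data[:2] == b"\x1f\x8b":
        return "gzip compressed data"
    if data[257:262] == b"ustar":  # POSIX tar magic sits at offset 257
        return "POSIX tar archive"
    for name, (hdr, _) in SIGNATURES.items():
        if data.startswith(hdr):
            return f"{name} image data"
    return "data"  # what `file` says when nothing matches


def carve(image: bytes, out_dir: str) -> list[tuple[str, int, int]]:
    """Find every known header, then its matching footer, and write each hit."""
    os.makedirs(out_dir, exist_ok=True)
    found = []
    for ext, (hdr, ftr) in SIGNATURES.items():
        start = image.find(hdr)
        while start != -1:
            end = image.find(ftr, start + len(hdr), start + MAX_CARVE)
            if end == -1:
                break  # header without footer: Foremost would also stop here
            end += len(ftr)
            name = f"{start:08d}.{ext}"  # Foremost-style offset-based name
            with open(os.path.join(out_dir, name), "wb") as fh:
                fh.write(image[start:end])
            found.append((name, start, end))
            start = image.find(hdr, end)
    return found


def build_challenge(gz_path: str) -> bytes:
    """Construct ch39.gz: gzip(tar(usb.image)). All bytes are made up here."""
    filler = bytes(range(256)) * 4  # "unallocated" noise containing no signature
    png = SIGNATURES["png"][0] + b"\x00\x00\x00\rIHDR" + b"\x00" * 17 + SIGNATURES["png"][1]
    jpg = SIGNATURES["jpg"][0] + b"\xe0" + b"\x00" * 40 + SIGNATURES["jpg"][1]
    # The "deleted" files: no directory entry points at them, the bytes remain.
    image = filler + png + filler + jpg + filler
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("usb.image")
        info.size = len(image)
        tf.addfile(info, io.BytesIO(image))
    with gzip.open(gz_path, "wb") as fh:
        fh.write(buf.getvalue())
    return image


def recover(gz_path: str, workdir: str) -> dict:
    """Steps 1-3 of the walkthrough, returning what each step found."""
    with gzip.open(gz_path, "rb") as fh:          # step 1: gunzip ch39.gz
        inner = fh.read()
    inner_type = identify(inner)                  # hint that it is a tarball
    with tarfile.open(fileobj=io.BytesIO(inner)) as tf:  # step 2: tar -xvf
        image = tf.extractfile("usb.image").read()
    image_type = identify(image)                  # `file usb.image`: no clarity
    carved = carve(image, os.path.join(workdir, "output"))  # step 3: foremost
    return {"inner_type": inner_type, "image_type": image_type, "carved": carved}


def demo() -> dict:
    """Run the whole pipeline in a scratch directory."""
    with tempfile.TemporaryDirectory() as work:
        gz = os.path.join(work, "ch39.gz")
        build_challenge(gz)
        return recover(gz, work)


if __name__ == "__main__":
    print(demo())
```

The `file` stand-in reports the raw image as plain "data" because nothing meaningful sits at offset zero, which is the same dead end the post hit; the carver ignores the (missing) filesystem metadata entirely and recovers both blobs purely from their signatures.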


💡 Lessons Learned

  • File carving is essential when metadata is gone or tampered with.
  • Command-line forensics is powerful and foundational for incident response.
  • Even simple challenges can simulate real-world attacker behavior (e.g., renaming, compressing, deleting).
  • Foremost is a must-know tool for any digital forensics beginner.

Why Digital Forensics Matters Now More Than Ever

With advanced attackers and insider threats rising, digital forensics plays a critical role in:

  • 🔓 Incident response
  • 📁 Legal & compliance investigations
  • 🔍 Threat hunting
  • 🔄 Root cause analysis

The ability to recover deleted or obfuscated files often makes the difference between knowing how a breach occurred — or staying in the dark.


💙 My Growing Obsession
This project reminded me that digital forensics is more than a skill — it's a mindset.

🕵🏽‍♀️ It’s about thinking like an investigator.
🧠 It’s about asking “what’s missing?”
🧩 It’s about piecing together broken data until the story becomes clear.

As someone pursuing a career in blue teaming and security operations, this project confirmed that forensics is where my passion lies — and where I’m investing even more time going forward.


📂 Full Project on GitHub

You can find the complete project (with detailed bash commands, recovery steps, and file carving output) here:

👉 Deleted File Recovery GitHub Repo


🗣️ Let’s Connect
If you’re:

  • Exploring cybersecurity
  • Studying for CySA+ or Security+
  • Interested in digital forensics and incident response

…then let’s connect here on Dev.to, or on LinkedIn. I’d love to exchange insights and support each other’s growth.
