
The Forensic Science of Digital Recovery: How We Reconstruct Deleted Histories

When Ray Wooden sat in jail for a crime he did not commit, the evidence that would free him was on his phone the entire time. Forensic data recovery, the science of reconstructing deleted digital evidence, has become the backbone of modern criminal investigation.

Ray Wooden spent more than a year in a Pennsylvania jail for a shooting he did not commit. The evidence that would free him was sitting on his phone the entire time, completely overlooked by prosecutors.[s] A team of forensic science graduates from NJIT analyzed cellphone records, location data, and text messages to prove Wooden was at a storage unit, not at the alleged crime scene, when the shooting occurred. In July 2025, the Philadelphia District Attorney dismissed all charges.

Forensic data recovery, the science of reconstructing deleted or damaged digital evidence under evidentiary controls, is now one part of modern digital investigations. The tools and techniques that freed Wooden rely on the same basic principle used across many digital cases: deleted or damaged data may still be recoverable when devices are preserved quickly and examined methodically.[s]

Why Deleted Files Are Rarely Gone

The word “deleted” is misleading. When users delete files, the operating system does not erase the underlying data. Instead, it marks that storage space as available for reuse.[s] The actual bits remain on the drive until new data overwrites them. This distinction is the foundation of forensic data recovery work.

Consider a library analogy. Deleting a file is like removing a book’s entry from the catalog. The book itself still sits on the shelf until someone places a new book in that exact spot. Forensic examiners know how to search the shelves directly, bypassing the catalog entirely.

This persistence explains why examiners look beyond visible folders into unallocated space, file system artifacts, backups, and temporary caches.[s] It also explains why people who think they have destroyed incriminating evidence often discover, in court, that they have not.

The Extraction Hierarchy

Digital forensics specialists use a tiered approach to pulling data from devices. Logical extraction communicates with the device’s operating system to retrieve visible files, a fast method but one that cannot recover deleted material. Physical extraction bypasses the operating system entirely, creating a bit-by-bit copy of the flash memory that includes deleted files, unallocated space, and hidden partitions.[s]

A more specialized method, RAM extraction, captures data from a device’s volatile memory while it is still powered on. This technique can recover decryption keys, passwords, and open chat windows that would be lost the moment the device powers down.[s]

The shift toward mobile devices has transformed the field. MSAB describes the change this way: ten years ago, a phone was an accessory to a crime; today, the phone is the crime scene.[s] Mobile forensic data recovery now supports investigations ranging from local drug trafficking to international law enforcement cooperation on child exploitation networks.

When Recovery Fails: The SSD Problem

Traditional hard drives leave deleted data in place until overwritten. Solid-state drives operate differently. They use a command called TRIM to tell the SSD controller which blocks are no longer in use. Once TRIM executes, most SSDs stop returning the original data through normal reads, putting it beyond the reach of any standard forensic approach.[s]

Recovery prospects tell the story. Non-overwritten data on traditional drives can remain accessible, but TRIM-enabled SSDs and full-disk encryption without key access can make ordinary recovery impractical or impossible.[s]

Some forensic write-blockers, devices designed to prevent evidence tampering during imaging, fail to block TRIM commands, which operate separately from standard write operations.[s] This creates a gap where evidence can be destroyed even when examiners follow proper protocols.

New Tools for Fragmented Evidence

Traditional file carving tools scan raw storage for recognizable file signatures, the digital equivalent of finding the first and last pages of a book and assuming everything between belongs together. This works when deleted data sits in continuous blocks. When files are scattered across damaged or heavily used drives, traditional carving fails.[s]

LSU computer scientist Golden G. Richard III, the original author of the Scalpel carving tool, has developed a successor called Scalpel3. The tool uses DNA-sequencing-style algorithms to match overlapping data fragments, aiming to reconstruct files that traditional carving tools cannot handle.[s] In LSU’s example, an unauthorized drone crashes with damaged storage; Scalpel3 could potentially rebuild fragmented flight logs to help determine its origin and function.

From Evidence to Verdict

Recovered data means nothing if it cannot survive courtroom scrutiny. Every action from acquisition to analysis must be documented: tools used, hash values generated, timestamps, and handling procedures.[s] This chain of custody documentation demonstrates that evidence has not been tampered with or contaminated.

The forensic examiner who extracted Ray Wooden’s phone noted that having direct access to the device, rather than relying on data the prosecution had already extracted, allowed the team to ensure data was collected carefully and completely.[s] That methodological rigor made the difference between freedom and continued imprisonment.

As digital evidence becomes central to everything from murder trials to forensic analysis of synthetic media, the science of forensic data recovery will continue to evolve. The question is no longer whether deleted histories can be reconstructed, but whether we are looking for them in the first place.

File System Mechanics of Forensic Data Recovery

When files are deleted on file systems such as NTFS, FAT, or APFS, the operating system typically marks the storage space as available for reuse rather than immediately erasing the underlying data.[s] The recoverable remnants depend on the file system, the storage device, and whether later activity has overwritten the relevant blocks.
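The "marked as available" behaviour can be seen at the byte level on FAT, where deleting a file overwrites the first byte of its 32-byte directory entry with 0xE5 and frees its clusters without touching their contents. The following is an added example, not code from the article or any tool it names; the tiny volume, file names and contents are constructed, and recovery assumes the file sat in consecutive clusters.

```python
import struct

CLUSTER = 512      # constructed volume: one 512-byte sector per cluster
DELETED = 0xE5     # FAT flags a deleted directory entry with this first byte

def make_entry(name83: bytes, first_cluster: int, size: int) -> bytes:
    """Build a 32-byte FAT short-name directory entry (unused fields left zero)."""
    e = bytearray(32)
    e[0:11] = name83
    e[11] = 0x20                                          # archive attribute
    struct.pack_into("<H", e, 20, first_cluster >> 16)    # high word (FAT32)
    struct.pack_into("<H", e, 26, first_cluster & 0xFFFF)
    struct.pack_into("<I", e, 28, size)
    return bytes(e)

def deleted_entries(directory: bytes):
    """Yield (name, first_cluster, size) for directory entries flagged deleted."""
    for off in range(0, len(directory), 32):
        e = directory[off:off + 32]
        if e[0] == 0x00:                       # end-of-directory marker
            break
        if e[0] != DELETED or e[11] == 0x0F:   # live entry or long-name entry
            continue
        hi = struct.unpack_from("<H", e, 20)[0]
        lo, size = struct.unpack_from("<HI", e, 26)
        name = "?" + e[1:11].decode("ascii", "replace")   # first character is lost
        yield name, (hi << 16) | lo, size

def recover(data_region: bytes, first_cluster: int, size: int) -> bytes:
    """Read size bytes from first_cluster onward. The FAT chain is freed on
    delete, so this assumes the file occupied consecutive clusters."""
    start = (first_cluster - 2) * CLUSTER      # cluster 2 is the first data cluster
    return data_region[start:start + size]

def demo():
    note = b"constructed sample note\n" * 30             # 720 bytes, two clusters
    data = bytearray(4 * CLUSTER)                         # clusters 2..5
    data[CLUSTER:CLUSTER + len(note)] = note              # file stored from cluster 3
    directory = bytearray(make_entry(b"KEEP    TXT", 2, 10)
                          + make_entry(b"NOTES   TXT", 3, len(note)) + bytes(32))
    directory[1 * 32] = DELETED     # the delete, as seen in the directory: one byte
    return [(name, recover(bytes(data), clus, size) == note)
            for name, clus, size in deleted_entries(bytes(directory))]

if __name__ == "__main__":
    print(demo())
```

The entry still carries the start cluster and size, which is why recovery works until those clusters are reused; the lost first character of the name is the only thing the delete destroyed in the directory.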

Forensic examiners exploit this behavior through unallocated space analysis. Advanced carving techniques extract identifiable file signatures directly from unallocated regions, reconstructing documents even when file names and directory paths are no longer intact.[s] Tool performance varies by file type, storage medium, fragmentation, encryption, and whether the relevant blocks have been overwritten.

Extraction Methods: Logical Through Volatile

Forensic data recovery operates across four extraction levels. Logical extraction communicates with the device’s operating system via API to request visible data, a fast approach that cannot recover deleted material. File System extraction (FFS) accesses the entire file system structure and its decryption keys, offering deeper access than logical methods.

Physical extraction bypasses the operating system entirely, creating a bit-by-bit image of the flash memory. This method recovers deleted files, unallocated space, and hidden partitions.[s] Not all modern encrypted devices permit physical extraction, limiting this approach on high-security configurations.

Volatile memory extraction is a specialized level of forensic access. RAM contains decryption keys, passwords, and open chat windows that would be lost if not extracted before device shutdown.[s] Specialized tools capture this data while the device remains powered, preserving evidence that no post-shutdown method can recover.

TRIM, DRAT, and DZAT: The SSD Recovery Barrier

Solid-state drives fundamentally alter forensic data recovery possibilities. The TRIM command instructs the SSD controller that specific blocks are no longer in use. Once TRIM executes, most SSDs return zeros when those blocks are read, even if the NAND cells still physically hold the original bits.[s]

Three SSD behaviors affect recovery: undefined mode (older drives may return stale data, random data, or zeros unpredictably), DRAT (Deterministic Read After Trim, where reads return a consistent result after TRIM), and DZAT (Deterministic Zeroes After Trim, where reads return zeros). Most modern NVMe drives support at least DRAT; enterprise drives typically implement DZAT.[s]

A critical gap exists in forensic tooling. Some forensic-grade write blockers block standard write operations but fail to block TRIM, which operates as a separate command.[s] Examiners must verify their write-blocker’s TRIM handling before imaging SSDs.
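One way to structure that verification on a sacrificial test drive is to write a known pattern, send TRIM through the blocker, read the range back several times, and interpret the reads using the three behaviours described above. This is an added example, not a procedure or code from the article; `SimSSD` and `WriteBlocker` are constructed models standing in for real hardware, and the values the simulated drive returns are arbitrary.

```python
PATTERN = bytes(range(256)) * 2            # known 512-byte test pattern

class SimSSD:
    """Constructed model of one 512-byte LBA range; not a real device interface."""
    def __init__(self, mode: str):
        self.mode, self.data, self.trimmed, self.reads = mode, bytes(512), False, 0

    def write(self, data: bytes) -> None:
        self.data, self.trimmed = data, False

    def trim(self) -> None:
        self.trimmed = True

    def read(self) -> bytes:
        if not self.trimmed:
            return self.data
        if self.mode == "DZAT":
            return bytes(512)
        if self.mode == "DRAT":
            return b"\xff" * 512                       # fixed, drive-chosen value
        self.reads += 1                                # undefined: result varies
        return [self.data, bytes(512), b"\xa5" * 512][self.reads % 3]

class WriteBlocker:
    """Model of a blocker's TRIM path: forwards TRIM only when passes_trim is True."""
    def __init__(self, ssd: SimSSD, passes_trim: bool):
        self.ssd, self.passes_trim = ssd, passes_trim

    def trim(self) -> None:
        if self.passes_trim:
            self.ssd.trim()

def assess(pattern: bytes, reads: list) -> str:
    """Interpret repeated reads of a range that held `pattern` before the TRIM."""
    if all(r == pattern for r in reads):
        return "intact"          # TRIM had no effect on what the drive returns
    if all(not any(r) for r in reads):
        return "DZAT"            # every read is all zeros
    if all(r == reads[0] for r in reads):
        return "DRAT"            # same result every time, but not zeros
    return "undefined"           # result changes from read to read

def run_check(mode: str, passes_trim: bool, n_reads: int = 4) -> str:
    ssd = SimSSD(mode)
    ssd.write(PATTERN)                                 # prepared on a test drive
    WriteBlocker(ssd, passes_trim).trim()              # TRIM sent via the blocker
    return assess(PATTERN, [ssd.read() for _ in range(n_reads)])
```

Any result other than "intact" means the TRIM reached the drive. On a drive in undefined mode a few reads can all happen to return stale data, so an "intact" result is only as strong as the number of reads behind it.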

Scalpel3: DNA-Sequencing for Fragmented Data

Traditional carving tools can recover data available in a single continuous block, or in specialized cases, a limited number of fragments. Truly fragmented data defeats these tools.[s] This limitation has historically prevented recovery from damaged drives where files were scattered across non-contiguous sectors.
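The signature carving described in this section and the previous one, and the way it breaks on fragmented data, can be shown with a minimal header/footer carver. This is an added example and is not Scalpel or Scalpel3 code; the "unallocated space" and the two stand-in JPEG files are constructed, with the second file split around a block belonging to another file.

```python
import hashlib

HEADER, FOOTER = b"\xff\xd8\xff", b"\xff\xd9"   # JPEG start and end markers
BLOCK = 512

def carve(raw: bytes, max_size: int = 1 << 20) -> list:
    """Header/footer carving: pair each header with the next footer after it."""
    found, pos = [], 0
    while (start := raw.find(HEADER, pos)) != -1:
        end = raw.find(FOOTER, start + len(HEADER), start + max_size)
        if end == -1:                   # no footer in range: skip this header
            pos = start + 1
            continue
        found.append((start, raw[start:end + len(FOOTER)]))
        pos = end + len(FOOTER)
    return found

def fake_jpeg(seed: int, body_len: int) -> bytes:
    """Constructed stand-in for a JPEG: real markers around a body with no 0xFF."""
    return HEADER + bytes((seed + i) % 200 for i in range(body_len)) + FOOTER

def pad(data: bytes) -> bytes:
    """Zero-pad to a whole number of blocks, like slack at the end of a file."""
    return data + bytes(-len(data) % BLOCK)

def demo() -> list:
    a, b = fake_jpeg(1, 700), fake_jpeg(7, 900)
    other = b"A" * BLOCK                           # a block owned by another file
    raw = (bytes(BLOCK) + pad(a)                   # file a: contiguous
           + b[:BLOCK] + other + pad(b[BLOCK:]))   # file b: split around `other`
    want = [hashlib.sha256(f).hexdigest() for f in (a, b)]
    got = [hashlib.sha256(c).hexdigest() for _, c in carve(raw)]
    return [w == g for w, g in zip(want, got)]

if __name__ == "__main__":
    print(demo())
```

The carver reports two files in both cases; only comparison against the originals shows that the second one silently includes a foreign block, which is why carved output has to be validated rather than trusted.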

Scalpel3, developed by LSU’s Golden G. Richard III, applies overlap-matching algorithms similar to DNA sequencing. The tool aligns small overlapping pieces of data to reconstruct files that exist only as scattered fragments.[s] LSU describes it as a framework designed for fragmented recovery at scale, including damaged devices where the origin and function of recovered data must be established.[s]

Chain of Custody and Admissibility Standards

Every action from acquisition to analysis must be recorded: tools used, hash values generated, timestamps, and handling procedures. This documentation demonstrates transparency and prevents challenges related to evidence tampering or contamination.[s]
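A custody log of this kind can be made checkable by recording the evidence hash in every entry and re-hashing the image at each step. The following is an added example, not a format used in the Wooden case or by any tool named in the article; the record fields, examiner and tool names, timestamps and image contents are constructed, and linking each record to the hash of the previous one is a design choice made here so that edits to the log itself also show up.

```python
import hashlib
import json

def sha256_stream(chunks) -> str:
    """Hash evidence chunk by chunk so a large image never sits in memory."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()

def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_record(log, when, examiner, action, tool, evidence_sha256) -> dict:
    """Append a custody record that also commits to the record before it."""
    rec = {"when": when, "examiner": examiner, "action": action, "tool": tool,
           "evidence_sha256": evidence_sha256,
           "prev": log[-1]["record_sha256"] if log else "0" * 64}
    rec["record_sha256"] = _digest(rec)
    log.append(rec)
    return rec

def verify(log, image_chunks) -> list:
    """Return the problems found; an empty list means log and image agree."""
    problems, prev = [], "0" * 64
    current = sha256_stream(image_chunks)
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "record_sha256"}
        if _digest(body) != rec["record_sha256"] or rec["prev"] != prev:
            problems.append(f"record {i}: log entry altered or out of sequence")
        if rec["evidence_sha256"] != current:
            problems.append(f"record {i}: image hash mismatch")
        prev = rec["record_sha256"]
    return problems

def demo():
    image = [b"constructed image block %d" % i for i in range(4)]
    log, h = [], sha256_stream(image)
    # Constructed records; tool names are placeholders, not real products.
    add_record(log, "2025-01-01T10:00:00Z", "Examiner A", "acquired", "imager-x", h)
    add_record(log, "2025-01-02T09:30:00Z", "Examiner B", "verified", "hasher-y", h)
    clean = verify(log, image)
    bad_image = verify(log, image[:-1] + [b"overwritten block"])
    log[0]["when"] = "2025-01-01T08:00:00Z"      # backdate the first record
    bad_log = verify(log, image)
    return clean, bad_image, bad_log
```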

In the Ray Wooden exoneration, the defense team obtained a court order requiring the prosecution to hand over Wooden’s device directly, rather than relying on prosecution-extracted data. This allowed independent forensic extraction and analysis.[s] Location data was plotted using mapping software; at the exact time of one alleged incident, the phone was at a storage unit, with a contemporaneous text message confirming Wooden’s presence there.[s]

The information that cleared Wooden was on his phone from the start, completely overlooked by prosecutors.[s] This case raises an uncomfortable question: how many other individuals remain incarcerated with exonerating evidence sitting on their devices?

The Evolving Forensic Landscape

Mobile devices now occupy a central place in digital forensics. MSAB describes the shift this way: ten years ago, a phone was an accessory to a crime; today, the phone is the crime scene.[s] International law enforcement cooperation on digital evidence can enable investigations that span jurisdictions and legal systems.

New challenges continue to emerge. Digital forensic methods also intersect with forensic analysis of synthetic media, where investigators must determine whether audio or video evidence is authentic or AI-generated. As storage technologies evolve and encryption becomes ubiquitous, the arms race between evidence destruction and evidence recovery will intensify. The science is clear: deleted does not always mean gone. The question is whether investigators know where to look.
