Encyphir Risk Management
How to Recover Deleted Files on Windows and Mac

Troy Sander, Consultant
April 12, 2022
Table of contents

  • How File Deletion Works
  • Windows File Recovery
  • macOS File Recovery
  • When These Approaches Are Not Enough
  • Forensic File Recovery
  • The Role of SSD and TRIM
  • What to Do Immediately After a Deletion
  • Common Scenarios We See in the Field
  • Beyond Files: Other Artifacts Worth Recovering
  • Cloud Storage and Collaborative Platforms
  • When to Call a Professional

Categories

Digital Forensics, Data Recovery

Deleted files are recoverable far more often than most people assume. The deletion may be accidental, the result of a system failure, or the subject of an investigation. Understanding how deletion works on Windows and macOS is the first step toward knowing what is possible.

How File Deletion Works

On both Windows and macOS, deleting a file does not immediately remove its data from storage. Instead, the file system marks the space the file occupied as available for reuse. The data itself remains until new data overwrites it.

When you move a file to the Recycle Bin (Windows) or Trash (macOS), the file is not deleted at all. It is simply moved to a designated folder. Only when you empty the Bin or Trash does the file system mark that space as available.

This means recently deleted files are often recoverable. Files deleted some time ago may still be recoverable, depending on how much new data has been written to the drive since deletion.

Windows File Recovery

Recycle Bin. Check here first. If the file was deleted normally and the Bin has not been emptied, the file is there and restoration is a right-click away.

File History. Windows 10 and 11 include File History, a backup feature that periodically snapshots libraries and selected folders. If File History was enabled before the file was deleted, previous versions may be available.

Previous Versions. Windows creates shadow copies of files through the Volume Shadow Copy Service. Right-clicking on a folder and selecting "Restore previous versions" can surface older versions of deleted files without third-party software.

Windows File Recovery. Microsoft offers a free command-line tool called Windows File Recovery. It works on local drives, USB drives, and memory cards. It is not a forensic tool, but it can help in straightforward personal recovery scenarios.

Third-party recovery tools. Applications like Recuva (free), R-Studio, and GetDataBack are widely used for consumer file recovery. These tools scan unallocated space for recoverable file data.
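The signature scan that such tools run over unallocated space can be sketched as follows. This is an added example, not code from any of the tools named above: the function names, the three supported formats, and the sample buffer are all constructed for illustration. It goes slightly beyond the text by sizing SQLite databases from their header fields, and it shows the failure case where a file's tail has already been overwritten.

```python
import struct

# kind -> (header, footer) for formats that end with a fixed marker
FOOTERED = {"jpeg": (b"\xff\xd8\xff", b"\xff\xd9"), "pdf": (b"%PDF-", b"%%EOF")}
SQLITE_MAGIC = b"SQLite format 3\x00"

def carve(image: bytes):
    """Return sorted (offset, kind, length, complete) for each header found."""
    hits = []
    for kind, (head, foot) in FOOTERED.items():
        pos = image.find(head)
        while pos != -1:
            nxt = image.find(head, pos + len(head))
            end = image.find(foot, pos + len(head))
            # A footer that lies beyond the next header belongs to another file:
            # this one lost its tail to later writes. (Simplification: no structure checks.)
            if end == -1 or (nxt != -1 and nxt < end):
                hits.append((pos, kind, 0, False))
            else:
                hits.append((pos, kind, end + len(foot) - pos, True))
            pos = nxt
    pos = image.find(SQLITE_MAGIC)
    while pos != -1:
        # SQLite has no footer; its header stores page size (offset 16) and
        # page count (offset 28), both big-endian.
        if pos + 32 <= len(image):
            page_size, = struct.unpack_from(">H", image, pos + 16)
            pages, = struct.unpack_from(">I", image, pos + 28)
            size = (65536 if page_size == 1 else page_size) * pages
            hits.append((pos, "sqlite", size, 0 < size <= len(image) - pos))
        pos = image.find(SQLITE_MAGIC, pos + 1)
    return sorted(hits)

def build_sample() -> bytes:
    """Constructed 'unallocated space': zero filler plus four remnants."""
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 60 + b"\xff\xd9"   # intact, 66 bytes
    pdf = b"%PDF-1.7\n" + b"P" * 40 + b"\n%%EOF"            # intact, 55 bytes
    db = SQLITE_MAGIC + struct.pack(">H", 512) + bytes(10) + struct.pack(">I", 2)
    db += bytes(1024 - len(db))                              # 2 pages of 512 bytes
    torn = b"\xff\xd8\xff\xe1" + b"T" * 30                   # tail already overwritten
    return bytes(100) + jpeg + bytes(50) + pdf + bytes(46) + db + bytes(20) + torn + bytes(64)

if __name__ == "__main__":
    for offset, kind, length, complete in carve(build_sample()):
        print(f"{offset:6d} {kind:6s} {length:5d} {'complete' if complete else 'partial'}")
```

The last hit is reported as partial with length 0: the header survived, but the blocks that held the rest of the file were reused, which is the overwrite limit described in this article.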

macOS File Recovery

Trash. As on Windows, macOS's Trash retains deleted files until emptied. Check here first.

Time Machine. If Time Machine was configured before the file was deleted, the backup contains the file. Open Time Machine and browse back to a point in time when the file existed.

iCloud Drive. Files deleted from iCloud Drive are kept for 30 days in a Recently Deleted section, accessible through iCloud.com.

Third-party recovery tools. Disk Drill, Data Rescue, and PhotoRec are commonly used on macOS for consumer file recovery.

When These Approaches Are Not Enough

Consumer recovery tools work in many accidental deletion cases, but they have real limits:

  • They may not recover files that have been overwritten.
  • They are not designed to recover from encrypted APFS volumes (common on modern Macs) or from SSDs with TRIM enabled, where deleted blocks are zeroed more aggressively.
  • They do not produce legally defensible results.

Forensic File Recovery

In legal or investigative contexts, file recovery must follow forensic standards. That means working from a verified forensic image of the original storage, not from the original media directly. It means documenting the methodology, the tools used, and the findings. It means results that can be authenticated and that will hold up to challenge in court.

Consumer recovery tools, used directly on the original evidence, can change timestamps and other metadata, write data to the original media, and compromise the integrity of the evidence.

Forensic tools including EnCase, Magnet AXIOM, and X-Ways Forensics perform file carving and recovery in a way that is documented, repeatable, and defensible.
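One way to check that a working copy still matches the hash recorded at acquisition, and to log that check, is shown below. This is an added example, not the procedure of any tool named above: the function names, record fields, file name, and examiner and tool labels are assumptions, and the "image" is a small constructed file.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so multi-gigabyte images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:  # read-only: verification must never write to the image
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_working_copy(image_path: str, acquisition_sha256: str, examiner: str, tool: str) -> dict:
    """Return a log record; analysis should proceed only if 'verified' is True."""
    observed = sha256_file(image_path)
    return {
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "acquisition_sha256": acquisition_sha256.lower(),
        "observed_sha256": observed,
        "verified": observed == acquisition_sha256.lower(),
        "examiner": examiner,
        "tool": tool,
        "checked_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }

def demo():
    """Constructed stand-in for an image: verify it, alter one byte, verify again."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "evidence001.dd")  # hypothetical file name
        with open(path, "wb") as f:
            f.write(bytes(range(256)) * 64)
        acquired = sha256_file(path)  # the value that would be recorded at acquisition
        before = verify_working_copy(path, acquired, "examiner (placeholder)", "sha256_file")
        with open(path, "r+b") as f:  # simulate a tool writing a single byte to the copy
            f.seek(1000)
            f.write(b"\x00")
        after = verify_working_copy(path, acquired, "examiner (placeholder)", "sha256_file")
        return before, after

if __name__ == "__main__":
    for record in demo():
        print(record["verified"], record["observed_sha256"][:16])
```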

The Role of SSD and TRIM

TRIM is a feature of solid-state drives. It lets the operating system tell the drive which data blocks are no longer in use. SSDs with TRIM enabled zero deleted content more aggressively than traditional hard drives. This significantly reduces the window for recovery. On modern macOS systems running on Apple Silicon, recovery of deleted files from the internal SSD can be very limited.

External drives, USB drives, and older hardware are less affected by TRIM and typically present better recovery prospects.

What to Do Immediately After a Deletion

Stop using the device. That is the most important action after a critical file is deleted. Every write to the storage medium can overwrite the very blocks that hold recoverable data. Common sources of writes include:

  • Saving documents
  • Browser caching
  • Automatic updates
  • Background indexing services

For desktops and laptops, power the machine down rather than continuing to work on it. For external drives and USB media, unplug the device and set it aside. If the deletion occurred on a server or shared workstation, disconnect the machine from the network. This prevents synchronization processes from spreading the deletion to backups or replicas.

Do not install recovery software onto the same drive you hope to recover from. The installation itself writes data to free space, which is precisely where the deleted file's contents still reside. Instead, connect the affected drive as a secondary device to another machine, or boot from external media. For organizations with potential litigation exposure, the best practice is to preserve the device in its current state. Contact a qualified examiner before anyone attempts recovery. Our digital forensics team regularly receives cases where well-meaning IT staff reduced the chances of successful recovery by running consumer tools on the original evidence.

Common Scenarios We See in the Field

Deletion cases rarely arrive as simple accidents. Common patterns include:

  • A departing employee wipes a company laptop the day before returning it, and the employer suspects trade secrets were taken.
  • A school administrator discovers that key communications related to a student matter have vanished from a shared drive.
  • A spouse finds that text messages, photographs, and financial records disappeared from a shared computer in the days before a separation.
  • A small business owner realizes that a bookkeeper deleted months of QuickBooks transactions along with supporting receipts.

Each case calls for a different mix of recovery techniques and investigative context. In embezzlement and financial exploitation matters, our certified fraud examiners pair recovered files with bank records, accounting data, and interview findings. Together, these reconstruct what happened and quantify the loss. In employment and trade-secret disputes, recovered files often sit alongside USB device history, cloud sync logs, and email artifacts. This shows not only what was deleted but whether it was copied first. In family law contexts, recovered photographs, messages, and location data can support or refute claims made in declarations and depositions.

Beyond Files: Other Artifacts Worth Recovering

Traditional file recovery focuses on documents, spreadsheets, photographs, and videos in user folders. A thorough forensic examination goes further. Browser history and cache entries can persist in unallocated space long after a user clears their history. Chat and messaging databases from applications like Signal, Telegram, Slack, and Microsoft Teams store records in local SQLite files. Fragments of these can sometimes be carved even after the application has been uninstalled. Email clients such as Outlook and Apple Mail keep local stores that retain deleted messages well beyond what the user sees in the interface.

Registry hives on Windows and plist files on macOS record which USB devices were connected, which files were recently opened, and which applications were run. These artifacts often survive attempts to delete user data. They can be decisive in executive misconduct investigations, where the question is not simply what was deleted, but what the subject did with the data before deleting it. Shadow copies, hibernation files, swap files, and unallocated memory regions all hold fragments that a skilled examiner knows where to look for.

Cloud Storage and Collaborative Platforms

Modern work is rarely confined to a single device. Files deleted from a local machine may still exist in OneDrive, Google Drive, Dropbox, Box, or SharePoint. They often live in recycle bins or version histories that administrators can access even when end users cannot. Google Workspace and Microsoft 365 both offer administrative recovery windows that extend beyond what individual users see. Enterprise tenants frequently have retention policies that preserve data well past any deletion at the user level.

For corporate matters, we frequently work with IT departments and outside counsel to preserve tenant-level data before retention periods expire. Law firms engaging us for discovery support benefit from early conversations about where data might exist beyond the custodian's laptop. The window to preserve cloud artifacts can be short and is controlled by the administrator rather than the investigator.

When to Call a Professional

Try consumer recovery yourself when the stakes are low, the file was recently deleted, the drive is a traditional spinning hard disk or a non-TRIM external device, and no one disputes the facts. For anything else, engage a professional before anyone else touches the device. This includes matters that may touch litigation, regulatory inquiry, insurance claims, or internal discipline. The cost of a proper forensic examination is small compared to the cost of evidence being excluded because it was handled improperly.

Our team performs professional file recovery for legal matters, corporate investigations, and individuals who need documented, defensible results. Law firms use our recovery work in discovery and litigation. Our fraud examiners integrate recovered files into embezzlement, trade-secret, and data-exfiltration investigations. Corporate clients rely on us for due diligence and internal inquiries where digital evidence is central. Contact us to discuss your recovery needs.