Difference between revisions of "Recovering deleted data"

From ForensicsWiki
Jump to: navigation, search
(it's->its)
(Rewrote the stub that was there)
Line 1: Line 1:
When the user requests to delete a file, most modern operating systems don't really delete the information. That is, although some information is changed, the data often remains on the original media. For example [[Microsoft Windows]] alters the directory information for the data, but not the data itself.  
+
When the user requests to delete a file, most modern operating systems generally do not erase the actual data. For example, when a file in a [[FAT]] file system is deleted, the Root Directory entry and FATs are updated, but the data residing in the Data Area remains intact.
  
 
==Recovery Programs==
 
==Recovery Programs==
  
There are many programs that can recover these deleted files, some specifically designed for forensics purposes, some not. For example, [[Scalpel]] and its predecessor [[foremost]] were developed with forensics in mind, while others like Norton Unerase was not.
+
There are many programs that can recover these deleted files.  Some of these softare packages are specifically designed for forensics purposes. For example, [[Scalpel]] and its predecessor, [[foremost]], were developed to facilitate forensics investigations.

Revision as of 04:51, 25 January 2006

When the user requests to delete a file, most modern operating systems generally do not erase the actual data. For example, when a file in a FAT file system is deleted, the Root Directory entry and FATs are updated, but the data residing in the Data Area remains intact.

Recovery Programs

There are many programs that can recover these deleted files. Some of these softare packages are specifically designed for forensics purposes. For example, Scalpel and its predecessor, foremost, were developed to facilitate forensics investigations.