Difference between revisions of "Recovering deleted data"

From Forensics Wiki
Jump to: navigation, search
(Rewrote the stub that was there)
m
Line 1: Line 1:
When the user requests to delete a file, most modern operating systems generally do not erase the actual data. For example, when a file in a [[FAT]] file system is deleted, the Root Directory entry and FATs are updated, but the data residing in the Data Area remains intact.
+
When the user requests to delete a file, most modern [[operating system]]s generally do not erase the actual data. For example, when a file in a [[FAT]] [[file system]] is deleted, the Root Directory entry and FATs are updated, but the data residing in the Data Area remains intact.
  
==Recovery Programs==
+
== Recovery Programs ==
  
There are many programs that can recover these deleted files. Some of these softare packages are specifically designed for forensics purposes. For example, [[Scalpel]] and its predecessor, [[foremost]], were developed to facilitate forensics investigations.
+
There are many programs that can recover these deleted files. Some of these software packages are specifically designed for forensics purposes. For example, [[Scalpel]] and its predecessor, [[foremost]], were developed to facilitate forensics investigations.

Revision as of 20:32, 21 March 2006

When the user requests to delete a file, most modern operating systems generally do not erase the actual data. For example, when a file in a FAT file system is deleted, the Root Directory entry and FATs are updated, but the data residing in the Data Area remains intact.

Recovery Programs

There are many programs that can recover these deleted files. Some of these software packages are specifically designed for forensics purposes. For example, Scalpel and its predecessor, foremost, were developed to facilitate forensics investigations.