Difference between revisions of "Recovering deleted data"

From ForensicsWiki
m
m (moved data to Carving page.)
Line 1: Line 1:
 
{{Wikify}}
 
{{Wikify}}
  
When the user requests to delete a file, most modern [[operating system]]s generally do not erase the actual data. For example, when a file in a [[FAT]] [[file system]] is deleted, the Root Directory entry and FATs are updated, but the data residing in the Data Area remains intact.
+
When the user requests to delete a file, most modern [[operating system]]s do not erase the actual data. Instead, they merely erase a pointer to the file so that the file does not appear in directory listings. These files can be recovered by simply ''undeleting'' the file---that is, restoring the directory entry.
  
== Recovery Programs ==
+
For some file systems, such as [[FAT]], the deleted directory entry itself is easily recovered. In these cases the files can be recovered using an ''undelete'' program.  In other cases, however, the directory entry is not available---perhaps because it was overwritten. In these cases the only way that the file can be recovered is through the use of [[Carving|File Carving]].
  
There are many programs that can recover these deleted files. Some of these software packages are specifically designed for forensics purposes. For example, [[Scalpel]] and its predecessor, [[foremost]], were developed to facilitate forensics investigations.
+
=See Also=
 
+
[[Carving]]
== Recovery challenges and test images ==
+
 
+
[http://www.dfrws.org/2006/challenge/]
+
File Carving Challenge - [[DFRWS]] 2006
+
 
+
[http://dftt.sourceforge.net/test6/index.html]
+
FAT Undelete Test #1 - Digital Forensics Tool Testing Image (dftt #6)
+
 
+
[http://dftt.sourceforge.net/test7/index.html]
+
NTFS Undelete (and leap year) Test #1 - Digital Forensics Tool Testing Image (dftt #7)
+
 
+
[http://dftt.sourceforge.net/test11/index.html]
+
Basic Data Carving Test - fat32 (by Nick Mikus) - Digital Forensics Tool Testing Image (dftt #11)
+
 
+
[http://dftt.sourceforge.net/test12/index.html]
+
Basic Data Carving Test - ext2 (by Nick Mikus) - Digital Forensics Tool Testing Image (dftt #12)
+

Revision as of 13:07, 13 February 2007


When the user requests to delete a file, most modern operating systems do not erase the actual data. Instead, they merely erase a pointer to the file so that the file does not appear in directory listings. These files can be recovered by simply undeleting the file, that is, by restoring the directory entry.

For some file systems, such as FAT, the deleted directory entry itself is easily recovered. In these cases the files can be recovered using an undelete program. In other cases, however, the directory entry is not available, perhaps because it was overwritten. In these cases the only way to recover the file is through File Carving.
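The FAT case described above, as an added example that is not part of the original article: a scan of a raw FAT directory region for deleted short-name entries. The 0xE5 deletion marker and the field offsets come from the FAT on-disk format rather than from this page; the function names and the sample directory are constructed for illustration.

```python
import struct

ENTRY_SIZE = 32
DELETED = 0xE5         # first name byte of a deleted FAT directory entry
END_OF_DIR = 0x00      # first name byte meaning "no entries past this point"
ATTR_VOLUME_ID = 0x08  # set on volume labels and on long-file-name slots (0x0F)

def find_deleted_entries(dir_bytes):
    """Return the metadata that survives in each deleted short-name entry."""
    found = []
    for off in range(0, len(dir_bytes) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = dir_bytes[off:off + ENTRY_SIZE]
        if entry[0] == END_OF_DIR:
            break
        attr = entry[11]
        if entry[0] != DELETED or attr & ATTR_VOLUME_ID:
            continue  # live entry, volume label or long-name slot
        # Deletion overwrote only byte 0; the rest of the 8.3 name is intact.
        base = entry[1:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        hi, = struct.unpack_from("<H", entry, 20)        # high cluster word (FAT32)
        lo, size = struct.unpack_from("<HI", entry, 26)  # low cluster word, file size
        found.append({
            "offset": off,
            "name": "?" + base + ("." + ext if ext else ""),
            "first_cluster": (hi << 16) | lo,
            "size": size,
        })
    return found

def make_entry(name83, attr, cluster, size, deleted=False):
    """Build one constructed 32-byte directory entry for the sample below."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:11] = name83
    raw[11] = attr
    struct.pack_into("<H", raw, 20, cluster >> 16)
    struct.pack_into("<HI", raw, 26, cluster & 0xFFFF, size)
    if deleted:
        raw[0] = DELETED
    return bytes(raw)

# Constructed sample directory: one live file, one deleted file, end marker.
SAMPLE_DIR = (
    make_entry(b"README  TXT", 0x20, 3, 120)
    + make_entry(b"REPORT  DOC", 0x20, 0x10005, 20480, deleted=True)
    + bytes(ENTRY_SIZE)
)
```

The first character of the name is lost and has to be supplied by the examiner. Because deletion also frees the file's cluster chain in the FAT, a recovery that starts from `first_cluster` has to assume the data was stored contiguously.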

See Also

Carving