When the user requests to delete a file, most modern operating
systems don't really delete the information. That is, although some information is changed, the data often remains on the original media. For example [[Microsoft Windows]] alters the directory information for the data, but not the data itself. |+|
When the user requests to delete a file, most modern operating the . , the the . the , the .
| || |
|−|==Recovery Programs== |+|
| || |
|−|There are many programs that can recover these deleted files, some specifically designed for forensics purposes, some not. For example, [[ Scalpel]] and it's predecessor [[foremost]] were developed with forensics in mind, while others like Norton Unerase was not. |+|
Revision as of 16:54, 13 June 2008
When the user requests to delete a file, most modern operating systems do not erase the actual data. Instead, they merely erase a pointer to the file so that the file does not appear in directory listings. These files can be recovered by simply undeleting the file — that is, restoring the directory entry.
For some file systems, such as FAT, the deleted directory entry itself is easily recovered. In these cases the files can be recovered using an undelete program. In other cases, however, the directory entry is not available — perhaps because it was overwritten. In these cases the only way that the file can be recovered is through the use of File Carving.
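The FAT case described above, as an added example that is not part of the original wiki page: a FAT short-name directory entry is 32 bytes, and deletion marks it by setting the first name byte to 0xE5 while the rest of the entry, including the first cluster and the file size, stays in place. The helper names and the sample directory are constructed for illustration.

```python
import struct

# FAT short-name directory entry (32 bytes): name, ext, attributes,
# 8 bytes skipped, first-cluster high word, write time, write date,
# first-cluster low word, file size.
ENTRY = struct.Struct("<8s3sB8xHHHHI")
DELETED = 0xE5         # first name byte of a deleted entry
END_OF_DIR = 0x00      # first name byte when no further entries exist
ATTR_VOLUME_ID = 0x08  # set on volume labels and long-name fragments (0x0F)
ATTR_DIRECTORY = 0x10


def make_entry(name, ext, cluster, size, attr=0x20, deleted=False):
    """Build one constructed directory entry for the sample below."""
    raw = bytearray(ENTRY.pack(name.ljust(8).encode(), ext.ljust(3).encode(),
                               attr, cluster >> 16, 0, 0, cluster & 0xFFFF, size))
    if deleted:
        raw[0] = DELETED  # deletion marks the entry via its first name byte
    return bytes(raw)


def find_deleted(directory):
    """Return name, first cluster and size of each deleted file entry."""
    found = []
    for off in range(0, len(directory) - ENTRY.size + 1, ENTRY.size):
        raw = directory[off:off + ENTRY.size]
        if raw[0] == END_OF_DIR:
            break
        name, ext, attr, hi, _time, _date, lo, size = ENTRY.unpack(raw)
        if raw[0] != DELETED or attr & ATTR_VOLUME_ID:
            continue  # live entry, volume label or long-name fragment
        stem = "?" + name[1:].decode("ascii", "replace").rstrip()
        suffix = ext.decode("ascii", "replace").rstrip()
        found.append({"name": f"{stem}.{suffix}" if suffix else stem,
                      "first_cluster": (hi << 16) | lo, "size": size,
                      "is_dir": bool(attr & ATTR_DIRECTORY)})
    return found


# Constructed sample directory: two live files, one deleted file, one
# deleted long-name fragment, then the end-of-directory marker.
SAMPLE_DIR = b"".join([
    make_entry("README", "TXT", 3, 100),
    make_entry("REPORT", "DOC", 0x12345, 12345, deleted=True),
    make_entry("FRAG", "", 0, 0, attr=0x0F, deleted=True),
    make_entry("NEWFILE", "BIN", 9, 2048),
    bytes(32),
])
```

The first character of the recovered name is lost (shown as `?`). If the slot has been reused by a new file, nothing is reported for the old one, which is the case where file carving is needed.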