Difference between revisions of "Recovering deleted data"

From ForensicsWiki
Jump to: navigation, search
m
 
(7 intermediate revisions by 5 users not shown)
Line 1: Line 1:
Man shot dead at vehicle checkpoint
+
When the user requests to delete a file, most modern [[operating system]]s do not erase the actual data. Instead, they merely erase a pointer to the file so that the file does not appear in directory listings. These files can be recovered by simply ''undeleting'' the file — that is, restoring the directory entry.
A man has been shot dead by police at a vehicle checkpoint in Northern Ireland. Officers fired a number of rounds during the incident on Church Street in Ballynahinch, County Down. The man shot dead was the , County Down. The man shot dead was the
+
 
 +
For some file systems, such as [[FAT]], the deleted directory entry itself is easily recovered. In these cases the files can be recovered using an ''undelete'' program.  In other cases, however, the directory entry is not available — perhaps because it was overwritten. In these cases the only way that the file can be recovered is through the use of [[Carving|File Carving]].
 +
 
 +
=See Also=
 +
[[Carving]]

Latest revision as of 11:54, 13 June 2008

When the user requests to delete a file, most modern operating systems do not erase the actual data. Instead, they merely erase a pointer to the file so that the file does not appear in directory listings. These files can be recovered by simply undeleting the file — that is, restoring the directory entry.

For some file systems, such as FAT, the deleted directory entry itself is easily recovered. In these cases the files can be recovered using an undelete program. In other cases, however, the directory entry is not available — perhaps because it was overwritten. In these cases the only way that the file can be recovered is through the use of File Carving.

See Also

Carving