Difference between revisions of "Recovering deleted data"

From ForensicsWiki

Revision as of 19:03, 15 May 2006


When a user deletes a file, most modern operating systems do not erase the actual data. For example, when a file in a FAT file system is deleted, the Root Directory entry and the FATs are updated, but the data residing in the Data Area remains intact.
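The FAT case above can be shown in a few lines of code. The following is an added example, not part of the original article or of any tool it names: it scans a root directory for entries marked deleted and reads their content back from the Data Area. The sample volume, the 16-byte cluster size and all function names are constructed for illustration, and recovery assumes the file was stored contiguously.

```python
import struct

ENTRY_SIZE = 32          # size of one FAT 8.3 directory entry
DELETED = 0xE5           # first name byte of a deleted entry
LFN_ATTR = 0x0F          # long-file-name entries, skipped here
FMT = "<11sB14xHI"       # name, attributes, first cluster (low word), size

def make_entry(name, first_cluster, size, deleted=False):
    """Build a constructed 32-byte directory entry (sample data only)."""
    raw = bytearray(struct.pack(FMT, name, 0x20, first_cluster, size))
    if deleted:
        raw[0] = DELETED  # deletion overwrites only the first name byte
    return bytes(raw)

def find_deleted(root_dir):
    """Return (name, first_cluster, size) for every deleted 8.3 entry."""
    hits = []
    for off in range(0, len(root_dir), ENTRY_SIZE):
        e = root_dir[off:off + ENTRY_SIZE]
        if len(e) < ENTRY_SIZE or e[0] == 0x00:   # 0x00 marks end of directory
            break
        if e[0] != DELETED or e[11] == LFN_ATTR:
            continue
        name, _attr, cluster, size = struct.unpack(FMT, e)
        base = name[1:8].decode("ascii", "replace").rstrip()
        ext = name[8:].decode("ascii", "replace").rstrip()
        hits.append(("?" + base + ("." + ext if ext else ""), cluster, size))
    return hits

def recover(data_area, first_cluster, size, cluster_size):
    """Read `size` bytes from `first_cluster` onward. Assumes a contiguous file:
    the FAT chain is freed on deletion, so later clusters cannot be followed."""
    start = (first_cluster - 2) * cluster_size    # data clusters are numbered from 2
    return data_area[start:start + size]

# Constructed sample volume: one live file, one deleted file spanning two clusters.
CLUSTER = 16
CONTENT = b"data survives deletion"
SAMPLE_ROOT = (make_entry(b"KEEP    TXT", 2, 9)
               + make_entry(b"SECRET  TXT", 3, len(CONTENT), deleted=True)
               + bytes(ENTRY_SIZE))               # all-zero entry ends the directory
SAMPLE_DATA = b"live file".ljust(CLUSTER, b"\0") + CONTENT.ljust(2 * CLUSTER, b"\0")

if __name__ == "__main__":
    for name, cluster, size in find_deleted(SAMPLE_ROOT):
        print(name, recover(SAMPLE_DATA, cluster, size, CLUSTER))
```

The first character of the recovered name is shown as `?` because the deletion marker replaces it in the directory entry.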

Recovery Programs

There are many programs that can recover these deleted files. Some of these software packages are specifically designed for forensic purposes. For example, Scalpel and its predecessor, foremost, were developed to facilitate forensic investigations.

Recovery challenges and test images

[1] File Carving Challenge - DFRWS 2006

[2] FAT Undelete Test #1 - Digital Forensics Tool Testing Image (dftt #6)

[3] NTFS Undelete (and leap year) Test #1 - Digital Forensics Tool Testing Image (dftt #7)

[4] Basic Data Carving Test - fat32 (by Nick Mikus) - Digital Forensics Tool Testing Image (dftt #11)

[5] Basic Data Carving Test - ext2 (by Nick Mikus) - Digital Forensics Tool Testing Image (dftt #12)