Recovering deleted data

From ForensicsWiki
Revision as of 16:28, 11 May 2006 by Jfbeckers (Talk | contribs)

Jump to: navigation, search

When the user requests to delete a file, most modern operating systems generally do not erase the actual data. For example, when a file in a FAT file system is deleted, the Root Directory entry and FATs are updated, but the data residing in the Data Area remains intact.

Recovery Programs

There are many programs that can recover these deleted files. Some of these software packages are specifically designed for forensics purposes. For example, Scalpel and its predecessor, foremost, were developed to facilitate forensics investigations.

Recovery challenges and test images

[1] File Carving Challenge - DFRWS 2006

[2] FAT Undelete Test #1 - Digital Forensics Tool Testing Image (dftt #6)

[3] NTFS Undelete (and leap year) Test #1 - Digital Forensics Tool Testing Image (dftt #7)

[4] Basic Data Carving Test - fat32 (by Nick Mikus) - Digital Forensics Tool Testing Image (dftt #11)

[5] Basic Data Carving Test - ext2 (by Nick Mikus) - Digital Forensics Tool Testing Image (dftt #12)