Recovering deleted data

From ForensicsWiki
Revision as of 20:03, 15 May 2006 by Uwe Hermann (Talk | contribs)


When a user deletes a file, most modern operating systems do not erase the actual data. For example, when a file in a FAT file system is deleted, the Root Directory entry and the FATs are updated, but the data residing in the Data Area remains intact.
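The FAT case described above, as an added example that is not part of the original article: it reads the layout from the boot sector, lists root directory entries whose first byte is the deleted marker 0xE5, and reads the file body back from the Data Area. The function names and the sample image are constructed for illustration, and recovery assumes the file occupied contiguous clusters.

```python
import struct

def parse_bpb(img):
    """Lay out a FAT12/16 volume from its boot sector (BIOS Parameter Block)."""
    bps, spc, reserved, nfats, root_ents = struct.unpack_from("<HBHBH", img, 11)
    (spf,) = struct.unpack_from("<H", img, 22)
    root_off = (reserved + nfats * spf) * bps
    root_len = root_ents * 32
    data_off = root_off + -(-root_len // bps) * bps  # root dir rounded up to whole sectors
    return {"cluster_size": bps * spc, "root_off": root_off,
            "root_len": root_len, "data_off": data_off}

def deleted_entries(img, lay):
    """Return (name, start_cluster, size) for root entries marked deleted (0xE5)."""
    found = []
    for off in range(lay["root_off"], lay["root_off"] + lay["root_len"], 32):
        ent = img[off:off + 32]
        if ent[0] == 0x00:                      # never-used entry: end of directory
            break
        if ent[0] != 0xE5 or ent[11] == 0x0F:   # live entry or long-file-name slot
            continue
        name = b"?" + ent[1:8].rstrip() + b"." + ent[8:11].rstrip()  # first char is lost
        start, size = struct.unpack_from("<HI", ent, 26)
        found.append((name.decode("ascii", "replace"), start, size))
    return found

def recover(img, lay, start, size):
    """Read the file body, ASSUMING contiguous clusters: the FAT chain is zeroed on delete."""
    off = lay["data_off"] + (start - 2) * lay["cluster_size"]  # cluster numbering starts at 2
    return img[off:off + size]

def build_sample_image():
    """Constructed 4 KiB FAT16-style image holding one deleted file (not real evidence)."""
    img = bytearray(512 * 8)
    struct.pack_into("<HBHBH", img, 11, 512, 1, 1, 2, 16)  # bps, spc, reserved, FATs, root entries
    struct.pack_into("<H", img, 22, 1)                     # sectors per FAT
    lay = parse_bpb(img)
    content = b"quarterly figures\n" * 40                  # 720 bytes: clusters 3 and 4
    img[lay["root_off"]:lay["root_off"] + 32] = (
        b"\xE5ECRET  TXT" + b"\x20" + bytes(14) + struct.pack("<HI", 3, len(content)))
    off = lay["data_off"] + (3 - 2) * lay["cluster_size"]
    img[off:off + len(content)] = content
    return bytes(img), content

if __name__ == "__main__":
    img, original = build_sample_image()
    lay = parse_bpb(img)
    for name, start, size in deleted_entries(img, lay):
        print(name, start, size, recover(img, lay, start, size) == original)
```

If the file was fragmented, or its clusters were reallocated after deletion, the bytes returned will not match the original content, so recovered files should be validated before they are relied on.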

Recovery Programs

There are many programs that can recover these deleted files. Some of these software packages are specifically designed for forensic purposes. For example, Scalpel and its predecessor, foremost, were developed to facilitate forensic investigations.

Recovery challenges and test images

[1] File Carving Challenge - DFRWS 2006

[2] FAT Undelete Test #1 - Digital Forensics Tool Testing Image (dftt #6)

[3] NTFS Undelete (and leap year) Test #1 - Digital Forensics Tool Testing Image (dftt #7)

[4] Basic Data Carving Test - fat32 (by Nick Mikus) - Digital Forensics Tool Testing Image (dftt #11)

[5] Basic Data Carving Test - ext2 (by Nick Mikus) - Digital Forensics Tool Testing Image (dftt #12)