-
June 5th, 2003, 11:58 AM
#1
Recovering information on deleted files
Hi all,
I'm new to the area of computer forensics, and was wondering if anyone on this board could clear something up for me;
When a file is deleted, it isn't 'deleted' (or as is my understanding), it is only "moved or something". Can someone tell me exactly what happens when you delete a file?
Also, when authorities such as the Police and the FBI seize a computer, how do they recover information on "deleted" files? Does it take a long time, or are there programs available that can help with the matter?
Thank you for your help in advance
-
June 5th, 2003, 12:30 PM
#2
You are correct in your assumption that a 'deleted' file is not really deleted. There are only some flags set that tell the OS the space the file occupied is ready to be overwritten.
The following scan of the month deals with deleted files and how to recover them.
http://project.honeynet.org/scans/scan24/
The answers are on the links at the bottom of the page.
If you want to learn how the process works I suggest taking a look at the challenge. It is a great learning experience.
For file recovery in Windows there are some programs. The one better than the other.
Cheers
noODle
-
June 5th, 2003, 02:20 PM
#3
When a file is deleted, it isn't 'deleted'? Yes.
Exactly what happens when you delete a file? It depends on the file system (which loosely means the OS).
How do they recover information on "deleted" files? Does it take a long time, or are there programs available that can help with the matter? A quick web search of "Recovering information on deleted files" will give you useful links about this subject.
http://www.google.com/search?q=Recov...+deleted+files
Peace always,
<jdenny>
Always listen to experts. They'll tell you what can't be done and why. Then go and do it. -- Robert Heinlein
I'm basically a very lazy person who likes to get credit for things other people actually do. -- Linus Torvalds
-
June 5th, 2003, 03:45 PM
#4
Well, it really depends on the file system and the OS. In FAT, when you delete a file, it replaces the first character of the file name in the FAT entry with a '?', and this is used to recognize the deleted file. To restore it you need to supply the correct first word and replace it with the original character.
guru@linux:~> who | grep -i blonde | talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;
-
June 5th, 2003, 04:05 PM
#5
Restorer2000 is a program that I use. It works for NTFS or FAT partitions and has a free demo available HERE.
You can get product information HERE.
Have fun.
Cheers:
-
June 5th, 2003, 05:04 PM
#6
Well, it really depends on the file system and the OS. In FAT, when you delete a file, it replaces the first character of the file name in the FAT entry with a '?', and this is used to recognize the deleted file. To restore it you need to supply the correct first word and replace it with the original character.
Yep, that would be the flag to overwrite the disk space occupied by the file.
On another note, you can get shredder which will overwrite the disk area and make it *extremely* difficult to restore the file. Even then, you may only get bits and pieces of the original content.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
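An added illustration of the FAT behaviour discussed in posts #4 and #6 (not code from any poster or from the tools mentioned): on disk, deleting a file overwrites the first byte of the name in its 32-byte directory entry with 0xE5, which tools commonly display as '?', while the start cluster and size stay readable. The directory bytes and the names `make_entry`, `scan_directory` and `restore_name` are constructed for this example.

```python
import struct

ENTRY_SIZE = 32
DELETED = 0xE5     # first name byte of a deleted entry
END_OF_DIR = 0x00  # first name byte of a never-used entry: nothing follows
ATTR_LFN = 0x0F    # long-file-name helper entry, not a file of its own


def make_entry(name, ext, start_cluster, size, deleted=False):
    """Build a constructed 32-byte short-name entry (sample data only)."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:11] = (name.ljust(8) + ext.ljust(3)).encode("ascii")
    raw[11] = 0x20                                    # archive attribute
    struct.pack_into("<HI", raw, 26, start_cluster, size)
    if deleted:
        raw[0] = DELETED   # the rest of the entry is left intact
    return bytes(raw)


def scan_directory(raw):
    """Return one record per short-name entry, flagging deleted ones."""
    found = []
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = raw[off:off + ENTRY_SIZE]
        if entry[0] == END_OF_DIR:
            break
        if (entry[11] & 0x3F) == ATTR_LFN:
            continue
        deleted = entry[0] == DELETED
        stem = b"?" + entry[1:8] if deleted else entry[0:8]
        start_cluster, size = struct.unpack_from("<HI", entry, 26)
        found.append({"name": stem.decode("ascii", "replace").rstrip(),
                      "ext": entry[8:11].decode("ascii", "replace").rstrip(),
                      "deleted": deleted,
                      "start_cluster": start_cluster, "size": size})
    return found


def restore_name(record, first_char):
    """Rebuild the 8.3 name once the lost first character is supplied."""
    stem = first_char.upper() + record["name"][1:]
    return f"{stem}.{record['ext']}" if record["ext"] else stem


# Constructed directory: one live file, one deleted file, end marker.
SAMPLE_DIR = (make_entry("REPORT", "DOC", 2, 20480)
              + make_entry("SECRET", "TXT", 7, 1337, deleted=True)
              + bytes(ENTRY_SIZE))
```

`scan_directory(SAMPLE_DIR)` reports the deleted entry as `?ECRET.TXT` with its start cluster and size still present; whether the content can be read back depends on those clusters not having been reused or overwritten.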