Results 1 to 6 of 6

Thread: Recovering information on deleted files

  1. #1

    Recovering information on deleted files

    Hi all,

    Im new to the area of computer forensics, and was wondering if anyone on this board could clear something up for me;

    When a file is deleted, it isnt 'deleted' (or as is my understanding), it is only "moved or something". Can someone tells me exactly what happens when you delete a file?
    Also, when authorities such as the Police and the FBI seize a computer, how do they recover information on "deleted" files? Does it take a long time, or are there programs available that can help with the matter?

    Thank you for your help in advance

  2. #2
    You are correct in your assumption that a 'deleted' file is not really deleted. There are only some flags set that tell the OS the space the file occupied is ready to be overwritten.
    The following scan of the month deals with deleted files and how to recover.
    http://project.honeynet.org/scans/scan24/
    The answers are on the links at the bottom of the page.
    If you want to learn how the process works I suggest taking a look at the challenge. It is a great learning experience.

    For file recovery in Windows there are some programs. The one better then the other.

    Cheers
    noODle

  3. #3
    Senior Member
    Join Date
    Jul 2002
    Posts
    339
    When a file is deleted, it isnt 'deleted'? Yes.

    Exactly what happens when you delete a file? It depends on the file system (which loosely means the OS).

    How do they recover information on "deleted" files? Does it take a long time, or are there programs available that can help with the matter? A quick web search of "Recovering information on deleted files" will give you useful links about this subject.
    http://www.google.com/search?q=Recov...+deleted+files

    Peace always,
    <jdenny>
    Always listen to experts. They\'ll tell you what can\'t be done and why. Then go and do it. -- Robert Heinlein
    I\'m basically a very lazy person who likes to get credit for things other people actually do. -- Linus Torvalds


  4. #4
    Senior Member
    Join Date
    May 2003
    Posts
    472
    welll it really depends on the file system and the OS..in FAT when you delete a file, replaces the first character of the file name in FAT entry with a '?' and this is used to recognize the deleted file to restore it u need to supply the correct first word and replace it with the original character
    guru@linux:~> who I grep -i blonde I talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;

  5. #5
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Restorer2000 is a program that I use. It works for NTFS or FAT partitions and has a free demo available HERE.

    You can get product information HERE.

    Have fun.

    Cheers:
    DjM

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    welll it really depends on the file system and the OS..in FAT when you delete a file, replaces the first character of the file name in FAT entry with a '?' and this is used to recognize the deleted file to restore it u need to supply the correct first word and replace it with the original character
    Yep, that would be the flag to overwrite the disk space occupied by the file.

    On another note, you can get shredder which will overwrite the disk area and make it *extremely* difficult to restore the file. Even then, you may only get bits and pieces of the original content.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •