Computer data recovery principles

From CrimeLine from Andrew Keogh


See also:


WhiteCanyon: Computer data recovery principles

Hardware Data Recovery

A hard drive contains a number of disks, called platters, which are coated with a magnetic substance. These platters spin at high speeds under a mechanical arm (the actuator arm) that moves backwards and forwards over the surface of each platter.

File Allocation Tables (FAT) and Master File Tables (MFT)

On older Operating Systems such as Windows 98 there is a storage area known as the Root Directory. This is the place that stores the name of a file, the location of its starting cluster, and its size. In order to find a file, the Operating System uses this information to get to the first cluster. It then uses a special table at the start of the disk known as the File Allocation Table or FAT to identify the remaining clusters that are used to store the file. It is important to realize that this information is stored completely separately from your file data, which is part of the reason why data recovery is possible.

In newer Operating Systems the FAT and Directory Entry method have been merged and replaced by a single table known as the Master File Table or MFT. While the MFT is more complex, the principle of locating the start of a file and its subsequent storage clusters is essentially the same.

What happens when I delete a file?

Let's look at what happens when you intentionally delete a file and why it may be possible to bring that file back. When you select a file and press the delete key on a Windows computer, the file is sent to the Recycle Bin. You may think of the Windows Recycle Bin as just another fancy storage folder on your hard drive. The real deletion is what happens when the Recycle Bin is emptied or the deletion bypasses the Windows Recycle Bin altogether.

When a file is deleted, the Operating System marks the file name in the MFT with a special character that signifies to the computer that the file has been deleted. The computer now treats the clusters occupied by that file as empty and therefore as available space to store a new file. What the Windows Operating System does NOT do is go out to the clusters on the hard disk where the file's data is actually stored and wipe the contents of these clusters. The deleted file data is still there, but the Operating System no longer knows that it exists. Permanently removing this data requires the use of a special disk wiping tool like SecureClean or WipeDrive to completely overwrite the file clusters.

The underlying principle of data recovery is simply finding data that still exists on the hard drive but which currently can't be located by the Operating System.

The only way that your deleted MFT record or your file data itself will permanently be destroyed is if it is overwritten by other data. This means that any computer activity after the deletion has the potential to permanently erase otherwise recoverable files.
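
The principle described above, shown as an added example that is not part of the original page or of any WhiteCanyon tool: a deleted directory record still points at intact data until the cluster is overwritten. It goes beyond the page by using the FAT root directory layout (32-byte entries, the byte 0xE5 over the first name character as the deletion marker, first data cluster numbered 2). The image, file names, contents and 512-byte cluster size are constructed for the example, and recovery assumes the deleted file's clusters are contiguous.

```python
import struct

CLUSTER = 512                 # assumed cluster size for this constructed image
DELETED = 0xE5                # FAT marker written over the first name byte
ENTRY = struct.Struct("<8s3sB14xHI")  # name, ext, attr, start cluster, size (32 bytes)

def make_entry(name, ext, start, size, deleted=False):
    """Build one constructed 32-byte FAT16-style directory entry."""
    raw = bytearray(ENTRY.pack(name.ljust(8).encode(), ext.encode(), 0x20, start, size))
    if deleted:
        raw[0] = DELETED      # the only change deletion makes to the entry
    return bytes(raw)

def parse_directory(root):
    """Return live and deleted entries found in a raw root directory."""
    found = []
    for off in range(0, len(root) - ENTRY.size + 1, ENTRY.size):
        raw = root[off:off + ENTRY.size]
        if raw[0] == 0x00:    # 0x00 marks the end of the used entries
            break
        name, ext, attr, start, size = ENTRY.unpack(raw)
        if attr == 0x0F:      # long-file-name fragment, not a file record
            continue
        deleted = raw[0] == DELETED
        stem = name[1:] if deleted else name   # first character is lost on delete
        label = ("?" if deleted else "") + stem.decode("ascii", "replace").rstrip()
        found.append({"name": label + "." + ext.decode("ascii", "replace").rstrip(),
                      "deleted": deleted, "start": start, "size": size})
    return found

def recover(entry, data_area):
    """Read the file body, assuming its clusters are contiguous (cluster 2 is first)."""
    off = (entry["start"] - 2) * CLUSTER
    return bytes(data_area[off:off + entry["size"]])

def build_sample():
    """Constructed image: one live file, one deleted file whose data is untouched."""
    live, gone = b"quarterly figures, draft 3", b"deleted but still on disk"
    data = bytearray(4 * CLUSTER)
    data[0:len(live)] = live                        # cluster 2
    data[CLUSTER:CLUSTER + len(gone)] = gone        # cluster 3
    root = (make_entry("NOTES", "TXT", 2, len(live))
            + make_entry("SECRET", "TXT", 3, len(gone), deleted=True) + bytes(32))
    return root, data

if __name__ == "__main__":
    root, data = build_sample()
    for e in parse_directory(root):
        print(e["name"], "DELETED" if e["deleted"] else "live", recover(e, data))
    data[CLUSTER:2 * CLUSTER] = bytes(CLUSTER)      # a later write reuses cluster 3
    print(recover(parse_directory(root)[1], data))  # now only zero bytes remain
```
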
