Undeleting Data

It is common for people to delete files from their computers. Even criminals who are not very technically savvy think that deleting a file will keep authorities from discovering it. So you should expect that evidence will frequently be deleted from computers you examine. For this reason, one of the most fundamental tasks a forensic examiner will conduct is to retrieve deleted data.

This chapter does not delve into the specifics of the three major operating systems: Windows, Linux, and Macintosh. Instead, the focus is simply on recovering files from them. However, those operating system issues most closely related to deletion of files are discussed.

File Systems and Hard Drives

Hard drives store data in sectors. For many ...

Get System Forensics, Investigation, and Response, 3rd Edition now with the O’Reilly learning platform.