File Recovery
A forensic investigator needs to understand the actual workings of the
computer and operating system, which can sometimes be quite different
from what people view as expected behavior. For instance, a file that is
“deleted” may actually still be intact. A computer forensics
investigator can, in many cases, locate and recover the contents of that
file; certain actions, however, can permanently destroy the contents of
an unwanted file.
When you think of a computer file, you probably think of its contents as
stored on a medium such as a hard drive. Many people do not realize that
the file has a second important component: its directory entry. The
file system keeps a list of all the file names and locations, just like a
large building would have a directory of its occupants. When you delete
a file, the operating system changes or removes the directory entry,
but it seldom actually erases the file’s stored content. Programs called
undelete or file recovery software can search file directories for
deleted entries and can scan your entire disk for traces of file
contents. A secure delete program, popularly called a file shredder,
prevents anyone from recovering a deleted file. The shredder writes over
a file’s contents with a meaningless pattern, sometimes several times,
to ensure that the original data is no longer on the disk.
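
The difference between an ordinary delete and a shredder, as an added example that is not part of the original assignment. It is a toy model, not a real file system format: `ToyDisk`, its directory layout, the overwrite patterns and the sample file contents are all constructed for illustration.

```python
BLOCK = 16  # toy block size in bytes (assumption)

class ToyDisk:
    """A raw byte area plus a directory of names and locations."""
    def __init__(self, blocks=8):
        self.data = bytearray(BLOCK * blocks)
        self.directory = []   # entries: name, start, length, deleted flag
        self.next_free = 0

    def write_file(self, name, content):
        start = self.next_free
        self.data[start:start + len(content)] = content
        self.directory.append(
            {"name": name, "start": start, "length": len(content), "deleted": False})
        # round up to the next block boundary
        self.next_free = start + -(-len(content) // BLOCK) * BLOCK

    def _entry(self, name):
        return next(e for e in self.directory if e["name"] == name)

    def delete(self, name):
        """Ordinary delete: only the directory entry changes."""
        self._entry(name)["deleted"] = True

    def shred(self, name, patterns=(0xFF, 0xAA, 0x00)):
        """Secure delete: overwrite the content several times, then delete."""
        e = self._entry(name)
        for fill in patterns:
            self.data[e["start"]:e["start"] + e["length"]] = bytes([fill]) * e["length"]
        e["deleted"] = True

    def undelete(self):
        """Recovery via the directory: read what deleted entries still point at."""
        return {e["name"]: bytes(self.data[e["start"]:e["start"] + e["length"]])
                for e in self.directory if e["deleted"]}

    def carve(self, marker):
        """Recovery by scanning the whole disk for a content trace (-1 if absent)."""
        return self.data.find(marker)

def demo():
    disk = ToyDisk()
    disk.write_file("notes.txt", b"meeting at noon")   # constructed sample data
    disk.write_file("plan.txt", b"budget draft v2")
    disk.write_file("keep.txt", b"public readme")
    disk.delete("notes.txt")   # content stays on the disk
    disk.shred("plan.txt")     # content is overwritten first
    return disk.undelete(), disk.carve(b"meeting"), disk.carve(b"budget")

if __name__ == "__main__":
    print(demo())
```

The deleted file comes back intact through both the directory and the raw scan, while the shredded file yields only the final overwrite pattern.
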
To prepare for this application, locate and install both a file recovery
tool and a secure delete program. You can find many free versions of
these tools on the web, so if the first one doesn’t work well for you,
try another. Search the Internet for related resources.
When you have installed these programs, capture screenshots as you perform the following steps:
- Create a new folder on your computer’s hard drive or a thumb drive. Add at
least three files to this folder, and then delete one or two of them. Be
sure to remove the files from your recycle bin or trashcan as well.
- Run the file recovery program to locate and restore the deleted files.
- Delete the files again. This time, use the secure delete program.
- Run the file recovery program and try to recover the shredded files.
Write a 1- to 2-page paper to report the process you followed and your
findings. Format your report as if you were preparing a forensic results
report for an official investigation. Also include your impressions
about the file deletion and recovery process. For example, were you
surprised at the number of old deleted files you could restore? Why
aren’t files deleted securely by default?
All work is to be in APA format.

