Monday, August 2, 2010

Recovering deleted MAC files

If a file on MAC has been deleted and removed from the trash bin, recovery is difficult. On may operating systems and file systems, a deleted file remains in the directory, but is marked as deleted. With a MAC, the catalog entry is cleared entirely and then the catalog sector is rewritten with no residual information on the file remaining.

The only way to recover MAC deleted files is with data carving. This is a process where the disk is scanned and the start of each sector is examined for known file signatures. For instance, a JPEG file will always start with the bytes 0xFF 0xD8 0xFF then normally a 0xE0 or 0xE1. A clever carving program will then go a few stages further and analyse the data. CnW will try and reconstruct a file name based on metadata within a file, so most JPEGs will be recovered with an original date.

The problem with data carving is that directory structure is retained.

When the file is deleted, so is all the information of where different setions of the file have been saved. Fortunately, most MAC files are sequential so a high recovery rathe can be expected.

No comments:

Post a Comment