Saturday, July 24, 2010

Undelete software

We all make mistakes, and deleting files or directories is a common one. There are lots of software packages that claim to help, but some can actually make things worse, and all, if not used carefully, can add to the misery by permanently overwriting files that could have been recovered.

When a file is deleted, either the directory entry is marked as deleted or, in the case of Macintosh systems and some Unix file systems, the file name and details are also deleted. On most common systems (unless special scrubbing software is included) the data remains unchanged on the disk, but the area the data occupies is redesignated as unallocated. This means that any new file can use the space that was previously assigned to the deleted files. Unless you have the budget of the CIA and FBI combined, it is safe to say that an overwritten sector is just that, and the previous data is lost for ever. The danger of downloading a data recovery or undelete program onto the computer where files have been deleted is very significant. There is no way to stop the program being copied to areas where the deleted files were, and so data will be lost for ever.

Any use of the computer, or even just leaving it on, can cause files in unallocated space to be overwritten. For instance, virus checkers are always having updates, as does Microsoft. Any web browsing generates many temporary files. Shut down must be as soon as possible. The only safe solution is to turn the computer off and remove the drive entirely. Any other approach, or delay, increases the chance of permanent loss. Even shutting down the computer writes files. For many forensic investigations it is often suggested that the best way is to literally pull the plug, and not try an organised shut down.

The safe solution is to remove the drive and set it up as a slave drive on a different computer running the undelete or data recovery software. For critical applications or forensic investigations, a write blocker should be used to ensure that no data is written to the slave drive.

When it comes to undelete software, again it is very dangerous to actually try to undelete rather than recover the deleted files to a different drive. With a FAT device, the record of the locations in which the original file is stored is deleted when the file is marked as deleted. Undeleting will therefore just assume that the file is sequential - a good starting point, but not always true. Also, for FAT32 files, the starting point of the file is only partially known, and very few recovery programs actually determine the correct location. Fortunately CnW Recovery does work out the correct location for files of a known type. See www.cnwrecovery.com/html/fat32.html for more details.
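
The FAT32 start-cluster problem described above, as an added example (not code from this post or from CnW Recovery). It assumes the common case where the high 16 bits of the start cluster in the deleted directory entry have been zeroed, and searches the possible start clusters for one that is unallocated and begins with the signature of the file's type. The function names and the sample entry and volume are constructed for illustration.

```python
import struct

# Leading bytes (signatures) of a few known file types.
SIGNATURES = {"JPG": b"\xff\xd8\xff", "PNG": b"\x89PNG", "PDF": b"%PDF"}

def parse_deleted_entry(entry):
    """Decode a 32-byte FAT short directory entry; None unless it is a deleted file."""
    if len(entry) != 32 or entry[0] != 0xE5 or (entry[11] & 0x3F) == 0x0F:
        return None  # not marked deleted, or a long-file-name slot
    (hi,) = struct.unpack_from("<H", entry, 20)      # high word of start cluster
    lo, size = struct.unpack_from("<HI", entry, 26)  # low word, file size in bytes
    return {"name": "?" + entry[1:8].decode("ascii", "replace").rstrip(),
            "ext": entry[8:11].decode("ascii", "replace").rstrip(),
            "hi": hi, "lo": lo, "size": size}

def candidate_starts(info, read_cluster, fat, max_cluster):
    """Treat the stored high word as unreliable: try each possible value and keep
    clusters that are unallocated (FAT entry 0) and start with the type's signature."""
    sig = SIGNATURES.get(info["ext"])
    hits, hi = [], 0
    while sig and (cluster := (hi << 16) | info["lo"]) <= max_cluster:
        if cluster >= 2 and fat.get(cluster, 0) == 0 and read_cluster(cluster).startswith(sig):
            hits.append(cluster)
        hi += 1
    return hits

# Constructed sample: deleted "?HOTO.JPG", high word zeroed, low word 0x0005.
ENTRY = struct.pack("<8s3sB8xHHHHI", b"\xe5HOTO   ", b"JPG", 0x20, 0, 0, 0, 0x0005, 1200)
# Constructed volume: only the clusters of interest; every other cluster reads as zeros.
CLUSTERS = {0x00005: b"\xff\xd8\xff\xe0 live file".ljust(512, b"\0"),
            0x10005: b"\xff\xd8\xff\xe0 deleted photo".ljust(512, b"\0"),
            0x20005: b"plain text".ljust(512, b"\0")}
FAT = {0x00005: 0x0FFFFFFF}  # cluster 5 is allocated to a live file (end of chain)

def read_cluster(n):
    """Read-only access to the constructed volume."""
    return CLUSTERS.get(n, bytes(512))

if __name__ == "__main__":
    info = parse_deleted_entry(ENTRY)
    print(info, [hex(c) for c in candidate_starts(info, read_cluster, FAT, 0x2FFFF)])
```

A naive undelete would start at cluster 5, which here belongs to a different, live file; the search instead finds the one free cluster with a JPEG header. Run such a search against an image or a write-blocked drive, and copy the recovered data to a different drive.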
