We are a Charter Member of the Cyber Lab Group

How Files are Stored, Deleted and Recovered (FAT file systems)

When a file is created three things occur: 

1. An entry is made into the File Allocation Table (FAT) to indicate where the actual data is stored in the Data Area. (A File Allocation Table is the means by which the operating system keeps track of where the pieces of a file are stored on a hard disk.)

2. A Directory entry is made to indicate file name, size, the link to the FAT and other information. 

3. The data is written to the Data Area. 

FAT: Entry
Directory: Entry
Data Area: Entry

When a file is deleted only two things occur: 

1. The File Allocation Table entry for that particular file is zeroed out and shown as available for use by a new file. (A File Allocation Table is the means by which the operating system keeps track of where the pieces of a file are stored on a hard disk.)

2. The first character of the Directory Entry file name is changed to a special character. (E5 HEX) 

3. Nothing is done to the Data Area.  The data is untouched. 

FAT: Zeroed Out
Directory Entry: Name Changed
Data Area: Nothing Done


 

When a file is restored only two things need to be done:

1. The File Allocation Table entry for that particular file is linked to the particular location in the data area where the file data is stored.

2. The first character of the Directory Entry file name is changed to a legal character.

3. Nothing is done to the Data Area.

FAT: Linked to Data
Directory Entry: Changed to Legal Character
Data Area: Not Touched


As long as the actual data in the Data Area is not overwritten by a new file, deleted files can be recovered. 

Windows Long File Names have separate directory entries, but are not directly linked to the FAT.  The first character of the Long File Name is also changed to a special character (E5 HEX) upon deletion.  The Long File Name can be recovered, but does not need to be recovered to restore the deleted file. 
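The deletion and restore steps above can be followed on a small sample. This is an added example, not software from this site: it scans 32-byte directory entries for the E5 marker, skips Long File Name entries, and reads the data back. The sample volume is constructed, the function names are hypothetical, and the file is assumed to occupy consecutive clusters, because the zeroed FAT no longer records where each piece was.

```python
import struct

ENTRY_SIZE = 32          # every FAT directory entry is 32 bytes
DELETED = 0xE5           # first name byte after deletion
ATTR_LFN = 0x0F          # attribute value marking a Long File Name entry

def deleted_entries(directory: bytes):
    """Return short-name entries whose first byte is the E5 deletion marker."""
    found = []
    for off in range(0, len(directory) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = directory[off:off + ENTRY_SIZE]
        if e[0] == 0x00:                 # 0x00 = no further entries in use
            break
        if e[0] != DELETED or e[11] == ATTR_LFN:
            continue                     # live entry, or a Long File Name entry
        base = e[1:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        cluster, size = struct.unpack_from("<HI", e, 26)  # start cluster (low word), size
        found.append({"name": "?" + base + ("." + ext if ext else ""),
                      "cluster": cluster, "size": size})
    return found

def recover(entry, fat, data_area, cluster_size):
    """Read the file back, assuming it occupied consecutive clusters."""
    count = -(-entry["size"] // cluster_size)            # clusters needed, rounded up
    clusters = range(entry["cluster"], entry["cluster"] + count)
    # A non-zero FAT entry means the cluster has been given to a newer file.
    intact = all(fat[c] == 0 for c in clusters)
    start = (entry["cluster"] - 2) * cluster_size        # data area begins at cluster 2
    return data_area[start:start + entry["size"]], intact

def make_entry(name11: bytes, cluster: int, size: int) -> bytes:
    """Build a constructed 32-byte short-name directory entry."""
    return name11 + bytes([0x20]) + bytes(14) + struct.pack("<HI", cluster, size)

# Constructed sample volume: 16-byte clusters, cluster 2 live, clusters 3-4 deleted.
CLUSTER = 16
FAT = [0xFFF8, 0xFFFF, 0xFFFF, 0, 0, 0]   # entries 3 and 4 zeroed by the delete
DATA = b"live file data!!" + b"deleted evidence, 25 byte".ljust(32, b"\0") + bytes(16)
DIRECTORY = (make_entry(b"KEEP    TXT", 2, 16)
             + make_entry(b"\xe5OTES   TXT", 3, 25)
             + bytes(32))

if __name__ == "__main__":
    for ent in deleted_entries(DIRECTORY):
        print(ent, recover(ent, FAT, DATA, CLUSTER))
```

The original first character of the name is lost when it is replaced by E5, so the example reports it as "?"; the second value returned by recover() is False when any of the file's clusters has since been allocated to a new file.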

When a Hard Disk Drive or Diskette is formatted, the Data Area is also left untouched.  The FAT and Directory Entry are zeroed out and more steps are required to recover this data. Normally most of the original data can be recovered from formatted media.
 

 

Contact us at

(305)453-7862

or



Copyright © 2003 Key Computer Service, Inc.