Modern filesystems make forensic file recovery much more difficult. Tools like Foremost and Scalpel identify data structures and carve files from a hard disk image.
IT experts and investigators have many reasons for reconstructing deleted files. Whether an intruder has deleted a log to conceal an attack or a user has destroyed a digital photo collection with an accidental rm ‑rf, you might someday face the need to recover deleted data. In the past, recovery experts could easily retrieve a lost file because an earlier generation of filesystems simply deleted the directory entry. The meta information that described the physical location of the data on the disk was preserved, and tools like The Coroner’s Toolkit (TCT [1]) and The Sleuth Kit (TSK [2]) could uncover the information necessary for restoring the file. Today, many filesystems delete the full set of meta information, leaving the data blocks. Putting these pieces together correctly is called file carving – forensic experts carve the raw data off the disk and reconstruct the files from it. The more fragmented the filesystem, the harder this task become.
Stop by Rikki's Open Source Exchange for dispatches from the world of women in open source.
Rikki Kite examines the experience of women across the spectrum of open source – the people, projects, organizations, events, articles, issues, and news.
Comments
Missing page in print article
anon Jul 21, 2008 4:49pm GMT
Pg 32 of the print article is incorrect. Page 33 is duplicated on pgs 32 and 33.Thank you for providing correct article layout via PDF.