Abstract
Deleted file recovery tools use residual metadata left behind after files are deleted to reconstruct deleted files. File systems use metadata to keep track of the location of user files, time stamps of file activity, file ownership and file access permissions. When a file is deleted, many file systems do not actually remove the file content, but mark the file blocks as available for reuse by future file allocations. This paper describes a strategy for testing forensic tools that recover deleted files from the residual metadata that can be found after a file has been deleted.
© 2012 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Lyle, J.R. (2012). A Strategy for Testing Metadata Based Deleted File Recovery Tools. In: Gladyshev, P., Rogers, M.K. (eds) Digital Forensics and Cyber Crime. ICDF2C 2011. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 88. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35515-8_9
DOI: https://doi.org/10.1007/978-3-642-35515-8_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-35514-1
Online ISBN: 978-3-642-35515-8
eBook Packages: Computer Science (R0)