Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

How does forensic software detect deleted files? When a file is deleted, the poi

ID: 662129 • Letter: H

Question

How does forensic software detect deleted files?

When a file is deleted, the pointer from MFT in NTFS system is deleted and the file is no longer accessible from the OS. If our disk is fragmented how can software like Autopsy or Recuva detect where each fragment from a single file is located and how can the software order the fragments correctly to "reproduce" the file as it looked before it was deleted?

I've noticed that when you delete something with CCleaner the first thing it says is "Wipe MFT free space", so my guess is that MFT works like a linked list where, when you delete a pointer the nodes still remain in the memory but are no longer accessible and this is how forensic software detect deleted files.

Explanation / Answer

There are any number of different ways it can be done. In large part, the easiest way is following the link pointers to each of the chunks, but that isn't the only way by any means. (The MFT isn't the only source of those links in many file systems as well.)

At a lower level, it can identify all the chunks and try to match some of them up on content if the files have an internal structure that allows one chunk to be matched to another. That won't work for all files though if the pointers are removed, since some don't have much of a pattern to them, but it will work with enough that it's still a major concern, especially since unless your drive is highly fragmented, even a large file probably isn't more than a few dozen large pieces.

Basically, there are a ton of different ways you can try piecing stuff together based on either the physical structure of the drive (contiguous blocks are generally preferred if available), file system features (such as forward and reverse block links) or file structure features, which vary from file to file.

Short of total destruction, there are any number of possible ways to recover the file. In some cases, simply removing the pointers may be enough, but a truly determined analysis can likely still put the jigsaw together by looking for fragments that make sense together, particularly if they are looking for something in particular.

Related Questions

How does an epigenetic change differ from a mutation? Mutations involve nucleoti
Question #224559
How does an exon-junction complex (EJC) protect the translation process from pre
Question #141109
How does an increase in sea floor spreading rate u influence the depth of the oc
Question #230440
How does an increase in temperature affect the equilibrium concentration of C an
Question #1028930
How does an inhibitor of N-acetylglucosamine phosphotransferase affect lysosomal
Question #192053
How does an inhibitor of N-acetylglucosamine phosphotransferase affect lysosomal
Question #192170
How does an interval estimator differ from a point estimator? A point estimator
Question #3153364
How does an ionic bond differ from a covalent bond? A. An ionic bond has electro
Question #675562
Hire Me For All Your Tutoring Needs
Integrity-first tutoring: clear explanations, guidance, and feedback.
Drop an Email at
drjack9650@gmail.com
Chat Now And Get Quote

Navigate

Previous
How does evolution occur? The genetic makeup of a population changes of generati
Next
How does histone modification silence transcription? Histone demethylase demethy

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.