Data Carving, File System, and Compound File Analysis

Are deleted files really physically removed from a system and unrecoverable?

When a file is deleted, it is typically only logically deleted. Logically deleting a file makes the file invisible to the end user and allows the operating system to reuse the space occupied by the deleted file to store new files or data. However, the bits of data remain in storage until the operating system overwrites them with new data.

Digital crimes often involve suspects or criminals attempting to delete files before the evidence is seized. More advanced criminals or suspects may try to hide files in hidden storage partitions. By using data or file carving methods, an investigator may be able to obtain all or part of previously deleted or hidden files.

Carving activities may focus on areas of the storage system such as deleted files, file slack, and unallocated file space. Data carving, also called file carving, recovers data through structures in the data itself, rather than metadata or the computer's file system. This process can be performed in both FTK and EnCase software. What are some of the skills and knowledge that an investigator must obtain in order to effectively carve data and files? The resources below will provide insight.
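The idea of recovering data "through structures in the data itself" can be shown with a small header/footer signature carver. This is an added example, not code from the course, FTK, or EnCase; the `carve` and `build_sample_image` names, the size limit, and the sample bytes are constructed for illustration, while the JPEG and PNG signatures are the standard magic numbers.

```python
# Added example: header/footer signature carving over raw bytes.
# SIGNATURES holds the standard JPEG and PNG magic numbers.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Return sorted (offset, type, data, complete) tuples found in image.

    complete is False when a header has no footer within max_size bytes,
    e.g. because the end of the file was already overwritten.
    """
    hits = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            limit = min(len(image), pos + max_size)
            end = image.find(footer, pos + len(header), limit)
            if end != -1:
                stop = end + len(footer)
                hits.append((pos, ftype, image[pos:stop], True))
            else:
                # Partial recovery: keep everything up to the size limit.
                stop = pos + len(header)
                hits.append((pos, ftype, image[pos:limit], False))
            pos = image.find(header, stop)
    return sorted(hits, key=lambda h: h[0])


def build_sample_image() -> bytes:
    """Constructed test data: zeroed 'unallocated' space around three files."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-body" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"constructed-chunks" + b"IEND\xaeB`\x82"
    truncated = b"\xff\xd8\xff\xe1" + b"tail-overwritten"  # footer is gone
    return b"\x00" * 512 + jpeg + b"\x00" * 100 + png + b"\x00" * 50 + truncated


if __name__ == "__main__":
    for offset, ftype, data, complete in carve(build_sample_image()):
        state = "complete" if complete else "partial"
        print(f"offset {offset}: {ftype}, {len(data)} bytes, {state}")
```

The carver needs no file system metadata, which is why it works on unallocated space, but it assumes each file is stored contiguously; fragmented files and chance matches of the two-byte JPEG footer require validation of the carved output.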

References

US Department of Justice. (2004). Forensic examination of digital evidence: A guide for law enforcement. https://www.ncjrs.gov/pdffiles1/nij/199408.pdf

File Carving (n.d.). https://resources.infosecinstitute.com/file-carving/

Check Your Knowledge

Choose the best answer to each question:

Question 1
Changing the file extension is a technique that is often used to hide files.
True
False

Question 2
Creating a hidden partition is a technique that is often used to hide files.
True
False

Question 3
Formatting a disk drive is a technique that is often used to hide files.
True
False

Question 4
Once a file is deleted from a computer and the trash or recycle bin is emptied, it is impossible to recover the file.
True
False