Finding Missing Files

Many people believe that when a file is deleted, it is gone. Others know that deleted files are often stored in the Recycle Bin but assume that, once they are deleted from there, they too are gone forever. But are they? In reality, deleting files and emptying the Recycle Bin may not actually remove the deleted document from the disk. It is similar to taking the label off a paper file folder and placing the folder back in the file cabinet. The folder may be more difficult to locate, but by leafing through the file cabinets you will eventually find it. The Master File Table (MFT), for example, keeps a record of where files are stored. When a file is deleted, the MFT entry is changed to indicate that the area is now available for reuse, but the data can sit there for hours or even weeks until it is finally overwritten by new files; that is, the deleted files remain on the disk until the computer writes another file in that same location. Thus, investigators have often found large volumes of data that had just been "deleted" from a disk in an attempted cover-up, and even if some files are overwritten, earlier file data may not be completely gone. Remember back to when you used pencil and paper: if you erased what you had written and then wrote something else over the top of it, it might still have been possible to discern what was written underneath.
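The behaviour described above, an index entry cleared while the data stays in place until it is overwritten, and the signature scan an investigator uses to get it back, as an added Python example (it is not code from the book). A small in-memory volume stands in for the disk, its allocation table for the MFT, and a constructed 1x1 PNG for the "deleted" document; the carver walks PNG chunks and checks each CRC so that a partly overwritten copy is rejected instead of being reported as a recovery.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF           # PNG CRC covers type + data
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def make_sample_png() -> bytes:
    """Constructed 1x1 grayscale PNG standing in for the deleted document."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x7f")                      # filter byte + one pixel
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")

class ToyVolume:
    """Raw bytes plus an allocation table; the table plays the role of the MFT."""
    def __init__(self, size: int):
        self.disk, self.table = bytearray(size), {}        # name -> (offset, length)
    def write(self, name: str, data: bytes, offset: int) -> None:
        self.disk[offset:offset + len(data)] = data
        self.table[name] = (offset, len(data))
    def delete(self, name: str) -> None:
        del self.table[name]                               # bytes on disk are untouched

def carve_pngs(image: bytes):
    """Find PNG signatures anywhere in raw bytes (allocated or not) and walk the
    chunks to IEND, verifying each chunk CRC so partly overwritten hits are dropped."""
    found, pos = [], image.find(PNG_SIG)
    while pos != -1:
        cur, end = pos + len(PNG_SIG), None
        while cur + 8 <= len(image):
            length, ctype = struct.unpack(">I4s", image[cur:cur + 8])
            body, stored = image[cur + 8:cur + 8 + length], image[cur + 8 + length:cur + 12 + length]
            if len(stored) < 4 or zlib.crc32(ctype + body) & 0xFFFFFFFF != struct.unpack(">I", stored)[0]:
                break                                      # corrupt or overwritten chunk
            cur += 12 + length
            if ctype == b"IEND":
                end = cur
                break
        if end is not None:
            found.append((pos, image[pos:end]))
        pos = image.find(PNG_SIG, pos + 1)
    return found

def recover_after_delete(overwrite: bool) -> list:
    vol, doc = ToyVolume(16384), make_sample_png()
    vol.write("note.png", doc, 4096)
    vol.delete("note.png")                                 # index gone, data still there
    if overwrite:                                          # a new file lands on the same spot
        vol.write("other.txt", b"X" * 32, 4096 + 8)
    return [data == doc for _, data in carve_pngs(bytes(vol.disk))]   # [] if nothing carved
```

`recover_after_delete(False)` returns `[True]` because the carver finds the intact file in unallocated space; `recover_after_delete(True)` returns `[]` because the reused clusters break the chunk walk.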

Even when the deleted file is actually unrecoverable, other versions of that same file might exist elsewhere on the disk. Windows makes many additional copies of files that the user never sees and is usually unaware of. On Windows XP, for instance, when I receive an attachment and open it, the default folder used is a temporary folder named OLK4. Sometimes when I have opened an attachment, made a few changes, and saved it without thinking, it gets dumped in OLK4 — and I have wasted hours trying to find that directory. It does not show up in any other folder. Fortunately, I have worked out how to solve this puzzle, but the point is that Windows has dozens of nooks and crannies that even veteran IT professionals are unaware of, and each of these places can be accessed to recover lost or incriminating data.

For example, consider the swap file (or Paging File). This is a large section of the hard drive that the computer uses as additional memory space, and forensics experts can access this area to recover vital documents. Printer files are another source of hidden information. Whenever a document is printed, Windows creates an enhanced metafile (EMF) on the hard disk and sends that temporary copy to the printer. Even if the user never saves it, the printer version often sticks around on the disk, as one bank robber discovered in court. He had typed up his demand notes on a computer and printed them out without saving the files so he would not leave any evidence behind; however, investigators accessed the EMF files and he was convicted of robbery. It is the same with e-mail attachments. Windows creates a MIME file when sending files over the Internet, and these files may remain long after the original file is deleted.


Server Disk Management in a Windows Environment
Year: 2003
Pages: 197