Research Article
A Strategy for Testing Metadata Based Deleted File Recovery Tools
964 downloads
@INPROCEEDINGS{10.1007/978-3-642-35515-8_9, author={James Lyle}, title={A Strategy for Testing Metadata Based Deleted File Recovery Tools}, proceedings={Digital Forensics and Cyber Crime. Third International ICST Conference, ICDF2C 2011, Dublin, Ireland, October 26-28, 2011, Revised Selected Papers}, proceedings_a={ICDF2C}, year={2012}, month={12}, keywords={Digital forensics tool testing deleted file recovery}, doi={10.1007/978-3-642-35515-8_9} }
- James Lyle
Year: 2012
A Strategy for Testing Metadata Based Deleted File Recovery Tools
ICDF2C
Springer
DOI: 10.1007/978-3-642-35515-8_9
Abstract
Deleted file recovery tools use residual metadata left behind after files are deleted to reconstruct deleted files. File systems use metadata to keep track of the location of user files, time stamps of file activity, file ownership and file access permissions. When a file is deleted, many file systems do not actually remove the file content, but mark the file blocks as available for reuse by future file allocations. This paper describes a strategy for testing forensic tools that recover deleted files from the residual metadata that can be found after a file has been deleted.
Copyright © 2011–2024 ICST