Digital Forensics and Cyber Crime. Third International ICST Conference, ICDF2C 2011, Dublin, Ireland, October 26-28, 2011, Revised Selected Papers

Research Article

A Strategy for Testing Metadata Based Deleted File Recovery Tools

Download182 downloads
  • @INPROCEEDINGS{10.1007/978-3-642-35515-8_9,
        author={James Lyle},
        title={A Strategy for Testing Metadata Based Deleted File Recovery Tools},
        proceedings={Digital Forensics and Cyber Crime. Third International ICST Conference, ICDF2C 2011, Dublin, Ireland, October 26-28, 2011, Revised Selected Papers},
        proceedings_a={ICDF2C},
        year={2012},
        month={12},
        keywords={Digital forensics tool testing deleted file recovery},
        doi={10.1007/978-3-642-35515-8_9}
    }
    
  • James Lyle
    Year: 2012
    A Strategy for Testing Metadata Based Deleted File Recovery Tools
    ICDF2C
    Springer
    DOI: 10.1007/978-3-642-35515-8_9
James Lyle1,*
  • 1: National Institute of Standards and Technology
*Contact email: jlyle@nist.gov

Abstract

Deleted file recovery tools use residual metadata left behind after files are deleted to reconstruct deleted files. File systems use metadata to keep track of the location of user files, time stamps of file activity, file ownership and file access permissions. When a file is deleted, many file systems do not actually remove the file content, but mark the file blocks as available for reuse by future file allocations. This paper describes a strategy for testing forensic tools that recover deleted files from the residual metadata that can be found after a file has been deleted.