Deleted Files

Files that have been deleted can also be reconstructed, either partially or completely. The Windows operating system does not actually erase a file when the user selects deletion. Instead, it marks the space the deleted file takes up in the Master File Table as available for new files to be written to. As a result, analysts may be able to view deleted files that have not been overwritten.
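To make the "marked as available" mechanism concrete, the following added example (not part of the original text) goes one level below the tool's view and reads the in-use flag from NTFS MFT file record headers. The record bytes are constructed sample data, the 1024-byte record size is an assumed typical value, and the function names are hypothetical.

```python
import struct

MFT_RECORD_SIZE = 1024   # assumed typical size; the real value comes from the NTFS boot sector
FLAG_IN_USE = 0x0001     # cleared when the file is deleted
FLAG_DIRECTORY = 0x0002

def parse_record_header(record: bytes) -> dict:
    """Decode the fixed header fields of one MFT file record."""
    if len(record) < 0x20 or record[:4] != b"FILE":
        raise ValueError("not an MFT file record")
    # Offsets 0x10..0x1F: sequence, hard links, first attribute offset,
    # flags, bytes used, bytes allocated (all little-endian).
    seq, links, attr_off, flags, used, alloc = struct.unpack_from("<HHHHII", record, 0x10)
    return {
        "sequence": seq,
        "hard_links": links,
        "in_use": bool(flags & FLAG_IN_USE),
        "is_directory": bool(flags & FLAG_DIRECTORY),
        "bytes_used": used,
    }

def find_deleted_records(mft: bytes) -> list:
    """Return (record index, kind, sequence) for every record not marked in use."""
    deleted = []
    for index in range(len(mft) // MFT_RECORD_SIZE):
        record = mft[index * MFT_RECORD_SIZE:(index + 1) * MFT_RECORD_SIZE]
        try:
            header = parse_record_header(record)
        except ValueError:
            continue  # never-used or damaged slot: no "FILE" signature
        if not header["in_use"]:
            kind = "directory" if header["is_directory"] else "file"
            deleted.append((index, kind, header["sequence"]))
    return deleted

def build_sample_record(sequence: int, flags: int) -> bytes:
    """Constructed test data: a header-only record, not taken from a real volume."""
    record = bytearray(MFT_RECORD_SIZE)
    record[0:4] = b"FILE"
    struct.pack_into("<HHHHII", record, 0x10, sequence, 1, 0x38, flags, 0x198, MFT_RECORD_SIZE)
    return bytes(record)

# Constructed sample: live file, deleted file, live directory, empty slot, deleted directory
SAMPLE_MFT = b"".join([
    build_sample_record(3, 0x1), build_sample_record(5, 0x0),
    build_sample_record(1, 0x3), bytes(MFT_RECORD_SIZE), build_sample_record(2, 0x2),
])

if __name__ == "__main__":
    for index, kind, sequence in find_deleted_records(SAMPLE_MFT):
        print(f"record {index}: deleted {kind} (sequence {sequence})")
```

A record that still carries the `FILE` signature with the in-use flag cleared is what a forensic tool lists as a deleted file; its content is recoverable only while the clusters it pointed to have not been reused.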

One challenge facing forensic analysts is the use of Solid State Drives (SSDs) in tablets and computers. Deleted files can often be recovered from traditional platter hard drives even after a system is powered down. With SSDs, the operating system will often remove deleted files to make the storage of files more efficient. For more information on this challenge, the following website has an excellent breakdown:

To view the deleted files on a system, click on Deleted Files in the left pane. From here, the analyst can see all of the files that are marked for deletion:

From here, the analyst can search through deleted files. These files may hold evidentiary value. For example, in the case of malicious insider activity, if several sensitive files are found in the deleted files, all deleted within the same time period, it may be indicative of the insider attempting to cover their tracks by deleting suspicious files.
