

When a file is "deleted," the file name in the directory has its first letter changed to a sigma, and then the location of the stored file is considered unallocated (aka may be overwritten). When we save a file, it uses up sectors in a cluster, but the file may not use all of the sectors in a cluster, or even all the space in a block. In class we learned that FAT32 saves files in clusters of blocks. Here is something similar we learned in class:

However, I don't know how NTFS saves, deletes, and overwrites files in the first place!

The assignment asks me to think of any pieces of information that may be vital for forensics. I have a homework assignment to do in which I need to state possible ways we can recover deleted files from a computer using NTFS.
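
The FAT behaviour described in the question, as an added example that is not part of the original post: it parses constructed 32-byte FAT short-name directory entries, flags those whose first byte is 0xE5 (the byte shown as σ in code page 437), and computes the unused slack in each file's last cluster. The 4096-byte cluster size, the helper names and the sample file names are assumptions.

```python
import struct

DELETED = 0xE5       # first name byte of a deleted entry (sigma in code page 437)
ATTR_LFN = 0x0F      # long-file-name entries carry this attribute value
CLUSTER_SIZE = 4096  # assumption: 8 sectors of 512 bytes per cluster

def make_entry(name, ext, first_cluster, size, deleted=False):
    """Build a constructed 32-byte FAT short-name directory entry."""
    raw = bytearray(32)
    raw[0:8] = name.ljust(8).encode("ascii")
    raw[8:11] = ext.ljust(3).encode("ascii")
    raw[11] = 0x20                                           # archive attribute
    struct.pack_into("<H", raw, 20, first_cluster >> 16)     # cluster high word
    struct.pack_into("<H", raw, 26, first_cluster & 0xFFFF)  # cluster low word
    struct.pack_into("<I", raw, 28, size)                    # file size in bytes
    if deleted:
        raw[0] = DELETED          # deletion overwrites only the first name byte
    return bytes(raw)

def parse_directory(data, cluster_size=CLUSTER_SIZE):
    """Return one dict per short-name entry, including deleted ones."""
    found = []
    for off in range(0, len(data) - 31, 32):
        e = data[off:off + 32]
        if e[0] == 0x00:                      # end-of-directory marker
            break
        if (e[11] & 0x3F) == ATTR_LFN:        # skip long-name entries
            continue
        deleted = e[0] == DELETED
        stem = e[1:8] if deleted else e[0:8]  # the first character is lost
        name = ("?" if deleted else "") + stem.decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        hi, = struct.unpack_from("<H", e, 20)
        lo, = struct.unpack_from("<H", e, 26)
        size, = struct.unpack_from("<I", e, 28)
        clusters = -(-size // cluster_size)   # ceiling division
        found.append({"name": f"{name}.{ext}", "deleted": deleted,
                      "first_cluster": (hi << 16) | lo, "size": size,
                      "slack": clusters * cluster_size - size})
    return found

# Constructed sample directory: one live file, one deleted file, terminator.
SAMPLE = (make_entry("REPORT", "TXT", 5, 5000)
          + make_entry("NOTES", "DOC", 9, 1200, deleted=True)
          + bytes(32))

if __name__ == "__main__":
    for entry in parse_directory(SAMPLE):
        print(entry)
```

The deleted entry still holds its starting cluster and size, which is why the data stays recoverable until those clusters are reused.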
