EVIDENCE RECOVERY: WHY IS DELETED NOT ALWAYS DELETED?

When a user deletes a file, the operating system only deletes the first
letter of the file name from the file allocation table, and reports the
sectors containing the "deleted" data as "empty," or available for the
storage of new data.

For example, files called:

Assignment1.doc Exercise1.xls MyPage.htm
(located in this graphic with the corresponding color)

would look like:

_ssignment1.doc _xercise1.xls _yPage.htm

to the operating system. However, the data remains unchanged and
"intact" until new data is written to the specific sector and cluster
containing the "residual" data. Only when new data is "overwritten"
onto the sectors containing the old data is the residual data truly
deleted.
However, since data is randomly stored into the millions of potentially
available sectors, it's unusual for all sectors containing a file to be
overwritten with new data. This provides an opportunity for portions of
deleted files to be recovered from "unallocated" clusters long after
the user has deleted the file from the computer.
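
As an added illustration (not part of the original page), the Python sketch below scans a constructed FAT-style directory for entries whose first name byte has been replaced by the deletion marker 0xE5, then checks whether their clusters have since been reused by a live file. The sample directory, file contents, 512-byte cluster size and the assumption that each file was stored contiguously are all made up for the example.

```python
import struct

ENTRY_SIZE, DELETED, CLUSTER_SIZE = 32, 0xE5, 512  # cluster size is an assumption
FIELDS = "<11sB8xHHHHI"  # name, attr, (skipped), cluster hi, time, date, cluster lo, size

def make_entry(name83, cluster, size, deleted=False):
    """Build a constructed FAT 8.3 directory entry (sample data, not a real image)."""
    raw = struct.pack(FIELDS, name83.encode("ascii"), 0x20,
                      cluster >> 16, 0, 0, cluster & 0xFFFF, size)
    return bytes([DELETED]) + raw[1:] if deleted else raw

def clusters_of(cluster, size):
    """Clusters a file occupies, assuming it was stored contiguously."""
    return set(range(cluster, cluster + max(1, -(-size // CLUSTER_SIZE))))

def scan(directory, data_area, first_cluster=2):
    """Return (name, intact, content) for every deleted short-name entry."""
    live, deleted = set(), []
    for off in range(0, len(directory) - ENTRY_SIZE + 1, ENTRY_SIZE):
        name, attr, hi, _, _, lo, size = struct.unpack_from(FIELDS, directory, off)
        if name[0] == 0x00:      # 0x00 marks the end of the directory
            break
        if attr == 0x0F:         # long-file-name entry, not handled here
            continue
        cluster = (hi << 16) | lo
        if name[0] == DELETED:   # first letter of the name was overwritten
            deleted.append((name, cluster, size))
        else:
            live |= clusters_of(cluster, size)
    out = []
    for name, cluster, size in deleted:
        base = name[1:8].decode("ascii", "replace").rstrip()
        ext = name[8:].decode("ascii", "replace").rstrip()
        start = (cluster - first_cluster) * CLUSTER_SIZE
        # Simplification: only live files in this same directory count as reuse.
        intact = not (clusters_of(cluster, size) & live)
        out.append((f"_{base}.{ext}", intact, data_area[start:start + size]))
    return out

# Constructed sample: cluster 2 was reused by NOTES.TXT after EXERCISE.XLS was deleted;
# cluster 3 still holds the residual data of the deleted MYPAGE.HTM.
NOTES, PAGE = b"new notes", b"<p>old</p>"
DIRECTORY = (make_entry("NOTES   TXT", 2, len(NOTES))
             + make_entry("EXERCISEXLS", 2, 12, deleted=True)
             + make_entry("MYPAGE  HTM", 3, len(PAGE), deleted=True)
             + bytes(ENTRY_SIZE))
DATA = NOTES.ljust(CLUSTER_SIZE, b"\0") + PAGE.ljust(CLUSTER_SIZE, b"\0")

if __name__ == "__main__":
    for row in scan(DIRECTORY, DATA):
        print(row)
```

The first deleted entry is reported as not intact because a live file now occupies its cluster, while the second still yields its original bytes from unallocated space.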