Acquiring Data, Duplicating Data, and Recovering Deleted Files

Publisher Summary Operating systems provide commands to remove data from a hard disk or other media, such as menu items or commands used from a Command Prompt. When a file is deleted using the Del key or commands in compliant programs, it is generally sent to the Recycle Bin. When this occurs, the user can recover the file. If the file is emptied from the Recycle Bin or deleted using other methods, one may need to use tools to recover the file. Even if an entire partition is deleted, and the volume is formatted, this doesn't mean the data is gone. Data recovery and computer forensic tools may still be able to retrieve the data from a system. Although many data recovery tools are available on the market, not all of them should be used for computer forensics. Disk imaging software that creates a bitstream image of the disk should be used so that an exact duplicate of the data is created. As a result, computer forensic software can be used to analyze the data, without worry of modifying the original data. Any image files that are created should be made on forensically sterile media, and any disks that are reused should be overwritten using special software or demagnetized using a degausser. Hard disks that are to be disposed of should similarly have their data overwritten or destroyed. To ensure that the image files stored on CDs or DVDs are properly destroyed, they should be destroyed using a CD/DVD shredder once a retention date has been met.