Loading...

File System Analysis and Data Recovery

How File Deletion Works

When a user 'deletes' a file, the operating system typically does not erase the file's data—it merely marks the file's directory entry as available and returns the disk clusters to the pool of free space. The actual data remains on the disk until new data overwrites those clusters. This is why forensic analysts can often recover 'deleted' files weeks or months after deletion—especially on large drives with ample free space. File carving tools (like Scalpel and PhotoRec) scan unallocated space for file headers and footers (known byte sequences that mark the beginning and end of specific file types), reconstructing files without relying on file system metadata. NTFS, the Windows file system, maintains a Master File Table (MFT) containing metadata for every file including timestamps, permissions, and data locations—even for deleted files whose MFT entries have not yet been reused.

File System Analysis and Data Recovery

How File Deletion Works

When a user 'deletes' a file, the operating system typically does not erase the file's data—it merely marks the file's directory entry as available and returns the disk clusters to the pool of free space. The actual data remains on the disk until new data overwrites those clusters. This is why forensic analysts can often recover 'deleted' files weeks or months after deletion—especially on large drives with ample free space. File carving tools (like Scalpel and PhotoRec) scan unallocated space for file headers and footers (known byte sequences that mark the beginning and end of specific file types), reconstructing files without relying on file system metadata. NTFS, the Windows file system, maintains a Master File Table (MFT) containing metadata for every file including timestamps, permissions, and data locations—even for deleted files whose MFT entries have not yet been reused.