Computer Forensics

Imaging the Hard Drive

By Philip C. Levi, CFE, CMC, FCA, CPA, CAoIFA

Tech Corner 

In this column, the author reviews hardware and software products that could aid the fraud examiner. The author avows no relationship of any type with the companies that represent or manufacture the reviewed products. The author’s opinions are solely his own and aren’t necessarily those of Fraud Magazine or its staff. – ed.

Most people don’t realize that when they delete files they aren’t totally deleted. When you press that delete key, the operating system actually only deletes the first letter of the file name from the hard disk index of files (the “file allocation table” or FAT) and reports the sectors containing the “deleted” data as “empty,” or available for the storage of new data. However, the old data remains unchanged and intact until new data is stored in the same physical location on the disk. The old data is truly deleted during this process of overwriting with new data. But because data is randomly stored in the millions of potentially available sectors on a hard disk, it’s unusual for all sectors containing a file to be overwritten with new data. Therefore, portions of deleted files can be recovered from “unallocated” clusters long after a user has deleted a file from the computer. Of course, that’s good news for fraud examiners.

For full access to story, members may sign in here.

Not a member? Click here to Join Now. Or Click here to sign up for a FREE TRIAL.