Forensic Method best practice vs Usual Recovery Tools Soft

Data recovery can often be a case of various compromises. Some files will be easy to recover, others harder. Different software works in different ways

One example is deleted files from a FAT32 disk. Most recovery programs looks for files bases on the location of the remaining cluster bits in the directory entry. Many files will be recovered. However, files where the upper bits of the FAT have been deleted (as is normal with FAT32 deletion) will not be recovered correctly - only a few programs will recover such files.

Data carving can be a case of simple signature searching, or more complex strings and conditions being tested.

Processing of fragmented files can also be a problem, and also reconstructing partially deleted files

I think what you are seeing is just different abilities of programs - and maybe how they are being used.

Thank for your Reply..

One more question..

How about difference between cloning mechanism, is it has an impact ?

Thanks
MRB

The results from a cloned disk should be identical to the original disk.

Cloning a disk is always good forensic practice and all work should be done on the copy - physical or image. The only time cloning may affect results is with a partially failed disk, and the way the clone deals with sectors, or areas that cannot be read.

Since I was just try to recover my file by using Recuva and I got more data than using
dc3dd,autopsy and foremost

Please define "more data".
We have at least one report of Recuva "recovering more data", BUT the actual data being "senseless"
http//reboot.pro/16812/
http//reboot.pro/16812/page__st__25#entry153863

More generally I would say that "Data recovery" apps are more suited to "data recovery" wink then "Forensic apps" (which are more suited to "Forensics"), and using the latter ones as "data recovery tools" involves far more manual interaction.

jaclaz