Could anyone answer this one, please? (am doing an article for an ezine)
1. When you use data mining to recover a file - say a jpg image - does it return the filename and/or date of the file?
2. If one or both of these are not recoverable, is there any significance in that - i.e., does it mean an attempt was made to wipe the file, or is the loss just a 'natural' process occurring to files in the unallocated area?
3. I assume the recovery software can provide a filename, but can this be 'tailored' to your own specs or is it just random?
Phew! And sorry about the descriptions, I don't know all the technical terms yet!
Regards
robbo
Data mining is looking at all files and trying to extract information from them.
I think you actually mean Data Carving. Data carving is when a disk is searched and sector starts are tested against known file signatures, e.g. 0xff 0xd8 0xff is probably the start of a JPEG file.
Carving is normally used to find files in unallocated space, or on very corrupted file systems / damaged disks. Files can be in unallocated space for several reasons, and deletion is one such reason. (Others can include disk corruption, reformatting a disk, defrag program, left over from a previous disk use, and probably a few more reasons).
The names that a data recovery program gives normally include an incrementing number. I actually try on certain files to add a bit more information such as date and camera used for photos.
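The signature scan Michael describes, written out as an added example (this is not code from anyone in this thread). It walks a raw buffer standing in for unallocated space, looks for the JPEG signature FF D8 FF, and cuts each file out up to its FF D9 end-of-image marker. The `fake_jpeg` helper, the `FILLER`/`DISK` buffer and the `carved_NNNN.jpg` naming are constructed for the demo; the sample data is not decodable image data, only structurally plausible bytes.

```python
"""Toy JPEG carver: find start-of-image signatures in a raw buffer and cut files out."""
from dataclasses import dataclass
from typing import List, Optional

SOI = b"\xff\xd8\xff"   # FF D8 followed by the FF of the next marker: the JPEG signature
EOI = b"\xff\xd9"       # end-of-image marker


@dataclass
class CarvedFile:
    name: str       # assigned by the carver; bears no relation to the original filename
    offset: int     # byte offset in the input where the signature was found
    data: bytes
    complete: bool  # False when no matching EOI was found (tail probably overwritten)


def find_eoi(buf: bytes, start: int, limit: int) -> Optional[int]:
    """Return the offset just past the EOI that closes the JPEG starting at `start`.

    Nested SOI/EOI pairs are tracked because an EXIF APP1 segment carries a
    thumbnail that is itself a complete JPEG; a carver that stops at the first
    FF D9 it sees would cut the real image off at the thumbnail.
    """
    depth = 0
    i = start
    while i < limit - 1:
        if buf[i] == 0xFF:
            marker = buf[i + 1]
            if marker == 0xD8:
                depth += 1
            elif marker == 0xD9:
                depth -= 1
                if depth == 0:
                    return i + 2
        i += 1
    return None


def carve_jpegs(buf: bytes, prefix: str = "carved",
                max_len: int = 16 * 1024 * 1024) -> List[CarvedFile]:
    """Carve every JPEG whose signature appears in `buf`; names are prefix + counter."""
    found: List[CarvedFile] = []
    pos = 0
    while True:
        start = buf.find(SOI, pos)
        if start < 0:
            break
        limit = min(len(buf), start + max_len)
        end = find_eoi(buf, start, limit)
        complete = end is not None
        if end is None:
            # No EOI: cut at the next signature (or the size cap) and flag the file as partial.
            nxt = buf.find(SOI, start + len(SOI), limit)
            end = nxt if nxt >= 0 else limit
        found.append(CarvedFile(f"{prefix}_{len(found) + 1:04d}.jpg", start,
                                buf[start:end], complete))
        pos = end
    return found


def fake_jpeg(scan: bytes, thumbnail: Optional[bytes] = None) -> bytes:
    """Constructed, structurally plausible (not decodable) JPEG for the demo."""
    out = bytearray(b"\xff\xd8")
    if thumbnail:
        seg = b"Exif\x00\x00" + thumbnail                        # APP1 payload with a nested JPEG
        out += b"\xff\xe1" + (len(seg) + 2).to_bytes(2, "big") + seg
    out += b"\xff\xda\x00\x08" + scan                             # SOS marker + entropy-coded bytes
    out += EOI
    return bytes(out)


FILLER = bytes(range(256)) * 4                 # constructed "free space" noise; contains no FF D8 FF
THUMB = fake_jpeg(b"\x10\x20\x30")
PHOTO = fake_jpeg(b"\x40" * 64, thumbnail=THUMB)
TRUNC = fake_jpeg(b"\x50" * 32)[:-10]          # tail overwritten: the EOI did not survive
DISK = FILLER + TRUNC + FILLER + PHOTO + FILLER  # constructed image of unallocated space

if __name__ == "__main__":
    for f in carve_jpegs(DISK):
        print(f"{f.name}: offset={f.offset} size={len(f.data)} complete={f.complete}")
```

Two things the output makes visible: the carver returns an offset, bytes and a counter-based name, but nothing that was in the directory entry (the original filename and dates are simply not in the carved bytes), and a file whose tail has been overwritten comes out flagged as partial rather than silently swallowing whatever followed it. Real carvers add more checks (a signature in arbitrary binary data is a false positive, and FF D8 can occur inside non-JPEG segments such as embedded ICC profiles), which is one reason different tools report different counts for the same image.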
Robbo,
I don't know if you've looked at other postings on this forum but one thing shines through - there is no straightforward answer to any one question.
A comprehensive answer to your question depends heavily on the type of filesystem involved. There are some general points I can help with though…
All file systems have some kind of metadata or indexing system that keeps track of the data on disk and provides contextual information like name, date, location on disk, etc. In many cases deleting a file leaves the metadata intact, it is just marked as ready for reuse.
If (knowing the filesystem) I can look for these metadata structures then I might be able to recover information about files that used to be on the system but have long-since been deleted.
On the other hand I could search all the area of the partition for file signatures that aren't allocated to current (or known deleted) files and recover the file data alone. I think this is what you refer to as data mining but I would call 'carving'. This process is highly unlikely to recover any metadata about the file so you won't get to know its name, modified date, etc.
Forensic and software recovery programs all do this stuff in slightly different ways and I've never known two programs to show me the same deleted file structure, for example. They also tend to recover different numbers of the same kind of file when carving. How recovery programs name carved files is usually dependent on the program itself; some of them are configurable but not many. If you are carving data and the program assigns a name then this probably bears no relation to the name the file had when it was an active file on disk.
HTH
Paul
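Paul's first route, reading the filesystem's own metadata for entries marked as reusable, as an added example (not code from anyone in this thread). It assumes a FAT directory, which no post here names; it is used because FAT's deletion marking is the simplest to show. Deleting a file on FAT overwrites the first byte of its 32-byte directory entry with 0xE5 and leaves the rest of the entry in place, so the name (minus its first character), the write timestamp, the starting cluster and the size are all still readable. The `make_entry` helper and the `DIRECTORY` bytes are constructed for the demo.

```python
"""Walk a FAT directory region and list active and deleted short-name entries."""
from dataclasses import dataclass
from datetime import datetime
import struct
from typing import List

ENTRY = 32        # size of one directory entry
ATTR_LFN = 0x0F   # attribute value that marks a long-filename fragment
DELETED = 0xE5    # first name byte after deletion


@dataclass
class DirEntry:
    name: str
    deleted: bool
    size: int
    first_cluster: int
    modified: datetime


def fat_datetime(date: int, time: int) -> datetime:
    """Decode the packed FAT date (yyyyyyymmmmddddd) and time (hhhhhmmmmmmsssss, 2s units)."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def parse_fat_dir(region: bytes) -> List[DirEntry]:
    """Return every short-name entry, including deleted ones, until the end-of-directory marker."""
    entries: List[DirEntry] = []
    for off in range(0, len(region) - ENTRY + 1, ENTRY):
        raw = region[off:off + ENTRY]
        first = raw[0]
        if first == 0x00:
            break                      # never-used entry: nothing after it was ever allocated
        if raw[11] == ATTR_LFN:
            continue                   # long-name fragment; the short entry carries the metadata
        deleted = first == DELETED
        base = raw[0:8].decode("ascii", "replace")
        ext = raw[8:11].decode("ascii", "replace").rstrip()
        if deleted:
            base = "?" + base[1:]      # the overwritten first character is gone for good
        name = base.rstrip() + ("." + ext if ext else "")
        hi, wtime, wdate, lo, size = struct.unpack_from("<HHHHI", raw, 20)
        entries.append(DirEntry(name, deleted, size, (hi << 16) | lo, fat_datetime(wdate, wtime)))
    return entries


def make_entry(name8: bytes, ext3: bytes, cluster: int, size: int,
               modified: datetime, deleted: bool = False) -> bytes:
    """Constructed directory entry for the demo (archive attribute, write time only)."""
    date = ((modified.year - 1980) << 9) | (modified.month << 5) | modified.day
    time = (modified.hour << 11) | (modified.minute << 5) | (modified.second // 2)
    raw = bytearray(ENTRY)
    raw[0:8] = name8.ljust(8)
    raw[8:11] = ext3.ljust(3)
    raw[11] = 0x20
    struct.pack_into("<HHHHI", raw, 20, cluster >> 16, time, date, cluster & 0xFFFF, size)
    if deleted:
        raw[0] = DELETED
    return bytes(raw)


# Constructed directory: one live file, one deleted file, then the end-of-directory marker.
DIRECTORY = (make_entry(b"PHOTO", b"JPG", 1234, 204800, datetime(2011, 6, 14, 9, 30, 10))
             + make_entry(b"HOLIDAY", b"JPG", 5678, 98304, datetime(2010, 8, 2, 15, 45, 0),
                          deleted=True)
             + bytes(ENTRY))


def recoverable_deleted(region: bytes = DIRECTORY) -> List[DirEntry]:
    return [e for e in parse_fat_dir(region) if e.deleted]


if __name__ == "__main__":
    for e in parse_fat_dir(DIRECTORY):
        print(f"{'DELETED' if e.deleted else 'active '} {e.name:14} {e.size:8d} "
              f"cluster={e.first_cluster} modified={e.modified.isoformat()}")
```

This is why the two routes give such different answers to robbo's first question: the metadata route hands back a name and a date that carving never could. The caveat is that the entry is only as good as its survival: once the directory slot is reused the name and date are gone, and on FAT the cluster chain is cleared at deletion, so only the first cluster is known and a fragmented file can still only be guessed at from the data itself.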
Thanks Michael and binarybod.
Yes, I must mean data carving.
I'm especially interested in the ordinary, average computer user (like me!) and how we regard simple things like file deletion. In my first post on here, I mentioned Microsoft and their 'permanent deletion' method (Shift-Del) which isn't really permanent. With 600 million copies sold of Windows 7 there must be a heck of a lot of data hanging around on users' hard drives that they really don't want to be found - the stuff having got there quite innocently as in my case (bad download from Rapidshare). If the authorities could get round them all they'd have a field day - well, of course they wouldn't be able to cope!
Anyway, thanks for your help…