What happens when a file is deleted?

The Windows operating system tracks files (user data) using either a File Allocation Table (FAT) or a Master File Table (MFT). In simple terms, the FAT or MFT tells the computer where the file begins and ends. Macintosh uses a similar system known as Nodes. When a file is deleted, the operating system deletes the pointers to the file, and in the FAT or MFT the space occupied by the file is marked as available. The computer does not delete the actual data that was contained in the file.

Analogy: In days gone by, our library system used a card catalog that told the user what section and what shelf the book was on. If the card was removed from the catalog while the book was still on the shelf, the user would not know the book existed, but the book would still be on the shelf. In the same way, when the computer removes the pointers to computer files, the data remains on the hard drive until the computer overwrites the file with different data.

The Center for Computer Forensics uses many different procedures and forensic tools to search for and recover deleted files and data from unallocated space. The procedures range from keyword searching to data carving to folder recovery. Carved results include total recoveries, partial recoveries and corrupt files. Once the data is recovered, it is reviewed for relevant content.
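The following added example (not code from the Center for Computer Forensics or any forensic tool) models the behaviour described above: deletion removes only the pointer, signature carving recovers the file from unallocated space, and a later overwrite turns a total recovery into a partial one. `ToyVolume`, its 16-byte clusters and the sample JPEG bytes are constructed assumptions, not a real FAT or MFT layout.

```python
CLUSTER = 16                               # toy cluster size in bytes
SOI, EOI = b"\xff\xd8\xff", b"\xff\xd9"    # JPEG start / end-of-image markers

class ToyVolume:
    """Simplified stand-in for a FAT/MFT volume (assumption, not a real layout)."""
    def __init__(self, clusters):
        self.data = bytearray(clusters * CLUSTER)   # the "shelves"
        self.table = {}                             # the "card catalog": name -> (cluster, size)
        self.free = set(range(clusters))            # clusters marked available

    def _span(self, start, size):
        return set(range(start, start + -(-size // CLUSTER)))

    def write(self, name, content, start):
        self.data[start * CLUSTER:start * CLUSTER + len(content)] = content
        self.table[name] = (start, len(content))
        self.free -= self._span(start, len(content))

    def delete(self, name):
        start, size = self.table.pop(name)          # pointer removed
        self.free |= self._span(start, size)        # space marked available, bytes untouched

    def unallocated(self):
        """Copy of the data area with allocated clusters zeroed out."""
        raw = bytearray(self.data)
        for c in set(range(len(raw) // CLUSTER)) - self.free:
            raw[c * CLUSTER:(c + 1) * CLUSTER] = bytes(CLUSTER)
        return bytes(raw)

def carve(raw):
    """Signature carving: return (offset, 'total' | 'partial', bytes) per header found."""
    found, pos = [], raw.find(SOI)
    while pos != -1:
        nxt = raw.find(SOI, pos + 1)
        limit = nxt if nxt != -1 else len(raw)
        end = raw.find(EOI, pos, limit)
        if end != -1:
            found.append((pos, "total", raw[pos:end + len(EOI)]))
        else:
            found.append((pos, "partial", raw[pos:limit]))   # footer lost to overwrite
        pos = nxt
    return found

def demo():
    vol = ToyVolume(8)
    photo = SOI + b"\xe0" + b"CONSTRUCTED-PIXEL-DATA-0123456789" + EOI  # constructed sample
    vol.write("photo.jpg", photo, start=2)
    vol.delete("photo.jpg")
    after_delete = carve(vol.unallocated())
    vol.write("new.txt", b"N" * CLUSTER, start=4)    # reuses the last freed cluster
    return photo, after_delete, carve(vol.unallocated())
```

`demo()` returns the original bytes, the carve result right after deletion (a byte-identical total recovery) and the result after one freed cluster is reused (a partial recovery with the footer gone).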