
| Subject: | Re: Forensic tool to recommend? |
|---|---|
| Date: | Wed, 30 May 2007 08:21:22 +0200 (CEST) |
Hi Fabio and List,

I don't quite know what you really wanna do. But if I got the point, you (or s.o. else?) have deleted some files on Windows and Linux filesystems. If we do a small exercise on how filesystems work, you might get the solution on your own.

Filesystems (in general) arrange their files on the hard drive by having linked lists (in Linux FS called inodes). Each filesystem has a table at the start of the partition, where references (links) link to the file location. Following this, the file data and file attributes are separated from each other. If a file is being deleted, your filesystem (under Linux) simply deletes the inode referencing the file data. So the data is still in its place. But as you should remember, a hard drive is not being synced "in-time", there is a buffer in your RAM. When the inode is deleted, it is being deleted in the copy of your inode table in your RAM or hard drive RAM.

Let's stick to Windows. The Windows filesystems don't know inodes but something similar. Windows either has file-allocation-table or the pendant NTFS. Both filesystems do have linked lists which refer to the file data. When you delete s.t. under Windows, the file attribute (inode) is not being deleted but therefore "marked" as deleted. Windows has a special file attribute for deleted files. So you simply need to download a file-recovery tool and you may be able to recover very old data.

So far, .. have fun!

Cheers,
Floschi

Hi All,

I am evaluating some tools for gathering evidence in Linux and Windows distros. In particular I am interested in recovering files/folders which have been deleted "accidentally" from the PC. I am aware there are some Live CD's with Linux installed that could mount a drive and try to recover those files but don't know anyone in particular.

Any help will be really appreciated. Thank you very much.

Greetings,
Fabio
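
The "marked as deleted" behaviour mentioned in the reply can be seen in a FAT directory, where deleting a file overwrites the first byte of its 32-byte directory entry with 0xE5 and leaves the start cluster and size in place. The following is an added example, not part of the original messages; the directory bytes, file names and helper names are constructed for illustration, and NTFS (which uses a different record format) is not covered.

```python
import struct

# 32-byte FAT short directory entry: name, ext, attr, cluster high, cluster low, size
ENTRY = struct.Struct("<8s3sB8xH4xHI")
ATTR_LFN = 0x0F   # long-file-name fragment, not a file of its own
DELETED = 0xE5    # first name byte of an entry marked as deleted
END = 0x00        # first name byte meaning "no entries after this one"

def make_entry(name, ext, cluster, size, deleted=False):
    """Build one constructed directory entry (hypothetical helper for the sample)."""
    raw = bytearray(ENTRY.pack(name.ljust(8).encode(), ext.ljust(3).encode(),
                               0x20, cluster >> 16, cluster & 0xFFFF, size))
    if deleted:
        raw[0] = DELETED  # deletion changes only this byte of the entry
    return bytes(raw)

def scan_directory(buf):
    """Parse raw directory bytes and return (live, deleted) entry lists."""
    live, deleted = [], []
    for off in range(0, len(buf) - ENTRY.size + 1, ENTRY.size):
        name, ext, attr, hi, lo, size = ENTRY.unpack_from(buf, off)
        if name[0] == END:
            break                      # unused slot: end of directory
        if (attr & 0x3F) == ATTR_LFN:
            continue                   # skip long-name fragments
        is_deleted = name[0] == DELETED
        shown = (b"?" + name[1:]) if is_deleted else name  # first char is lost
        rec = {"name": shown.decode("ascii", "replace").rstrip() + "."
                       + ext.decode("ascii", "replace").rstrip(),
               "first_cluster": (hi << 16) | lo,
               "size": size}
        (deleted if is_deleted else live).append(rec)
    return live, deleted

# Constructed sample: one live file, one deleted file, then the end marker.
SAMPLE = (make_entry("README", "TXT", 5, 1200)
          + make_entry("REPORT", "DOC", 9, 48128, deleted=True)
          + bytes(32))

if __name__ == "__main__":
    live, deleted = scan_directory(SAMPLE)
    for rec in deleted:
        print("deleted:", rec["name"], "cluster", rec["first_cluster"],
              "size", rec["size"])
```

The entry keeps only the first cluster and the size; the cluster chain in the file allocation table is freed on deletion, so recovery from these fields alone assumes the data was stored contiguously and has not been overwritten.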