Monday, 19 October 2009

Challenges in Recovering Deleted Email

Both computer forensics experts and data recovery technicians try to recover deleted data. Data recovery is primarily concerned with bringing files back, while computer forensics tends to dig deeper, looking not just for deleted documents but also for metadata (data about data, such as file attributes, descriptions, dates and other information) and useful snippets of recovered files. One area of particular interest is e-mail.

When most documents are written to a computer's hard drive, each newly created document gets its own directory entry (what the user sees as a listing in a folder). If a file has been deleted but not yet overwritten by another document, recovering it is a relatively trivial part of e-discovery or data recovery. But if the data of interest is deleted e-mail, the discovery process may vary significantly from the expected data recovery. Individual e-mails are stored differently from individual files. Different types of e-mail programs store data differently on the user's hard drive and require different rules when searching for useful information. This sets the deletion and recovery of e-mails apart not only from that of other types of documents, but also from one type of e-mail program to another.

There are basically three types of e-mail in general use: Microsoft Outlook (often coupled with a Microsoft Exchange server), text-based e-mail client programs, and Web-based e-mail, or webmail.

In Microsoft Outlook, all e-mails are stored in one large, non-encrypted text file: the PST, or Personal Folders, file. Outlook has additional features and additional content as well. It has an integrated address book, multiple mailboxes, a calendar and a scheduler, all of which are contained in the PST file. If a PST file is opened with a text editor or word processing program, there is little or nothing in it that the human eye can make sense of. The file contents look like almost random letters.

In general, the PST file must be loaded into Outlook to be read. When an e-mail is deleted, or even removed, it may remain stored within the body of the single large file while no longer being accessible to the program. Some deleted e-mails can be recovered through a manual process of manipulating the file, repairing the resulting file and then loading it back into Outlook.

Text-based e-mail programs include Microsoft Outlook Express, Qualcomm Eudora Pro, Mozilla Thunderbird, Mac Mail and others. In text-based e-mail applications, each mailbox has its own file, and all e-mails from a particular mailbox are stored in that single file. For example, there is probably only a single file for all e-mails in the Inbox, one for all in the Outbox, one for each user-created mailbox, and so on. The mailbox files are primarily text files. When a single e-mail is deleted, its text can be released, or "orphaned", from the body of the file, but it can still retain the rest of the body of the e-mail and include information such as the date, time and sender.

A standard recovery process does not return those deleted e-mails, because the mailbox file that held them is still intact; it simply no longer contains the deleted e-mail. Part of the electronic discovery process would be to search the unallocated part of the disk for specific words or phrases that are suspected to be in the body of the e-mails. (When a file is written, the operating system allocates a certain portion of the disk to the file. When the file is deleted, that space is de-allocated and becomes so-called unallocated space.) A search can also be performed for text-based e-mail headers. The resulting data can then be collected and displayed as text files.
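The following added example, which is not part of the original article, shows the header and keyword search described above run over a raw byte buffer standing in for unallocated space. The header field list, the function names, the gap threshold and the sample bytes are all assumptions constructed for illustration.

```python
import re

# Assumed, non-exhaustive set of header field names used by text-based e-mail.
HEADER_RE = re.compile(
    rb"(?<![\w-])(From|To|Date|Subject|Message-ID|Received|Return-Path): ?"
    rb"([^\r\n\x00]*)",
    re.IGNORECASE,
)

def carve_headers(raw, min_fields=3, max_gap=512):
    """Cluster nearby header-like lines into candidate e-mail fragments.

    Returns [(offset_of_first_field, {field_name: value}), ...].
    """
    hits, current, start, last_end = [], {}, None, None
    for m in HEADER_RE.finditer(raw):
        # A long run of unrelated bytes means a new fragment starts here.
        if last_end is not None and m.start() - last_end > max_gap:
            if len(current) >= min_fields:
                hits.append((start, current))
            current, start = {}, None
        if start is None:
            start = m.start()
        name = m.group(1).decode("ascii").lower()
        value = m.group(2).decode("utf-8", "replace").strip()
        current.setdefault(name, value)  # keep the first value seen per field
        last_end = m.end()
    if len(current) >= min_fields:
        hits.append((start, current))
    return hits

def keyword_offsets(raw, phrases):
    """Byte offsets of each phrase (case-insensitive) in the raw data."""
    return {p: [m.start() for m in re.finditer(re.escape(p.encode()), raw, re.I)]
            for p in phrases}

# Constructed sample: zeroed slack, an orphaned message, unrelated bytes, a stray line.
SAMPLE = (
    b"\x00" * 64
    + b"From: alice@example.com\r\nTo: bob@example.com\r\n"
    + b"Date: Mon, 19 Oct 2009 10:15:00 +0700\r\nSubject: Q3 invoice\r\n\r\n"
    + b"Please wire the payment before Friday.\r\n"
    + b"\xff\x13\x00" * 300
    + b"Subject: stray line\r\n"
)

if __name__ == "__main__":
    for offset, fields in carve_headers(SAMPLE):
        print(hex(offset), fields)
    print(keyword_offsets(SAMPLE, ["wire the payment"]))
```

Requiring several distinct header fields close together filters out isolated strings such as the stray "Subject:" line, which on its own is not evidence of an e-mail.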

A third form of e-mail is Web access to e-mail. Many if not most commercial e-mail providers give the user the ability to access the e-mail service via a Web browser. America Online is another e-mail provider that, by default, usually does not save e-mails on the user's computer. The e-mail is stored on a remote computer, or distributed over several remote computers that can be anywhere on the Internet. Since these host computers serve hundreds or even millions of users and their e-mail, the retention of this e-mail is very dynamic. When e-mails are deleted in such an environment, the remains of the individual e-mails and files are overwritten quickly and repeatedly. There may, however, be some remnants to be found on the user's computer in virtual memory or a buffer file. The recent U.S. Attorney scandal highlighted the use of such Web-based e-mail (see Why Email Matters: The Science Behind the U.S. Attorney Scandal, by Steve Burgess).

There is always a chance that the remaining deleted files, or remnants of them, will be overwritten. Given this possibility, it is best to immediately turn off any computer on which the recoverability of the data is in question. The longer the computer remains in use, the greater the likelihood that useful data will be irreparably damaged. If a user's computer is likely to be examined or used in legal matters, or when document discovery is expected, the computer should be turned off to prevent evidence from being lost.

If appropriate measures are taken when a file is deleted, the file is probably recoverable. The same applies to e-mail. While trashed or deleted e-mail may not be restorable as a full mailbox file, the contents of the e-mail and their metadata may still be found or recovered by the various methods available to computer forensics specialists.


