Data Recovery Definitions (2023)

Alternate Data Stream (ADS)An Alternate Data Stream (ADS) is a feature of the NTFS file-system. ADS were originally included in Windows NT for compatibility with Macintosh HFS file-systems resource fork and a data fork. The ADS provides a means to allow programmers to add additional metadata to be stored for a file, without adding this data directly to the file. The additional data is attached as a stream which is not normally visible to the user. Recover My Files shows ADSs with a blue file icon with an “A” character.ASCIIThe American Standard Code for Information Interchange (ASCII) is a 7-bit character encoding scheme that allows text to be transmitted between electronic devices in a consistent way. The ASCII character set comprises codes 0–127, within which codes 0–31 and 127 are non-printing control characters. The addition of Codes 128–255 make up the Extended ASCII character set (see http://www.ascii-code.com/ for more information)(8).ClusterA cluster is the smallest logical unit of drive storage space on a hard drive that can be addressed by the computers Operating System. A single computer file can be stored in one or more clusters depending on its size.Cluster Boundaries

A cluster boundary refers to the start or the end position of a cluster (a group of sectors). If a file is fragmented (stored in non-contiguous clusters), the fragmentation happens at the cluster boundary, as there is no smaller unit of storage space that can be addressed by a computer.

Examining data at cluster boundaries can be an important technique to improve the speed of some search routines. For example when file carving for file headers, it is faster to search the cluster boundary (i.e. the beginning of a cluster) rather than a sector by sector search of the drive.

Computer forensicsComputer forensics is the use of specialized techniques for recovery, authentication, and analysis of electronic data with a view to presenting evidence in a court of law.Data carveSee file carve.Deleted File

A deleted file is one which has been marked as deleted by the file-system (usually as a result of being sent to and emptied from with Recycle Bin). A deleted file can be recovered by reading the file-system record for the file, then reading and restoring the file data. As long as the data for the file is intact (i.e. the space once occupied by the file has not been used to store new data) the recovered file will be valid.

In some cases the file-system record itself can be overwritten and destroyed. If this is the case the file can only be recovered by “file carving” and it is returned and displayed in Recover My Files as a “carved”. Because file and folder information is only stored with the file-system record, a carved file does not retain its original file or folder name.

DeviceA device refers to the electronic media being examined. It usually refers to a physical device, such as a hard drive, camera card etc., but can also mean the forensic image of a device in DD, E01 or other formats.DirectorySee Root DirectoryDirectory Entry (FAT)A component of the FAT file-system. Each file or folder on a FAT partition has a 32 byte directory entry which contains its name, starting cluster, length and other metadata and attributes.Drive SlackThe area between the end of a partition and the end of the drive. It is usually considered to be blank, but can hold remnants of previous drive configurations or could be used to purposely hide data.Drive view

A graphical representation in Recover My Files of sectors on the examined device. Drive view can be used to:

• Examine the content of the data in a specific sector/s;
• Quickly navigate to a desired sector position on the device;
• Obtain a graphical overview of the file types which make up the drive and where they are position on the examined media;
• Identify the location and fragmentation of individual files.

DSTDaylight Savings TimeE01A forensic file format used to create drive image files. Developed by Guidance Software (http://www.guidancesoftware.com/)Explorer ViewFile display technology written by GetData and used in the Recover My Files Display view to show the contents of more than 300 different file types.FAT

FAT (File Allocation Table) is the file-system that pre-dates NTFS. Once popular on Windows 95, 98 and XP, it is now primarily used on memory cards, USB drives, flash memory etc. due to its simplicity and compatibility between Operating Systems (e.g. Windows and MAC).

For more information see: http://www.forensicswiki.org/wiki/FAT

FAT SlackThe unused space in the last cluster of the FAT where the logical size of the FAT does not fill the complete cluster.File carve

File carving (also known as file carving or carving) is the process of searching for files based on a known content, rather than relying of file-system metadata. This usually involves searching for a known header and footer of a specific file type.

Recover My Files has built in code to data carve for more than 300 file types.

File SignatureThe header component of a file which has unique identifiers that assigns it to a type, e.g. a jpeg. Most common file types have a signature set by the International Organization for Standardization (ISO).Identifying a file by its signature is a more accurate method of assessment that using the file extension, which can easily be altered.File SlackThe unused space in the last cluster of a file where the logical size of the file does not fill the complete cluster. The file slack can contain fragments of old data previously stored in that cluster.File-systemThe organization of files into a structure accessible by the Operating System. The most common types of file-systems used by Widows are FAT and NTFS. Others include EXT (Linux) and HFS (MAC).FlagIn Recover My Files a flag is used to mark a file as relevant. It is a colored box (flag) that is applied to a List view when the “Flag” column is displayed. Eight colored flags are available for use. Flags are applied by highlighting and artifact and double clicking the opaque flag color in the flag column, or by using the right click “Add Flag” menu.FolderSee Root DirectoryForensic IntegrityIn computer forensic the term “forensic integrity” commonly refers to the ability to preserve the evidence being examined so that it is not altered by the investigator or the investigative process. This enables a third party to conduct an independent examination of the evidence on an identical data set. Forensic integrity is usually achieved through the use of write blocking devices (to protect original media from being changed) and the forensic image process (the acquisition of an identical copy which can be re-verified at a later date.)Fragmented FileThe distribution of a file on a drive so that it's written in non-contiguous clusters.Free SpaceFree space is often used to describe unallocated clusters, the available drive storage space that is not allocated to file storage by a volume. Free space can however also refer to the unused area of a drive not taken up byHash

A Hash is a mathematical calculation to generate a unique value for specific data. The chances of two files that contain different data having the same hash value are exceedingly small.

The most common hash algorithm in use is 128-bit MD5.

HexHexadecimal is a base 16 numbering system. It contains the sixteen sequential numbers 0-9 and then uses the letters A-F. In computing, a single hexadecimal number represents the content of 4 bits. It is usually expressed as sets of two hexadecimal numbers, such as “4B”, which gives the content of 8 bits, i.e. 1 byte.INFO2

Windows automatically keeps an index of what files were deleted including the date and time of the deletion. The index is held in a hidden file in the Recycle Bin called INFO2.

When the Recycle Bin is emptied, the INFO2 file is deleted.
Recovery and analysis of deleted INFO2 files can provide important information about files that were once located on the computer.

LFN (also see SFN)Long File Name refers to file or folder on a FAT file-system which has a name greater than 8 characters and 3 for the file extension (or one which contains special characters). The storage of the additional file name information makes it necessary for Windows to create an additional LFN directory entry (or entries) to hold the extra information.Link Files (LNK)Link files (.lnk) are Microsoft Windows shortcut files. Link files have their own metadata and can provide valuable information about files stored on the computer.Logical Evidence File

Logical Evidence Files (or Logical images Files) are images of selected files, rather than the traditional image of a volume or physical drive. They are usually created during a preview where an investigator identifies file based evidence worthy of preservation, when an image of the entire volume or device is not warranted.

Common Logical Evidence File formats are L01, created by EnCase ® forensic software (www.guidancesoftware.com) or AD1 by Access Data’s Forensic Tool Kit ® (www.accessdata.com).

Logical file spaceThe actual amount of space occupied by a file on a hard drive. It may differ from the physical file size, because the file may not completely fill the total number of clusters allocated for its storage. The part of the last cluster which is not completely filled is called the file slack.Logical Sector (LS)Lost (file)Files located by “file carving” with Recover My Files are displayed as “Lost_[fileytpe].xxx.Master boot record (MBR, Boot Sector)The very first sector on a hard drive. It contains the startup information for the computer and the partition table, detailing how the computer is organized.Master File Table (MFT)“On an NTFS volume, the MFT is a relational database that consists of rows of file records and columns of file attributes. It contains at least one entry for every file on an NTFS volume, including the MFT itself. The MFT stores the information required to retrieve files from the NTFS partition”. (9))MetadataMetadata is often referred to as “data about data”. Windows metadata includes a files create, last accessed and modified dates, as shown in File List view of Recover My Files. File metadata includes information such as camera make and model in a JPEG, or author name in Microsoft Word.Mount Image Pro (MIP)A computer forensics software tool written and sold by GetData (www.mountimage.com) which enable the mounting of forensic image files as a drive letter on a Windows computer system.MRUMost Recently Used (MRU) is a term used to describe a list of the most recently opened files by an application. Many Windows applications store MRU lists as a way of allowing fast and consistent access to most recently used files. Most MRU lists are stored in the Windows registry.NTFSThe Windows New Technology File-system (NTFS) superseded FAT.It was released with Windows NT and subsequently Windows 2000, Windows XP, Windows Server 2003, Windows Server 2008, Windows Vista, and Windows 7. It uses a Maser File Table (MFT) to store the information required to retrieve files from the NTFS partition.PaneAn area of the Recover My Files module. The Recover My Files module is broken down into three panes, Folder Tree, File List view and File Display. A pane can contain multiple different windows, such a Hex view, Text view, Drive view, Console etc.PartitionA part of a hard drive that can have an independent file-system.Physical sector (PS)RAIDRedundant Array of Independent Drives.RAMRandom Access Memory, where programs are loaded and computer code is executed. The content of RAM is lost when the computer is turned off.RAM SlackRAM slack is the data between the end of the logical file and the rest of that sector. For example, a sector is written as a block of 512 bytes, so if the last sector contains only 100 bytes, the remaining 412 bytes is padded with RAM slack. In older Operating Systems, e.g. Windows 95, RAM slack could contain data from RAM unrelated to the content of the file. In more recent Operating Systems, RAM slack is filled with zeros.Recover My FilesData Recovery Software authored and sold by GetData at www.recovermyfiles.comRegistryThe Windows Registry is a hierarchical database that stores configuration settings and options for the Microsoft Windows operating systems. For the computer forensics examiner it can be a wealth of information on all aspects of the computer and its use, including hardware, applications, and user configuration.Root Directory/Folder

A directory is a container used to organize folders and files into a hierarchical structure. The root (also referred as the root folder or root directory) is the first level folder of the hierarchy (It is analogous to the root of a tree, from which the trunk and branches arise). The root folder is the same as click on the drive letter in Windows Explorer, e.g. being located in folder “C:\”.

A directory that is below the root is called a subdirectory. A directory above a subdirectory is called its parent directory. The root is the parent of all directories.

“Directory” was a more common term when DOS use was prolific (The “DIR” command is used in DOS to list the contents of a directory). Directories are now more commonly referred to as “Folders”.

SectorA sector is a specifically sized unit or storage on a hard drive. A sector on a hard drive usually contains 512 bytes. A group of sectors forms a cluster, which is the lowest level of storage space which can be addressed by an Operating System (e.g. Windows).SFN (see also LFN)Short File Name refers to a file or a folder on a FAT file-system that has a file name that can be stored in the 8.3 file name format (8 name characters with 3 characters for the extension). The name and metadata for a SFN file can be stored within a standard FAT directory entry.SlackSee File Slack, Drive Slack, FAT SlackSteganographySteganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity (Definition from: http://en.wikipedia.org/wiki/Steganography)Unallocated ClustersUnallocated clusters (also referred to as unallocated space or free space) are the available drive storage space that is not allocated to file storage by a volume. Unallocated clusters can be a valuable source of evidence in a computer forensics examination because they can contain deleted files or remnants of deleted files created by the Operating System and / or computer users.UnicodeUnicode is an international standard for processing and displaying all types of text. Unicode provides a unique number for every character for all languages on all platforms.VolumeA collection of addressable sectors that are used to store data.The sectors give the appearance of being consecutive, but a volume may span more than one partition or drive.Write BlockA hardware device or software program that prevents writing to an examined device. A write block is designed to maintain the ‘forensic integrity’ of an examined device by demonstrating that changes to the content of the device were not possible.