Date Added: Jun 2012
Data stored in the files is the main source of evidence in computer forensics. The file system is used to manage these files present on disk. A suspect can remove evidence present on disk by deleting files containing evidences. It is important for forensic investigator to get back the evidences deleted by suspect. Though there are many tools available in market for recovering deleted files, no published documentation is available for their internal working for recovery procedure. It is important for examiner to know details of file system before using available tools, so the results can be verified.