"If a company is faced with an allegation that someone is doing something wrong, you have to secure that evidence. So we have people who are expert in going through hard drives and retrieving that information," he says.

Even when supposedly deleted, a surprising amount of information can be recovered from the average disk drive, says Tony Dearsley, senior consultant for corporate projects at computer forensics consultancy Vogon International. The Windows operating system does not wipe a file from the hard drive when it is dragged to the waste basket. Instead, it alters either the file allocation table (FAT) or the master file table (MFT) to mark the file as deleted, while leaving the content intact. Consequently, old file information can be found in the unused space within disk clusters. It is often possible to recover large parts of old files provided the data are not overwritten.

Computer forensics experts plug a hard drive into a specially designed imaging system, copying the whole drive to a new disk.

"Everything we do with computer forensics at the moment is done using an image of the original hard drive rather than the live desktop, because with any live system, as soon as you do a search you could change the data on that hard drive," explains Dearsley. Imaging hardware generally copies around 60 GB per hour, although the forensics industry is trying to push that to 100 GB per hour, he adds.

Although most of the time, computer forensics are carried out overtly following the seizure of a computer, there are times when it is conducted covertly. In these cases, imaging times can be critical. Dearsley recalls one time when, having been instructed by management to covertly image a drive on a company's premises overnight, he had to hide under a desk when some employees turned up unexpectedly.

Using these techniques, it becomes possible to uncover many secrets about individual documents.
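The FAT case described in the quoted article, as an added illustration in Python (not part of the original post and not Vogon's tooling): on a constructed toy volume, deletion changes only the first byte of the directory entry and the allocation chain, while the cluster contents stay readable. The layout is simplified, the function names are hypothetical, and recovery assumes the file's clusters were contiguous and not yet overwritten; the MFT case is not modelled.

```python
import struct

CLUSTER = 512      # assumed cluster size for this constructed toy volume
DELETED = 0xE5     # FAT writes this over the first name byte of a deleted entry
ENTRY = struct.Struct("<8s3sB14xHI")   # name, ext, attr, first cluster, size (32 bytes)

def build_volume(files):
    """Build a toy volume: FAT (16-bit entries), one directory cluster, data clusters."""
    fat, directory, data = [0, 0], b"", b""      # FAT entries 0 and 1 are reserved
    for name, ext, content in files:
        first = len(fat)
        n = max(1, -(-len(content) // CLUSTER))  # clusters needed (ceiling division)
        fat += [first + i + 1 for i in range(n - 1)] + [0xFFFF]   # chain, then end marker
        directory += ENTRY.pack(name.ljust(8).encode(), ext.ljust(3).encode(),
                                0x20, first, len(content))
        data += content.ljust(n * CLUSTER, b"\0")
    return fat, bytearray(directory.ljust(CLUSTER, b"\0")), bytearray(data)

def delete(fat, directory, index):
    """What deletion changes: the marker byte and the FAT chain, never the data."""
    off = index * ENTRY.size
    _, _, _, cluster, _ = ENTRY.unpack_from(directory, off)
    directory[off] = DELETED
    while cluster != 0xFFFF:
        nxt = fat[cluster]
        fat[cluster] = 0                         # cluster is now marked free
        cluster = nxt

def recover_deleted(directory, data):
    """Scan for deleted entries and read their content, assuming contiguous clusters."""
    found = {}
    for off in range(0, len(directory), ENTRY.size):
        name, ext, _, first, size = ENTRY.unpack_from(directory, off)
        if name[0] != DELETED:
            continue                             # live or never-used entry
        start = (first - 2) * CLUSTER            # cluster numbering starts at 2
        label = "?" + name[1:].decode().rstrip() + "." + ext.decode().rstrip()
        found[label] = bytes(data[start:start + size])
    return found

if __name__ == "__main__":
    # Constructed sample files, not real evidence.
    fat, directory, data = build_volume([("REPORT", "DOC", b"Q3 restructuring plan " * 60),
                                         ("NOTES", "TXT", b"lunch at noon")])
    delete(fat, directory, 0)
    for label, content in recover_deleted(directory, data).items():
        print(label, len(content), "bytes recovered; first bytes:", content[:22])
```

The first character of the name is lost because the marker overwrites it, which is why recovered FAT files typically show a placeholder there.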
- 10 years ago, Best Answer
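"If a company faces an accusation that someone has done something wrong, you must obtain that evidence. So we have people who are experts in going through hard disks and retrieving that information," he says. Even when supposedly deleted, a surprising amount of information may be recovered from the average drive, says Tony Dearsley, senior consultant for corporate projects at computer forensics consultancy Vogon International. The Windows operating system does not wipe a file from the hard disk when it is dragged to the waste basket. Instead, it modifies either the file allocation table (FAT) or the master file table (MFT) to mark the file as deleted, while leaving the content intact. As a result, old file information may be found in the unused space within disk clusters. It is often possible to recover most of an old file provided the data is not overwritten. Computer forensics experts plug each hard disk into a specially designed imaging system, copying the whole drive to a new disk. "Everything we do with computer forensics at the moment is done using an image of the original hard disk rather than the live desktop, because with any live system, when you do a search you can change the data on that hard disk," explains Dearsley. Imaging hardware generally copies about 60 GB per hour, although the forensics industry is trying to push that to 100 GB per hour, he adds. Although most of the time computer forensics is carried out openly following the seizure of a computer, there are times when it is conducted covertly. In these cases, imaging times can be important. Dearsley recalls one time when, instructed by management to covertly image a drive on a company's premises overnight, he had to hide under a desk when some employees turned up unexpectedly. Using these techniques, it becomes possible to uncover many secrets about individual documents.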
- 10 years ago
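"If a company is faced with a statement that someone is doing something wrong, you must secure that evidence. So we have people who are experts in going through hard drives and retrieving that information," he said. Even when supposedly deleted, a surprising amount of information can be recovered from the average disk drive, says Tony Dearsley, senior consultant for corporate projects at computer forensics consultancy Vogon International. The Windows operating system does not wipe a file fr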