Erased Graphic Image File Identification

NTI's Graphics File Extractor software can be used with NTI's GetFree software to quickly identify and reconstruct previously erased graphic image files. However, it is not enough to have an exact replica of the original file. The computer forensics specialist must then identify the exact location of the original "deleted" file on the source hard disk drive. Because the data associated with the subject file is no longer associated with a file name, searches to identify the location of the file content in unallocated file space must be done in hexadecimal.

Once a relevant file has been identified, e.g., in a child pornography case, using Graphics File Extractor software, then the first 40 bytes of the file should be used to search for the source data in the unallocated storage space of the subject computer storage device. This search can easily be done with NTI's HexSearch software. Once the relevant clusters have been identified, then they can manually be restored by the computer forensics specialist. We recommend the manual restoration of such files so the computer forensics specialist will have detailed knowledge of the process used and that the restoration will be exact. Automatic processes are not recommended because of the potentials of error in the reconstruction of the previously deleted graphics image file. When this is done, it makes for stronger expert witness testimony and it allows the jury to see how the process was done.

Back To NTI's Home Page

Please Direct E-Mail to info@forensics-intl.com



Copyright © 2004 by New Technologies Armor, Inc. January 22, 2004