The primary function of the information systems is to store and process data. Data processed and stored by the computer systems can be classified into four categories: active data, archived data, safety saved data, and residual data.
Active data: information available and accessible to users. They are presented in different forms, such as documents created by word processors, electronic calendars, mailing lists, files, graphics, audio files, etc. .
A special feature is that for computer data the copy is absolutely identical with the original (the copy does not change anything). Recording active data can be done with special software called file management, execution of specific commands, or operating systems.
Archived data are information that are no longer commonly used, and are stored separately, to free disk space. Archived data also include duplicate files. Duplicate files are automatically created as computer files in case of technical problems (such as system crashes, power supply interruption , etc.), with data recovery role. They have specific file endings, and are usually stored in different locations of the original files. Their importance lies in creating multiple copies of documents, copies that user can erase, and whose existence most often is not aware. By comparing the original with duplicate copy, can be made observations on the changes between different versions of the document.
Safety saved data security (or backup data) is information copied on removable media with the aim of making their data available to users for a power system intervention. How often backups it depends both on type of systems (network connected computer, or computer network ) and user procedures.
For networks, the typical practice is to create a full backup once a week, usually on Fridays, and daily implementation of additional copies aiming at saving the data modified that day, in these cases, usually copying only the information which is on network server, which is not the computers (terminals ) users. At the end of the month is backed the safety copy, which is stored separately and kept for a period of time ranging from several weeks to several months. In practical environments the support where is made the copy is to be used again after a month period.
For computers that are not connected to the network , without a proper backup system, their owners usually copy the files to which they attach more importance, on a storage media such as hard disks removable, recordable CDs, flash drives , etc.
Using information from the storage media for backup storage is useful due to the information kept for a long time. But, due to the lack of organization of the data on these environments, and that usually safety saved files are compressed for the economy of space, it makes it more difficult for investigation.
Residual data is information that apparently were removed from the system but persist in specific forms and can be recovered. Such residual data are deleted files that are still on the disk, temporary files, file exchange, data in the active space, the data buffer and clipboard.
If normal file deletion, data is not removed from the disk, but the computer marks the portion where file was placed as free and can thus be rewritten. If the override does not take place (where deletion was recent, or if there is enough free disk space, and there were no operation of routine system maintenance, such as defragmenting or optimizing), the file, or portions of it, were still on the disk, and can be recovered. For recovery are using special programs. In fact, data becomes unrecoverable on the disk space only after the data have been overwritten 7 times. Special programs can do this operation (overwriting 7 times) to permanently delete some data.
Temporary files are files created by the operating system or another program to be used during the session. In many cases, temporary files are not deleted from the disk, and so can be recovered information contained in them.
Files exchange (or swap files) are hidden files created by the operating system to be used for the preservation of portions of program and data files that do not fit in memory. Exchange files are a form of virtual memory. The information from exchange files can be analyzed with the help of special programs.
“Inactive” area (slack space) is the space located in a physical unit of data storage on disk (cluster) that is not covered by the portion of the file occupying that unit. Because DOS operating system does not allow to store more than one file in a storage unit, the difference between the current file size and the size of the storage space is considered “inactive”, unused. This space can contain information that can be recovered using specific programs. Also this space, as considered damaged drives, can be used by advanced users of information systems to conceal information.
Program that allows working with ” inactive” space
Buffer is a memory area reserved for use as temporary storage, where there are temporarily stored data waiting to be transferred from one location to another . Data in the buffer can be retrieved with the help of special programs.
Clipboard is a portion of memory, having special character, maintained by the operating systems based on windowed mode (such as Windows). The clipboard is storing data being transferred from one