Creating and Deleting Files

The field of computer forensics requires an understanding of what happens when files are created and deleted. For example, on a FAT partition, creating a file involves three events: 1) An entry is made into the File Allocation Table (FAT) to indicate the space where the file is stored in the data region. 2) The file is assigned cluster space on the hard drive. 3) A directory entry is made indicating the file name, size, link to the FAT, etc. 4) The file is written to the data region.

When the file is deleted: 1) The FAT entry for the file is zeroed out.  2) The first character of the directory entry filename is changed to a special character that is ignored by the OS.  3) The file remains intact and can be recovered so long as another file has not been written into the clusters.
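The deletion behaviour described above can be seen by parsing raw directory entries. The following is an added example, not code from the original page. It assumes the standard 32-byte FAT short-name entry layout with 0xE5 as the deletion marker, contiguous cluster allocation, and a constructed toy volume with 16-byte clusters; the helper names are hypothetical.

```python
import struct

ENTRY_SIZE, DELETED, END_OF_DIR, LFN_ATTR = 32, 0xE5, 0x00, 0x0F

def parse_directory(raw):
    """Return the short-name entries of a FAT directory region, deleted ones included."""
    entries = []
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = raw[off:off + ENTRY_SIZE]
        if e[0] == END_OF_DIR:      # no entries exist past this slot
            break
        if e[11] == LFN_ATTR:       # long-file-name slot, not a file entry
            continue
        deleted = e[0] == DELETED
        # The first name character is overwritten on deletion and cannot be read back.
        base = (b"?" + e[1:8] if deleted else e[0:8]).decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        cluster, size = struct.unpack_from("<HI", e, 26)  # first cluster, byte length
        entries.append({"name": f"{base}.{ext}", "deleted": deleted,
                        "cluster": cluster, "size": size})
    return entries

def recover(entry, fat, data, cluster_size):
    """Carve a deleted file. The FAT chain is zeroed, so contiguity is assumed."""
    count = -(-entry["size"] // cluster_size)          # clusters needed, rounded up
    clusters = range(entry["cluster"], entry["cluster"] + count)
    # A non-zero FAT entry means another file now owns that cluster.
    if clusters.stop > len(fat) or any(fat[c] != 0 for c in clusters):
        return None
    start = (entry["cluster"] - 2) * cluster_size      # data region begins at cluster 2
    return data[start:start + entry["size"]]

def make_entry(name11, cluster, size, deleted=False):
    """Build one constructed directory entry for the sample volume."""
    e = bytearray(ENTRY_SIZE)
    e[0:11], e[11] = name11, 0x20
    struct.pack_into("<HI", e, 26, cluster, size)
    if deleted:
        e[0] = DELETED
    return bytes(e)

# Constructed sample volume: FAT as a list of entries, then directory and data regions.
FAT = [0xFFF8, 0xFFFF, 0xFFFF, 0, 0, 0xFFFF]   # clusters 3-4 free, cluster 5 reused
DIR = (make_entry(b"KEEP    TXT", 2, 5) + make_entry(b"NOTES   TXT", 3, 20, True) +
       make_entry(b"OLD     TXT", 5, 4, True) + make_entry(b"NEW     TXT", 5, 6) + bytes(32))
DATA = (b"hello".ljust(16, b"\0") + b"deleted but intact!!".ljust(32, b"\0") +
        b"newer!".ljust(16, b"\0"))
```

In the sample, the deleted NOTES.TXT entry is carved intact from clusters 3 and 4, while the deleted OLD.TXT entry returns nothing because its cluster has been reallocated to NEW.TXT.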

This computer forensics information is presented by AVM Technology, LLC, a Computer Forensics, E-Discovery, and Computer Security consulting company located in Richmond, VA and serving clients throughout the United States.