Undelete Compat Flash?

Jacques B. jjrboucher at gmail.com
Wed May 3 08:55:16 UTC 2006


> I would highly recommend that you grab a dd image of the compact
> flash, and then run any tools against the copy (mounted read only).
> That way the tool won't alter the contents of the dd image (or more
> importantly of your original compact flash) thereby allowing you to
> run other tools against it if necessary.  I am a forensic examiner by
> trade and the first rule is to never work on the original.

Slight correction to my last posting (banged it off and sat down for
breakfast and realized my advice was a bit misleading).  You don't
need to mount the image.  You run the tool against the dd image file. 
I'm used to sometimes viewing a read only mounted version of the image
as part of the forensic process but in actual fact your recovery tools
such as scalpel would run against the entire device (or more accurately
against the image of the entire device).  You can get scalpel (an open
source tool) at http://www.digitalforensicssolutions.com/Scalpel/.  I
read the site on the other tool that was suggested and that may very
well do the trick as well.  However I'd recommend scalpel as it's been
tested quite a bit by the computer forensic community so you know it
will work as it should.  Plus scalpel is a nice tool to have for other
file types as well, and to run against a variety of filesystems
(including ntfs) as it runs independent of the file system, looking
for file headers & file footers on a device or partition (hda, hda1,
sda, sda1, whatever, or an image file of same).
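
The header/footer carving described in the message above, as an added illustration that is not part of the original post and is not scalpel's code. It assumes the common JPEG start and end markers, uses a constructed sample image, and all function names are hypothetical; the image file is opened read-only and hashed before and after to confirm it was not altered.

```python
import hashlib
import mmap
import os
import tempfile

JPEG_HEADER = b"\xff\xd8\xff"   # assumed signature: JPEG start-of-image marker
JPEG_FOOTER = b"\xff\xd9"       # assumed signature: JPEG end-of-image marker
# Constructed sample "image": filler, one complete span, then a header with no footer.
COMPLETE = JPEG_HEADER + b"\xe0constructed-payload" + JPEG_FOOTER
SAMPLE = b"\x00" * 512 + COMPLETE + b"\xaa" * 100 + JPEG_HEADER + b"\xe0cut-off"

def carve(buf, header=JPEG_HEADER, footer=JPEG_FOOTER, max_size=10 * 1024 * 1024):
    """Return (offset, data) for each header..footer span; no filesystem metadata is read."""
    found, pos = [], 0
    while (start := buf.find(header, pos)) != -1:
        limit = min(len(buf), start + max_size)
        # The first footer after the header ends the span (a simplification).
        end = buf.find(footer, start + len(header), limit)
        if end == -1:
            # Header without a footer inside max_size: truncated or overwritten data.
            pos = start + len(header)
            continue
        end += len(footer)
        found.append((start, bytes(buf[start:end])))
        pos = end
    return found

def carve_image(path):
    """Carve from a dd image mapped read-only, so the working copy cannot be modified."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return carve(mm)

def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def demo():
    """Write the constructed sample to a temp file, carve it, and check the hash is unchanged."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(SAMPLE)
        before = sha256_file(path)
        hits = carve_image(path)
        return hits, before == sha256_file(path)
    finally:
        os.remove(path)

if __name__ == "__main__":
    hits, unchanged = demo()
    print([(off, len(data)) for off, data in hits], "image unchanged:", unchanged)
```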



