
BACS 371 Computer Forensics

BACS 371 Computer Forensics. Basic File Recovery Techniques. File Recovery. The easiest type of recovery is to go to the Recycle Bin and recover the file. Once the file is deleted from the Recycle Bin, this option is not available.


Presentation Transcript


  1. BACS 371 Computer Forensics
     Basic File Recovery Techniques

  2. File Recovery
     • The easiest type of recovery is to go to the Recycle Bin and recover the file.
     • Once the file is deleted from the Recycle Bin, this option is not available.
     • To recover these files you need to open the disk with a hex editor (like WinHex).
     • Some files are easily recoverable with this tool; others will need a bit of work to reconstruct the FAT chains.

  3. Simple WinHex Recovery
     • Directory of disk shows 3 files.

  4. Simple WinHex Recovery
     • WinHex shows that there are more files present. Notice the symbols to the left of the files: they indicate status and likelihood of successful recovery.

  5. Simple WinHex Recovery
     • Select a file and right click. If you select “Recover/Copy”, WinHex will try to recover the file.
     • Result is a successful recovery!

  6. Simple WinHex Recovery
     • List Clusters will print out the FAT linked-list chain. Useful for possible chain reconstruction.

  7. WinHex Recovery
     • Other files are not as likely to be recoverable. Note the red X next to the file.
     • Recovery appeared to work, but the file was corrupt and unreadable.

  8. Advanced Deleted File Recovery in WinHex
     • Scan disk for deleted entries
     • Define cluster chain for deleted entry
     • Recover cluster chain
     • Assumptions
       • File entry still exists
       • File entry pointer to first cluster is correct
       • File data clusters are not yet overwritten

  9. Scan Disk for Deleted Entries
     • Deleted entries are marked with 0xE5 in the first character position of the file/folder name.

  10. Find the Clusters
     • Determine the size of the deleted file
       • 0x0000D000 (little endian!) = 53248 bytes
       • #Clusters = 53248 / 4096 (bytes per cluster) = 13
     • Determine the starting cluster of the deleted file
       • 0x0004 (little endian!) = cluster #4

  11. Reconstruct the Cluster Chain
     • Mostly 0x00 – is this OK?

  12. Reconstructed Cluster Chain
     • File can now be recovered and read by program.
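The recovery procedure of slides 8 to 12 carried through in code, as an added example that is not part of the presentation or of WinHex. It assumes a FAT16 volume with 4096-byte clusters (the slides' 53248/4096) and works on a constructed directory, FAT and data region embedded inline; `recover_first_deleted` runs the whole sequence on that sample.

```python
import struct

# Constructed layout, not from the slides: FAT16, 4096-byte clusters (the slides'
# 53248/4096), data region indexed from cluster 2 as on a real FAT volume.
BYTES_PER_CLUSTER = 4096
DELETED_MARK = 0xE5

def parse_dir_entry(entry: bytes) -> dict:
    """Decode a 32-byte FAT16 directory entry: name@0, attr@11, first cluster@26, size@28 (LE)."""
    name, attr, first_cluster, size = struct.unpack_from("<11sB14xHI", entry)
    return {"deleted": name[0] == DELETED_MARK, "name": name,
            "attr": attr, "first_cluster": first_cluster, "size": size}

def find_deleted_entries(directory: bytes) -> list:
    """Slide 9: an entry is deleted when the first byte of its name is 0xE5."""
    entries = [parse_dir_entry(directory[i:i + 32]) for i in range(0, len(directory), 32)]
    return [e for e in entries if e["deleted"]]

def cluster_count(size: int) -> int:
    """Slide 10: clusters occupied by `size` bytes (round up, never down)."""
    return (size + BYTES_PER_CLUSTER - 1) // BYTES_PER_CLUSTER

def reconstruct_chain(fat: bytes, first_cluster: int, n_clusters: int) -> tuple:
    """Slide 11: deletion zeroes the file's FAT entries, so the chain is rebuilt assuming the
    file was contiguous; a non-zero entry means that cluster was re-allocated (data likely lost)."""
    chain = list(range(first_cluster, first_cluster + n_clusters))
    reused = [c for c in chain if struct.unpack_from("<H", fat, 2 * c)[0] != 0]
    return chain, reused

def recover_file(data_region: bytes, chain: list, size: int) -> bytes:
    """Slide 12: concatenate the chain's clusters and trim to the recorded size."""
    raw = b"".join(data_region[(c - 2) * BYTES_PER_CLUSTER:(c - 1) * BYTES_PER_CLUSTER]
                   for c in chain)
    return raw[:size]

def make_entry(name: bytes, first_cluster: int, size: int) -> bytes:
    return struct.pack("<11sB14xHI", name.ljust(11, b" "), 0x20, first_cluster, size)

# Constructed sample volume: a live one-cluster file at cluster 3 and a deleted
# 0xD000-byte (53248) file at cluster 4, the figures used on slide 10.
DIRECTORY = make_entry(b"LIVE    TXT", 3, 100) + make_entry(b"\xe5ONE    TXT", 4, 0xD000)
FAT = bytearray(2 * 32)                      # 32 FAT16 entries, all free (0x0000)
struct.pack_into("<H", FAT, 2 * 3, 0xFFFF)   # cluster 3: end of LIVE.TXT's chain
DATA = (bytes(2 * BYTES_PER_CLUSTER)                                           # clusters 2-3
        + b"".join(bytes([0x41 + i]) * BYTES_PER_CLUSTER for i in range(13)))  # 4-16: 'A'..'M'

def recover_first_deleted() -> tuple:
    entry = find_deleted_entries(DIRECTORY)[0]
    chain, reused = reconstruct_chain(FAT, entry["first_cluster"], cluster_count(entry["size"]))
    return recover_file(DATA, chain, entry["size"]), reused
```

A non-empty `reused` list is the case slide 7 shows: recovery appears to work, but the data in those clusters belongs to another file now.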
