File Recovery

Recovering the Deleted Files

Recovery principle
Data usually stays on the disk until the disk location it occupied is reused;
if that space has not been allocated to another file, the deleted file can be recovered.
ps:
the machine may create temporary files while booting that overwrite evidence


Recovery timing
someone cleared some data (e.g. search history, cookie cache, etc.) and the investigator wants to find it

Data recovery challenge
A disk that is kept nearly full, with files frequently deleted and rewritten, is hard to recover from.
A disk that still has a lot of free space is easy to recover from.

Recommended recovery steps
First use an automatic data recovery tool to pull out most of the files,
then analyze the more unusual files with a manual data recovery tool.

………………………………………………………………………………………………………………………….

File Recovery in Windows

File is deleted:
the first letter of the file name is replaced by a hex byte code that marks the entry as deleted
NTFS: the file is marked in the MFT with a special character
FAT: the corresponding clusters in the FAT are marked as unused,
 and the reference to the file is removed from the FAT.
ps:
so it is possible to recover files that have been emptied from the Recycle Bin on Windows

The hex byte code for delete
the code is called E5h, HEX E5 or 0xE5
in a hex editor the code is usually shown as the lowercase Greek letter sigma (σ)
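To make the recovery principle and the 0xE5 marker concrete, here is an added Python example (not from the original notes) that builds a tiny constructed FAT directory table and data area, parses the 32-byte 8.3 entries, flags the entry whose first name byte is 0xE5, and carves the deleted file's bytes back out of the still-unallocated clusters. The cluster size, cluster numbers, file names and contents are all constructed for the demonstration; the carving assumes the file was stored contiguously, which is the usual assumption once the FAT chain is gone.

```python
import struct

ENTRY_SIZE = 32
DELETED_MARKER = 0xE5   # first name byte of a deleted entry (shown as sigma in a CP437 hex view)
END_OF_DIR = 0x00       # first name byte of a never-used entry: stop scanning here
ATTR_LFN = 0x0F         # VFAT long-file-name entries, skipped by this 8.3-only parser
BYTES_PER_CLUSTER = 64  # constructed toy geometry; real volumes use 512 B to 64 KiB
FIRST_DATA_CLUSTER = 2  # FAT numbers data clusters starting at 2


def make_entry(name8, ext3, first_cluster, size, deleted=False):
    """Build one 32-byte FAT 8.3 directory entry (constructed test data)."""
    raw_name = name8.upper().ljust(8).encode("ascii")
    raw_ext = ext3.upper().ljust(3).encode("ascii")
    if deleted:  # this single-byte change is all a FAT delete does to the entry
        raw_name = bytes([DELETED_MARKER]) + raw_name[1:]
    return struct.pack(
        "<8s3sBBBHHHHHHHI",
        raw_name, raw_ext,
        0x20,                            # attributes: archive
        0, 0, 0, 0, 0,                   # NT reserved, ctime tenths, ctime, cdate, adate
        (first_cluster >> 16) & 0xFFFF,  # first cluster, high word (FAT32 only)
        0, 0,                            # write time, write date
        first_cluster & 0xFFFF,          # first cluster, low word
        size,                            # file size in bytes
    )


def parse_directory(table):
    """Return the 8.3 entries in a directory table; deleted entries keep
    their extension, first cluster and size, only the first name byte is lost."""
    entries = []
    for off in range(0, len(table) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = table[off:off + ENTRY_SIZE]
        if e[0] == END_OF_DIR:
            break
        if e[11] == ATTR_LFN:
            continue
        name, ext = e[0:8], e[8:11]
        deleted = name[0] == DELETED_MARKER
        hi, = struct.unpack_from("<H", e, 20)
        lo, size = struct.unpack_from("<HI", e, 26)
        base = name.decode("ascii", "replace").rstrip()
        if deleted:  # first character is unrecoverable from the entry itself
            base = "?" + name[1:].decode("ascii").rstrip()
        ext_txt = ext.decode("ascii").rstrip()
        entries.append({
            "name": base + ("." + ext_txt if ext_txt else ""),
            "deleted": deleted,
            "first_cluster": (hi << 16) | lo,
            "size": size,
        })
    return entries


def carve_contiguous(image, entry):
    """Read an entry's data assuming its clusters were contiguous."""
    start = (entry["first_cluster"] - FIRST_DATA_CLUSTER) * BYTES_PER_CLUSTER
    return bytes(image[start:start + entry["size"]])


def build_sample_volume():
    """Constructed data area plus directory: one live file, one deleted file
    whose clusters have not been reused yet."""
    image = bytearray(BYTES_PER_CLUSTER * 16)
    readme = b"live file contents"
    notes = b"deleted but not yet overwritten"
    for cluster, data in ((5, readme), (9, notes)):
        start = (cluster - FIRST_DATA_CLUSTER) * BYTES_PER_CLUSTER
        image[start:start + len(data)] = data
    directory = (
        make_entry("README", "DOC", 5, len(readme))
        + make_entry("NOTES", "TXT", 9, len(notes), deleted=True)
        + bytes(ENTRY_SIZE)  # all-zero entry: end of directory
    )
    return image, directory


def recover_deleted(image, directory):
    """Map each deleted entry's (damaged) name to the bytes still on disk."""
    return {e["name"]: carve_contiguous(image, e)
            for e in parse_directory(directory) if e["deleted"]}


if __name__ == "__main__":
    img, d = build_sample_volume()
    for e in parse_directory(d):
        print(e)
    print(recover_deleted(img, d))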


Recycle bin name
$Recycle.Bin: Windows Vista and later
RECYCLED: Windows 2000, XP, NT
RECYCLER: Windows 98 and prior
ps:
the per-user folder inside the recycle bin is named after the user's SID
ps:
no size limit for the Recycle Bin

Filename in recycle bin
prior to Windows Vista
name format: D<drive letter of the file><deletion number>.<extension>
info file path: <drive of file><real path>.<extension>
ex:
delete C:\windows\readme.doc, and it happens to be the 8th file deleted
name format: Dc7.doc
info file path: C:\windows\readme.doc
in Windows Vista and later
name format: $R<deletion number>.<extension>
info file path: $I<deletion number>.<extension>
ex:
delete C:\windows\readme.doc, and it happens to be the 8th file deleted
name format: $R7.doc
info file path: $I7.doc

INFO2
a hidden file in the recycle bin folder
it stores the original path and file name of each deleted file in binary form
the file is recreated when Windows restarts
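Added Python example (not from the original notes) covering the two naming sections above: it derives the pre-Vista and Vista-and-later names for the page's "8th deleted file" case, pairs $I metadata files with their $R data files, and builds and parses a $I record. The $I layout used here (u64 version, u64 original size, u64 FILETIME deletion time, then the original path as UTF-16LE, fixed at 520 bytes in version 1 and length-prefixed in version 2) is the commonly documented one and is not taken from the page; the deletion timestamp and file size are constructed values.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_NAME_BYTES = 520                      # version 1: fixed 260 UTF-16 code units
SAMPLE_PATH = r"C:\windows\readme.doc"   # the page's example file
SAMPLE_DELETED_AT = datetime(2020, 1, 2, 3, 4, 5, tzinfo=timezone.utc)  # constructed


def recycle_bin_names(drive, nth_deleted, ext):
    """Names the two conventions on the page give the n-th deleted file;
    numbering starts at 0, so the 8th deletion gets number 7."""
    n = nth_deleted - 1
    return {"pre_vista": f"D{drive.lower()}{n}.{ext}",
            "vista_data": f"$R{n}.{ext}",
            "vista_meta": f"$I{n}.{ext}"}


def to_filetime(dt):
    """Windows FILETIME: 100-ns ticks since 1601-01-01 UTC."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def from_filetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def build_i_file(original_path, size, deleted_at, version=1):
    """Serialize a $I record (assumed layout: u64 version, u64 size,
    u64 FILETIME, then the original path as UTF-16LE)."""
    header = struct.pack("<QQQ", version, size, to_filetime(deleted_at))
    name = original_path.encode("utf-16-le")
    if version == 1:
        return header + name.ljust(V1_NAME_BYTES, b"\x00")
    if version == 2:  # u32 character count including the terminator, then the string
        return header + struct.pack("<I", len(original_path) + 1) + name + b"\x00\x00"
    raise ValueError(f"unsupported $I version {version}")


def parse_i_file(data):
    """Recover original path, size and deletion time from a $I record."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + V1_NAME_BYTES]
    elif version == 2:
        count, = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * count]
    else:
        raise ValueError(f"unsupported $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted_at": from_filetime(ft), "original_path": path}


def pair_recycle_entries(names):
    """Match each $I<n>.<ext> metadata file with its $R<n>.<ext> data file
    (None when the data file is missing, e.g. already purged)."""
    data_files = {n[2:]: n for n in names if n.startswith("$R")}
    return {n: data_files.get(n[2:]) for n in names if n.startswith("$I")}


def sample_i_file(version=1):
    """Constructed $I record for the page's example deletion."""
    return build_i_file(SAMPLE_PATH, 4096, SAMPLE_DELETED_AT, version)


if __name__ == "__main__":
    print(recycle_bin_names("C", 8, "doc"))
    print(parse_i_file(sample_i_file()))
    print(pair_recycle_entries(["$I7.doc", "$R7.doc", "$I8.txt"]))
```

Reading the $I file is what lets an examiner restore the original path and deletion time even when the $R data file has already been purged, which is why the two halves are handled separately above.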


Common analysis tools for the recycle bin:
Windows File Analyzer (WFA.exe)
Recycle-Bin: free software from RedWolf Computer Forensics

refer
http://www.mitec.cz/wfa.html
http://redwolfcomputerforensics.com/index.php?option=com_content&task=view&id=42&Itemid=55
http://redwolfcomputerforensics.com/downloads/Recycle_bin.zip
https://en.wikipedia.org/wiki/Trash_(computing)#Microsoft_Windows

…………………………………………………………………………………………….

File Recovery in Linux

File is deleted:
in ext2fs (Linux second extended file system)
the inode's internal link count reaches 0
refer
http://www.slashroot.in/how-does-file-deletion-work-linux


Data recovery on Linux
1. When a program is still running but its file has already been deleted,
 the program can be found at /proc/$PID/exe
 copy it out with: cp /proc/$PID/exe /tmp/file
2. Use the e2undel tool
refer
http://wenku.baidu.com/view/da7fbcd0360cba1aa811da11.html?re=view
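Added Python example (not from the original notes) of the /proc trick from point 1, generalised from the executable at /proc/$PID/exe to any file a process still holds open: after the file is unlinked its link count drops to 0, but the kernel keeps the inode alive until the last descriptor closes, and /proc/<pid>/fd/<n> still opens it. The scenario (a temporary "evidence.log" written, held open, deleted, then copied out) is constructed for the demonstration and runs only on Linux.

```python
import os
import shutil
import tempfile

PAYLOAD = b"2024-01-01 login failure for user alice\n"  # constructed file content


def proc_available():
    """True on Linux, where /proc/<pid>/fd and /proc/<pid>/exe exist."""
    return os.path.isdir("/proc/self/fd")


def deleted_open_files(pid="self"):
    """Return {fd: original_path} for descriptors of <pid> whose file was
    unlinked after being opened; the kernel suffixes the link target with
    ' (deleted)' but the data stays readable through the descriptor."""
    found = {}
    fd_dir = f"/proc/{pid}/fd"
    for fd in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, fd))
        except OSError:  # descriptor closed while we were listing
            continue
        if target.endswith(" (deleted)"):
            found[int(fd)] = target[:-len(" (deleted)")]
    return found


def recover_from_proc(pid, fd, dest):
    """Copy a deleted-but-open file out through /proc/<pid>/fd/<fd>.
    The same copy through /proc/<pid>/exe recovers a running program's
    deleted binary, as point 1 above describes."""
    with open(f"/proc/{pid}/fd/{fd}", "rb") as src, open(dest, "wb") as dst:
        shutil.copyfileobj(src, dst)
    return os.path.getsize(dest)


def demo():
    """Constructed scenario: create a file, keep it open, delete it, recover it."""
    workdir = tempfile.mkdtemp()
    try:
        path = os.path.join(workdir, "evidence.log")
        with open(path, "wb") as f:
            f.write(PAYLOAD)
        held = open(path, "rb")       # some process still has the file open
        os.unlink(path)               # link count drops to 0; blocks not freed yet
        nlink = os.fstat(held.fileno()).st_nlink
        listed = held.fileno() in deleted_open_files()
        dest = os.path.join(workdir, "recovered.log")
        recover_from_proc("self", held.fileno(), dest)
        with open(dest, "rb") as f:
            recovered = f.read()
        held.close()                  # now the inode is really released
        return {"nlink_after_unlink": nlink, "listed": listed, "recovered": recovered}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo() if proc_available() else "no /proc on this system")
```

On a live system the same listing over /proc/<pid>/fd for every pid is a quick way to find log files or binaries that were deleted while something still had them open, which is exactly the window in which the data can still be copied.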

……………………………………………………………………………………………..

File Recovery Tools

Recovery tools for Linux
testdisk: automatic data recovery tool

Recovery tools for Windows
Recuva
Recover My Files
EaseUS Data Recovery Wizard
Digital Rescue Premium
photorec: automatic data recovery tool, but it sometimes misidentifies files
ex: photorec_win.exe image.dd
testdisk: automatic data recovery tool
AccessData FTK Imager: manual data recovery tool
disk editor: manual data recovery tool

tool: Recuva
functions include:
 basic scan
 Options / Actions / Deep Scan
ps
Recuva doesn't support recovery from a DD image,
but you can use the AccessData FTK Imager function to mount a DD image as a physical disk