{"id":359,"date":"2015-10-19T20:48:00","date_gmt":"2015-10-19T12:48:00","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=359"},"modified":"2023-10-30T20:50:17","modified_gmt":"2023-10-30T12:50:17","slug":"file-recovery","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/359","title":{"rendered":"File Recovery"},"content":{"rendered":"\n

Recovering the Deleted Files<\/strong><\/h2>\n\n\n\n

Recovery principle<\/strong>
Data usually exist in disk until the original disk location of the data is used,
if the space is not allocated to other file, the deleted file can be recovered
ps:
the machine may create temporary files that can delete evidence while booting<\/p>\n\n\n\n


Recovery timing<\/strong>
someone cleared some data(ex: the search history,cookie cache,…etc), and investigator wants find something<\/p>\n\n\n\n

Data recovery challenge<\/strong>
\u78c1\u789f\u7528\u5f88\u6eff\u5e38\u522a\u6e1b,\u5fa9\u539f\u96e3
\u78c1\u789f\u9084\u6709\u5f88\u591a\u7a7a\u9593,\u5fa9\u539f\u6613.<\/p>\n\n\n\n

Recovery\u5efa\u8b70step<\/strong>
\u5148\u4f7f\u7528auto data recovery tool\u5c07\u5927\u90e8\u4efd\u6a94\u6848\u6488\u51fa\u4f86\uff0c
\u7136\u5f8c\u91dd\u5c0d\u6bd4\u8f03\u7279\u6b8a\u7684\u6a94\u6848\u5728\u4f7f\u7528manually data tool\u5206\u6790<\/p>\n\n\n\n

………………………………………………………………………………………………………………………….<\/p>\n\n\n\n

File Recovery in Windows<\/strong><\/h2>\n\n\n\n

File is deleted:<\/strong>
first letter of a file name is replace by a hex byte code for delete
NTFS: the file is marked in the MFT with a special character
FAT: corresponding clusters in FAT are mared as unused\uff0e
\u3000the reference to the file is removed from the FAT\uff0e
ps:
so It is possible to recover files that have been emptied from the recycle bin on a windows<\/p>\n\n\n\n

a hex byte code for delete<\/strong>
the code called e5h or HEX E5 or 0xE5
the code is usually reflected as the lowercase greek letter sigma<\/p>\n\n\n\n


…<\/p>\n\n\n\n

Recycle bin name<\/strong>
$Recycle.Bin: windows vista and later
RECYCLED: windows2000,XP,NT
RECYCLER: win98 and prior
ps:
file of recycle bin is based on the user’s SID
ps:
No size limit for Recycle Bin
…<\/p>\n\n\n\n

Filename in recycle bin<\/strong>
prior to windows vista<\/strong>
name format: D< drive of file>< ..th deleted file>.< extension>
info file path: < drive of file>< real path>.< extension>
ex:
\u522a\u9664C:windowsreadme.doc,\u4e14\u525b\u597d\u662f\u7b2c8\u500b\u6a94\u6848\u88ab\u6bba\u6389
name format: Dc7.doc
info file path: C:windowsreadme.doc
in windows vista and later<\/strong>
name format: $R< ..th deleted file>.< extension>
info file path: $I< ..th deleted file>.< extension>
ex:
\u522a\u9664C:windowsreadme.doc,\u4e14\u525b\u597d\u662f\u7b2c8\u500b\u6a94\u6848\u88ab\u6bba\u6389
name format: $R7.doc
info file path: $I7.doc<\/p>\n\n\n\n

INFO2<\/strong>
A hidden file for recycle bin
\u4ee5\u4e8c\u9032\u5236\u7de8\u78bc\u5132\u5b58\u539f\u59cb\u6a94\u6848\u7684\u8def\u5f91\u548c\u6a94\u540d
the file is recreated when windows restart<\/p>\n\n\n\n


Common analysis tool for recycle:<\/strong>
Windows File Analyzer (WFA.exe)
Free Software of RedWolf Computer Forensics
Recycle-Bin

refer
http:\/\/www.mitec.cz\/wfa.html
http:\/\/redwolfcomputerforensics.com\/index.php?option=com_content&task=view&id=42&Itemid=55
http:\/\/redwolfcomputerforensics.com\/downloads\/Recycle_bin.zip
https:\/\/en.wikipedia.org\/wiki\/Trash_(computing)#Microsoft_Windows<\/p>\n\n\n\n

…………………………………………………………………………………………….<\/p>\n\n\n\n

File Recovery in Linux<\/strong><\/h2>\n\n\n\n

File is deleted:<\/strong>
in Ext2fs(Linux second extended file system)
inode internal link count reaches 0
refer
http:\/\/www.slashroot.in\/how-does-file-deletion-work-linux<\/p>\n\n\n\n


Linux\u4e0a\u7684\u8cc7\u6599\u9084\u539f<\/strong>
1.\u7576\u4e00\u500b\u7a0b\u5f0f\u9084\u5728\u57f7\u884c\u4f46\u662f\u6a94\u6848\u5df2\u7d93\u88ab\u780d\u6389\u7684\u72c0\u6cc1\u4e0b
\u53ef\u5728\/PROC\/$PID\/exe\u627e\u5230\u7a0b\u5f0f
\u53ef\u7528cp \/proc\/$PID\/exe \/tmp\/file \u5c07\u7a0b\u5f0f\u8907\u88fd\u51fa
2.\u4f7f\u7528E2undel\u5de5\u5177
refer
http:\/\/wenku.baidu.com\/view\/da7fbcd0360cba1aa811da11.html?re=view<\/p>\n\n\n\n

……………………………………………………………………………………………..<\/p>\n\n\n\n

File Recovery Tools<\/strong><\/h2>\n\n\n\n

Recovery tool for linux<\/strong>
testdisk:<\/p>\n\n\n\n

Recovery tool for win<\/strong>
recuva
recovery my files
easeus data recovery wizard
digital rescure premium
photorec:auto data recovery tool,\u4f46\u6709\u6642\u6703\u6709\u8aa4\u5224
ex:photorec_win.exe image.dd
testdisk:auto data recovery tool,
accessdata FTK imager:manually data recovery tool:
disk editor:manually data recovery tool:<\/p>\n\n\n\n

tool:Recuva<\/strong>
function inlucde:
\u3000basic scan
\u3000options\/action\/deep scan
ps
recuva don’t support recovery from image of DD
but you can using ACCESSDATA FTK function: mount image of DD as a pyshical disk<\/p>\n","protected":false},"excerpt":{"rendered":"

Recovering the Deleted Files R …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[11],"tags":[],"class_list":["post-359","post","type-post","status-publish","format-standard","hentry","category-forensics"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/359","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=359"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/359\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=359"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=359"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=359"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}