Embed Size (px)
Citation preview
Basic File Recovery Techniques
BACS 371Computer Forensics
File Recovery
The easiest type of recovery is to go to the Recycle Bin and recover the file.
Once the file is deleted form the Recycle Bin, this option is not available.
To recover these files you need to open the disk with a hex editor (like WinHex)
Some files are easily recoverable with this tool, others will need a bit of work to reconstruct the FAT chains.
Simple WinHex Recovery
Directory of disk shows 3 files.
Simple WinHex Recovery
WinHex shows that there are more files present. Notice symbols to the left of files. They indicate status and likelihood of successful recovery.
Simple WinHex Recovery
Select a file and right click. If you select “Recover/Copy”, WinHex will try to recover the file.
Result is a successful recovery!
Simple WinHex Recovery
List Clusters will print out the FAT linked-list chain. Useful for possible chain reconstruction.
WinHex Recovery
Other files are not as likely to be recoverable. Note the red X next to the file.
Recovery appeared to work, but file was corrupt and unreadable.
Advanced Deleted File Recovery
In WinHex1. Scan Disk for deleted entries2. Define cluster chain for deleted entry3. Recover cluster chain Assumptions
File entry still exists File entry pointer to first cluster is correct File data clusters are not yet overwritten
Scan Disk for Deleted Entries Deleted entries are marked with 0xE5 in the
first character position of the file/folder name
Find the Clusters Determine the Size of the deleted file
0x0000D000 (little endian!) = #Clusters = 53248/4096 = 13
Determine the Starting Cluster of the deleted file• 0x0004 (little endian!) = cluster #4
Reconstruct the Cluster Chain
Mostly 0x00 – is this OK?
Reconstructed Cluster Chain
File can now be recovered and read by program.
