recovered files - Digital forensics
Chapter 8
Finding Lost Files
Old Files Never Die
Deleting a file doesn’t erase data
Even a wiped file may leave behind artifacts: copies in temp, swap or hibernation files, file system journal entries, Volume Shadow Copies, and metadata such as the name and timestamps
Remnants of old files may remain in slack space or unallocated space
Temporary files may still exist or be recoverable
Some files aren’t deleted, but rather intentionally hidden
OS File Recovery
Deleting a file normally sends it to the "Trash" or "Recycle Bin" (Shift+Delete and most command-line deletes bypass it)
The file is simply renamed and moved to a hidden folder; on Windows Vista and later it becomes $R<random> under \$Recycle.Bin\<user SID>\, with a matching $I<random> file holding the original path and deletion time
Emptying the Recycle Bin marks the clusters used by the file as available in the file system's allocation structures, but does not erase the data
A WIPE utility overwrites the file's clusters with zeros or random bytes (often in several passes) before releasing them; on SSDs, wear levelling and spare blocks mean an overwrite cannot be assumed to reach every copy
What is Slack Space?
File systems allocate disk space in clusters (allocation units), commonly 4 KB but anywhere from 512 bytes to 64 KB depending on the file system and volume size
If a file does not fill its last cluster, the remainder ("file slack") is neither overwritten nor available to other files: the OS zero-pads only to the next sector boundary, so the leftover sectors keep whatever was written there earlier
Slack space also exists between partitions and in the unused tail of a volume on a physical disk
Anti-forensic utilities such as Slacker (from the Metasploit Anti-Forensics Project) deliberately hide data in file slack, where file listings and hashes of the logical files never see it
What is Unallocated Space?
When a volume is formatted, the file system builds an allocation structure (the FAT, or the $Bitmap file on NTFS) that tracks every cluster
When a file is created or copied to the volume, the file system marks the clusters it occupies as "allocated"
When a file is removed from the Recycle Bin, the clusters aren't erased, but merely marked as "unallocated" (on NTFS the MFT record's in-use flag is cleared; on FAT the first byte of the directory entry becomes 0xE5)
Unallocated space can hold a lot of data, and it keeps that data until the clusters are reused
Recovering Deleted Files
Specialized utilities read the file system metadata (deleted MFT records or 0xE5 directory entries) and identify the clusters where files once lived
If those clusters have not been reused, the file can be recovered intact, either by copying the data out or by undeleting it in place:
  Mark the clusters as allocated again
  Give the file a new name (on FAT the first character of the original name is lost)
Before trusting a recovered file, check that none of its clusters is now allocated to another file, and work from a write-blocked image so that recovery itself does not overwrite unallocated space
Disk editing utilities allow the residual data from partially overwritten files to be copied to a new file
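The slack, unallocated-space and undelete behaviour described above, as an added example that is not part of the original deck and not real NTFS or FAT code: a toy cluster-addressed volume with a bitmap and directory entries. The sector and cluster sizes, the 0xAA "stale" fill standing in for earlier contents of the medium, and the first-fit allocator are assumptions made for the demonstration.

```python
"""Toy cluster-addressed volume (constructed example, not real NTFS/FAT code).

Shows file slack left in the last cluster, clusters becoming "unallocated"
on delete with the data untouched, and a metadata-based undelete that
refuses to proceed once a cluster has been reallocated.
"""

SECTOR = 512      # assumed sector size
CLUSTER = 4096    # assumed cluster size (8 sectors; NTFS default)


class ToyVolume:
    def __init__(self, clusters):
        # Pretend the medium was used before: a stale fill pattern (constructed)
        # so that older contents are visible in slack and unallocated space.
        self.disk = bytearray(b"\xAA" * (clusters * CLUSTER))
        self.bitmap = [False] * clusters      # True = cluster allocated
        self.entries = {}                     # name -> directory entry dict

    def _free_run(self, n):
        """First run of n consecutive free clusters (first-fit allocation)."""
        for start in range(len(self.bitmap) - n + 1):
            if not any(self.bitmap[start:start + n]):
                return start
        raise OSError("volume full")

    def write(self, name, data):
        n = -(-len(data) // CLUSTER)          # clusters needed (ceiling division)
        start = self._free_run(n)
        off = start * CLUSTER
        self.disk[off:off + len(data)] = data
        # Like a real OS, zero-pad only to the end of the last sector written;
        # the remaining sectors of the cluster are never touched.
        pad = (-len(data)) % SECTOR
        self.disk[off + len(data):off + len(data) + pad] = bytes(pad)
        for c in range(start, start + n):
            self.bitmap[c] = True
        self.entries[name] = {"start": start, "n": n, "size": len(data), "deleted": False}

    def slack(self, name):
        """Bytes between the logical end of file and the end of its last cluster."""
        e = self.entries[name]
        lo = e["start"] * CLUSTER + e["size"]
        hi = (e["start"] + e["n"]) * CLUSTER
        return bytes(self.disk[lo:hi])

    def delete(self, name):
        """Emptying the Recycle Bin: clear the bitmap bits, leave the data alone."""
        e = self.entries[name]
        for c in range(e["start"], e["start"] + e["n"]):
            self.bitmap[c] = False
        e["deleted"] = True

    def unallocated_bytes(self):
        return self.bitmap.count(False) * CLUSTER

    def recover(self, name):
        """Metadata-based undelete. Returns the data, or None if the file is not
        deleted or any of its clusters has since been reallocated."""
        e = self.entries[name]
        clusters = range(e["start"], e["start"] + e["n"])
        if not e["deleted"] or any(self.bitmap[c] for c in clusters):
            return None
        for c in clusters:
            self.bitmap[c] = True
        e["deleted"] = False
        off = e["start"] * CLUSTER
        return bytes(self.disk[off:off + e["size"]])


def demo():
    vol = ToyVolume(clusters=8)
    vol.write("report.txt", b"R" * 5000)            # constructed 5000-byte file, 2 clusters
    slack = vol.slack("report.txt")                  # 8192 - 5000 = 3192 bytes of slack
    vol.delete("report.txt")
    free_after_delete = vol.unallocated_bytes()      # whole volume free again
    recovered = vol.recover("report.txt")            # clusters untouched: intact
    vol.delete("report.txt")
    vol.write("new.bin", b"N" * CLUSTER)             # first fit reuses cluster 0
    return {
        "slack_len": len(slack),
        "zero_pad": slack.count(0),                  # sector padding written by the OS
        "stale": slack.count(0xAA),                  # older data still visible in slack
        "free_after_delete": free_after_delete,
        "recovered_ok": recovered == b"R" * 5000,
        "after_reuse": vol.recover("report.txt"),   # None: cluster 0 now overwritten
    }


if __name__ == "__main__":
    print(demo())
```

The 120 zero bytes at the start of the slack are the OS padding the last 512-byte sector; the remaining six sectors of the cluster still show the earlier 0xAA contents, which is exactly what a forensic tool reports as file slack.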
Data Carving
Files in unallocated space whose metadata is gone can still be retrieved by "data carving"
The carver scans the raw medium for a known file header (magic bytes), then copies everything from that header through the matching end-of-file marker (or up to a maximum size when no footer is found) into a new file
Most carvers assume a file is contiguous: a file whose clusters were fragmented comes out with foreign data in the middle, and few utilities can reassemble noncontiguous clusters
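The header/footer carving loop just described, as an added example (not from the original deck and not the code of Foremost or Scalpel): a signature carver run over a constructed 16 KiB buffer standing in for unallocated space. The planted files, the signature list and the 64 KiB cap are assumptions; the buffer also contains a fragmented JPEG and a truncated one so that both failure modes mentioned above show up in the output.

```python
"""Signature-based file carver (added example; constructed sample data, not a
real disk image). Carves from each header to its footer, assuming the file is
contiguous, and falls back to a size cap when the footer is never found."""

# (extension, header magic, footer magic); values are assumptions for the demo.
SIGNATURES = [
    ("jpg", b"\xFF\xD8\xFF", b"\xFF\xD9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
]
MAX_SIZE = 64 * 1024   # assumed cap for a file whose footer is never found


def carve(image, signatures=SIGNATURES, max_size=MAX_SIZE):
    """Return [(ext, start, end, complete)] for every header found, sorted by offset.

    Bytes are copied from header through footer, so a file whose clusters were
    not contiguous is carved with whatever lay between them. Real carvers also
    need to skip footers inside embedded objects (e.g. an EXIF thumbnail)."""
    found = []
    for ext, header, footer in signatures:
        pos = 0
        while (start := image.find(header, pos)) != -1:
            limit = min(len(image), start + max_size)
            end = image.find(footer, start + len(header), limit)
            if end == -1:
                # No footer within the cap: emit a truncated carve rather than nothing.
                found.append((ext, start, limit, False))
                pos = start + len(header)
            else:
                end += len(footer)
                found.append((ext, start, end, True))
                pos = end
    return sorted(found, key=lambda hit: hit[1])


def extract(image, hit):
    """Bytes of one carved hit, ready to be written to a new file."""
    ext, start, end, _complete = hit
    return bytes(image[start:end])


def build_sample_image():
    """Constructed 16 KiB of 'unallocated space' with four planted JPEG/PNG files."""
    img = bytearray(16 * 1024)                                    # zeroed filler
    jpg = b"\xFF\xD8\xFF\xE0" + b"J" * 200 + b"\xFF\xD9"          # intact fake JPEG, 206 bytes
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 300 + b"IEND\xaeB`\x82"   # intact fake PNG, 316 bytes
    frag_a = b"\xFF\xD8\xFF\xE0" + b"F" * 100                     # first half of a fragmented JPEG
    frag_b = b"F" * 100 + b"\xFF\xD9"                             # second half, stored later on
    truncated = b"\xFF\xD8\xFF\xE1" + b"T" * 100                  # JPEG whose tail was overwritten
    img[1000:1000 + len(jpg)] = jpg
    img[5000:5000 + len(png)] = png
    img[9000:9000 + len(frag_a)] = frag_a
    img[9000 + len(frag_a):11000] = b"X" * (11000 - 9000 - len(frag_a))  # unrelated data in between
    img[11000:11000 + len(frag_b)] = frag_b
    img[15000:15000 + len(truncated)] = truncated
    return img


if __name__ == "__main__":
    image = build_sample_image()
    for hit in carve(image):
        ext, start, end, complete = hit
        print(f"{ext} @ {start}: {end - start} bytes, complete={complete}")
```

The intact JPEG and PNG carve cleanly. The fragmented JPEG is reported as "complete" because a footer was found, yet the 2102-byte result contains the 1896 unrelated bytes that sat between its two halves, which is why carved files must be validated (opened, parsed, hashed against known-good copies) rather than trusted on the strength of a matching header and footer. The truncated JPEG has no footer, so the carver stops at the cap or the end of the image and flags it as incomplete.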
Data Carving Tools
Carver
Foremost
Scalpel