recovered files - Digital forensics

Chapter08.pptx

Chapter 8

Finding Lost Files


Old Files Never Die

Deleting a file doesn’t erase data

Even a wiped file may leave behind artifacts

Remnants of old files may remain in slack space or unallocated space

Temporary files may still exist or be recoverable

Some files aren’t deleted, but rather intentionally hidden

OS File Recovery

Deleting a file sends it to the “Trash” or “Recycle Bin”

File is simply renamed and moved to a hidden folder

Deleting the file from the Recycle Bin marks the space used by the file as available (but does not erase the data)

Using a WIPE utility overwrites the data on the medium with random characters

What is Slack Space?

Hard disks are divided into clusters of 4 to 32 KB

If a file does not fill a cluster, the remainder of the cluster is neither overwritten nor made available to other files

Slack space also exists between partitions on a physical disk

Utilities such as Slacker can harness all this space into a usable file system

What is Unallocated Space?

When a disk is formatted, each cluster is identified and mapped

When a file is created or copied to the system, the file system marks the clusters it occupies as “allocated”

When a file is removed from the Recycle Bin, the clusters aren’t erased, but merely marked as “unallocated”

Unallocated space can hold a lot of data

Recovering Deleted Files

Specialized utilities read the file system metadata and identify clusters where files once lived

If the space has not been overwritten, the files can be recovered intact

Mark space as allocated

Give the file a new name

Disk editing utilities allow the residual data from partially overwritten files to be copied to a new file

Data Carving

Files in unallocated space can be retrieved by “data carving”

All bits stored on the medium beginning with a file header and going through to an end of file marker are copied to a new file

Few utilities can salvage files stored on noncontiguous clusters
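A minimal header-to-footer carver of the kind the slide describes, added here as an example (not code from the slides or from Foremost/Scalpel). The byte buffer standing in for unallocated space, the two signatures and the sample files are constructed for the demo; like the simple tools mentioned above it assumes each file is stored contiguously, and it shows the header-without-footer case being skipped rather than over-carved.

```python
# Constructed signatures: (header, footer) byte patterns for two common types.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),              # SOI ... EOI
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),   # PNG magic ... IEND chunk
}

# Constructed stand-in for unallocated space: zero filler around one intact
# JPEG, one JPEG fragment whose footer was overwritten, and one intact PNG.
FILLER = b"\x00" * 64
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF-body-1" + b"\xff\xd9"
ORPHAN_JPEG = b"\xff\xd8\xff\xe1" + b"header-only fragment"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"IHDR..." + b"IEND\xaeB`\x82"
UNALLOCATED = FILLER + SAMPLE_JPEG + FILLER + ORPHAN_JPEG + FILLER + SAMPLE_PNG + FILLER


def carve(image: bytes, signatures=SIGNATURES, max_len=10_000_000):
    """Scan raw bytes for header..footer runs and return them as
    (type, offset, data) tuples sorted by offset.

    Every byte from the header through the end-of-file marker is copied out,
    exactly as the slide describes. A header with no footer within max_len
    bytes is treated as an unrecoverable fragment and skipped, which avoids
    gluing it to the next file's footer (a classic false-positive in naive
    carving). Files scattered over non-contiguous clusters are not reassembled.
    """
    found = []
    for ftype, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            end = image.find(footer, start + len(header), start + max_len)
            if end == -1:
                pos = start + 1          # fragment: keep scanning past it
                continue
            end += len(footer)
            found.append((ftype, start, image[start:end]))
            pos = end                    # resume after the carved file
    return sorted(found, key=lambda f: f[1])


if __name__ == "__main__":
    for ftype, offset, data in carve(UNALLOCATED):
        print(f"{ftype} at offset {offset}, {len(data)} bytes")
```

Against a real disk image you would pass the contents of the unallocated region (for example a raw dd image) as `image` and write each recovered `data` blob to a new file.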

Data Carving Tools

Carver

Foremost

Scalpel