Computer Forensics – Data recovery plan
1. Assignment: Proper Methods for Recovering Data
Assignment: Create a Data Recovery Plan
Learning Objectives and Outcomes
· Describe data recovery methods on a Linux machine.
Assignment Requirements
You are an employee of Azorian Computer Forensics, a privately owned forensics investigations and data recovery firm in the Denver, Colorado area.
A client has experienced a severe malware attack in which files were deleted from a file and printer server, which had not been backed up. You will assist Pat, one of Azorian’s lead investigators, in recovering the data using Scalpel. First Pat wants you to research Scalpel to understand how the tool works. Your research might be used in the next company newsletter.
For this assignment, write a report based on the following:
1. Research Scalpel on the Internet.
2. Describe the main steps and commands an investigator should take to use Scalpel to recover data.
3. Include a link and brief description of a video or short tutorial you found while conducting research on Scalpel.
4. At a high level, describe file carving in Scalpel. For this part, do not list the commands a person would run, but explain the process Scalpel takes to examine file headers and footers.
Required Resources
. Course textbook
. Internet access
Submission Requirements
Format:
Microsoft Word
Font:
Arial, 12-point, double-space
Citation Style:
Follow your school’s preferred style guide
Length:
1-2 pages
Self-Assessment Checklist
. I researched Scalpel on the Internet.
. I described the main steps and commands an investigator should take to use Scalpel to recover data.
. I included a link and brief description of a video or short tutorial I found while conducting research on Scalpel.
. At a high level, I described file carving in Scalpel.
2. Assignment: Data Recovery Plan
Assignment: Create a Data Recovery Plan
Learning Objectives and Outcomes
. Describe the general process for examining and recovering data from a hard disk.
. Create a data recovery plan for future use.
Assignment Requirements
You are an employee of DigiFirm Investigation Company. You received a call from Bill, an engineer at Skyscraper, Inc., a large commercial construction company. Bill reported that a disgruntled employee reformatted a hard disk that contained valuable blueprints for a current job. The computer is an ordinary laptop that was running Windows 7. No backup is available, and Bill wants the data to be recovered.
You can use a few built-in tools to recover deleted files from a Windows 7 operating system. There are also third-party tools that might be helpful. Before beginning any data recovery endeavor, it’s a good idea to research your options and plan your approach.
For this assignment, write a report that includes a data recovery plan outline, listing the steps to be performed in recovering the data in the order of importance.
Required Resources
. Course textbook
. Internet access
Submission Requirements
Format:
Microsoft Word
Font:
Arial, 12-point, double-space
Citation Style:
Follow your school’s preferred style guide
Length:
1-2 pages
Self-Assessment Checklist
. I researched and identified the appropriate steps for recovering data from a reformatted hard disk.
. I properly outlined each step in the data recovery process in correct order.
System Forensics, Investigation, and Response
Lesson 6
Recovering Data
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objective
Explain techniques for hiding and scrambling information as well as how data is recovered.
Key Concepts
Undeleting data
Recovering information from damaged drives
Undeleting Data
Criminals who are not very technically savvy think that deleting a file will keep authorities from discovering it
Expect that evidence will frequently be deleted from computers you examine
File Systems and Hard Drives
Hard drives store data in sectors.
Modern hard drives use Advanced Format, which has 4096-byte sectors.
A sector is an area of one of the disk platters defined by two radii. This is how the hard drive views data.
File systems look at clusters, not sectors.
A cluster can be from 1 to 128 sectors.
Sectors are contiguous on a disk and are defined by two radii on the platter.
Clusters need not consist of contiguous sectors; for example, a 10-sector cluster may have sectors from many different locations.
The formal definition has been changed from cluster to allocation unit; however, in most technical literature the term cluster is still used.
Operating Systems
Different operating systems have different file structures.
Linux distributions vary and are generally updated more frequently than Windows or Mac OS.
Current
Windows 10, 8, 7, Vista
Windows Server 2012, 2008
Legacy
Windows XP, 2000
Mac OS 8 or earlier
Mac OS 9 and 10
Windows
FAT16 and FAT32 used in pre-Windows 2000 versions
NTFS file system in use since Windows 2000
Uses a table to map files to specific clusters where they are stored on the disk
Older versions of Windows use FAT and newer versions (since Windows 2000) use NTFS file systems. In both file systems, a table is used to map files to specific clusters where they are stored on the disk. A number of tools are available to recover deleted files from Windows computers.
Storing a File in Windows (FAT/FAT32)
1. The cluster number of the next cluster for this file is recorded.
2. If this cluster is the end of a chain, then it has a special end of cluster chain (EOC) entry.
3. Bad clusters have a special entry in the file allocation table.
4. Reserved clusters have a special entry in the file allocation table.
5. Open, or available, clusters are also marked in the file allocation table.
Record cluster number for next cluster
Add EOC if at end of chain
Mark bad, reserved, open clusters
Deleting a File in Windows (FAT/FAT32)
When a file is deleted, data not removed from disk
FAT is updated to reflect clusters no longer in use
New data saved to those clusters may overwrite old information
The more recently a file was deleted, the more likely you will be able to recover the file.
Over time, it becomes more likely that clusters marked as unused have had other information saved in them.
A cluster may have been deleted and saved over several times.
Recovering a deleted file is not always an all-or-nothing procedure. It is possible to recover just a portion of a file.
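The cluster-chain and deletion behaviour described on the last few slides, as an added worked example in Python (not code from the course or from any of the tools it names). The volume is an in-memory model with made-up cluster numbers, a four-byte cluster size and constructed file contents; it follows a chain through the table, shows that deletion only rewrites the table, and reports how much of a deleted file is still intact once its clusters have been handed to a newer file:

```python
# Added example, not from the course slides: a small in-memory model of a
# FAT-style volume. It shows the chain entries the slide lists (next-cluster
# numbers, the EOC marker, bad/reserved/free entries), what deletion changes,
# and why a deleted file can be recovered only while its clusters have not
# been reused. Cluster numbers, sizes and file contents are constructed.
import math

FREE = 0x0000          # cluster available for allocation
BAD = 0xFFF7           # cluster marked bad in the table
EOC = 0xFFFF           # end-of-cluster-chain marker (FAT16 uses 0xFFF8-0xFFFF)
CLUSTER_SIZE = 4       # bytes per cluster; tiny so the example stays readable


class FatVolume:
    def __init__(self, n_clusters):
        self.fat = [FREE] * n_clusters        # one table entry per cluster
        self.fat[0] = self.fat[1] = BAD       # clusters 0 and 1 are reserved
        self.clusters = [b""] * n_clusters    # the data area
        self.directory = {}                   # name -> (first_cluster, size, deleted?)

    def _free_cluster(self):
        for c, entry in enumerate(self.fat):
            if entry == FREE:
                return c
        raise OSError("volume full")

    def write_file(self, name, data):
        first = prev = None
        for pos in range(0, len(data), CLUSTER_SIZE):
            c = self._free_cluster()
            self.fat[c] = EOC                 # new last cluster of the chain
            self.clusters[c] = data[pos:pos + CLUSTER_SIZE]
            if prev is None:
                first = c
            else:
                self.fat[prev] = c            # record the next cluster in the chain
            prev = c
        self.directory[name] = (first, len(data), False)
        return first

    def chain(self, first):
        """Follow the table from `first` until the EOC marker (or a broken link)."""
        out, c = [], first
        while c is not None and c != EOC:
            out.append(c)
            c = self.fat[c]
            if c in (FREE, BAD):              # chain no longer valid
                break
        return out

    def read_file(self, name):
        first, size, _ = self.directory[name]
        return b"".join(self.clusters[c] for c in self.chain(first))[:size]

    def delete_file(self, name):
        """Deletion only updates the table; the cluster contents stay on disk."""
        first, size, _ = self.directory[name]
        for c in self.chain(first):
            self.fat[c] = FREE
        self.directory[name] = (first, size, True)   # entry kept, flagged deleted

    def undelete(self, name):
        """Rebuild a deleted file assuming its clusters were contiguous.
        Returns (data, recovered_clusters, total_clusters); clusters that now
        belong to another file are filled with b'?'. A cluster that was reused
        and then freed again still reads as FREE but holds the newer data,
        which is why older deletions are less trustworthy than recent ones."""
        first, size, deleted = self.directory[name]
        if not deleted:
            raise ValueError(f"{name} is not deleted")
        total = math.ceil(size / CLUSTER_SIZE)
        data, recovered = b"", 0
        for c in range(first, first + total):
            if self.fat[c] == FREE:
                data += self.clusters[c]
                recovered += 1
            else:
                data += b"?" * CLUSTER_SIZE
        return data[:size], recovered, total
```

Writing a new file after the deletion reuses the lowest free clusters first, so the start of the deleted file is the part most likely to be lost; the partial result the model returns is the "portion of a file" the notes mention.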
NTFS Fundamental Files
MFT
Master File Table
Cluster bitmap
A map of all the clusters on the hard drive
Describes all files on the volume
Storing a File in Windows (NTFS)
The cluster bitmap file is an array of bit entries, where each bit indicates whether its corresponding cluster is allocated (used) or free (unused).
MFT contains one base file record for each file and directory
MFT serves same purpose as FAT
Cluster bitmap file maps all clusters on disk
Deleting Files in Windows (NTFS)
When a file is deleted, data not removed from disk
Clusters are marked as deleted and “moved” to Recycle Bin
When Recycle Bin is emptied, clusters marked as fully available
Filename in the MFT is marked with a special character that means the file has been deleted
When files are deleted from an NTFS system, the process is similar to what occurs in FAT. The main difference is that clusters are first marked as deleted, thus “moved” to the Recycle Bin. In NTFS prior to Vista, the Recycle Bin resides in a hidden directory called RECYCLER. In Vista and Windows 7, the name of the directory was changed to $recycle.bin.
Only when you empty the Recycle Bin is the cluster marked as fully available. More specifically, when a file is deleted, the filename in the MFT is marked with a special character that signifies to the computer that the file has been deleted. Just as with FAT systems, clusters in an NTFS system are more likely to be overwritten as more time elapses after deletion.
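An added example (not from the course slides) of reading an NTFS-style cluster bitmap and checking whether the clusters a deleted file occupied are still free. The bitmap bytes and the file's data run are constructed; on a real volume the bitmap is the $Bitmap metadata file and the run comes from the file's MFT record:

```python
# Added example, not from the course slides: reading an NTFS-style cluster
# bitmap, in which bit i of the byte array is 1 when cluster i is allocated
# and 0 when it is free (bit 0 of each byte is the lowest-numbered cluster),
# and using it to judge whether the clusters a deleted file occupied are
# still untouched. The bitmap bytes and the deleted file's data run are
# constructed; on a real volume they come from $Bitmap and the MFT record.

# Constructed bitmap: clusters 0-3 allocated, 4-7 free, 8 allocated, 9-15 free.
SAMPLE_BITMAP = bytes([0b00001111, 0b00000001])


def cluster_allocated(bitmap: bytes, cluster: int) -> bool:
    byte_index, bit = divmod(cluster, 8)
    if byte_index >= len(bitmap):
        raise IndexError(f"cluster {cluster} lies outside the bitmap")
    return (bitmap[byte_index] >> bit) & 1 == 1


def free_clusters(bitmap: bytes) -> list:
    return [c for c in range(len(bitmap) * 8) if not cluster_allocated(bitmap, c)]


def run_status(bitmap: bytes, start: int, length: int) -> dict:
    """Classify a data run [start, start+length) of a deleted file.
    Clusters the bitmap now shows as allocated have been handed to another
    file, so their old contents are gone; the rest may still be recoverable."""
    reused = [c for c in range(start, start + length) if cluster_allocated(bitmap, c)]
    return {"total": length, "reused": reused, "intact": not reused}


def mark(bitmap: bytes, cluster: int, allocated: bool) -> bytes:
    """Return a copy of the bitmap with one cluster's bit set or cleared,
    e.g. the clearing that happens once the Recycle Bin is emptied."""
    buf = bytearray(bitmap)
    byte_index, bit = divmod(cluster, 8)
    if allocated:
        buf[byte_index] |= 1 << bit
    else:
        buf[byte_index] &= ~(1 << bit) & 0xFF
    return bytes(buf)
```

The same check is what a recovery tool's colour coding summarises: a run with no reused clusters is the "green" case, a run with some reused clusters is partial, and a run that is mostly reallocated has very little left to recover.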
DiskDigger
Free and commercial versions
Free version recovers files one at a time
DiskDigger is an easy-to-use tool for Windows. It can be downloaded free of charge and is fully functional. But when recovering files, you have to recover them one at a time. If you pay for the commercial version, you can recover as many files at one time as you want.
DiskDigger: Main Screen
After launching the program, select the drive you want to examine.
DiskDigger: Starting Data Recovery
Choose Dig Deep or Dig Deeper. The difference is the level of recovery.
DiskDigger: Recovering an Individual File
You can select any file and recover it. On your screen the files will be in color. Green indicates that you should get the entire file back. Gray indicates a partial file. Red indicates very little of the file is left.
WinUndelete
Easy to use
Wizard-driven
WinUndelete
Courtesy of WinRecovery Software
Select the drive you want to recover.
WinUndelete
Courtesy of WinRecovery Software
Select the file types you want to recover.
WinUndelete
Courtesy of WinRecovery Software
Select a folder to place recovered files in. When WinUndelete has completed running the recovery process, you can go to that folder to see the files.
FreeUndelete
Free tool for personal use
Commercial version available
FreeUndelete is a free Windows tool for personal use. There is a fee for commercial use.
FreeUndelete
Courtesy of Recoveronix Ltd.
When you launch this program, the first screen requires you to select the drive from which you want to recover files. Then you simply click the Scan button, and any files that can be fully or partially recovered will be listed.
OSForensics
A robust forensics tool that also provides for undeletion
Undelete from a mounted image or from a live system
OSForensics Deleted Files Search
Courtesy of Recoveronix Ltd.
The Deleted Files search is on the menu on the left side of the main OSForensics screen.
OSForensics Deleted Files Results
Courtesy of Recoveronix Ltd.
The search result will be color-coded, indicating how likely it is that you can recover a given file. Some files will be so fragmented that recovery is unlikely.
Linux
File systems
ext3
ext4
Linux stores files in contiguous blocks which are normally large enough to accommodate the content, so defragmentation is not required. In rare cases, the blocks need to be extended. The exact size of these blocks depends on the parameters used with the command to create that partition. There are prepackaged tools and some built-in commands for recovering deleted files from Linux operating systems.
Storing a File in Linux
Stores files in contiguous blocks
Blocks sometimes need to be extended
Exact size of blocks depends on parameters used with the command that creates the partition
Uses inodes and soft links
Hard drives that run Linux address blocks, or integer multiples of blocks, at a time. The specific block size is stored in the superblock. The entire partition is divided into an integral number of blocks, starting at 0.
Blocks are divided into groups. Each group uses one block as a bitmap to keep track of which blocks inside that group are allocated (used); thus, there can be at most 4,096 * 8 = 32,768 normal blocks per group. Another block is used as a bitmap for the allocated inodes. Inodes are data structures of 128 bytes that are stored in a table (4,096 / 128 = 32 inodes per block) in each group.
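The block-group arithmetic above, worked as an added Python example (not from the course). It uses the slide's figures, 4,096-byte blocks and 128-byte inodes, and adds helpers that place a block number or an inode number inside its group. The inodes-per-group value used below is a constructed assumption; on a real ext volume it is read from the superblock, along with the block size:

```python
# Added example, not from the course slides: the block-group arithmetic
# given above, worked with the slide's figures (4,096-byte blocks, 128-byte
# inodes), plus helpers that place a block or an inode number inside its
# group. The inodes-per-group value is constructed for the demonstration;
# on a real ext volume it is read from the superblock, as is the block size.


def group_geometry(block_size: int, inode_size: int) -> dict:
    """How many blocks one bitmap block can track, and inodes per table block."""
    return {
        "blocks_per_group": block_size * 8,          # one bit per block
        "inodes_per_block": block_size // inode_size,
    }


def locate_block(block_no: int, block_size: int) -> dict:
    """Group containing a block and the bitmap bit that tracks it.
    Assumes block numbering starts at 0, as the notes describe."""
    group, index = divmod(block_no, block_size * 8)
    return {"group": group, "index_in_group": index,
            "bitmap_byte": index // 8, "bitmap_bit": index % 8}


def locate_inode(ino: int, block_size: int, inode_size: int,
                 inodes_per_group: int) -> dict:
    """Group, slot, inode-table block and byte offset of inode `ino`.
    ext inode numbers start at 1, so inode 1 is slot 0 of group 0."""
    if ino < 1:
        raise ValueError("inode numbers start at 1")
    inodes_per_block = block_size // inode_size
    group, index = divmod(ino - 1, inodes_per_group)
    table_block, slot = divmod(index, inodes_per_block)
    return {"group": group, "index_in_group": index,
            "table_block": table_block, "byte_offset": slot * inode_size}
```

With these, a recovery tool that has found an inode number can say which group's inode table to read and at what offset, and an examiner checking a block bitmap can say which byte and bit correspond to a given block.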
Deleting a File in Linux
Inode hard link is integral
Inode links directly to a specific file
OS keeps a count of references to each hard link
When reference count reaches zero, file is deleted
An inode can refer to a file or a folder/directory. In either case, the inode is really a link to the file. There are two basic types of links:
Hard link: An inode that links directly to a specific file. The operating system keeps a count of references to this link. When the reference count reaches zero, the file is deleted. In other words, you can have any number of names referencing a file, but if that number of references reaches zero (i.e., there is no name that references that file), then the file is deleted.
Soft link or symbolic link: Is not actually a file itself, but rather a pointer to another file or directory.
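An added example (not from the course) that exercises the reference-count rule on real files: it creates a file, a hard link and a symbolic link in a temporary directory, reads the link count the kernel reports, removes the original name and shows that the data survives through the hard link while the symbolic link is left dangling. The file names are constructed, and it needs a POSIX file system:

```python
# Added example, not from the course slides: the reference-count behaviour of
# hard links and the pointer behaviour of symbolic links, exercised on real
# files in a temporary directory so the st_nlink counts come from the kernel
# rather than from a model. File names are constructed; needs a POSIX file system.
import os
import tempfile


def link_demo() -> dict:
    """Create a file with one hard link and one symlink, then remove names
    one at a time and record what the file system reports at each step."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "evidence.txt")
        hard = os.path.join(d, "evidence-hardlink.txt")
        soft = os.path.join(d, "evidence-symlink.txt")
        with open(original, "wb") as f:
            f.write(b"forensics report\n")

        os.link(original, hard)        # a second name for the same inode
        os.symlink(original, soft)     # a pointer to the path, not to the inode

        result = {}
        result["nlink_after_link"] = os.stat(original).st_nlink       # 2 names
        result["same_inode"] = os.stat(original).st_ino == os.stat(hard).st_ino

        os.unlink(original)            # count drops to 1; the data is NOT deleted
        result["nlink_after_unlink"] = os.stat(hard).st_nlink
        with open(hard, "rb") as f:
            result["data_via_hardlink"] = f.read()
        # The symlink still exists as a name but its target path is gone.
        result["symlink_dangling"] = os.path.islink(soft) and not os.path.exists(soft)

        os.unlink(hard)                # last name removed: count 0, file deleted
        result["inode_gone"] = not os.path.exists(hard)
        return result


if __name__ == "__main__":
    for key, value in link_demo().items():
        print(f"{key}: {value!r}")
```

The point for an examiner is that removing a file name with rm is an unlink, not a wipe: as long as another hard link exists the content is reachable by name, and once the last link goes the blocks are merely freed, which is what the recovery methods on the next slides rely on.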
Recovering a File in Linux
Move system to single-user mode with init 1 command
Use grep to search for and recover files
Example:
# grep -i -a -B10 -A100 'forensics' /dev/sda2 > file.txt
Manual Recovery: Deleted files can be manually recovered using Linux commands without external tools. Unfortunately, there are variations between the Linux distributions, so there is no guarantee that this process will work on your specific Linux installation.
The first step is to move the system to single-user mode. If this is a network system, notify network users first with the wall command, which sends messages to all logged-in users. Then, you can move to single-user mode, using the init command: init 1.
The Linux/UNIX command grep can be used to search for files, contents of files, and just about anything you may want to search for. Grep is very flexible and quite popular with Linux users. For example: grep -b 'search-text' /dev/partition > file.txt will search for 'search-text' in a given partition and output the results to file.txt. You can also use this syntax: grep -a -B[size before] -A[size after] 'text' /dev/[your_partition] > file.txt.
To recover a text file starting with the word forensics on /dev/sda2, you can try the following command:
# grep -i -a -B10 -A100 'forensics' /dev/sda2 > file.txt
In this case, grep is searching for this phrase, ignoring case, looking through binary files, and essentially looking to find the text, even if the file has been deleted.
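The grep-based search above, reimplemented as an added Python example (not from the course) so that the mechanics can be seen on constructed data: it treats the input as binary, ignores case, reports the byte offset at which each matching line starts and returns a window of lines before and after the hit. SAMPLE_IMAGE is a constructed stand-in for /dev/sda2; in practice the search is run over a forensic image copy of the partition rather than the live device:

```python
# Added example, not from the course slides: the grep search above expressed
# in Python over a raw image so that the mechanics can be seen on constructed
# data. It treats the input as binary (grep -a), matches without regard to
# case (grep -i), reports the byte offset at which each matching line starts
# (grep -b) and returns a window of lines before and after the hit
# (grep -B/-A). SAMPLE_IMAGE stands in for /dev/sda2.

SAMPLE_IMAGE = (
    b"\x00" * 16 + b"unrelated data\n"
    + b"\x00\xff" * 8 + b"Forensics report: recovered blueprint index\n"
    + b"line 2\nline 3\n"
    + b"\x00" * 32 + b"end of sample"
)


def search_image(data: bytes, needle: bytes, before: int = 2, after: int = 2,
                 ignore_case: bool = True) -> list:
    """Return [{'offset': <line start>, 'line': <line>, 'context': <bytes>}]."""
    lines = data.split(b"\n")
    starts, pos = [], 0
    for line in lines:                 # byte offset of each line's first byte
        starts.append(pos)
        pos += len(line) + 1
    key = needle.lower() if ignore_case else needle
    hits = []
    for i, line in enumerate(lines):
        hay = line.lower() if ignore_case else line
        if key in hay:
            lo, hi = max(0, i - before), min(len(lines), i + after + 1)
            hits.append({"offset": starts[i], "line": line,
                         "context": b"\n".join(lines[lo:hi])})
    return hits


def search_file(path: str, needle: bytes, **kwargs) -> list:
    """Same search over a file on disk (an image copy, or a block device
    opened read-only); the whole file is read into memory for simplicity."""
    with open(path, "rb") as f:
        return search_image(f.read(), needle, **kwargs)
```

The offset is what lets you go back to the image with a hex editor and inspect the surrounding bytes; the context window is the equivalent of the -B10 -A100 in the slide's command, and on a real partition it is usually worth widening -A until the recovered text stops making sense.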
extundelete
Works with both ext3 and ext4 partitions in Linux
Uses shell commands
Example: To restore all deleted files from the sda1 partition:
extundelete /dev/sda1 --restore-all
Scalpel
Works with Linux and Mac OS
Possible to compile source code to work in Windows
Scalpel (Cont.)
Install
Verify output directory is empty
Edit config file
Run scalpel command
Scalpel (Cont.)
Install the tool.
In the configuration file /etc/scalpel/scalpel.conf, uncomment the specific file format you want to recover.
Run the following command:
sudo scalpel [device/directory/file name] -o [output directory]
Before running Scalpel, make sure the output directory in which you want to store recovered files is empty to avoid errors.
The configuration file is /etc/scalpel/scalpel.conf. You will find that everything has been commented out—uncomment the specific file format that you want to recover. For example, if you want to recover deleted Zip files, then you need to uncomment the .zip file section in scalpel.conf.
Macintosh
Macintosh OS X and later versions are based on FreeBSD
A UNIX clone, much like Linux
Mac OS X uses HFS+, or Hierarchical File System Plus
Earlier versions of Macintosh used HFS
Macintosh OS X and later versions are based on FreeBSD, which is a UNIX clone, much like Linux. Therefore, some of the techniques that work for Linux also work with Macintosh. However, there are also some tools you can use that are made specifically for Macintosh.
MacKeeper
Recovers deleted files on Macintosh computers
Free, fully functional trial version available
MacKeeper
Once you download and install this tool, you can recover files in a few easy steps:
Open the Files Recovery tool.
Select the volume where your lost files were and start the scan.
Select Undelete.
Open Files Recovery tool
Select volume
Select Undelete
Recovering Information from Damaged Media
Step 1: Remove the drive from the system on which it is installed and connect it to a test system. Make the connection without installing the drive but only connecting the data and power cables.
Step 2: Boot the test system from its own internal drive. Listen to the failed drive to determine whether the internal disks are spinning. A spinning disk generally means the disk has not experienced a catastrophic failure and the data can usually be recovered.
Step 3: Determine whether the failed drive is recognized and can be installed as an additional disk on the test system. If the drive installs, copy all directories and files to a hard drive on the test system. If a drive fails on one system but installs on another, the drive may be usable. The drive may have failed because of a power supply failure, corruption of the operating system, malicious software, or some other reason. If you can operate the drive, run a virus check on the recovered data and test for directory and file integrity.
Remove drive/connect to test system
Boot test system
Copy files from drive to test system
Recovering Information from Damaged Media (Cont.)
Step 4: If the hard drive is not spinning or the test system does not recognize it, perform limited repair. You may be able to get the hard drive to start and it may be recognized by the test system. If you can repair the drive, use specialized software to image all data bits from the failed drive to a recovery drive. Use the extracted raw image to reconstruct usable data. Try open source tools such as dcfldd to recover all data except for data in physically damaged sectors.
Step 5: If necessary, send the device to data recovery specialists who may be able to apply extraordinary recovery techniques.
Remove drive/connect to test system
Boot test system
Drive not recognized?
Perform repair
Image drive content
Attempting Local Repair
It is possible that the data is deemed “lost,” and there will be no increased loss if you attempt local repair and fail. If so, you can try the following:
a. Remove the printed circuit board and replace it with a matching circuit board from a known healthy drive.
b. Change the read/write head assembly with matching parts from a known healthy drive.
c. Remove the hard disk platters from the original drive and install them into a known healthy drive.
Replace printed circuit board
Replace read/write head assembly
Transfer disk platters to healthy drive
Recovering After Logical Damage
Logical damage
May prevent host operating system from mounting or using the file system
May cause system crashes and data loss
May be caused by power outages, or turning off a machine while it is booting or shutting down
Recovering After Logical Damage (Cont.)
Microsoft Windows: chkdsk
Linux: fsck
Mac OS X: Disk Utility
The Sleuth Kit
TestDisk
Preventing Logical Damage
Journaling file systems
Use a consistency checker
Use disk controllers with battery backups
Consistency Checking
Involves scanning a disk’s logical structure to ensure that it is consistent with its specification
Verifies that dot (.) and dot-dot (..) entries point to correct directories
Checkers include chkdsk and fsck
Consistency checking involves scanning a disk’s logical structure to ensure that it is consistent with its specification.
In most file systems, a directory must have at least two entries: a dot (.) entry that points to itself and a dot-dot (..) entry that points to its parent. A file system repair program reads each directory to ensure that these entries exist and point to the correct directories. If they do not, the program displays an error message, and you can correct the problem.
Both chkdsk and fsck work in this fashion.
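The dot and dot-dot rule above, as an added example (not from the course, and not how chkdsk or fsck are implemented). Directories are modelled as a dict of inode number to entries; the checker reconstructs each directory's expected parent from the tree and reports any "." or ".." entry that disagrees, and a repair helper rewrites the entries the way a repair program would offer to. The trees are constructed:

```python
# Added example, not from the course slides and not the implementation used
# by chkdsk or fsck: a checker for the dot and dot-dot rule. A directory tree
# is modelled as {inode: {name: inode}}; the expected parent of each directory
# is rebuilt from the tree itself and compared with what '.' and '..' say.
# All trees used with it are constructed.


def _expected_parents(dirs: dict, root: int) -> dict:
    parent = {root: root}                     # the root's '..' points to itself
    for ino, entries in dirs.items():
        for name, target in entries.items():
            if name not in (".", "..") and target in dirs:
                parent[target] = ino          # target is a subdirectory of ino
    return parent


def check_dot_entries(dirs: dict, root: int) -> list:
    """Return (inode, message) pairs; an empty list means the tree is consistent."""
    parent = _expected_parents(dirs, root)
    problems = []
    for ino, entries in dirs.items():
        if entries.get(".") != ino:
            problems.append((ino, f"'.' points to {entries.get('.')}, expected {ino}"))
        if ".." not in entries:
            problems.append((ino, "'..' entry missing"))
        elif ino not in parent:
            problems.append((ino, "directory is not referenced by any parent"))
        elif entries[".."] != parent[ino]:
            problems.append((ino, f"'..' points to {entries['..']}, expected {parent[ino]}"))
    return problems


def repair_dot_entries(dirs: dict, root: int) -> int:
    """Rewrite '.' and '..' from the tree structure; returns the number of
    entries changed. Orphan directories, which have no parent to point at,
    are left for the examiner to decide about."""
    parent = _expected_parents(dirs, root)
    fixes = 0
    for ino, entries in dirs.items():
        if entries.get(".") != ino:
            entries["."] = ino
            fixes += 1
        if ino in parent and entries.get("..") != parent[ino]:
            entries[".."] = parent[ino]
            fixes += 1
    return fixes
```

The orphan case is deliberately not auto-repaired: a directory nobody references is exactly the "out of place" item the next slide warns that chkdsk may simply delete, so the checker reports it and leaves the decision to the examiner.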
Consistency Checking Problems
Consistency checking problems:
A consistency check can fail if the file system is highly damaged. The repair program may crash, or it may believe the drive has an invalid file system.
The chkdsk utility might automatically delete data files if the files are out of place or unexplainable. The utility does this to ensure that the operating system can run properly. However, the deleted files may be important and irreplaceable user files.
The same type of problem occurs with system restore disks that restore the operating system by removing the previous installation. Avoid this problem by installing the operating system on a separate partition from the user data.
Can fail if file system is highly damaged
Chkdsk utility might delete files that are out of place or unexplainable
Zero-Knowledge Analysis
Few assumptions made about state of the file system
With zero-knowledge analysis, few assumptions are made about the state of the file system. The file system is rebuilt from scratch using knowledge of an undamaged file system structure. In this process, scan the drive of the affected computer noting all file system structures and possible file boundaries. Then match the results to the specifications of a working file system.
Zero-knowledge analysis is usually much slower than consistency checking. You can use it, however, to recover data even when the logical structures are almost completely destroyed. This technique generally does not repair the damaged file system but allows you to extract the data to another storage device.
Scan drive
Match results to specs
File Carving
Can use file carving on a file that’s only partially recovered
Works on any file system
Is often used to recover data from a disk where there has been some damage or where the file itself is corrupt
File carving utilities look for file headers and/or footers, and then pull out the data found between the two boundaries
One popular file carving tool is Scalpel
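The header/footer process described on this slide (and the boundary-scanning step of zero-knowledge analysis), together with the scalpel.conf rule layout from the Scalpel slides, as an added example in Python. This is not Scalpel's own code: it reads rules written in Scalpel's column order (extension, case-sensitivity flag, maximum size, header, optional footer), carves every header-to-footer span out of a raw image, refuses a non-empty output directory as Scalpel does, and does not implement Scalpel's "?" wildcards or REVERSE footers. The rule lines and the image bytes are constructed:

```python
# Added example, not Scalpel's own code: a minimal header/footer carver that
# reads rules laid out like scalpel.conf entries (extension, case-sensitivity
# flag, maximum size, header, optional footer) and carves matching byte
# ranges out of a raw image. Like Scalpel it refuses a non-empty output
# directory. Scalpel's '?' wildcards and REVERSE footer search are not
# implemented. The rule lines and the image bytes are constructed.
import os
import re

CONF_LINES = """
# extension  case  max_size  header  footer
jpg  y  200000  \\xff\\xd8\\xff\\xe0  \\xff\\xd9
zip  y  100000  PK\\x03\\x04  \\x3c\\xac
txt  n  64  BEGIN-NOTE  END-NOTE
"""

SAMPLE_IMAGE = (
    b"\x00" * 8
    + b"\xff\xd8\xff\xe0" + b"JFIF-DATA" + b"\xff\xd9"
    + b"\x00" * 4
    + b"begin-note deleted memo end-note"
    + b"\x00" * 4
    + b"PK\x03\x04" + b"zip-without-footer"
)


def _unescape(token: str) -> bytes:
    """Turn scalpel-style backslash-x-NN escapes into bytes; other characters are literal."""
    out, i = bytearray(), 0
    while i < len(token):
        if token[i:i + 2] == "\\x" and i + 4 <= len(token):
            out.append(int(token[i + 2:i + 4], 16))
            i += 4
        else:
            out.append(ord(token[i]))
            i += 1
    return bytes(out)


def parse_conf(text: str) -> list:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append({"ext": parts[0], "case_sensitive": parts[1].lower() == "y",
                      "max_size": int(parts[2]), "header": _unescape(parts[3]),
                      "footer": _unescape(parts[4]) if len(parts) > 4 else None})
    return rules


def _find_all(hay: bytes, needle: bytes, case_sensitive: bool) -> list:
    flags = 0 if case_sensitive else re.IGNORECASE
    return [m.start() for m in re.finditer(re.escape(needle), hay, flags)]


def carve(image: bytes, rules: list) -> list:
    """Every header hit starts a candidate; it ends at the first footer found
    within max_size bytes, or after max_size bytes if no footer turns up."""
    found = []
    for r in rules:
        for start in _find_all(image, r["header"], r["case_sensitive"]):
            window = image[start:start + r["max_size"]]
            end = len(window)
            if r["footer"] is not None:
                after_header = window[len(r["header"]):]
                hit = _find_all(after_header, r["footer"], r["case_sensitive"])
                if hit:
                    end = len(r["header"]) + hit[0] + len(r["footer"])
            found.append({"ext": r["ext"], "offset": start, "data": window[:end]})
    return found


def carve_to_dir(image: bytes, rules: list, outdir: str) -> list:
    """Write carved objects as <offset>.<ext>; insist on an empty output dir."""
    if os.path.isdir(outdir) and os.listdir(outdir):
        raise FileExistsError(f"output directory {outdir} is not empty")
    os.makedirs(outdir, exist_ok=True)
    names = []
    for item in carve(image, rules):
        name = f"{item['offset']:08d}.{item['ext']}"
        with open(os.path.join(outdir, name), "wb") as f:
            f.write(item["data"])
        names.append(name)
    return names
```

Because carving ignores the file system entirely, it works on any file system and on a damaged one, but it also explains the limits: a fragmented file yields only its first fragment, a header with no footer in range produces a fixed-size chunk that may contain unrelated data, and each recovered object is named by its offset rather than by its original file name.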
Summary
Undeleting data
Recovering information from damaged drives