Digital Forensics

Digital Forensics, Part 3: Recovering Deleted Files

In the first two parts of this series, we captured a forensically sound image of the hard drive or other storage device and an image of the RAM. In this tutorial, we will recover any files deleted by the suspect.

Digital forensics is the practice of collecting, analyzing, and presenting digital evidence in a court of law. One important aspect of digital forensics is the recovery of deleted files.

When a file is deleted from a computer or other digital device, it is not actually erased the contents of the file from the device’s memory. Instead, the operating system simply marks the space that the file occupies as available for use, and the file remains on the device until it is overwritten by new data.

This means that deleted files can often be recovered, at least for a period of time. The chances of successfully recovering a deleted file depend on a number of factors, including the type of device, the operating system being used, and the amount of time that has passed since the file was deleted.

There are a number of tools and techniques that can be used for the recovery of deleted files. These can include specialized software that is designed to search for and recover deleted files, as well as hardware tools that can be used to physically access the device’s memory and recover data from it.

One of the key challenges of recovering deleted files is the risk of overwriting the data that is being sought. Every time new data is added to a device, there is a risk that it will overwrite the space that is occupied by the deleted file, making it impossible to recover. This is why it is important to stop using a device as soon as possible after a file has been deleted, to minimize the risk of overwriting.

Another challenge of recovering deleted files is that the process can be time-consuming and resource-intensive. It may be necessary to search through large amounts of data in order to find the deleted file, and the process of recovering the file itself can also be complex and technical.

Despite these challenges, the recovery of deleted files can be an important part of digital forensics, as it can provide valuable evidence in criminal and civil cases. By using specialized tools and techniques, forensic investigators can often recover deleted files and present them as evidence in court.

Among the most fundamental skills necessary for a forensic investigator, recovering deleted files is probably the most basic. As you know, files that are “deleted” remain on the storage medium until overwritten. Deleting these file simply makes the cluster available to be overwritten. This means that if the suspect deleted evidence files, until they are overwritten by the file system, they remain available to us to recover.

In this lab, we will be using the open-source The Sleuth Kit (TSK) for identifying and recovering deleted files. The Sleuth Kit was first developed for Linux, but has now been ported for Windows, so we will be using it with our Windows examination system. A GUI interface was developed for TSK named Autopsy that we will be using in this tutorial.

Install it on your system.

After installing Autopsy then starting it, you will be greeted with a screen similar to the above.

Click “Create New Case“.

When you do, you will be greeted by a new window asking you to name your new case and what directory you want to place your cases. Enter “New Case 101” and put it in the base directory of C:\Cases.

Now, hit Next.

This will open another window asking you for a case number and the examiner name. Give it a case number of 101 and your name or initials for the examiner.

Click “Finish“.

Next, click on “Add New Data in the upper left corner. When you do, a “Add Data Source” window will open. Since we will be using the image file created in the previous module, select “Image File” and then Browse for the image file you created in Module 1. I saved mine in a directory c:\forensic images. Yours may be different.

Now, add our first.image.dd.001 image from the first tutorial in this series.

After adding the image click next and Autopsy will begin to do its analysis of the image. Eventually, you will greeted by a screen like that below.

Click “Finish“.

Now, you should see an interface like that below. Note that your “firstimage.dd.001” should appear as your data source.

If we expand the “File Types” in the object explorer, Autopsy will display all the file types and the number of files in each category. Below you can see I clicked on the “Images” file type and Autopsy will display all the Image files.

A little further below in the object explorer, we can see a File Type named “Deleted Files”. When we click on it will display all the deleted files.

When we click on a deleted file, we can do some analysis in the lower right window. There you will see tabs labeled, Hex, Strings, File Metadata, Results and Indexed Text. In this case, click on the “File Metadata ” tab and it will display the file’s metadata including the name, type, size, modified, accessed and created (MAC).

Now, to recover the deleted file,right click on the deleted file and select “Export”. This will open a window like that below.

Go ahead and save the deleted file into the Export sub-directory.

To find the exported/deleted file, navigate to;

C:\Cases\New Case 101\Export

You can now double click on that file to open it in the appropriate application.

Conclusion

Suspects will often attempt to cover their tracks by deleting key evidence files. We know as a forensic investigator that until those files are overwritten by the file system they can be recovered. With tools such as Autopsy and nearly every other forensic suite (Encase, ProDiscover, FTK, Oxygen, etc.) recovery of these deleted files is trivial.