In this chapter, we will cover the following recipes:
- NTFS analysis with The Sleuth Kit
- Undeleting files from NTFS with Autopsy
- Undeleting files from ReFS with ReclaiMe File Recovery
- File carving with PhotoRec
As mentioned in the introductory section, Windows machines run on NTFS (New Technology File System).
Using the tools that we will discuss in this chapter, you will be able to uncover information not only about the files, but also about the layout of the disk itself, including deleted files and unallocated space. This can be of the utmost importance in a forensic investigation, particularly in cases where a user may have tried to cover up their actions using anti-forensic methods.
Some tools allow you to undelete files as well, thus restoring them, in whole or in part, to how they looked before they were deleted. This does, of course, depend on the extent to which a file has been overwritten; however, it can be a useful way to find out about things a suspect doesn't want you to see.
In cases where the metadata about the files has been deleted, file carving is employed...
The Sleuth Kit is a collection of command-line tools (and also a library) for the forensic analysis of drive images. These tools can help you with analysis of both volume and file system data (in a non-intrusive fashion, of course). It's cross-platform, so you can use any operating system you like to work with this toolkit. It supports both RAW and E01 images, so you can use any image that you acquired while following the previous recipes. This collection of tools will be very useful in your future digital forensic examinations: it supports a wide range of file systems, including NTFS, FAT, ExFAT, EXT2, EXT3, EXT4, HFS, and so on.
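The layout information described above (sector and cluster size, where the $MFT lives, volume size) all starts from the NTFS boot sector, which is what a tool such as fsstat reads first. The following Python is an added example, not code from the book or from The Sleuth Kit: it decodes the BIOS parameter block of a constructed NTFS boot sector and refuses to decode anything that does not carry the NTFS OEM ID and the 0x55AA signature. The sample sector values and the function names are assumptions made for this example.

```python
import struct

NTFS_OEM_ID = b"NTFS    "  # 8 bytes at offset 0x03 of the boot sector


def build_sample_boot_sector() -> bytes:
    """Constructed 512-byte NTFS boot sector with plausible values.

    Hypothetical test data for this example, not a sector from a real image.
    """
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x52\x90"                             # x86 jump instruction
    bs[3:11] = NTFS_OEM_ID
    struct.pack_into("<H", bs, 0x0B, 512)                 # bytes per sector
    bs[0x0D] = 8                                          # sectors per cluster (4 KiB clusters)
    bs[0x15] = 0xF8                                       # media descriptor (fixed disk)
    struct.pack_into("<Q", bs, 0x28, 2_097_151)           # total sectors in the volume
    struct.pack_into("<Q", bs, 0x30, 786_432)             # $MFT starting cluster
    struct.pack_into("<Q", bs, 0x38, 2)                   # $MFTMirr starting cluster
    bs[0x40] = 0xF6                                       # MFT record size: -10 -> 2**10 bytes
    bs[0x44] = 1                                          # clusters per index buffer
    struct.pack_into("<Q", bs, 0x48, 0x1234567890ABCDEF)  # volume serial number
    bs[510:512] = b"\x55\xAA"                             # boot sector signature
    return bytes(bs)


def parse_ntfs_boot_sector(data: bytes) -> dict:
    """Decode the BIOS parameter block of an NTFS boot sector.

    Raises ValueError when the sector does not look like NTFS, so a wrong
    offset into an image is reported instead of yielding garbage numbers.
    """
    if len(data) < 512:
        raise ValueError("need at least 512 bytes")
    if data[3:11] != NTFS_OEM_ID:
        raise ValueError("OEM ID is not 'NTFS    ': not an NTFS boot sector")
    if data[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot sector signature")

    bytes_per_sector = struct.unpack_from("<H", data, 0x0B)[0]
    if bytes_per_sector == 0 or bytes_per_sector & (bytes_per_sector - 1):
        raise ValueError("bytes per sector must be a power of two")
    sectors_per_cluster = data[0x0D]
    if sectors_per_cluster > 0x80:                 # large clusters: stored as -log2
        sectors_per_cluster = 1 << (0x100 - sectors_per_cluster)
    cluster_size = bytes_per_sector * sectors_per_cluster

    total_sectors = struct.unpack_from("<Q", data, 0x28)[0]
    mft_cluster = struct.unpack_from("<Q", data, 0x30)[0]
    mftmirr_cluster = struct.unpack_from("<Q", data, 0x38)[0]
    # Signed fields: a negative value v means 2**(-v) bytes, otherwise a cluster count.
    raw_record = struct.unpack_from("<b", data, 0x40)[0]
    raw_index = struct.unpack_from("<b", data, 0x44)[0]
    serial = struct.unpack_from("<Q", data, 0x48)[0]

    def size_field(raw: int) -> int:
        return 2 ** (-raw) if raw < 0 else raw * cluster_size

    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "volume_size": total_sectors * bytes_per_sector,
        "mft_offset": mft_cluster * cluster_size,
        "mftmirr_offset": mftmirr_cluster * cluster_size,
        "mft_record_size": size_field(raw_record),
        "index_record_size": size_field(raw_index),
        "volume_serial": f"{serial:016X}",
    }


if __name__ == "__main__":
    for key, value in parse_ntfs_boot_sector(build_sample_boot_sector()).items():
        print(f"{key:>18}: {value}")
```

On a real image you would read the 512 bytes at the partition's starting sector (found with mmls) and pass them to parse_ntfs_boot_sector; the mft_offset it returns, added to the partition offset, is where the $MFT records begin, which is the structure the other TSK tools (fls, istat, icat) walk to list allocated and deleted entries.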
You can download Windows binaries from The...
Originally, Autopsy was just a graphical interface for The Sleuth Kit, the collection of command-line tools for file system forensic analysis that you learnt about in the previous recipe. Since version 3, however, it has been completely rewritten and is now available as a standalone digital forensics platform. It is very widely used and forms part of the digital forensic toolkit of both law enforcement and corporate examiners. Why? It's easy to use, fast, and free. Also, if you enjoy programming, you can write your own modules for Autopsy - all the documentation you will need is freely available online, on The Sleuth Kit's website. Basis Technology even holds Autopsy module writing contests, so feel free to participate.
ReclaiMe File Recovery is a piece of data recovery software capable of undeleting files from a wide range of devices, including hard drives, memory cards, RAID arrays, and multi-disk NAS devices. It also supports data recovery from most file systems, including the newest Windows file system, ReFS (Resilient File System).
Go to ReclaiMe's website and click on the green DOWNLOAD button on the left. This takes you to the ReclaiMe File Recovery download page, and the download starts automatically. After this, just run the setup file and follow the installation instructions. You are ready to go!
PhotoRec is a file carving tool that is widely used by digital forensic examiners. This tool is even built into the previously mentioned digital forensic platform, Autopsy, as a module. PhotoRec can recover a diverse range of file types (more than 480 file formats), but if you think this will not be enough, you can add your own custom signatures, which will help the tool to recover even more data.
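Signature-based carving of the kind PhotoRec performs does not need file system metadata at all: it scans raw bytes for known headers and cuts each file out up to its footer or a size limit. The Python below is an added example, not code from the book or from PhotoRec, and it also illustrates the earlier point that recovery depends on how much of a file has been overwritten: a header whose footer is gone is reported as a partial carve rather than silently dropped. The three-entry signature table, the constructed "unallocated space" blob, and the function names are assumptions made for this example.

```python
import os

# Small subset of header/footer signatures, in the spirit of PhotoRec's
# signature database (constructed for this example, not PhotoRec's own table).
SIGNATURES = {
    "jpg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xAE\x42\x60\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_CARVE_SIZE = 64 * 1024  # upper bound for a file whose footer is never found


def carve(blob: bytes, signatures=SIGNATURES, max_size=MAX_CARVE_SIZE) -> list:
    """Scan raw bytes for known headers and carve to the matching footer.

    Each result records type, offset, size and whether a footer was found.
    A header with no footer inside max_size (typically a partially overwritten
    file) is returned as an incomplete carve instead of being discarded.
    """
    found = []
    for ftype, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = blob.find(header, pos)
            if start < 0:
                break
            limit = min(len(blob), start + max_size)
            foot = blob.find(footer, start + len(header), limit)
            if foot < 0:
                end, complete = limit, False
                pos = start + len(header)      # keep scanning after this header
            else:
                end, complete = foot + len(footer), True
                pos = end                      # skip past the file just carved
            found.append({"type": ftype, "offset": start, "size": end - start,
                          "complete": complete, "data": blob[start:end]})
    found.sort(key=lambda f: f["offset"])
    return found


def write_carved(results: list, outdir: str) -> list:
    """Write carved files as f<offset>[_partial].<type>, naming loosely modelled on PhotoRec's output."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for r in results:
        suffix = "" if r["complete"] else "_partial"
        path = os.path.join(outdir, f"f{r['offset']:010d}{suffix}.{r['type']}")
        with open(path, "wb") as fh:
            fh.write(r["data"])
        paths.append(path)
    return paths


def build_sample_unallocated() -> bytes:
    """Constructed 'unallocated space': filler plus three embedded files.

    Hypothetical test data, not content from a real disk image.
    """
    filler = bytes(range(256)) * 4  # deterministic filler that contains no signature
    jpeg = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xFF\xD9"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x22" * 17
           + b"\x00\x00\x00\x00IEND\xAE\x42\x60\x82")
    truncated_jpeg = b"\xFF\xD8\xFF\xE1" + b"\x33" * 30  # its footer was overwritten
    return filler + jpeg + filler + png + filler + truncated_jpeg + filler


if __name__ == "__main__":
    for r in carve(build_sample_unallocated()):
        state = "complete" if r["complete"] else "partial"
        print(f"{r['type']} at offset {r['offset']}: {r['size']} bytes ({state})")
```

Footer matching is the simplest strategy and has a known weakness: a JPEG with an embedded EXIF thumbnail contains an inner FFD8...FFD9 pair, so a carver that stops at the first FFD9 truncates the main image. PhotoRec avoids this by parsing the internal structure of formats it knows rather than relying on footers alone, which is why adding a custom signature to PhotoRec recovers the header but not necessarily the exact file length.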
Go to CGSecurity's website and click the download hyperlink on the left. You will be redirected to the Download page. Now click on the big green button on the right, and the downloading process will be initiated. At the time of writing, the most recent version of PhotoRec is 7.0, so the...