Scribd
Upload
173 views7 pages

File Recovery Digital Forensics

Uploaded by

aakash25mahajan
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
173 views7 pages

File Recovery Digital Forensics

Uploaded by

aakash25mahajan
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 7

File Recovery

Analysis of deleted files is a key task in any type of digital


forensic investigation.

To become a successful digital forensic examiner, you must


know how Windows deletes files;

where such files can be located, after they are deleted;

Methods / techniques to investigate these files


(e.g., retrieving deleted files’ metadata to support a criminal
investigation).

List of some tools and techniques to recover critically


important documents and file fragments that can help to solve
the case at hand.
File Recovery

Undeleting Files Using Autopsy

Autopsy can be used to recover deleted files from supplied


forensic image files’ slack space.

Recovering deleted files using Autopsy does not require any


interference by the forensic examiner.

Create the case and select the “PhotoRec Carver module” from
the ingest modules
(make sure that “Process Unallocated Space” is selected);

Autopsy will automatically retrieve data from unallocated


space of the supplied data source and show them in the

Data Explorer pane under Views ➤ Deleted Files.


File Recovery
File Recovery

Undeleting Files Using Autopsy

Autopsy can be used to recover deleted files from supplied


forensic image files’ slack space.

Recovering deleted files using Autopsy does not require any


interference by the forensic examiner.

Create the case and select the “PhotoRec Carver module” from
the ingest modules
(make sure that “Process Unallocated Space” is selected);

Autopsy will automatically retrieve data from unallocated


space of the supplied data source and show them in the

Data Explorer pane under Views ➤ Deleted Files.


File Recovery
File Recovery

Undeleting Files Using Autopsy

The PhotoRec tool (www.cgsecurity.org/wiki/PhotoRec) is a


free, open source application.

It can be used as a standalone application to recover files from


different digital media devices like

HDDs,
USB drives,
SD cards (e.g., those in smartphones and digital cameras),
CD-ROMs
File Recovery

Undeleting Files Using Autopsy

PhotoRec can be used with TestDisk


(www.cgsecurity.org/wiki/TestDisk, from the same developer);

This is open source program that is specialized in recovering


lost partitions.

Also used for fixing the problem of nonbooting disks, making


them bootable again.

Another tutorial for using PhotoRec can be found at


www.cgsecurity.org/wiki/PhotoRec_Step_By_Step

You might also like