© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
System Forensics, Investigation, and Response
Lesson 6
Recovering Data
Page 2
Learning Objectives
Understand how data is deleted
Understand data recovery techniques
Page 3
Key Concepts
Undeleting data
Recovering information from damaged drives
Page 4
Undeleting Data
Criminals who are not very technically savvy think that deleting a file will keep authorities from discovering it
Expect that evidence will frequently be deleted from computers you examine
Page 5
File Systems and Hard Drives
Page 6
Operating Systems
Current: Windows 10, 8, 7, Vista; Windows Server 2016, 2012; Mac OS 10; Linux/Android
Legacy: Windows XP, 2000; Mac OS 8 or earlier
Page 7
Windows
FAT16 and FAT32 used in pre-Windows 2000 versions
NTFS file system in use since Windows 2000
Uses a table to map files to the specific clusters where they are stored on the disk
Page 8
Storing a File in Windows (FAT/FAT32)
For each cluster a file occupies, the FAT entry records the number of the next cluster
Add an EOC (end-of-chain) marker if at the end of the chain
Mark bad, reserved, and open clusters
Page 9
Deleting a File in Windows (FAT/FAT32)
When a file is deleted, data is not removed from disk
FAT is updated to reflect that the clusters are no longer in use
New data saved to those clusters may overwrite old information
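The FAT behaviour described on the storing and deleting slides, as an added worked example that is not part of the textbook or its slides: a toy FAT-style volume in Python. Cluster size, the marker values and the file contents are constructed for the illustration. `write` fills the table with next-cluster numbers and an EOC marker, `delete` only clears the table entries and marks the directory entry, and `undelete` recovers the file from the surviving directory entry by assuming the chain was contiguous, reporting whether any of its clusters have since been handed to a newer file.

```python
FREE = 0x000           # FAT entry value for a free cluster
EOC = 0xFFF            # end-of-chain marker (FAT12-style value, constructed)
CLUSTER_SIZE = 4       # bytes per cluster; real volumes use 512*n, kept tiny here
DELETED_MARK = "\xe5"  # byte written over the first character of a deleted directory entry


class DirEntry:
    def __init__(self, name, start, size):
        self.name, self.start, self.size = name, start, size


class Volume:
    def __init__(self, n_clusters):
        self.fat = [FREE] * n_clusters                     # one table entry per cluster
        self.data = [b"\x00" * CLUSTER_SIZE] * n_clusters  # cluster contents on "disk"
        self.root = {}                                     # root directory: name -> DirEntry

    def _free_clusters(self):
        # clusters 0 and 1 are reserved on a real FAT volume, so allocation starts at 2
        return [i for i, e in enumerate(self.fat) if e == FREE and i >= 2]

    def write(self, name, payload):
        chunks = [payload[i:i + CLUSTER_SIZE] for i in range(0, len(payload), CLUSTER_SIZE)]
        free = self._free_clusters()
        if len(free) < len(chunks):
            raise OSError("disk full")
        used = free[:len(chunks)]
        for i, (cl, chunk) in enumerate(zip(used, chunks)):
            self.data[cl] = chunk.ljust(CLUSTER_SIZE, b"\x00")
            # each FAT entry records the next cluster number, or EOC on the last cluster
            self.fat[cl] = used[i + 1] if i + 1 < len(used) else EOC
        self.root[name] = DirEntry(name, used[0], len(payload))
        return self.root[name]

    def read(self, name):
        entry, out, cl = self.root[name], b"", self.root[name].start
        while cl != EOC:                 # follow the chain through the table
            out += self.data[cl]
            cl = self.fat[cl]
        return out[:entry.size]

    def delete(self, name):
        entry = self.root.pop(name)
        cl = entry.start
        while cl != EOC:                 # table entries are released; data clusters are untouched
            nxt = self.fat[cl]
            self.fat[cl] = FREE
            cl = nxt
        self.root[DELETED_MARK + name[1:]] = entry   # entry survives with its first byte marked

    def undelete(self, marked_name):
        """Recover from the surviving entry (start cluster + size), assuming a contiguous chain.

        Returns (data, intact): intact is False when any cluster of the old chain has been
        handed to a newer file, i.e. the recovered bytes may be partly overwritten.
        """
        entry = self.root[marked_name]
        n = -(-entry.size // CLUSTER_SIZE)   # ceiling division: clusters the file occupied
        clusters = range(entry.start, entry.start + n)
        intact = all(self.fat[cl] == FREE for cl in clusters)
        return b"".join(self.data[cl] for cl in clusters)[:entry.size], intact


def fat_demo():
    vol = Volume(n_clusters=16)
    original = b"meeting notes: forensics lab"            # constructed file content, 28 bytes
    vol.write("NOTES.TXT", original)
    vol.delete("NOTES.TXT")
    first, intact_before = vol.undelete("\xe5OTES.TXT")   # nothing reused yet: full recovery
    vol.write("NEW.TXT", b"overwrite!")                   # takes the lowest free clusters
    second, intact_after = vol.undelete("\xe5OTES.TXT")   # start of the old file is now gone
    return first, intact_before, second, intact_after
```

The second recovery returns the tail of the old file with its first three clusters replaced by the new file's bytes, which is why an examiner images a drive before anything else is written to it.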
Page 10
NTFS Fundamental Files
• MFT (Master File Table): describes all files on the volume
• Cluster bitmap: a map of all the clusters on the hard drive
Page 11
Storing a File in Windows (NTFS)
MFT contains one base file record for each file and directory
MFT serves the same purpose as the FAT
Cluster bitmap file maps all clusters on the disk
Page 12
Deleting Files in Windows (NTFS)
When a file is deleted, data is not removed from disk
Clusters are marked as deleted and “moved” to the Recycle Bin
When the Recycle Bin is emptied, clusters are marked as fully available
Filename in the MFT is marked with a special character that means the file has been deleted
Page 13
DiskDigger
Free and commercial versions
Free version recovers files one at a time
Page 14
DiskDigger: Main Screen
Page 15
DiskDigger: Starting Data Recovery
Page 16
DiskDigger: Recovering an Individual File
Page 17
WinUndelete
Easy to use
Wizard-driven
Page 18
WinUndelete
Courtesy of WinRecovery Software
Page 19
WinUndelete
Courtesy of WinRecovery Software
Page 20
WinUndelete
Courtesy of WinRecovery Software
Page 21
FreeUndelete
Free tool for personal use
Commercial version available
Page 22
FreeUndelete
Courtesy of Recoveronix Ltd.
Page 23
OSForensics
A robust forensics tool that also provides for undeletion
Undelete from a mounted image or from a live system
Page 24
OSForensics Deleted Files Search
Courtesy of Recoveronix Ltd.
Page 25
OSForensics Deleted Files Results
Courtesy of Recoveronix Ltd.
Page 26
Linux
File systems
• ext3
• ext4
Page 27
Storing a File in Linux
Stores files in contiguous blocks
Blocks sometimes need to be extended
Exact size of blocks depends on parameters used with the command that creates the partition
Uses inodes and soft links
Page 28
Deleting a File in Linux
Inode hard link is integral
Inode links directly to a specific file
OS keeps a count of references to each hard link
When the reference count reaches zero, the file is deleted
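The reference-count rule on this slide, shown against a real file system rather than a simulation (an added example, not from the textbook): Python's `os.link` creates a second hard link to the same inode, `os.stat(...).st_nlink` reports the count the OS keeps, and the data stays readable until the last name is removed; a symbolic link is shown alongside to make the contrast with soft links on the previous slide. File names and contents are constructed, everything happens in a temporary directory, and it needs a file system that supports hard and symbolic links (any Linux file system does).

```python
import os
import tempfile


def link_count_demo():
    """Create -> hard link -> unlink -> unlink, recording st_nlink at each step.

    Returns (counts, same_inode, readable_after_first_unlink, symlink_dangling, gone).
    """
    counts = []
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "notes.txt")           # constructed file name
        hard = os.path.join(workdir, "notes-hardlink.txt")
        soft = os.path.join(workdir, "notes-symlink.txt")

        with open(original, "wb") as fh:
            fh.write(b"case notes")                              # constructed content
        counts.append(os.stat(original).st_nlink)                # one name -> 1

        os.link(original, hard)                                  # second hard link, same inode
        os.symlink(original, soft)                               # soft link: a path, not a reference
        counts.append(os.stat(original).st_nlink)                # two names -> 2 (symlink not counted)
        same_inode = os.stat(original).st_ino == os.stat(hard).st_ino

        os.unlink(original)                                      # "delete" the first name
        counts.append(os.stat(hard).st_nlink)                    # back to 1; inode still live
        with open(hard, "rb") as fh:
            readable = fh.read() == b"case notes"                # data untouched by the delete
        dangling = os.path.lexists(soft) and not os.path.exists(soft)  # symlink now points nowhere

        os.unlink(hard)                                          # last reference -> count hits 0
        gone = not os.path.exists(hard)                          # inode and its blocks are reusable
    return counts, same_inode, readable, dangling, gone
```

Once the count reaches zero the kernel frees the inode and its blocks, but it does not wipe them; the bytes remain on the partition until reallocated, which is what the grep and extundelete recoveries on the following slides rely on.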
Page 29
Recovering a File in Linux
Move the system to single-user mode with the init 1 command
Use grep to search for and recover files
Example:
• # grep -i -a -B10 -A100 'forensics' /dev/sda2 > file.txt
Page 30
extundelete
Works with both ext3 and ext4 partitions in Linux
Uses shell commands
Example: To restore all deleted files from the /dev/sda4 partition:
• extundelete /dev/sda4 --restore-all
Page 31
Scalpel
Works with Linux and Mac OS
Possible to compile the source code to work in Windows
Page 32
Scalpel (Cont.)
Install → Verify output directory is empty → Edit config file → Run scalpel command
Page 33
Scalpel (Cont.)
1. Install the tool.
2. In the configuration file /etc/scalpel/scalpel.conf, uncomment the specific file format you want to recover.
3. Run the following command:
sudo scalpel [device/directory/file name] -o [output directory]
Page 34
Macintosh
Macintosh OS X and later versions are based on FreeBSD
• A UNIX clone, much like Linux
Mac OS X uses HFS+, or Hierarchical File System Plus
Earlier versions of Macintosh used HFS
Page 35
MacKeeper
Recovers deleted files on Macintosh computers
Free, fully functional trial version available
Page 36
MacKeeper
Open Files Recovery tool → Select volume → Select Undelete
Page 37
Recovering Information from Damaged Media
Remove drive/connect to test system → Boot test system → Copy files from drive to test system
Page 38
Recovering Information from Damaged Media (Cont.)
Remove drive/connect to test system → Boot test system → Drive not recognized? Perform repair → Image drive content
Page 39
Attempting Local Repair
Replace printed circuit board
Replace read/write head assembly
Transfer disk platters to a healthy drive
Page 40
Recovering After Logical Damage
Logical damage
• May prevent the host operating system from mounting or using the file system
• May cause system crashes and data loss
• May be caused by power outages, or by turning off a machine while it is booting or shutting down
Page 41
Recovering After Logical Damage (Cont.)
Microsoft Windows: chkdsk
Linux: fsck
Mac OS X: Disk Utility
The Sleuth Kit
TestDisk
Page 42
Preventing Logical Damage
Journaling file systems
Use a consistency checker
Use disk controllers with battery backups
Page 43
Consistency Checking
Involves scanning a disk’s logical structure to ensure that it is consistent with its specification
Verifies that dot (.) and dot-dot (..) entries point to the correct directories
Checkers include chkdsk and fsck
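What a consistency checker actually verifies, as an added illustration that is neither chkdsk nor fsck and is not from the textbook: over two independent toy tables (a FAT-style cluster table and a directory table, both constructed; the root is placed at cluster 0 for brevity, whereas a real FAT32 root normally starts at cluster 2) the checker reports chains that are cross-linked, chains that loop, allocated clusters that no file reaches (lost clusters), and directories whose . or .. entry points at the wrong cluster. It only reports findings; it never modifies the tables.

```python
FREE = 0x000   # table entry value for a free cluster
EOC = 0xFFF    # end-of-chain marker (constructed, FAT12-style)


def walk_chain(fat, start):
    """Follow one chain through the table.

    Returns (clusters, problem): problem is None, "loop" (a cluster repeats) or
    "bad-next" (the chain runs off the table or into a cluster marked free).
    """
    seen, cl = [], start
    while cl != EOC:
        if cl in seen:
            return seen, "loop"
        if not 0 <= cl < len(fat) or fat[cl] == FREE:
            return seen, "bad-next"
        seen.append(cl)
        cl = fat[cl]
    return seen, None


def check_fat(fat, files):
    """files maps name -> start cluster. Reports inconsistencies, never repairs them."""
    findings, owner = [], {}
    for name, start in files.items():
        chain, problem = walk_chain(fat, start)
        if problem:
            findings.append((problem, name))
        for cl in chain:
            if cl in owner:                                # two files claim one cluster
                findings.append(("cross-linked", f"{owner[cl]}/{name}@{cl}"))
            else:
                owner[cl] = name
    for cl, entry in enumerate(fat):                       # allocated, but reachable from no file
        if cl >= 2 and entry != FREE and cl not in owner:
            findings.append(("lost-cluster", cl))
    return findings


def check_dot_entries(dirs):
    """dirs maps directory cluster -> {"parent": cluster, ".": cluster, "..": cluster}."""
    findings = []
    for cl, d in dirs.items():
        if d["."] != cl:                                   # '.' must name the directory itself
            findings.append(("dot", cl))
        if d[".."] != d["parent"]:                         # '..' must name the real parent
            findings.append(("dotdot", cl))
    return findings


def fsck_demo():
    fat = [FREE] * 12
    fat[2], fat[3] = 3, EOC        # file A: 2 -> 3 -> EOC (healthy)
    fat[4], fat[5] = 5, 3          # file B: 4 -> 5 -> 3, cross-linked into A's chain
    fat[7] = EOC                   # allocated, but no directory entry leads here
    fat[8], fat[9] = 9, 8          # file C: 8 -> 9 -> 8, a loop
    files = {"A": 2, "B": 4, "C": 8}
    dirs = {
        0: {"parent": 0, ".": 0, "..": 0},      # toy root at cluster 0
        6: {"parent": 0, ".": 6, "..": 0},      # consistent subdirectory
        10: {"parent": 6, ".": 10, "..": 0},    # '..' should point at 6, not at the root
    }
    return check_fat(fat, files), check_dot_entries(dirs)
```

A repair pass would have to decide what to do with each finding (truncate B at the shared cluster, break C's loop, attach cluster 7 to a recovery directory), and that decision is exactly where a real checker can discard data, which is the caution raised on the next slide.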
Page 44
Consistency Checking Problems
Can fail if the file system is highly damaged
The chkdsk utility might delete files that are out of place or unexplainable
Page 45
Zero-Knowledge Analysis
Few assumptions made about the state of the file system
Scan drive → Match results to specs
Page 46
File Carving
• Can use file carving on a file that’s only partially recovered
• Works on any file system
• Is often used to recover data from a disk where there has been some damage or where the file itself is corrupt
• File carving utilities look for file headers and/or footers, and then pull out the data found between the two boundaries
• One popular file carving tool is Scalpel
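A minimal header/footer carver of the kind the slide describes, as an added example that is neither Scalpel's code nor from the textbook: the signature table carries what a scalpel.conf line carries (extension, maximum carve size, header, footer); the JPEG and PNG byte values are the real file signatures, the size limits are constructed. The carver scans a constructed disk image and reports two complete hits plus a header-only hit that it carves up to the size limit and flags as partial, which is the "only partially recovered" case on the slide.

```python
# Signature table in the spirit of a scalpel.conf line: extension, max carve size, header, footer.
# JPEG (SOI/EOI) and PNG (signature/IEND chunk) byte values are the real ones; the limits are constructed.
SIGNATURES = {
    "jpg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9", "max": 64 * 1024},
    "png": {"header": b"\x89PNG\r\n\x1a\n", "footer": b"IEND\xae\x42\x60\x82", "max": 64 * 1024},
}


def carve(image, sigs=SIGNATURES):
    """Find every header, pair it with the next footer inside its size window.

    Returns records sorted by offset. A header with no footer inside the window is carved
    up to the window end and flagged complete=False (the partially recovered case).
    """
    found = []
    for ext, sig in sigs.items():
        pos = 0
        while True:
            head = image.find(sig["header"], pos)
            if head < 0:
                break
            window_end = min(len(image), head + sig["max"])
            foot = image.find(sig["footer"], head + len(sig["header"]), window_end)
            if foot >= 0:
                end, complete = foot + len(sig["footer"]), True
            else:
                end, complete = window_end, False
            found.append({"type": ext, "offset": head, "size": end - head, "complete": complete})
            # after a complete hit resume past it; after a partial one keep looking inside the window
            pos = end if complete else head + len(sig["header"])
    return sorted(found, key=lambda r: r["offset"])


def extract(image, record):
    """Pull out the bytes between the boundaries a carve record describes."""
    return image[record["offset"]:record["offset"] + record["size"]]


def build_sample_image():
    """Constructed 'disk image': filler around one JPEG, one PNG and a JPEG whose tail was overwritten."""
    filler = bytes(range(256)) * 4                 # deterministic junk containing no signature
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"IEND\xae\x42\x60\x82"
    truncated = b"\xff\xd8\xff\xe1" + b"T" * 20   # header present, footer gone
    return filler + jpeg + filler + png + filler + truncated + filler, jpeg, png


def carve_demo():
    image, jpeg, png = build_sample_image()
    records = carve(image)
    return records, extract(image, records[0]) == jpeg, extract(image, records[1]) == png
```

Because the carver reads raw bytes and ignores the file system entirely, it works on any file system and on damaged volumes, which is the property the slide highlights; the cost is that a partial hit is carved at the size limit, so the output for such a file needs to be validated before it is relied on.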
Page 47
Summary
Undeleting data
Recovering information from damaged drives

BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 

Forensic3e ppt ch06

  • 1. © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company, www.jblearning.com. All rights reserved. System Forensics, Investigation, and Response. Lesson 6: Recovering Data
  • 2. Learning Objectives: Understand how data is deleted. Understand data recovery techniques.
  • 3. Key Concepts: Undeleting data. Recovering information from damaged drives.
  • 4. Undeleting Data: Criminals who are not very technically savvy think that deleting a file will keep authorities from discovering it. Expect that evidence will frequently be deleted from computers you examine.
  • 5. File Systems and Hard Drives
  • 6. Operating Systems. Current: Windows 10, 8, 7, Vista; Windows Server 2016, 2012; Mac OS 10; Linux/Android. Legacy: Windows XP, 2000; Mac OS 8 or earlier.
  • 7. Windows: FAT16 and FAT32 were used in pre-Windows 2000 versions. The NTFS file system has been in use since Windows 2000. Windows uses a table to map files to the specific clusters where they are stored on the disk.
  • 8. Storing a File in Windows (FAT/FAT32): Record the cluster number of the next cluster. Add EOC (end of chain) if at the end of the chain. Mark bad, reserved, and open clusters.
  • 9. Deleting a File in Windows (FAT/FAT32): When a file is deleted, the data is not removed from the disk. The FAT is updated to reflect that the clusters are no longer in use. New data saved to those clusters may overwrite the old information.
  • 10. NTFS Fundamental Files: MFT (Master File Table), which describes all files on the volume. Cluster bitmap, a map of all the clusters on the hard drive.
  • 11. Storing a File in Windows (NTFS): The MFT contains one base file record for each file and directory. The MFT serves the same purpose as the FAT. The cluster bitmap file maps all clusters on the disk.
  • 12. Deleting Files in Windows (NTFS): When a file is deleted, the data is not removed from the disk. Clusters are marked as deleted and the file is “moved” to the Recycle Bin. When the Recycle Bin is emptied, the clusters are marked as fully available. The filename in the MFT is marked with a special character that means the file has been deleted.
  • 13. DiskDigger: Free and commercial versions. The free version recovers files one at a time.
  • 14. DiskDigger: Main Screen
  • 15. DiskDigger: Starting Data Recovery
  • 16. DiskDigger: Recovering an Individual File
  • 17. WinUndelete: Easy to use. Wizard-driven.
  • 18. WinUndelete (screenshot courtesy of WinRecovery Software)
  • 19. WinUndelete (screenshot courtesy of WinRecovery Software)
  • 20. WinUndelete (screenshot courtesy of WinRecovery Software)
  • 21. FreeUndelete: Free tool for personal use. Commercial version available.
  • 22. FreeUndelete (screenshot courtesy of Recoveronix Ltd.)
  • 23. OSForensics: A robust forensics tool that also provides for undeletion. Undelete from a mounted image or from a live system.
  • 24. OSForensics: Deleted Files Search (screenshot courtesy of Recoveronix Ltd.)
  • 25. OSForensics: Deleted Files Results (screenshot courtesy of Recoveronix Ltd.)
  • 26. Linux File Systems: ext3, ext4
  • 27. Storing a File in Linux: Stores files in contiguous blocks. Blocks sometimes need to be extended. The exact size of the blocks depends on the parameters used with the command that creates the partition. Uses inodes and soft links.
  • 28. Deleting a File in Linux: The inode hard link is integral. An inode links directly to a specific file. The OS keeps a count of references to each hard link. When the reference count reaches zero, the file is deleted.
  • 29. Recovering a File in Linux: Move the system to single-user mode with the init 1 command. Use grep to search for and recover files. Example: # grep -i -a -B10 -A100 'forensics' /dev/sda2 > file.txt
  • 30. extundelete: Works with both ext3 and ext4 partitions in Linux. Uses shell commands. Example, to restore all deleted files from the sda1 partition: extundelete /dev/sda1 --restore-all
  • 31. Scalpel: Works with Linux and Mac OS. It is possible to compile the source code to work in Windows.
  • 32. Scalpel (Cont.): Install. Verify that the output directory is empty. Edit the config file. Run the scalpel command.
  • 33. Scalpel (Cont.): 1. Install the tool. 2. In the configuration file /etc/scalpel/scalpel.conf, uncomment the specific file format you want to recover. 3. Run the following command: sudo scalpel [device/directory/file name] -o [output directory]
  • 34. Macintosh: Macintosh OS X and later versions are based on FreeBSD, a UNIX clone much like Linux. Mac OS X uses HFS+, or Hierarchical File System Plus. Earlier versions of Macintosh used HFS.
  • 35. MacKeeper: Recovers deleted files on Macintosh computers. A free, fully functional trial version is available.
  • 36. MacKeeper: Open the Files Recovery tool. Select the volume. Select Undelete.
  • 37. Recovering Information from Damaged Media: Remove the drive and connect it to a test system. Boot the test system. Copy files from the drive to the test system.
  • 38. Recovering Information from Damaged Media (Cont.): Remove the drive and connect it to a test system. Boot the test system. Drive not recognized? Perform repair. Image the drive content.
  • 39. Attempting Local Repair: Replace the printed circuit board. Replace the read/write head assembly. Transfer the disk platters to a healthy drive.
  • 40. Recovering After Logical Damage: Logical damage may prevent the host operating system from mounting or using the file system; may cause system crashes and data loss; may be caused by power outages, or by turning off a machine while it is booting or shutting down.
  • 41. Recovering After Logical Damage (Cont.): Microsoft Windows: chkdsk. Linux: fsck. Mac OS X: Disk Utility. The Sleuth Kit. TestDisk.
  • 42. Preventing Logical Damage: Journaling file systems. Use a consistency checker. Use disk controllers with battery backups.
  • 43. Consistency Checking: Involves scanning a disk’s logical structure to ensure that it is consistent with its specification. Verifies that dot (.) and dot-dot (..) entries point to the correct directories. Checkers include chkdsk and fsck.
  • 44. Consistency Checking Problems: Can fail if the file system is highly damaged. The chkdsk utility might delete files that are out of place or unexplainable.
  • 45. Zero-Knowledge Analysis: Few assumptions are made about the state of the file system. Scan the drive. Match the results to the specs.
  • 46. File Carving: File carving can be used on a file that is only partially recovered. Works on any file system. Is often used to recover data from a disk where there has been some damage or where the file itself is corrupt. File carving utilities look for file headers and/or footers, and then pull out the data found between the two boundaries. One popular file carving tool is Scalpel.
  • 47. Summary: Undeleting data. Recovering information from damaged drives.
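The FAT storage and deletion sequence of slides 8 and 9, as an added example that is not code from the slides: a toy volume stores a file as a cluster chain, deletes it by clearing FAT entries only, and then attempts the contiguous-chain undelete that recovery tools rely on, showing where it succeeds and where overwriting or fragmentation defeats it. The FAT encoding, cluster size and directory layout are simplified assumptions, not the real FAT16/FAT32 on-disk format.

```python
# Added example (not from the slides): a toy FAT-style volume showing why "deleted"
# data is still on disk (slides 8-9) and when a simple undelete works. The FAT encoding
# (0 = free, 0xFFF = end of chain), 4-byte clusters and the directory layout are
# simplified assumptions, not the real FAT16/FAT32 on-disk format.
FREE, EOC = 0x000, 0xFFF
CLUSTER_SIZE = 4  # bytes per cluster: constructed, unrealistically small
class ToyFat:
    def __init__(self, n_clusters):
        self.fat = [FREE] * n_clusters                         # one entry per cluster
        self.clusters = [b"\x00" * CLUSTER_SIZE] * n_clusters  # the "disk" itself
        self.dir = {}                                          # name -> [first, size, deleted]

    def write(self, name, data):
        chunks = [data[i:i + CLUSTER_SIZE] for i in range(0, len(data), CLUSTER_SIZE)]
        free = [i for i, e in enumerate(self.fat) if e == FREE]
        if len(chunks) > len(free):
            raise OSError("volume full")
        used = free[:len(chunks)]
        for n, (c, chunk) in enumerate(zip(used, chunks)):
            self.clusters[c] = chunk.ljust(CLUSTER_SIZE, b"\x00")
            # Slide 8: record the next cluster number, or EOC at the end of the chain.
            self.fat[c] = used[n + 1] if n + 1 < len(used) else EOC
        self.dir[name] = [used[0], len(data), False]

    def read(self, name):
        first, size, deleted = self.dir[name]
        if deleted:
            raise FileNotFoundError(name)
        out, c = b"", first
        while c != EOC:                      # follow the chain through the FAT
            out += self.clusters[c]
            c = self.fat[c]
        return out[:size]

    def delete(self, name):
        # Slide 9: only the FAT entries are cleared; cluster contents stay on disk.
        c = self.dir[name][0]
        while c != EOC:
            nxt = self.fat[c]
            self.fat[c] = FREE
            c = nxt
        self.dir[name][2] = True             # entry flagged deleted, start cluster kept

    def undelete(self, name):
        # Undelete assumes the file was contiguous from its start cluster; wrong once
        # the chain was fragmented or the freed clusters were reused.
        first, size, _ = self.dir[name]
        n = -(-size // CLUSTER_SIZE)         # ceiling division: clusters to read back
        return b"".join(self.clusters[first:first + n])[:size]

def demo():
    vol = ToyFat(8)
    vol.write("note.txt", b"FORENSICS EVIDENCE"); vol.delete("note.txt")  # clusters 0-4
    clean = vol.undelete("note.txt")                # data is still there
    vol.write("new.txt", b"XXXXXXXX")               # reuses freed clusters 0-1
    overwritten = vol.undelete("note.txt")          # partially destroyed
    vol2 = ToyFat(8)
    vol2.write("a", b"aaaa"); vol2.write("b", b"bbbbbbbb"); vol2.delete("a")
    vol2.write("c", b"cccccccc"); vol2.delete("c")  # "c" used clusters 0 and 3
    return clean, overwritten, vol2.undelete("c")   # last one comes back wrong
```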
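The header/footer carving that slide 46 describes for tools such as Scalpel, as an added example that is not code from the slides or from Scalpel: the carver scans raw bytes for known headers, cuts at the matching footer, and still yields a fragment when the footer is gone. The signatures, maximum sizes and the sample image are constructed for this demo.

```python
import re

# Added example (not from the slides or from Scalpel): a minimal header/footer
# file carver of the kind slide 46 describes. Each signature mirrors the shape
# of a scalpel.conf entry (extension, max size, header, footer); the max sizes
# and the sample image below are constructed for this demo.
SIGNATURES = [
    ("jpg", 64, b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", 64, b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
]

def carve(image, signatures=SIGNATURES):
    """Scan raw bytes for each header and return (ext, offset, data) tuples.

    Nothing here consults a file system, which is why carving works on any
    file system and on damaged volumes. If the footer is missing or lies past
    max_size, this demo carves max_size bytes (an assumption of this example,
    so a truncated or partially overwritten file still yields its fragment).
    """
    found = []
    for ext, max_size, header, footer in signatures:
        for m in re.finditer(re.escape(header), image):
            start = m.start()
            window = image[start:start + max_size]
            end = len(window)
            f = window.find(footer, len(header))
            if f != -1:
                end = f + len(footer)
            found.append((ext, start, window[:end]))
    return sorted(found, key=lambda t: t[1])   # in disk order

def build_sample_image():
    """Constructed 'disk image': filler with two intact files and a fragment."""
    filler = b"\x00" * 16
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"A" * 10 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"B" * 12 + b"IEND\xae\x42\x60\x82"
    truncated = b"\xff\xd8\xff\xe1" + b"C" * 20     # its footer was overwritten
    return filler + jpg + filler + png + filler + truncated

def carve_sample():
    return carve(build_sample_image())

if __name__ == "__main__":
    for ext, offset, data in carve_sample():
        print(f"{ext} at offset {offset}: {len(data)} bytes")
```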