BACS 371
Computer Forensics
Basic File Recovery Techniques
File Recovery
The easiest type of recovery is to go to the Recycle
Bin and recover the file.
Once the file is deleted from the Recycle Bin, this
option is no longer available.
To recover these files you need to open the disk with
a hex editor (such as WinHex).
Some files are easily recoverable with this tool;
others need some work to reconstruct the FAT chain.
Simple WinHex Recovery
Directory of disk shows 3 files.
WinHex shows that there are more files present.
Notice symbols to the left of files. They indicate
status and likelihood of successful recovery.
Select a file and right click. If you select
“Recover/Copy”, WinHex will try to recover the file.
Result is a successful recovery!
List Clusters will print out the FAT linked-list chain.
Useful for possible chain reconstruction.
WinHex Recovery
Other files are not as likely to be recoverable. Note the
red X next to the file.
Recovery appeared to work, but file was corrupt and
Advanced Deleted File Recovery
In WinHex:
• Scan the disk for deleted entries
• Define the cluster chain for the deleted entry
• Recover the cluster chain
This works only when:
• The file entry still exists
• The file entry's pointer to the first cluster is correct
• The file's data clusters have not yet been overwritten
Scan Disk for Deleted Entries
Deleted entries are marked with 0xE5 in the first
character position of the file/folder name
Find the Clusters
Determine the size of the deleted file
• 0x0000D000 (little endian!) = 53248 bytes
• #Clusters = 53248/4096 = 13
Determine the starting cluster of the deleted file
• 0x0004 (little endian!) = cluster #4
Reconstruct the Cluster Chain
The FAT entries for the file's clusters are mostly 0x00. Is this OK?
Yes: deleting a file zeroes its FAT entries (the clusters are marked free),
so the chain has to be rebuilt from the starting cluster and the cluster count.
Reconstructed Cluster Chain
The file can now be recovered and read by its program.
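Added example (not from the slides and not WinHex code): a small Python script that carries out the steps above on a constructed 32-byte FAT directory entry and a constructed disk image. The 4096-byte cluster size, the data-area offset DATA_START, the sample entry and the FAT table are assumptions chosen to match the numbers in the slides.

```python
import struct

BYTES_PER_CLUSTER = 4096   # assumed: 8 sectors x 512 bytes, as in the slides
DELETED_MARKER = 0xE5      # first name byte of a deleted FAT directory entry
DATA_START = 0x4000        # assumed: image offset where cluster #2 begins


def parse_dir_entry(entry):
    """Parse one 32-byte FAT directory entry (size and cluster are little endian)."""
    if len(entry) != 32:
        raise ValueError("FAT directory entries are 32 bytes")
    hi = struct.unpack_from("<H", entry, 0x14)[0]   # high word (FAT32 only, 0 on FAT12/16)
    lo = struct.unpack_from("<H", entry, 0x1A)[0]   # low word of first cluster
    size = struct.unpack_from("<I", entry, 0x1C)[0]
    return {"deleted": entry[0] == DELETED_MARKER,
            "name": entry[0:8].decode("ascii", "replace").rstrip(),
            "ext": entry[8:11].decode("ascii", "replace").rstrip(),
            "first_cluster": (hi << 16) | lo, "size": size}


def cluster_count(size):
    return (size + BYTES_PER_CLUSTER - 1) // BYTES_PER_CLUSTER   # round up


def contiguous_chain(first_cluster, size):
    # Deletion zeroed the FAT chain, so rebuild it assuming contiguous clusters.
    return list(range(first_cluster, first_cluster + cluster_count(size)))


def chain_is_free(fat, chain):
    """True if every cluster in the rebuilt chain is still 0x0000 (free) in the FAT;
    a non-zero entry means the cluster was reallocated and the data is likely gone."""
    return all(fat[c] == 0 for c in chain)


def cluster_offset(cluster):
    return DATA_START + (cluster - 2) * BYTES_PER_CLUSTER   # data area starts at cluster 2


def recover(image, entry):
    chain = contiguous_chain(entry["first_cluster"], entry["size"])
    data = b"".join(image[cluster_offset(c):cluster_offset(c) + BYTES_PER_CLUSTER] for c in chain)
    return data[:entry["size"]]   # trim slack in the last cluster


# Constructed entry: deleted "?EPORT.TXT", first cluster 4, size 0x0000D000 (53248 bytes).
SAMPLE_ENTRY = (b"\xE5EPORT  TXT" + b"\x20" + bytes(14)
                + b"\x04\x00" + b"\x00\xD0\x00\x00")


def build_sample_image():
    # Constructed image: clusters 4..16 each filled with their own cluster number.
    img = bytearray(DATA_START + 15 * BYTES_PER_CLUSTER)
    for c in range(4, 17):
        img[cluster_offset(c):cluster_offset(c) + BYTES_PER_CLUSTER] = bytes([c]) * BYTES_PER_CLUSTER
    return bytes(img)
```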