Basic File Recovery Techniques BACS 371 Computer Forensics.


File Recovery  The easiest type of recovery is to go to the Recycle Bin and recover the file.  Once the file is deleted form the Recycle Bin, this option is not available.  To recover these files you need to open the disk with a hex editor (like WinHex)  Some files are easily recoverable with this tool, others will need a bit of work to reconstruct the FAT chains.

Simple WinHex Recovery  Directory of disk shows 3 files.

Simple WinHex Recovery  WinHex shows that there are more files present. Notice symbols to the left of files. They indicate status and likelihood of successful recovery.

Simple WinHex Recovery  Select a file and right click. If you select “Recover/Copy”, WinHex will try to recover the file.  Result is a successful recovery!

Simple WinHex Recovery  List Clusters will print out the FAT linked-list chain. Useful for possible chain reconstruction.

WinHex Recovery  Other files are not as likely to be recoverable. Note the red X next to the file.  Recovery appeared to work, but file was corrupt and unreadable.

Advanced Deleted File Recovery In WinHex
1. Scan Disk for deleted entries
2. Define cluster chain for deleted entry
3. Recover cluster chain
- Assumptions
  - File entry still exists
  - File entry pointer to first cluster is correct
  - File data clusters are not yet overwritten

Scan Disk for Deleted Entries
- Deleted entries are marked with 0xE5 in the first character position of the file/folder name.

Find the Clusters  Determine the Size of the deleted file  0x0000D000 (little endian!) =  #Clusters = 53248/4096 = 13  Determine the Starting Cluster of the deleted file 0x0004 (little endian!) = cluster #40x0004 (little endian!) = cluster #4

Reconstruct the Cluster Chain
- Mostly 0x00 – is this OK?

Reconstructed Cluster Chain
- File can now be recovered and read by program.
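
The three manual steps above (find the 0xE5 entry, read size and starting cluster, rebuild the chain) can be scripted. The following is an added example, not part of the original slides: it uses the standard FAT directory entry offsets, assumes the deleted file was stored contiguously, and works on constructed sample data held in memory; the function names are hypothetical.

```python
import struct

DELETED_MARKER = 0xE5   # first name byte of a deleted directory entry
CLUSTER_SIZE = 4096     # bytes per cluster, as in the slide's arithmetic

def parse_dir_entry(entry: bytes) -> dict:
    """Decode the recovery-relevant fields of one 32-byte FAT directory entry."""
    if len(entry) != 32:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    # Standard layout: offset 20 = first cluster high word (FAT32 only),
    # offset 26 = first cluster low word, offset 28 = file size; all little endian.
    (hi,) = struct.unpack_from("<H", entry, 20)
    lo, size = struct.unpack_from("<HI", entry, 26)
    deleted = entry[0] == DELETED_MARKER
    first = "?" if deleted else chr(entry[0])   # original first character is lost
    base = (first + entry[1:8].decode("ascii", "replace")).rstrip()
    ext = entry[8:11].decode("ascii", "replace").rstrip()
    return {"deleted": deleted, "name": base + ("." + ext if ext else ""),
            "first_cluster": (hi << 16) | lo, "size": size}

def candidate_chain(first_cluster: int, size: int, cluster_size: int = CLUSTER_SIZE) -> list:
    """ASSUMPTION: the file was contiguous, so the chain is a run of clusters."""
    count = -(-size // cluster_size)   # ceiling division
    return list(range(first_cluster, first_cluster + count))

def chain_is_free(fat: list, chain: list) -> bool:
    """True if every candidate cluster is still marked free (0) in the FAT."""
    return all(0 <= c < len(fat) and fat[c] == 0 for c in chain)

def rebuild_chain(fat: list, chain: list, end_of_chain: int = 0xFFFF) -> list:
    """Return a copy of the FAT with the chain re-linked and terminated (FAT16 marker)."""
    fat = list(fat)
    for cur, nxt in zip(chain, chain[1:]):
        fat[cur] = nxt
    if chain:
        fat[chain[-1]] = end_of_chain
    return fat

# Constructed sample data: a deleted entry using the slide's size and start cluster,
# and a small in-memory FAT16 table in which clusters 4 and up are free.
SAMPLE_ENTRY = struct.pack("<11sB8xH4xHI", b"\xe5EPORT  DOC", 0x20, 0, 4, 0xD000)
SAMPLE_FAT = [0xFFF8, 0xFFFF, 3, 0xFFFF] + [0] * 28

if __name__ == "__main__":
    info = parse_dir_entry(SAMPLE_ENTRY)
    chain = candidate_chain(info["first_cluster"], info["size"])
    print(info, chain, chain_is_free(SAMPLE_FAT, chain))
    print(rebuild_chain(SAMPLE_FAT, chain)[4:17])
```

If `chain_is_free` returns False, at least one candidate cluster has been reallocated, which is the case the slides' third assumption (data clusters not yet overwritten) rules out.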