Recovering Data


Undeleting Data

File Systems and Hard Drives

  • Hard drives
    • use platters to magnetically store data
    • store data as a sector
      • legacy sectors have 512 bytes
      • modern drives use Advanced Format 4,096-byte sectors
      • sector is an area of one of the disk platters defined by two radii
      • are contiguous on a disk
    • drive views data as sectors
  • file systems view data as clusters
    • can be from 1-128 sectors
    • don’t have to be contiguous sectors

Windows

FAT

  • cluster/file information is stored in a File Allocation Table (FAT)
    • is a list of entries that map to each cluster on the disk partition
    • each entry records one of five things:
      1. cluster number of the next cluster for this file
      2. if cluster is the end of a chain, then it has a special end of cluster chain (EOC) entry
      3. bad clusters have a special entry
      4. reserved clusters have a special entry
      5. open or available clusters are also marked
  • when a file is deleted, data is not removed from the drive
    • FAT is updated to reflect that those clusters are no longer in use
    • new info can overwrite the old info
    • so, the more recently a file was deleted, the more likely it is that its clusters have not been reused and the file is recoverable
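
The delete-and-overwrite behaviour above, as an added example (not code from the original notes): a toy FAT volume with real FAT16 marker values, a tiny constructed cluster size, a deletion that only frees the table entries, and the contiguity heuristic an undelete tool uses when the chain is gone.

```python
FREE, BAD, RESERVED_MIN, EOC_MIN = 0x0000, 0xFFF7, 0xFFF0, 0xFFF8   # real FAT16 entry markers
CLUSTER_SIZE = 4          # bytes per cluster: constructed, tiny so a whole volume fits in a test

class MiniFatVolume:
    def __init__(self, n_clusters):
        self.fat = [FREE] * n_clusters
        self.fat[0], self.fat[1] = 0xFFF8, 0xFFFF       # entries 0 and 1 are reserved on real FAT
        self.data = [b"\x00" * CLUSTER_SIZE for _ in range(n_clusters)]

    def write_file(self, content, clusters):   # store content in clusters, chain them, return first
        chunks = [content[i:i + CLUSTER_SIZE] for i in range(0, len(content), CLUSTER_SIZE)]
        if len(chunks) != len(clusters):
            raise ValueError("cluster list does not match file length")
        for i, c in enumerate(clusters):
            self.data[c] = chunks[i].ljust(CLUSTER_SIZE, b"\x00")
            self.fat[c] = clusters[i + 1] if i + 1 < len(clusters) else 0xFFFF   # last cluster gets EOC
        return clusters[0]

    def chain(self, first):
        """Follow a live chain to its EOC entry; free, bad, reserved or looping entries are errors."""
        out, c = [], first
        while c not in out:
            entry = self.fat[c] if 2 <= c < len(self.fat) else FREE
            if entry in (FREE, BAD) or RESERVED_MIN <= entry < EOC_MIN:
                raise ValueError(f"cluster {c} is not part of a valid chain")
            out.append(c)
            if entry >= EOC_MIN:
                return out
            c = entry
        raise ValueError("FAT chain loops back on itself")

    def delete_file(self, first):
        """What a FAT delete does: release the table entries, leave the data clusters untouched."""
        for c in self.chain(first):
            self.fat[c] = FREE

    def undelete(self, first, size):
        """The directory entry still gives start cluster and size; assume the file was contiguous
        and read forward while the clusters are still free. Returns (bytes, fully recovered?)."""
        out, c = b"", first
        while len(out) < size and c < len(self.fat) and self.fat[c] == FREE:
            out, c = out + self.data[c], c + 1
        return out[:size], len(out) >= size

def demo():
    vol = MiniFatVolume(16)
    first = vol.write_file(b"quarterly report", [2, 3, 4, 5])   # constructed 16-byte file
    vol.delete_file(first)
    fresh = vol.undelete(first, 16)                  # nothing reused yet: full recovery
    vol.write_file(b"newfile", [4, 5])               # a new file lands on two of the freed clusters
    return fresh, vol.undelete(first, 16)            # second attempt is only partial
```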

NTFS

  • two fundamental files for forensics:
    • Master File Table (MFT)
      • describes all files on the volume
        • includes file names, time stamps, security identifiers, and file attributes
      • contains one base file record for each file and directory on an NTFS volume
      • serves same purpose as the FAT
    • cluster bitmap
      • is a map of all the clusters on the hard drive
      • is an array of bit entries where each bit indicates whether its corresponding cluster is:
        • allocated/used
        • or free/unused
  • when a file is deleted
    • cluster is first marked as deleted, before it is marked as available
      • effectively moves it to the recycle bin
    • only when recycle bin is emptied is the cluster marked as available
  • in Windows 7-10, Recycle Bin is located in a hidden directory named $Recycle.Bin\%SID%
    • %SID% is the SID of the user who performed the deletion
    • when files are moved into the Recycle Bin,
      • original file is renamed to $R followed by a set of random characters
      • maintains file extension
      • a new file beginning with $I followed by the same set of random characters, and with the same extension, is created alongside the $R file
        • contains
          • original filename/path
          • original file size
          • date and time the file was moved to Recycle Bin
        • all $I files are exactly 544 bytes long
          • bytes 0-7:
            • $I file header, always set to 01 followed by seven sets of 00
          • bytes 8-15:
            • original file size: stored in hex, in little endian format
          • bytes 16-23: deleted date/time stamp
          • bytes 24-543: original file path/name
  • file systems treat a cluster as entirely in use even if only one bit of it holds file data
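
The $I layout described above, as an added parser (example code, not from the original notes). It builds a constructed 544-byte $I record in that layout, then decodes the size, deletion stamp and path; it assumes the stamp is a Windows FILETIME (100-ns ticks since 1601-01-01) and the path is UTF-16LE, and the sample path, size and date are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

I_FILE_SIZE = 544                       # the notes: every $I file is exactly 544 bytes
HEADER = b"\x01" + b"\x00" * 7          # bytes 0-7: 01 followed by seven 00 bytes
PATH_FIELD = I_FILE_SIZE - 24           # bytes 24-543: original path, UTF-16LE, NUL padded (assumed)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # Windows FILETIME origin (assumed format)

def to_filetime(ts):
    """UTC datetime -> Windows FILETIME (100-nanosecond ticks since 1601-01-01), exact integer math."""
    d = ts - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def from_filetime(ticks):
    """Windows FILETIME -> UTC datetime (sub-microsecond remainder is dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def build_i_file(original_path, size, deleted_at):
    """Construct a sample $I record in the layout above (sample data, not a real capture)."""
    path = original_path.encode("utf-16-le")
    if len(path) > PATH_FIELD:
        raise ValueError("path does not fit the 520-byte path field")
    return HEADER + struct.pack("<QQ", size, to_filetime(deleted_at)) + path.ljust(PATH_FIELD, b"\x00")

def parse_i_file(data):
    """Decode original size, deletion time and original path from one $I record."""
    if len(data) != I_FILE_SIZE:
        raise ValueError(f"expected a {I_FILE_SIZE}-byte $I file, got {len(data)}")
    if data[:8] != HEADER:
        raise ValueError("bad $I header: expected 01 followed by seven 00 bytes")
    size, ticks = struct.unpack_from("<QQ", data, 8)     # bytes 8-15 size, 16-23 stamp, little endian
    path = data[24:].decode("utf-16-le").split("\x00", 1)[0]   # stop at the first NUL
    return {"size": size, "deleted_at": from_filetime(ticks), "path": path}

def sample_record():
    """Build the constructed sample and parse it back (made-up path, size and date)."""
    sample = build_i_file(r"C:\Users\alice\Documents\report.docx", 123456,
                          datetime(2020, 5, 17, 14, 30, tzinfo=timezone.utc))
    return parse_i_file(sample)

if __name__ == "__main__":
    print(sample_record())
```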

Windows Tools

  • DiskDigger
  • WinUndelete
  • FreeUndelete
  • OSForensics
  • Autopsy

Linux

  • Ext is the most common Linux file system
  • how Linux stores files
    • content of file is stored in contiguous blocks
      • exact size of blocks depends on the parameters used with the command to create the partition
        • 1024, 2048, 4096 bytes
        • similar to clusters in NTFS
    • specific block size is stored in the superblock
    • entire partition is divided into an integral number of blocks, starting at 0
    • blocks are divided into groups
    • each group uses one block as a bitmap to keep track of which blocks inside that group are allocated
      • there can be at most 32,768 (4096 x 8) normal blocks per group
    • another block is used as a bitmap of which inodes in the group are allocated
      • an inode is a data structure in the file system that stores all the info about a file except its name and data
      • 128 bytes
      • stored in a table in each group
      • can refer to a file or directory
        • in both cases, it is a link to the file
    • 2 types of links
      • hard link
        • is an inode that links directly to a specific file
        • OS keeps count of references to this link
        • when references count = 0, then file is deleted
      • soft link or symbolic link
        • link is not an actual file, but a pointer to another file or directory
        • similar to shortcut in Windows
    • max of 32,768 inodes per group
      • max 1024 blocks (32768/32) in inode table of each group
    • inodes in the inode table of each group contain metadata for each type of data that the file system can store

Manual Recovery

  • uses Linux commands
    • there are variations between distributions
  1. enter single-user mode
    • first warn logged-in users with the wall command
    • init 1
    • run levels determine at which level the OS is running
      • init command allows you to change the run level
  2. use grep to search for text from the deleted file

The extundelete Utility

  • extundelete works with both Ext3 and Ext4 partitions
  • works via shell commands
  • to restore all deleted files from the sda4 partition:
    • extundelete /dev/sda4 --restore-all

Scalpel

  • works on both Linux and macOS
  1. first edit configuration file
    • located in /etc/scalpel/scalpel.conf
    • uncomment specific file format you want to recover
  2. run sudo scalpel [device/directory/filename] -o [output directory]
    • output directory must be empty

Mac OS

  • Mac OS is based on FreeBSD
    • UNIX clone
    • similar to Linux
  • Mac OS has its own file system
  • tools
    • MacKeeper

Recovering Information From Damaged Media

Physical Damage Recovery Techniques

  • assume that unless the case is visibly damaged, the drive itself is still operable
  • when presented with “failed hard drive” use the following techniques to retrieve data:
    1. remove the drive from the system
      • connect to a test system
      • don’t install the drive, only connect data and power cables
    2. boot test system from own internal drive
      • listen to the failed drive to determine whether the internal disks are spinning
      • if yes, then can likely recover data
    3. determine whether failed drive is recognized and can be installed on the test system
      • if drive installs, copy all directories and files to a hard drive on the test system
      • if drive fails on one system but installs on another, the drive may be usable
      • may have failed due to
        • power supply failure
        • OS corruption
        • malware
        • etc
      • run a virus check on recovered data and test for integrity
    4. if hard drive is not spinning or test system does not recognize it, perform limited repair
      • use specialized software to image all data bits to a recovery drive
      • use extracted raw image to reconstruct usable data
      • use dcfldd for this
    5. if necessary, send device to data recovery specialists
  • if data is deemed lost, you can try:
    1. remove the printed circuit board and replace it with a matching circuit board from a known healthy drive
    2. change the read/write head assembly with known good part
    3. remove hard disk platters from original drive and install them into a known healthy drive

Recovering Data After Logical Damage

Logical damage to a file system may prevent the host OS from mounting or using the file system.

  • can use native OS tools to repair
    • Windows chkdsk
    • Linux fsck
    • Mac Disk Utility
  • third party tools
    • Sleuth Kit
    • TestDisk

Logical Damage Recovery Techniques

Consistency Checking

Consistency checking involves scanning a disk’s logical structure and ensuring that it is consistent with its specifications.

  • E.g., in most file systems, a directory must have at least two entries, a dot entry that points to itself and a dot-dot entry that points to its parent
    • file system repair program reads each directory to ensure these exist and point to correct directories
    • if not, error is displayed and you can correct the problem
  • chkdsk and fsck work this way
  • 2 major problems
    1. consistency check can fail if the file system is highly damaged
    2. chkdsk utility might automatically delete data files if the files are out of place or unexplainable
      • does this to ensure the OS can run properly
  • same problem occurs on system restore disks that restore OS by removing the previous OS
    • avoid by installing the OS on a separate partition from the user data
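
The dot/dot-dot check described above, as an added example (not code from the original notes or from chkdsk/fsck): it walks a constructed directory table, reports directories whose '.' or '..' is wrong, rewrites those two entries from the tree, and leaves orphaned directories for the operator instead of deleting them. It assumes the root directory is inode 2, as on ext-style file systems, and the sample tree is made up.

```python
def _parents(dirs, root):
    """Derive each directory's parent from the entries that list it; the root is its own parent."""
    parent_of = {root: root}
    for ino, entries in dirs.items():
        for name, child in entries.items():
            if name not in (".", "..") and child in dirs:
                parent_of[child] = ino
    return parent_of

def check_directories(dirs, root=2):
    """dirs maps directory inode -> {entry name: inode}. Returns (inode, problem) findings;
    an empty list means every '.' points to itself and every '..' to the listing directory."""
    parent_of = _parents(dirs, root)
    findings = []
    for ino, entries in dirs.items():
        if entries.get(".") != ino:
            findings.append((ino, "missing '.' or it does not point to itself"))
        if ino not in parent_of:
            findings.append((ino, "orphan: no parent directory lists it"))
        elif entries.get("..") != parent_of[ino]:
            findings.append((ino, f"'..' should point to {parent_of[ino]}, found {entries.get('..')}"))
    return findings

def repair_dot_entries(dirs, root=2):
    """Rewrite '.' and '..' from the tree; orphans are reported back, not silently removed."""
    parent_of = _parents(dirs, root)
    for ino, entries in dirs.items():
        entries["."] = ino
        if ino in parent_of:
            entries[".."] = parent_of[ino]
    return check_directories(dirs, root)       # whatever is left needs a human decision

def damaged_tree():
    """Constructed sample: /etc has a wrong '..', /home/alice lost its '.', inode 13 is orphaned."""
    return {
        2:  {".": 2, "..": 2, "home": 10, "etc": 11},   # root (inode 2 assumed) lists home and etc
        10: {".": 10, "..": 2, "alice": 12},
        11: {".": 11, "..": 10},                         # wrong: its parent is 2
        12: {"..": 10, "notes.txt": 40},                 # '.' missing; 40 is a file, not a directory
        13: {".": 13, "..": 2},                          # nothing lists 13
    }
```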

Zero-Knowledge Analysis

  • file system is rebuilt from scratch using knowledge of an undamaged file system structure
    • scan the drive, noting all file system structures and possible file boundaries
    • then match the results to the specifications of a working file system
  • slower than consistency checking
  • but can be used to recover logical structures that are almost completely destroyed
  • does not repair the damaged file system
    • but allows you to extract the data to another storage device

File Carving

  • use file carving to attempt to recover files that are only partially recoverable
  • aka carving
  • often used to recover data from a disk where there has been some damage or the file itself is corrupt
  • usually works by
    • looking for file headers and/or footers
    • then pulling out the data that is found between those two boundaries
  • tools
    • Scalpel
    • carver-recovery
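
A header/footer carver of the kind described above, as an added example (not code from the original notes or from Scalpel): it scans a constructed raw image for JPEG and PNG signatures (real magic bytes), pulls out everything between header and matching footer, and flags a file whose footer is gone as a partial recovery. The image contents and the size limit are made up.

```python
# Real header/footer signatures for two formats; the image scanned below is constructed
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_FILE_SIZE = 10 * 1024 * 1024   # stop looking for a footer beyond this many bytes (assumed limit)

def carve(image, signatures=SIGNATURES, max_size=MAX_FILE_SIZE):
    """Find every known header and carve out the bytes up to its footer.
    Returns (type, offset, data, complete) tuples sorted by offset; complete is False when no footer
    was found within max_size, in which case the bytes up to the limit are kept as a partial file."""
    found = []
    for kind, (head, foot) in signatures.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(foot, pos + len(head), pos + max_size)
            if end != -1:
                data, complete, nxt = image[pos:end + len(foot)], True, end + len(foot)
            else:
                data, complete, nxt = image[pos:pos + max_size], False, pos + len(head)
            found.append((kind, pos, data, complete))
            pos = image.find(head, nxt)
    return sorted(found, key=lambda f: f[1])

def sample_image():
    """Constructed image: slack, a complete JPEG, junk, a complete PNG, a JPEG whose tail was overwritten."""
    jpg = b"\xff\xd8\xff\xe0JFIF-sample-body\xff\xd9"
    png = b"\x89PNG\r\n\x1a\nIHDR-sample-body" + b"IEND\xaeB`\x82"
    cut = b"\xff\xd8\xff\xe1EXIF-truncated"          # header present, footer gone
    return b"\x00" * 37 + jpg + b"junk" * 5 + png + b"\x00" * 11 + cut + b"\x00" * 6

def demo():
    return carve(sample_image(), max_size=64)
```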