Part 3: Digital Forensics for the Aspiring Hacker: Recovering Deleted Files

 My tenderfoot hackers, welcome back!


I recently began a new series on digital forensics to help tenderfoot hackers from being detected and ultimately, incarcerated. In this installment of that series, we will look at recovering deleted files. This is important to hackers because you need to know that even when you delete files on your computer or on the victim's computer, a forensic investigator can usually recover them.


Windows File System's

As the majority of the victims' systems are probably Windows-based, let's concentrate on Windows systems and their file systems. Older Windows systems may still use the FAT filesystem, while the majority of modern Windows systems use the NTFS filesystem. Actually, if you are using a flash thumb drive, it is most likely formatted using the outdated FAT file system, which enables you to use it with ANY operating system, including Mac OS X and Linux.


NTFS

The "new" Windows, Windows NT (thus, NT File System), was being developed in the late 1980s and early 1990s, and the NTFS file system was created for it. To create Windows NT and a new, dependable, secure file system, Microsoft looked to a team of operating system developers who had previously worked for Digital Equipment Company, which is now a part of HP. With the release of Windows 2000, this file system gradually surpassed previous file systems in the Windows family, and you can now only find NTFS on Windows computers.


Every file's position on a hard disk is tracked by NTSF's Master File Table (MFT). The MFT merely designates that region of the hard drive as open to overwriting when a file is removed. The file stays on the hard drive and can be readily recovered up until that point in time when it is truly overwritten. If the new file is smaller than the old one, "slack space" could still exist even after it has been rewritten. Therefore, in the event that a 4096 KB file was erased and replaced with a 3000 KB file, more than 1000 KB would be considered slack space and may still be recovered by a forensic investigator.


FAT Filesystem

The Master File Table (MFT) of NTSF keeps track of each file's location on a hard drive. When a file is deleted, the MFT simply marks that area of the hard disk as susceptible to overwriting. Until such time as it is actually overwritten, the file remains on the hard drive and is easily recoverable. "Slack space" may remain after the file has been overwritten if the new one is smaller than the old one. Therefore, more than 1000 KB would be regarded as slack space and might still be recovered by a forensic investigator in the case that a 4096 KB file was deleted and replaced with a 3000 KB file.


Step1: Create a File

Let's develop a malicious document to show how to retrieve deleted files. This will be our "Malicious" document, which we will produce in Windows Notepad.



This sounds like a sound, albeit ambitious plan.


Step2: Delete the File

We no longer need the file, and we don't want to leave any trace of our evil schemes behind, so let's erase it now that our plans to take over the world have been fulfilled.



Right click on the malicious file and select delete. If you put the file in the Recycle Bin, you have made it even easier for the forensic investigator to recover. The Recycle Bin is actually simply a folder where the files are moved until you empty the Recycle Bin. Nothing is deleted until you empty the Recycle Bin.


Step3: Create an Image

A forensic investigator will make a bit-by-bit copy of your hard drive—in this case, your flash drive—as their first step in inspecting your computer. There are several tools available for this, and the dd command in Linux—available on all Linux distributions, including BackTrack—performs a superb job of creating bit-by-bit copies. Because they frequently alter the data and do not replicate deleted files and directories, file backups and copies are not forensically sound.

Most forensic investigators use commercial tools. The two most popular being Encase by Guidance Software and Forensic Tool Kit by Access Data.

FTK, as it is commonly known in the industry, has a free imager that creates a bit-by-bit copy of the drive. This imager is probably the most widely used in the industry and its price is right, so let's use it.


You can download it here.

Now that have downloaded the FTK imager, we need to create a bit-by-bit image of the flash drive.



Go to menu at the top of the application and select:

File -> Create Image

It will open a wizard that will walk you through the process of opening a case and ask you for a case number, evidence number, examiner name, etc. Obviously, this software was designed for law enforcement and all evidence needs to be categorized and labelled.


Finally, it will ask for a location of the physical drive you want to image, a destination directory and a name for the image file. When you are done with all these administrative tasks, FTK Imager will be begin the process of creating a forensically sound bit-by-bit image of your drive.


Now that we've created a image of the flashdrive, we are ready to recover the deleted files.


Step4: Recover Deleted Files

To retrieve deleted files, a plethora of programs are available in the market, and they are all sufficient for the task. The easiest forensic task is most likely recovering deleted files. I'll be utilizing the RecoverMyFiles trial version here.

You can download a trial version here.

Once you have installed RecoverMyFiles, select the Start Recovery icon in the upper left corner. It will ask you to select either Recover Files or Recover Drive. Select Recover a Drive. It will then search and display all your drives like that in the screenshot below. Since we are using a forensic image, select Add Image button to the right. You will need to provide a path to your image file created with FTK.



Once you select an image file, start the automatic file recovery. When the recovery is completed, you will see a screen similar to the one below.


I then choose to organize the files by type by selecting the File Type tab located above the Explorer window.

This flash drive has a wide variety of file kinds recovered, as you can see. I've chosen the TXT UTF-16 file type because the malicious document we used was a.txt. Subsequently, the upper right pane displays all 158.txt files. As you can see, everything on our malicious.txt file has been recovered. Cracked!


I hope this instruction made it very evident to you how easy it is for a forensic investigator to retrieve the files that you erased. This should serve as a reminder to you to exercise extreme caution and, if at all feasible, to overwrite any deleted files in order to erase any traces of them. Even then might not always be sufficient to protect your files from an experienced forensic investigator.

My tenderfoot hackers, don't forget to return for more Hackerland adventures!

Comments

Post a Comment

Popular posts from this blog

Avoid Being Discovered! How to Prevent Data Forensics from Accessing Your Hard Drives

Image
The arrest of twenty-five Anons in Europe and South America, along with rumors of an FBI sweep on the east coast of the United States, make the situation for hackers precarious. I've been asked a number of concerns in the last few days concerning the removal of private information from hard drives. Concepts appear to cover a wide spectrum, from microwaves to magnets and all in between. I'll now go over some basic information on data forensics, including its operation and precautions you can take.  Anon frequently removes files from his computer, but it only tells half the story—the deleted files are still present. And when his door is kicked in and the FBI grabs his hard drive, they will have access to everything if the negligent anon doesn't take action to remedy that. Be not so anonymous. Computer Forensics: What Is It? The Individuals on CSI? The gathering, preserving, analyzing, and presenting of evidence pertaining to computers is known as computer forensics. In conclu
Read more

Expert Predictions for the Cybersecurity Industry for 2024: Part I

Image
 The experts of My1Login, i-confidential, and OSP Cyber Academy share their forecasts for the year ahead in the first section of our roundup. As 2023 comes to an end, cybersecurity professionals should look into their crystal balls to see what the security industry might expect in the coming year. Experts from My1Login, i-confidential, and OSP Cyber Academy share their forecasts for the year ahead in the first section of our roundup. CEO of My1Login Mike Newman: Cloud migration will increase attack surface Organizations have been transforming over the past year, and more of their data and apps are now stored in the cloud. Although this has increased service availability and efficiency, it has also increased the corporate attack surface. Simultaneously, companies are moving their whole corporate directory to the cloud, usually using Microsoft Entra ID platforms. Due to the requirement for manual, password-based authentication, many of the applications that were previously connected with
Read more