Task 9.6: Recovering Deleted Content from the File System

There may be several reasons why deleted content needs to be recovered. In some cases, users accidentally delete files and need assistance in their recovery efforts. In other cases, administrators or forensic investigators need to recover deleted content as part of an investigation of unacceptable use of a system, or perhaps even from criminal activity.

Scenario

You are a security professional for an organization. A computer system is delivered to you with a report of suspected unacceptable use of the company’s computer system. The report indicates that a preliminary scan of the system shows nothing but approved software and content, but management wants to be sure that the suspected unauthorized content wasn’t removed from the computer before it was confiscated. Your job will be to investigate the system and recover any deleted content. To prepare for the investigation, you want to familiarize yourself with the tools and procedures you will use during the recovery effort.

Scope of Task

Duration

This task should take 30 minutes.

Setup

When a user deletes a file from a Windows system, the file system by default places the deleted content in the Recycle Bin, sometimes called the Recycler. This allows for the easy recovery of the file by the user, just in case the user deleted the wrong file. You will first check the Recycle Bin for deleted content.

On an NTFS file system, when a user empties the Recycle Bin, the file system updates the partition’s table of contents, called the Master File Table (MFT), by overwriting the first character of the deleted file’s name with a question mark (?). (On a FAT partition, this file system table of contents is called the File Allocation Table, or FAT, which is where FAT partitions get their name.) This tells the file system that the space that contains the file content is now available for reuse. The file content itself remains written on the disk; these leftover bytes are called remnants. The remnants could be overwritten at any moment, since the space is deemed “free space.”

Remnants can be recovered and converted into files for inspection. Often, because parts of the original, deleted file have been overwritten, the recovered content consists of fragments of the original content, but these fragments can still be useful in an investigation.
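The following is an added example, not part of the task text and not code from UndeletePlus. It models the behaviour described above in a toy, constructed disk layout: a directory table of fixed-size entries followed by a data area. Deleting a file only marks the table entry (the first character of the name becomes "?", as the text describes) and leaves the data untouched, so the content can still be read back; once the operating system reuses part of that "free" space, only fragments survive. The candidate filter (deleted, .txt, small, created in a time window) mirrors the way you locate the target later in the task. Every name, timestamp and line of content here is constructed for the example.

```python
import struct
from dataclasses import dataclass

# Constructed toy on-disk layout for this example (not a real file system):
# a directory table of fixed-size entries, then a data area.
ENTRY = struct.Struct("<16sIIQ")   # name[16], data offset, size, created (epoch seconds)
DIR_SLOTS = 4
DATA_START = ENTRY.size * DIR_SLOTS
SLOT_BYTES = 512                    # each file gets one 512-byte region in the data area
IMAGE_SIZE = DATA_START + DIR_SLOTS * SLOT_BYTES


@dataclass
class Entry:
    slot: int
    name: str
    offset: int
    size: int
    created: int
    deleted: bool


def new_image():
    """Blank toy disk image."""
    return bytearray(IMAGE_SIZE)


def write_file(img, slot, name, content, created):
    """Store content in the slot's data region and record it in the table."""
    offset = DATA_START + slot * SLOT_BYTES
    img[offset:offset + len(content)] = content
    ENTRY.pack_into(img, slot * ENTRY.size,
                    name.encode("ascii").ljust(16, b"\0"), offset, len(content), created)


def delete_file(img, slot):
    # Model what the task describes: the table marks the entry by replacing the
    # first character of the name with '?'; offset, size and data are untouched.
    img[slot * ENTRY.size] = ord("?")


def overwrite_free_space(img, offset, length, filler=b"\0"):
    # Model the OS reusing "free" space: part of the remnant is destroyed.
    img[offset:offset + length] = filler * length


def list_entries(img):
    """Walk the directory table, including entries marked as deleted."""
    entries = []
    for slot in range(DIR_SLOTS):
        raw_name, offset, size, created = ENTRY.unpack_from(img, slot * ENTRY.size)
        name = raw_name.rstrip(b"\0").decode("ascii", errors="replace")
        if not name:
            continue                      # never-used slot
        entries.append(Entry(slot, name, offset, size, created, name.startswith("?")))
    return entries


def find_candidates(entries, ext, max_size, t_start, t_end):
    """Deleted entries with the wanted extension, a small size, and a creation time in the window."""
    return [e for e in entries
            if e.deleted and e.name.lower().endswith(ext)
            and e.size <= max_size and t_start <= e.created <= t_end]


def recover(img, entry):
    """Read the bytes the table still points at; the data may be partly overwritten."""
    return bytes(img[entry.offset:entry.offset + entry.size])


def printable_fragments(data, min_len=4):
    """Carve runs of printable ASCII from a region that may have been partly overwritten."""
    frags, cur = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                frags.append(cur.decode("ascii"))
            cur = bytearray()
    if len(cur) >= min_len:
        frags.append(cur.decode("ascii"))
    return frags


def demo():
    img = new_image()
    t0 = 1_700_000_000                    # constructed creation time of the target file
    write_file(img, 0, "notes.txt", b"Here's looking at you, kid.", t0)
    write_file(img, 1, "big.log", b"x" * 400, t0 + 5)
    write_file(img, 2, "song.txt", b"We will, we will rock you", t0 + 3600)
    for slot in (0, 1, 2):
        delete_file(img, slot)            # "empty the Recycle Bin"
    cands = find_candidates(list_entries(img), ".txt", 100, t0 - 60, t0 + 60)
    intact = recover(img, cands[0])       # nothing reused yet: full content comes back
    overwrite_free_space(img, cands[0].offset + 7, 12)   # OS reuses part of the region
    partial = recover(img, cands[0])
    return {"candidates": [e.name for e in cands],
            "intact": intact,
            "fragments": printable_fragments(partial)}


if __name__ == "__main__":
    print(demo())
```

Run it and compare the `intact` value with `fragments`: the second recovery, after the simulated reuse of free space, returns only the pieces that were not overwritten, which is exactly the situation the task warns about when the recovered file does not contain your text.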

Caveat

In a real investigation you never analyze the original disks. You make exact, bit-level copies of the original disk(s) and analyze that. Also, when you boot up an operating system (OS), the OS builds its page file and writes many different files and updates (like log files) to the disks. These writes are potentially destroying the target of the investigation, so in a real investigation, you would never boot up the target but would mount the disk as a read-only data disk from a different OS to disallow overwriting any remnants.

This task is only intended to test the tool and familiarize you with the nature of file remnants and their recovery.

Procedure

First you’ll create a file with some known content. Next you will delete the file, placing it into the Recycle Bin. Then you will restore the file from the Recycle Bin and examine its contents to verify intact recovery.

You will download a tool designed to recover remnants from the file system and install it. Then you will delete the file again, this time emptying the Recycle Bin. Using the tool UndeletePlus, you will scan the disk drive and recover the deleted content from the remnants on the disk.

Equipment Used

For this task, you must have:

  • Windows 7 system
  • Administrator access
  • Internet access

Details

Using the Recycle Bin

1. Log on to the Windows 7 system as the Administrator.

2. Right-click on the desktop and select New ⇒ Text Document.


Document the time of file creation. You will need this information later.

3. Double-click the New Text Document.txt file to open it.

4. Type a line from your favorite song or movie into the text document.

5. From the menu, select File ⇒ Save.


6. Close the text document by clicking the red X in the upper-right corner of the Notepad document.

7. Right-click on the TXT file and select Delete, or click on the file and drag it to the Recycle Bin.


8. Verify that you want to move the file to the Recycle Bin by clicking Yes in the confirmation dialog box. Notice the file is removed from your desktop.

9. Double-click the Recycle Bin. You should see New Text Document.txt.

10. Double-click New Text Document.txt. This would normally open the file in Notepad, but in the Recycle Bin, this brings up properties of the file and an option to restore the file.


11. Click the Restore button. The file should disappear from the Recycle Bin and reappear on the desktop.

12. Click the OK button in the New Text Document Properties dialog box and exit the Recycle Bin.

13. Double-click New Text Document.txt to verify the complete contents of the file. You have successfully recovered deleted content from the Recycle Bin.

Installing UndeletePlus


In this exercise, you do not have specific recovery targets and are only interested in becoming familiar with the UndeletePlus tool and recovery process. In this case, it is safe to download the software to the target system and install the program on the system directly. Normally you would install the software on a separate system and scan the target disk(s) without booting the target system OS.

1. Still logged on to the Windows 7 system as the Administrator, launch Internet Explorer.

2. Download UndeletePlus from the following website:

http://undelete-plus.en.softonic.com/

Clear the options to install any toolbars and home-page configuration.

3. Launch undeleteplus_setup.exe.

4. If you are prompted for approval to make changes to the system by User Account Control, click Yes to allow the installation program to proceed.


Notice that the operating system locks the desktop as a protective measure while it waits for confirmation to escalate privilege and install the application.

5. Click Next to proceed into the installation of UndeletePlus.


6. Accept the license agreement and click Next.

7. Accept the default installation path and click Next.

8. Enable the check box to install a desktop icon. Click Next, and then click Install.

9. Clear the check box to visit the UndeletePlus home page. Click Finish.


10. Minimize the UndeletePlus utility to the taskbar.

Creating a Remnant: A Recovery Target

1. Right-click on the TXT file and select Delete, or click on the file and drag it to the Recycle Bin.

2. Confirm moving the file to the Recycle Bin.

3. Right-click the Recycle Bin on the desktop and select Empty Recycle Bin.


You can delete content without placing it in the Recycle Bin by holding the Shift button, then right-clicking the file and selecting Delete. This removes the first and easiest option for recovering the deleted content.


4. Click Yes to confirm removal of the contents of the Recycle Bin. The file is now unrecoverable using standard Windows recovery techniques.


Recovering Content from Remnants

1. Click the UndeletePlus utility on the taskbar.


2. Confirm the C: drive is selected and click the Start Scan button in the upper-left corner. The scan may take a few minutes to complete.

3. When the scan completes, review the list of remnants that may be recoverable in the right pane.


4. Below the list of remnants in the right pane, clear the Keep Folder Structure check box. Click the ellipsis button to the right of the Undelete Selected File(s) To text box (not the Open button).

5. Set the recovery folder location to C:\AA. If the C:\AA folder does not exist, create the C:\AA folder.


6. Sort the list of remnants by creation time by clicking the Date Created column heading in the right pane.

7. Scroll down the list of remnants and locate a TXT file that was created when you created the New Text Document.txt file. The target file should be relatively small based on the small amount of text you typed into it: probably less than 100 bytes. Click on the file.


The filename may be different from New Text Document.txt. Take note of the target filename that was created when you created New Text Document.txt.


8. Ensure the check box to the left of the file is checked, and click the Start Undelete button in the upper left of the utility.


9. Minimize UndeletePlus.

10. Launch Windows Explorer and expand the folders to the C:\AA folder.


11. Double-click the file you recovered. The file should contain the information you entered previously in New Text Document.txt.


If the file does not contain your target text, review the recoverable files in the UndeletePlus utility and recover any other TXT files that were created at approximately the time you created New Text Document.txt. If your content is not recoverable, the system may have overwritten your content between the time you deleted the file and the time you recovered the file. You can repeat the file-creation steps and the file-deletion steps, including emptying the Recycle Bin, and then repeat the scanning and recovery using UndeletePlus.


12. Close Notepad and close Windows Explorer.

13. In the UndeletePlus utility, notice the file type filters in the left pane labeled Types. Click on several to see the types of files that may be recoverable on your system.


14. Click the Filter button at the top of the application. This dialog box allows you to specify additional criteria to help you locate target deleted content for recovery. You enter the search criteria and click the Set Filter button. Then you click the Start Scan button again. The search shows only recoverable files that match the filter criteria.


15. Feel free to recover other deleted content.

Criteria for Completion

You have completed this task when you have successfully recovered deleted content using the UndeletePlus recovery utility.
