Undeleting Data

It is common for people to delete files from their computers. Even criminals who are not very technically savvy think that deleting a file will keep authorities from discovering it. So you should expect that evidence will frequently be deleted from computers you examine. For this reason, one of the most fundamental tasks a forensic examiner will conduct is to retrieve deleted data.

This chapter does not delve into the specifics of the three major operating systems: Windows, Linux, and Macintosh. Instead, the focus is simply on recovering files from them. However, those operating system issues most closely related to the deletion of files are discussed.

File Systems and Hard Drives

Hard drives store data in sectors. For many years, a typical sector was 512 bytes; however, modern hard drives use what is called the Advanced Format, which has 4096-byte sectors. A sector is basically an area of one of the disk platters defined by two radii, and it is the unit in which the hard drive itself views data. File systems, however, work with clusters, not sectors. A cluster can be from 1 to 128 sectors. Sectors are contiguous on a disk, but clusters need not consist of contiguous sectors (see FIGURE 6-1); for example, a 10-sector cluster may have sectors from many different locations.

Note: The formal definition has been changed from cluster to allocation unit; however, in most technical literature the term cluster is still used.

Windows

Windows is a very common operating system. In fact, it would be quite a challenge to find an office that did not have any computers running Windows. PCs running Windows also account for the overwhelming majority of home computers. So, recovering deleted Windows files is the first skill you learn in this chapter.

FIGURE 6-1
Clusters and sectors.

You can recover deleted files from the Windows operating system because of the way the file system works. Older versions of Windows use FAT (either FAT16 or FAT32); newer versions (since Windows 2000) use primarily NTFS. Even today, with Windows 10, NTFS is the file system used in Microsoft Windows. This section explores FAT and NTFS file systems in relationship to recovering deleted files. In both file systems, a table is used to map files to specific clusters where they are stored on the disk.

FAT

In FAT16 and FAT32, the table used to store cluster/file information is the file allocation table (FAT), thus the name of the file system. The file allocation table is really a list of entries, one for each cluster on the disk partition. Each entry records one of five things:

  1. The cluster number of the next cluster in this file's chain.

  2. If this cluster is the end of a chain, a special end of cluster chain (EOC) marker.

  3. A special marker indicating a bad cluster.

  4. A special marker indicating a reserved cluster.

  5. A marker indicating that the cluster is open, or available.

When a file is deleted, the data is not actually removed from the drive. Rather, the FAT is updated to reflect that those clusters are no longer in use. If new information is saved to the drive, it may be saved to those clusters, overwriting the old information. What this means from a forensic point of view is that the more recently a file was deleted, the more likely you will be able to recover the file. Over time, it becomes more likely that those clusters have had other information saved in them. In fact, the cluster may have been deleted and saved over several times. Because of this, recovering a deleted file is not always an all-or-nothing procedure. It is possible to recover just a portion of a file.
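To make the FAT behaviour above concrete, here is an added example (not from the chapter) that models a tiny FAT16 volume: a file is written as a cluster chain, deleted by freeing its FAT entries, recovered intact from its still-present data clusters, and then only partially recovered after a new file reuses some of those clusters. The toy volume, its 512-byte clusters and the file contents are constructed for the example; the FAT16 marker values (0x0000 free, 0xFFF7 bad, 0xFFF8 to 0xFFFF end of chain) are the real ones.

```python
from math import ceil

FAT16_FREE = 0x0000      # cluster is available
FAT16_BAD = 0xFFF7       # cluster is marked bad
FAT16_EOC = 0xFFFF       # any entry 0xFFF8..0xFFFF ends a cluster chain
CLUSTER_SIZE = 512       # constructed volume: one 512-byte sector per cluster


class Fat16Volume:
    """Toy FAT16 volume: a FAT, a data area, and directory entries of name -> (first cluster, size)."""

    def __init__(self, n_clusters):
        self.fat = [FAT16_FREE] * n_clusters
        self.fat[0], self.fat[1] = 0xFFF8, 0xFFFF            # entries 0 and 1 are reserved
        self.data = [bytearray(CLUSTER_SIZE) for _ in range(n_clusters)]
        self.dir = {}        # live directory entries
        self.deleted = {}    # entries whose name was marked deleted; first cluster and size survive

    def chain(self, first):
        """Follow the FAT from `first` to the end-of-chain marker, validating every entry."""
        seen, cluster = [], first
        while True:
            if cluster in seen:
                raise ValueError(f"FAT loop at cluster {cluster}")
            seen.append(cluster)
            entry = self.fat[cluster]
            if entry >= 0xFFF8:                               # EOC: chain complete
                return seen
            if entry < 2 or entry == FAT16_BAD:               # free, reserved or bad: chain is broken
                raise ValueError(f"chain broken at cluster {cluster}: entry {entry:#06x}")
            cluster = entry

    def write_file(self, name, content):
        """Allocate the lowest free clusters, link them in the FAT, and copy the data in."""
        need = ceil(len(content) / CLUSTER_SIZE)
        free = [i for i, e in enumerate(self.fat) if i >= 2 and e == FAT16_FREE][:need]
        if len(free) < need:
            raise OSError("volume full")
        for n, cluster in enumerate(free):
            chunk = content[n * CLUSTER_SIZE:(n + 1) * CLUSTER_SIZE]
            self.data[cluster][:] = chunk.ljust(CLUSTER_SIZE, b"\x00")   # slack padded with zeros
            self.fat[cluster] = free[n + 1] if n + 1 < need else FAT16_EOC
        self.dir[name] = (free[0], len(content))

    def read_file(self, name):
        first, size = self.dir[name]
        return b"".join(self.data[c] for c in self.chain(first))[:size]

    def delete(self, name):
        """Delete the FAT way: free the chain's FAT entries, leave every data cluster untouched."""
        first, size = self.dir.pop(name)
        for cluster in self.chain(first):
            self.fat[cluster] = FAT16_FREE
        self.deleted[name] = (first, size)

    def recover(self, name):
        """Recover a deleted file from its surviving directory entry, assuming contiguous storage."""
        first, size = self.deleted[name]
        clusters = range(first, first + ceil(size / CLUSTER_SIZE))
        return b"".join(self.data[c] for c in clusters)[:size]


def demo():
    """Write, delete and recover a file; then overwrite some of its clusters and recover again."""
    vol = Fat16Volume(16)
    evidence = b"EVIDENCE" * 150            # constructed 1200-byte file: occupies three clusters
    vol.write_file("evidence.txt", evidence)
    vol.delete("evidence.txt")
    fresh = vol.recover("evidence.txt")     # nothing reused yet: the whole file comes back
    vol.write_file("new.txt", b"N" * 700)   # takes freed clusters 2 and 3
    later = vol.recover("evidence.txt")     # only the third cluster still holds evidence
    return fresh, later
```

The second recovery returns a file-sized buffer whose first two clusters now belong to new.txt; only the tail is still evidence, which is the partial-recovery case the text describes.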

NTFS

Starting with Windows 2000, NTFS has been the preferred file system for Windows operating systems. NTFS is an acronym for New Technology File System. From a forensic point of view, there are two fundamental files that are part of NTFS that are of most interest. These are the Master File Table (MFT), which some sources call the Meta File Table, and the cluster bitmap. The MFT describes all files on the volume, including filenames, timestamps, security identifiers, and file attributes, such as read-only, compressed, encrypted, and so on. This file contains one base file record for each file and directory on an NTFS volume. It serves the same purpose as the file allocation table does in FAT and FAT32. The cluster bitmap file is a map of all the clusters on the hard drive. This is an array of bit entries where each bit indicates whether its corresponding cluster is allocated/used or free/unused.

When files are deleted from an NTFS system, the process is similar to what occurs in FAT. The main difference is that the clusters are first marked as deleted, which effectively “moves” the file to the Recycle Bin. In NTFS prior to Vista, the Recycle Bin resides in a hidden directory called RECYCLER. In Vista, Windows 7, Windows 8, and Windows 10, the directory was renamed $Recycle.Bin. Only when you empty the Recycle Bin is the cluster marked as fully available. More specifically, when a file is deleted, the filename in the MFT is marked with a special character that signifies to the computer that the file has been deleted. Even at this point, not a single bit is actually erased; the MFT is simply updated to note that the file's clusters are deleted. At this point, one can completely recover the entire file, and any number of file recovery utilities are available for this purpose. Just as with FAT systems, clusters in an NTFS system are more likely to be overwritten as more time elapses after deletion.


In digital forensics, it is often the case that you will analyze older systems as well as newer systems. So, when discussing how Windows handles deleted files, let’s first examine Windows XP. With Windows XP, the Recycle Bin keeps an associated file named INFO2. This file is used to keep track of the deleted files’ or folders’ original location, as well as file size and deletion time. This way it is possible to restore a file from the Recycle Bin. When you delete a file, the INFO2 list looks like this:

  • D%DriveLetter%_%IndexNumber%_%FileExtension%

  • The “D” stands for Drive.

  • %DriveLetter% is the drive that the file was on before it was deleted.

  • %IndexNumber% is a number assigned to each file or directory that is sent to the Recycle Bin, and indicates the order of deletion.

  • %FileExtension% is the original file extension. If it is a folder, there will be no extension.

In Windows 7 and Vista, Microsoft did away with the INFO2 file. Starting with Vista, the Recycle Bin is located in a hidden directory named $Recycle.Bin\%SID%, where %SID% is the SID (Security Identifier) of the user that performed the deletion. When files are moved into the Recycle Bin, the original file is renamed starting with $R, followed by a set of random characters, but maintaining the original file extension. Also, a new file is created beginning with $I followed by the same set of random characters given to the $R file and the same extension; this file contains the original filename/path, original file size, and date and time the file was moved to the Recycle Bin. Note that all of the $I files are exactly 544 bytes long.

In Windows 7 and Vista, the $I structure is as follows:

  • Bytes 0–7: $I file header, always set to 01 followed by seven bytes of 00.

  • Bytes 8–15: original file size, stored in hex, little-endian.

  • Bytes 16–23: deleted date/time stamp, represented as the number of seconds since midnight, January 1, 1601. Use a program such as Decode to assist with figuring out the exact date/time if you don’t want to do the math.

  • Bytes 24–543: original file path/name.
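The $I layout just described, parsed by an added example that is not part of the chapter. The record is constructed inline rather than read from a real $Recycle.Bin directory; the bytes 16–23 value is decoded as a Windows FILETIME, that is, a count of 100-nanosecond intervals since midnight, January 1, 1601, and the path field is read as UTF-16LE, the encoding Windows uses for these records.

```python
import struct
from datetime import datetime, timedelta, timezone

I_FILE_SIZE = 544                                        # Vista/7 $I records are fixed-length
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """Convert a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; dt must be timezone-aware."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_i_file(data):
    """Parse a Vista/7 $I record.

    Layout: bytes 0-7 header (01 00 00 00 00 00 00 00), 8-15 original size (little-endian),
    16-23 deletion FILETIME, 24-543 original path as UTF-16LE, null-padded.
    """
    if len(data) != I_FILE_SIZE:
        raise ValueError(f"expected {I_FILE_SIZE} bytes, got {len(data)}")
    header, size, ticks = struct.unpack_from("<QQQ", data, 0)
    if header != 1:
        raise ValueError(f"unsupported $I header {header:#x} (only version 1 is handled here)")
    path = data[24:].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"original_size": size, "deleted_at": filetime_to_datetime(ticks), "original_path": path}


def build_i_file(original_path, original_size, deleted_at):
    """Build a version-1 $I record; used here only to construct sample input."""
    path_bytes = original_path.encode("utf-16-le")
    if len(path_bytes) > I_FILE_SIZE - 24:
        raise ValueError("path exceeds the 260-character field")
    header = struct.pack("<QQQ", 1, original_size, datetime_to_filetime(deleted_at))
    return header + path_bytes.ljust(I_FILE_SIZE - 24, b"\x00")


# Constructed sample: what $I<random>.txt would contain for a 42,000-byte file deleted in 2015.
SAMPLE_I_FILE = build_i_file(r"C:\Users\alice\Documents\notes.txt", 42000,
                             datetime(2015, 3, 4, 12, 30, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    for field, value in parse_i_file(SAMPLE_I_FILE).items():
        print(f"{field}: {value}")
```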

File systems view a cluster as entirely utilized if even 1 bit is used. To illustrate this, assume that a system has a sector size of 4096 bytes. Then further assume that it is using a cluster size of 10 sectors. This means each cluster has a total of 40,960 bytes of storage. If the user saves a file that is 42,000 bytes in size, the file system will need to utilize two clusters. All 10 sectors of the first cluster are used, but only one sector of the second cluster is used. From the file system’s point of view, and thus the operating system’s point of view, both clusters are completely used. The space between where a file actually ends and the end of the cluster (if the file does not take up 100% of the cluster) is called slack space. This is illustrated in FIGURE 6-2.

FIGURE 6-2
Cluster usage.

Windows Tools

There are a number of mechanisms for recovering deleted files. Most major forensics tools, such as EnCase, Forensic Toolkit (FTK), and OSForensics, will recover deleted files.

A number of tools are available specifically to recover deleted files from Windows computers. This section introduces a few of these tools. You should definitely take the time to explore the various tools available and select the one you prefer. Simply using your favorite search engine to look for “how to recover deleted Windows files” will result in a number of tools you can try. Many are free, and those that are not usually have a trial version with which you can experiment.

DiskDigger

DiskDigger (http://diskdigger.org) is an easy-to-use tool. It can be downloaded free of charge and is fully functional. But when recovering files in the free version, you have to recover them one at a time. If you pay for the commercial version, you can recover as many files at one time as you want. The interface is very easy to use. When you launch the program, you see a screen like the one shown in FIGURE 6-3. Then you select the drive you want to examine, and choose Dig Deep or Dig Deeper, as shown in FIGURE 6-4. The difference is the level of recovery.

FIGURE 6-3
DiskDigger main screen.

Courtesy of Defiant Technologies, LLC

FIGURE 6-4
DiskDigger starting data recovery.

Courtesy of Defiant Technologies, LLC

Once recovery is done, you will see a screen like the one shown in FIGURE 6-5. You can select any file and recover it. On your screen the files will be in color. For files in green, you should get the entire file back. Gray indicates a partial file, and red indicates very little of the file is left. You can view and recover individual files from this screen.

Forensically Scrubbing a File or Folder

Many webpages report that U.S. Department of Defense (DOD) 5220.22-M recommends that data be overwritten with random characters seven times to ensure it is completely wiped (http://www.wipingdata.com/index.html). That is accurate, but incomplete. There is actually a matrix of how to sanitize different types of media (http://recycleyourmedia.com/webuytape/compliance/d-o-d-data-sanitization-matrix/), as shown in TABLE 6-1.

WinUndelete

WinUndelete (http://www.winundelete.com/download.asp) is another tool that is relatively easy to use. When launched, it starts a wizard that first asks you to select which drive to recover. This is shown in FIGURE 6-6. Step 2 allows you to select the file types you want to recover. This is shown in FIGURE 6-7. The third step is to select a folder in which to place recovered files. You can see this in FIGURE 6-8.

When WinUndelete has completed running the recovery process, you can go to that folder to see the files.

FIGURE 6-5
Recovering an individual file using DiskDigger.

Courtesy of Defiant Technologies, LLC

TABLE 6-1 Forensically scrubbing a file or folder.

MEDIA                                    | CLEAR       | SANITIZE
-----------------------------------------+-------------+------------------
MAGNETIC TAPE                            |             |
  Type I                                 | a or b      | a, b, or m
  Type II                                | a or b      | b or m
  Type III                               | a or b      | m
MAGNETIC DISK                            |             |
  Bernoullis                             | a, b, or c  | m
  Floppies                               | a, b, or c  | m
  Nonremovable rigid disk                | c           | a, b, d, or m
OPTICAL DISC                             |             |
  Read many, write many                  | c           | m
  Read-only                              |             | m, n
  Write once, read many (WORM)           |             | m, n
MEMORY                                   |             |
  Dynamic random access memory (DRAM)    | c or g      | c, g, or m
  Electronically alterable PROM (EAPROM) | l           | j or m
  Electronically erasable PROM (EEPROM)  | l           | h or m
  Flash EPROM (FEPROM)                   | l           | c then i, or m
  Programmable ROM (PROM)                | c           | m
  Magnetic core memory                   | c           | a, b, e, or m
  Magnetic plated wire                   | c           | c and f, or m
  Magnetic resistive memory              | c           | m
  Nonvolatile RAM (NOVRAM)               | c or g      | c, g, or m
  Read-only memory (ROM)                 |             | m
  Static random access memory (SRAM)     | c or g      | c or f, g, or m
EQUIPMENT                                |             |
  Cathode ray tube (CRT)                 | g           | q
PRINTERS                                 |             |
  Impact                                 | g           | p then g
  Laser                                  | g           | o then g

Key to the table entries:

a. Degauss with a Type I degausser.

b. Degauss with a Type II degausser.

c. Overwrite all addressable locations with a single character.

d. Overwrite all addressable locations with a character, its complement, and then a random character, and then verify.

e. Overwrite all addressable locations with a character, its complement, and then a random character.

f. Each overwrite must reside in memory for a period longer than the classified data resided.

g. Remove all power, including battery power.

h. Overwrite all locations with a random pattern, all locations with binary zeroes, and all locations with binary ones.

i. Perform a full chip erase as per the manufacturer’s data sheets.

j. Perform i, then c, a total of 3 times.

k. Perform an ultraviolet erase according to the manufacturer’s recommendation.

l. Perform k, but increase the time by a factor of three.

m. Destroy: disintegrate, incinerate, pulverize, shred, or melt.

n. Destruction required only if classified information is contained.

o. Run five pages of unclassified text (font test acceptable).

p. Ribbons must be destroyed. Platens must be cleaned.

q. Inspect and/or test the screen surface for evidence of burned-in information. If present, the cathode ray tube must be destroyed.

FIGURE 6-6
WinUndelete Wizard Step 1: selecting a drive.

Courtesy of WinRecovery Software

FIGURE 6-7
WinUndelete Step 2: selecting file types.

Courtesy of WinRecovery Software

FreeUndelete

FreeUndelete (http://www.officerecovery.com/freeundelete/) is free for personal use; however, there is a fee for commercial use. When you launch this program, the first screen requires you to select the drive from which you want to recover files. This is shown in FIGURE 6-9. Then you simply click the Scan button, and any files that can be fully or partially recovered will be listed.

FIGURE 6-8
WinUndelete Step 3: selecting a restore file location.

Courtesy of WinRecovery Software

FIGURE 6-9
FreeUndelete selecting a drive.

Courtesy of Recoveronix Ltd.

OSForensics

OSForensics is a robust forensics tool that also provides for undeletion. You can undelete from an image you have mounted, or from the live system. You can find the Deleted Files search on the menu on the left side of the main OSForensics screen, as shown in FIGURE 6-10. The search result will be color-coded, indicating how likely it is that you can recover a given file. Obviously, some files will be so fragmented that recovery is unlikely. You can see this in FIGURE 6-11.

FIGURE 6-10
OSForensics Deleted Files search.

Courtesy of PassMark Software

FIGURE 6-11
OSForensics Deleted Files results.

Courtesy of PassMark Software

Linux

With Linux, you have the option of using prepackaged tools or some built-in Linux commands. This section discusses both, but first you need to understand the ext file system. Linux can run on multiple file systems, but ext is the most common. The most recent version of ext is ext4; however, many Linux distributions still use ext3.

First, consider how Linux stores files. The content of files is stored in contiguous blocks. The exact size of these blocks depends on the parameters used with the command to create that partition (for example, mke2fs can be used to make ext2 partitions). The size can be 1024, 2048, or 4096 bytes. You can think of these blocks as something similar to the clusters in NTFS, though they are not exactly the same thing, just related conceptually.

Hard drives that run Linux address blocks, or integer multiples of blocks, at a time. The specific block size is stored in the superblock. The entire partition is divided into an integral number of blocks, starting at 0.

Blocks are divided into groups. Each group uses one block as a bitmap to keep track of which block inside that group is allocated (used); thus, there can be at most 32,768 (4096 × 8 = 32,768) normal blocks per group. Another block is used as a bitmap for the number of allocated inodes. Inodes are data structures of 128 bytes that are stored in a table (4096 / 128 = 32 inodes per block) in each group. An inode is a data structure in the file system that stores all the information about a file except its name and its actual data.

An inode can refer to a file or a folder/directory. In either case, the inode is really a link to the file. This is important because there are basically two types of links. The first type is the hard link. A hard link is an inode that links directly to a specific file. The operating system keeps a count of references to this link. When the reference count reaches zero, the file is deleted. In other words, you can have any number of names referencing a file, but if that number of references reaches zero (i.e., there is no name that references that file), then the file is deleted.

The second type of file link is called a soft link or symbolic link. In this case, the link is not actually a file itself, but rather a pointer to another file or directory. You can think of this as the same thing as a shortcut, such as you might find in Windows.

Because there are at most 32,768 bits in the bitmap, that means that there will be a maximum of 32,768 inodes per group, and thus 1024 blocks (32,768 / 32 = 1024) in the inode table of each group. The actual size of the inode table is given by the actual number of inodes per group, which is also stored in the superblock.

The inodes in the inode table of each group contain metadata for each type of data that the file system can store. This type might be a symbolic link, in which case only the inode is sufficient; it might be a directory, a file, and so on. In the case of files and directories, the real data is stored in the file.

Manual Recovery

This method depends on manually recovering deleted files using Linux commands. It does not require external tools. Unfortunately, there are variations among the Linux distributions, so there is no guarantee that this process will work on your specific Linux installation.

The first step is to move the system to single-user mode. If this is a network system, you should probably notify network users first. This can be done with the wall command, which sends messages to all logged-in users.

Then, you can move to single-user mode, using the init command:

init 1

The Linux/UNIX command grep can be used to search for files, contents of files, and just about anything you may want to search for. The grep command is very flexible and quite popular with Linux users. For example,

grep -b 'search-text' /dev/partition > file.txt

will search for ‘search-text’ in a given partition and output the results to file.txt. You can also use this syntax:

grep -a -B[size before] -A[size after] 'text' /dev/[your_partition] > file.txt

To recover a text file starting with the word forensics on /dev/sda2, you can try the following command:

# grep -i -a -B10 -A100 'forensics' /dev/sda2 > file.txt

In this case, grep is searching for this phrase, ignoring case, looking through binary files, and essentially looking to find the text, even if the file has a reference count of zero (i.e., has been deleted). Of course, if the file blocks have been overwritten enough times, then it will be irrecoverable.

The extundelete Utility

The extundelete utility (http://extundelete.sourceforge.net) works with both ext3 and ext4 partitions. This product works via shell commands, and they are relatively simple. For example, if you want to restore all deleted files from the /dev/sda4 partition, just use this command:

extundelete /dev/sda4 --restore-all

The website documents all the various options you can utilize with this tool.

TABLE 6-2 Using init to change run levels in Linux.

Linux run levels determine at what level the operating system is running. The init command allows you to change run level.

MODE | DIRECTORY        | RUN LEVEL DESCRIPTION
-----+------------------+--------------------------------
0    | /etc/rc.d/rc0.d  | Halt
1    | /etc/rc.d/rc1.d  | Single-user mode
2    | /etc/rc.d/rc2.d  | Not used (user-definable)
3    | /etc/rc.d/rc3.d  | Full multiuser mode without GUI
4    | /etc/rc.d/rc4.d  | Not used (user-definable)
5    | /etc/rc.d/rc5.d  | Full multiuser mode with GUI
6    | /etc/rc.d/rc6.d  | Reboot

Scalpel

This tool works with both Linux and Mac OS, and it is even possible to compile the source code to work in Windows. However, it is easiest to install and work with in Linux. For example, if you are using Ubuntu Linux, this is all it takes to install:

sudo apt-get install scalpel

Next comes some text editing: the configuration file is /etc/scalpel/scalpel.conf. You will find that everything in it has been commented out; uncomment the section for the specific file format that you want to recover. For example, if you want to recover deleted Zip files, then you need to uncomment the .zip section in scalpel.conf.

Next, in a terminal, run the following command:

sudo scalpel [device/directory/file name] -o [output directory]

The output directory, in which you want to store recovered files, should be empty before running Scalpel; otherwise, you will get an error.

Macintosh

Starting with OS X, Macintosh is actually based on FreeBSD, which is a UNIX clone, much like Linux. In fact, if you go to a terminal window in Mac OS X, what you actually get is a shell where you can run UNIX shell commands. This means that some of the techniques that work for Linux also work with Macintosh. However, there are also some tools you can use that are made specifically for Macintosh.

You should also be aware that Macintosh has its own file system. Mac OS X uses Hierarchical File System Plus (HFS+). Earlier versions of Macintosh used HFS. You can get details on HFS and HFS+ at http://www.osxbook.com/book/bonus/ancient/whatismacosx/arch_fs.html.

MacKeeper

MacKeeper (http://www.data-retrieval.net/osx/mackeeper-files-recovery.html) is a useful tool for recovering deleted files on a Macintosh computer. There is a free, fully functional trial version. Once you download and install this tool, you can recover files in just a few easy steps:

  1. Open the Files Recovery tool. Select the volume where your lost files were and start the scan. This is shown in FIGURE 6-12.

  2. Then select Undelete, shown in FIGURE 6-13.

That is it. This tool is remarkably simple to use.

There are certainly other tools that can recover Macintosh deleted files. You should experiment with various tools and find the one(s) that are most useful for you. As always, you should be comfortable with a given operating system before attempting forensic analysis of that operating system.

FIGURE 6-12
MacKeeper step 1.

Courtesy of ZeoBIT

FIGURE 6-13
Files Recovery Tool.

Courtesy of ZeoBIT
