1. Basic File Recovery Techniques BACS 371 Computer Forensics

2. File Recovery  The easiest type of recovery is to go to the Recycle Bin and recover the file.  Once the file is deleted form the Recycle Bin, this option is not available.  To recover these files you need to open the disk with a hex editor (like WinHex)  Some files are easily recoverable with this tool, others will need a bit of work to reconstruct the FAT chains.

3. Simple WinHex Recovery  Directory of disk shows 3 files.

4. Simple WinHex Recovery  WinHex shows that there are more files present. Notice symbols to the left of files. They indicate status and likelihood of successful recovery.

5. Simple WinHex Recovery  Select a file and right click. If you select “Recover/Copy”, WinHex will try to recover the file.  Result is a successful recovery!

6. Simple WinHex Recovery  List Clusters will print out the FAT linked-list chain. Useful for possible chain reconstruction.

7. WinHex Recovery  Other files are not as likely to be recoverable. Note the red X next to the file.  Recovery appeared to work, but file was corrupt and unreadable.

8. Advanced Deleted File Recovery In WinHex 1. Scan Disk for deleted entries 2. Define cluster chain for deleted entry 3. Recover cluster chain  Assumptions  File entry still exists  File entry pointer to first cluster is correct  File data clusters are not yet overwritten

9. Scan Disk for Deleted Entries  Deleted entries are marked with 0xE5 in the first character position of the file/folder name

10. Find the Clusters  Determine the Size of the deleted file  0x0000D000 (little endian!) =  #Clusters = 53248/4096 = 13  Determine the Starting Cluster of the deleted file 0x0004 (little endian!) = cluster #40x0004 (little endian!) = cluster #4

11. Reconstruct the Cluster Chain Mostly 0x00 – is this OK?

12. Reconstructed Cluster Chain File can now be recovered and read by program.