Digital Forensics, Part 3: Recovering Deleted Files

Sept. 27, 2017

In the first two parts of this series, we captured a forensically sound image of the hard drive (or other storage device) and an image of the RAM. In this tutorial, we will recover files the suspect deleted. Recovering deleted files is among the most fundamental skills a forensic investigator needs. When a file is "deleted", the operating system does not wipe its contents: the file system simply marks the directory entry (or, on NTFS, the MFT record) as unused and returns the file's clusters to the free pool. The data stays on the medium until the file system allocates those clusters to something else and overwrites them. This means that if the suspect deleted evidence files, they remain available to us until then; the longer the drive has been used since the deletion, the greater the chance that the clusters have been partially or fully reused, which is why we work only on the image we captured in Part 1 and never on the original drive. One caveat: on an SSD with TRIM enabled, the drive itself may discard freed blocks, so recovery is far less reliable than on a spinning disk.

In this lab, we will be using the open-source The Sleuth Kit (TSK) to identify and recover deleted files. TSK was first developed for Linux, but has since been ported to Windows, so we will be using it on our Windows examination system. Autopsy, the GUI front end developed for TSK, is the interface we will use in this tutorial.
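The following is an added illustration, not code from this tutorial or from The Sleuth Kit, of why a "deleted" file stays recoverable until its clusters are reused. It models a toy FAT-style volume (a directory table of fixed-size entries plus fixed-size clusters; all names, sizes and file contents are constructed for the example). Deleting a file does what FAT really does: it overwrites the first byte of the directory entry with 0xE5 and frees the clusters, leaving the data untouched. `list_deleted` plays the role of listing unallocated entries and `recover` the role of reading them back by their recorded start cluster and size; a second write then reuses the freed clusters and shows what a partially overwritten recovery looks like.

```python
"""Toy FAT-style volume: constructed example of delete, recover and overwrite.
Not TSK/Autopsy code; the layout (20-byte entries, 16-byte clusters,
contiguous allocation only) is an assumption made to keep the model small."""
import struct

CLUSTER_SIZE = 16
ENTRY_FMT = "<11sIIB"            # 8.3 name, start cluster, size, attribute byte
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)
DELETED_MARK = 0xE5               # FAT writes this over the first name byte on delete


class ToyVolume:
    def __init__(self, n_clusters=8, n_entries=4):
        self.clusters = [bytearray(CLUSTER_SIZE) for _ in range(n_clusters)]
        self.free = [True] * n_clusters
        self.directory = bytearray(ENTRY_SIZE * n_entries)

    def _entries(self):
        """Yield (offset, raw_name, start_cluster, size, attrs) for every slot."""
        for off in range(0, len(self.directory), ENTRY_SIZE):
            name, start, size, attrs = struct.unpack(
                ENTRY_FMT, self.directory[off:off + ENTRY_SIZE])
            yield off, name, start, size, attrs

    def _find_free_run(self, n):
        """First run of n contiguous free clusters (toy allocator)."""
        run_len = 0
        for c, is_free in enumerate(self.free):
            run_len = run_len + 1 if is_free else 0
            if run_len == n:
                return c - n + 1
        raise OSError("volume full")

    def write_file(self, name, data):
        n = -(-len(data) // CLUSTER_SIZE)          # ceil(len / cluster size)
        run = self._find_free_run(n)
        for k, off in enumerate(range(0, len(data), CLUSTER_SIZE)):
            chunk = data[off:off + CLUSTER_SIZE]
            # Only the bytes actually written change; the rest of a reused
            # cluster keeps its old contents (file slack).
            self.clusters[run + k][:len(chunk)] = chunk
            self.free[run + k] = False
        for off, raw_name, _, _, _ in self._entries():
            if raw_name[0] == 0x00:                  # never-used directory slot
                self.directory[off:off + ENTRY_SIZE] = struct.pack(
                    ENTRY_FMT, name.encode("ascii").ljust(11), run, len(data), 0)
                return
        raise OSError("directory full")

    def delete_file(self, name):
        for off, raw_name, start, size, _ in self._entries():
            if raw_name == name.encode("ascii").ljust(11):
                self.directory[off] = DELETED_MARK   # entry flagged, data untouched
                for c in range(start, start + -(-size // CLUSTER_SIZE)):
                    self.free[c] = True              # clusters returned to free pool
                return
        raise FileNotFoundError(name)

    def list_deleted(self):
        """Entries flagged 0xE5: the deleted files an examiner can still see.
        The first name byte is lost, so it is shown here as '_'."""
        return [("_" + raw_name[1:].decode("ascii"), start, size)
                for _, raw_name, start, size, _ in self._entries()
                if raw_name[0] == DELETED_MARK]

    def recover(self, start, size):
        """Read a deleted entry's clusters back by the start cluster and size
        the directory still records. Correct only until those clusters are reused."""
        n = -(-size // CLUSTER_SIZE)
        return bytes(b"".join(self.clusters[start:start + n]))[:size]


def demo():
    """Delete a file, recover it intact, then overwrite part of it and recover again."""
    vol = ToyVolume()
    evidence = b"meet at the dock at midnight, bring the drive"   # constructed, 45 bytes
    vol.write_file("NOTES   TXT", evidence)
    vol.delete_file("NOTES   TXT")
    _, start, size = vol.list_deleted()[0]
    before = vol.recover(start, size)           # identical to `evidence`
    vol.write_file("ALIBI   TXT", b"was at home all night")   # reuses clusters 0 and 1
    after = vol.recover(start, size)            # head overwritten, tail and slack survive
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("recovered before reuse:", before)
    print("recovered after reuse: ", after)
```

In a real examination the same two steps are what TSK's `fls -d` (list deleted entries) and `icat <image> <inode>` (read the data those entries still point to) perform against the disk image; Autopsy wraps them in its file browser. The second recovery above is the failure mode to expect on a drive that kept running after the deletion: the first clusters hold the new file, and the old content survives only in the untouched tail and in the slack of partially rewritten clusters.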