Recovering Deleted Files

Sept. 30, 2017 0 comments Detection & Response deletedfiles

Among the most fundamental skills necessary for a forensic investigator, recovering deleted files is the most basic. As you know, files that are "deleted" remain on the storage medium until overwritten. Deleting these file simply makes the cluster available to be overwritten by the filesystem. This means that if the suspect deleted evidence files, until they are overwritten by the file system, they remain available to us to recover. In this tutorial, we will be using open source The Sleuth Kit for identifying and recovering deleted files. The Sleuth Kit was first developed for Linux, but has now been ported for Windows, so we will be using it with our Windows examination system. You can download it here. ‚Äč