Autopsy Digital Forensics: Recover Deleted Files

Autopsy: As you know, files that are "deleted" remain on the storage medium until they are overwritten. Deleting a file merely marks the space it occupies as free and available for reuse; the file's contents are not touched. This means that if a suspect deleted evidence, it remains available to us for recovery until the system overwrites it with new data.


In this guide, we will use the open source The Sleuth Kit (TSK) to locate and recover deleted files. The Sleuth Kit was originally developed for Linux, but it is now also available for Windows, so we will use it on Windows. Autopsy is a graphical front end for TSK, and it is Autopsy that we will use throughout this guide.

Install Autopsy on your system.


After installing Autopsy and launching it, you will be greeted with a screen similar to the one above.

Click on "Create New Case".

A new window asks you to name the case and to choose the base directory in which your cases will be stored. Type "New Case 101" as the case name and C:\Cases as the base directory.


Now click "Next".

Another window asks for the case number and the examiner. Enter 101 as the case number and your name or the examiner's initials.


Click "Finish".

Then click "Add Data Source" in the upper left corner. The "Add Data Source" window will open.

Since we will be using the image file created in the previous section, select "Image File" and browse to the image you created in section 1. I saved mine in the directory C:\forensic; yours may be different.


Now add the image firstimage.dd.001 from the earlier section.


After adding the image, click "Next" and Autopsy will start analyzing the image. When it finishes, you will see a screen like the one below.

Click on "Finish".


Now, you should see an environment like the one below. Note that the “firstimage.dd.001” should appear as the data source.


If we expand "File Types" in the tree on the left, Autopsy lists every file type together with the number of files in each category. Below I have clicked on the "Pictures" type, and Autopsy lists all the image files.


A little further down in the tree is a category named "Deleted Files". Clicking it lists every deleted file Autopsy found. These are files whose directory entry or inode still exists but is marked as unallocated; Autopsy finds them from the file system's own metadata, so a file whose entry has already been reused will not appear here and could only be found by carving unallocated space.


When we click on a deleted file, we can examine it in the lower right pane, which has tabs labelled Hex, Strings, File Metadata, Results and Indexed Text. Click "File Metadata" and the file's metadata is displayed: name, type, size and the modified, accessed and created (MAC) timestamps. For a deleted file these come from the surviving directory entry or inode, which is also where Autopsy gets the pointer to the file's data.


To recover the deleted file, right-click it and select "Export" (labelled "Extract File(s)" in current Autopsy versions). This opens a window like the one below.


Go ahead and save the deleted file in the case's "Export" subdirectory.

To find the extracted file, navigate to:

C:\Cases\New Case 101\Export


You can now double-click this file to open it in the appropriate application.
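To make concrete both the opening claim (deleted data stays on disk until it is overwritten) and what Autopsy's "Deleted Files" listing and export are doing under the hood, here is an added example; it is not part of the original article and is not Autopsy or TSK code. It builds a constructed, in-memory FAT12-style volume, writes a file, "deletes" it the way an operating system does (first byte of the directory entry set to 0xE5, FAT chain freed, data clusters untouched), recovers it from the surviving entry, and then shows the recovery failing once a new file reuses the clusters. The volume geometry, file names and contents are all invented for the demo.

```python
"""Constructed FAT12-style volume (all sizes invented for this demo): a 12-bit FAT,
a root directory of 32-byte entries and 512-byte clusters, laid out as on FAT12.
Deleting sets the first byte of the entry to 0xE5 and zeroes the FAT chain; data stays."""
import struct

CLUSTER, N_CLUSTERS = 512, 16           # FAT entries 0 and 1 are reserved; data clusters 2..15
FAT_OFF, FAT_BYTES, DIR_ENTRIES = 0, 32, 16   # 16 FAT entries * 1.5 bytes = 24, rounded up
DIR_OFF = FAT_OFF + FAT_BYTES
DATA_OFF = DIR_OFF + DIR_ENTRIES * 32
DELETED, EOC = 0xE5, 0xFFF              # deleted-entry marker, end-of-chain marker

def fat_get(vol, n):
    """Read 12-bit FAT entry n (FAT12 packs two entries into three bytes)."""
    off = FAT_OFF + n + n // 2
    val = vol[off] | (vol[off + 1] << 8)
    return (val >> 4) if n & 1 else (val & 0x0FFF)

def fat_set(vol, n, value):
    off = FAT_OFF + n + n // 2
    val = vol[off] | (vol[off + 1] << 8)
    val = (val & 0x000F) | (value << 4) if n & 1 else (val & 0xF000) | (value & 0x0FFF)
    vol[off], vol[off + 1] = val & 0xFF, (val >> 8) & 0xFF

def new_volume():
    vol = bytearray(DATA_OFF + (N_CLUSTERS - 2) * CLUSTER)
    fat_set(vol, 0, 0xFF8); fat_set(vol, 1, EOC)   # reserved entries, as on a real FAT12
    return vol

def _encode_name(name):
    """'evidence.txt' -> b'EVIDENCETXT' (8.3 short name, space padded)."""
    base, _, ext = name.upper().partition(".")
    return (base[:8].ljust(8) + ext[:3].ljust(3)).encode("ascii")

def _entries(vol):
    for off in range(DIR_OFF, DIR_OFF + DIR_ENTRIES * 32, 32):
        yield off, bytes(vol[off:off + 32])

def create_file(vol, name, data):
    need = max(1, -(-len(data) // CLUSTER))
    free = [n for n in range(2, N_CLUSTERS) if fat_get(vol, n) == 0][:need]
    if len(free) < need:
        raise OSError("volume full")
    for i, n in enumerate(free):
        chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
        start = DATA_OFF + (n - 2) * CLUSTER
        vol[start:start + len(chunk)] = chunk     # rest of the cluster is left as is (slack)
        fat_set(vol, n, free[i + 1] if i + 1 < need else EOC)
    # Prefer never-used slots (a real driver may reuse the 0xE5 slot at once, losing name and start cluster)
    slots = ([off for off, e in _entries(vol) if e[0] == 0x00]
             or [off for off, e in _entries(vol) if e[0] == DELETED])
    if not slots:
        raise OSError("root directory full")
    vol[slots[0]:slots[0] + 11] = _encode_name(name)
    vol[slots[0] + 11] = 0x20                     # archive attribute
    struct.pack_into("<HI", vol, slots[0] + 26, free[0], len(data))

def delete_file(vol, name):
    """What the OS does on delete: mark the entry, free the chain, touch no data."""
    for off, entry in _entries(vol):
        if entry[:11] == _encode_name(name):
            n = struct.unpack_from("<H", entry, 26)[0]
            while 2 <= n < 0xFF8:
                n, _ = fat_get(vol, n), fat_set(vol, n, 0)   # read the link, then free
            vol[off] = DELETED
            return
    raise FileNotFoundError(name)

def list_files(vol):
    """Listing that includes deleted entries (lost first character shown as '?')."""
    out = []
    for _, entry in _entries(vol):
        if entry[0] != 0x00:
            deleted = entry[0] == DELETED
            base = ("?" + entry[1:8].decode()) if deleted else entry[:8].decode()
            ext = entry[8:11].decode().rstrip()
            out.append({"name": base.rstrip() + ("." + ext if ext else ""), "deleted": deleted,
                        "size": struct.unpack_from("<I", entry, 28)[0]})
    return out

def recover_deleted(vol, name):
    """Recover from the surviving entry; the FAT chain is gone, so clusters are assumed contiguous."""
    target = _encode_name(name)[1:]
    for _, entry in _entries(vol):
        if entry[0] == DELETED and entry[1:11] == target:
            first, size = struct.unpack_from("<HI", entry, 26)
            start = DATA_OFF + (first - 2) * CLUSTER
            return bytes(vol[start:start + max(1, -(-size // CLUSTER)) * CLUSTER])[:size]
    return None

def demo():
    vol = new_volume()
    evidence = b"Transfer 5000 EUR to account XYZ on Friday.\n" * 30   # invented, 3 clusters
    create_file(vol, "evidence.txt", evidence)
    delete_file(vol, "evidence.txt")
    before = recover_deleted(vol, "evidence.txt") == evidence
    create_file(vol, "holiday.jpg", b"\xff" * (3 * CLUSTER))         # reuses clusters 2..4
    after = recover_deleted(vol, "evidence.txt") == evidence
    return {"before_overwrite": before, "after_overwrite": after}

if __name__ == "__main__":
    print(demo())
```

Run it directly to see the before/after result. Two details carry over to real cases: because the FAT chain is zeroed on delete, recovery has to assume the clusters were contiguous, which is why fragmented deleted files often come back corrupted; and a new, smaller file that reuses a cluster overwrites only part of it, leaving the old tail behind as file slack, which is why slack space is worth examining as well.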


Suspects often try to cover their tracks by deleting key evidence files. As an investigator, I know that until those files are overwritten by the file system they are recoverable. With Autopsy, and with nearly every other forensic suite (EnCase, ProDiscover, FTK, Oxygen and so on), recovering deleted files is quick and simple. Bear in mind two limits: this kind of recovery depends on the original directory entry or inode surviving, so a file whose metadata has been reused can only be found by carving unallocated space, and on an SSD where the TRIM command has already run the freed blocks may be gone for good.


Written by Anastasis Vasileiadis

