Autopsy Digital Forensics: Recover Deleted Files

Autopsy: As you know, files that are "deleted" remain on the storage medium until they are overwritten. Deleting a file only marks the space it occupied as free for reuse. This means that if a criminal deleted evidence, it remains available to us for recovery until the system overwrites it.


In this guide, we will use the open source The Sleuth Kit (TSK) to locate and recover deleted files. The Sleuth Kit was originally developed for Linux, but it is now also available for Windows, so we will use it on Windows. TSK has a graphical front end named Autopsy, which is what we will use in this guide.

Install Autopsy on your system.


After installing Autopsy and launching it, you will be greeted with a screen similar to the one above.

Click on "Create New Case".

When you do this, a new window asks you to name the case and choose the base directory in which your cases will be stored. Type “New Cases 101” as the name and place it in the root directory C:\Cases.


Now, click Next.

Another window will open asking for the case number and the examiner's name. Enter 101 as the case number and your name or initials as the examiner.


Click "Finish".

Then click “Add Data Source” in the upper left corner. When you do, the “Add Data Source” window will open.

Since we will be using the image file we created in the previous section, select “Image File” and then browse to the image file you created in section 1. I saved mine in the directory C:\forensic; yours may be different.


Now, add the image first.image.dd.001 that we created earlier.


After adding the image, click Next and Autopsy will start analyzing the image. When it finishes, you will see a screen like the one below.

Click on "Finish".


Now, you should see an environment like the one below. Note that the “firstimage.dd.001” should appear as the data source.


If we expand the “File Types” section in the tree on the left, Autopsy lists every file type along with the number of files in each category. Below you can see that I clicked on the “Images” file type and Autopsy displayed all the image files.


A little further down in the tree, there is a category named “Deleted Files”. When we click on it, all the deleted files are displayed.


When we click on a deleted file, we can examine it in the lower right pane. There you will see tabs labeled Hex, Strings, File Metadata, Results and Indexed Text. Click on “File Metadata” and the file's metadata is displayed, including its name, type, size and its modified, accessed and created (MAC) timestamps.


Now, to recover the deleted file, right-click on it and select “Export”. This opens a window like the one below.


Go ahead and save the deleted file in the “Export” subdirectory.

To find the extracted deleted file, navigate to:

C:\Cases\New Case 101\Export


You can now double-click this file to open it in the appropriate application.
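To show concretely what the opening paragraph describes and what Autopsy does behind the “Deleted Files” view and the “Export” action, here is an added example (not part of the original article and not Autopsy or TSK code) that builds a tiny FAT12 image in memory, deletes a file the way an operating system does, and then recovers it from the orphaned directory entry. All names and file contents are constructed for the demonstration; the FAT layout itself follows the published FAT12 on-disk format.

```python
"""Deleted-file recovery on a constructed FAT12 image (added example, not Autopsy code)."""
import struct

# Geometry of the constructed image: tiny, but a valid FAT12 layout
BYTES_PER_SECTOR = 512
SECTORS_PER_CLUSTER = 1
RESERVED_SECTORS = 1
NUM_FATS = 1
SECTORS_PER_FAT = 1
ROOT_ENTRIES = 16            # 16 entries * 32 bytes = one sector
TOTAL_SECTORS = 64
ENTRY_SIZE = 32
DELETED_MARK = 0xE5          # first byte of a directory entry after deletion


def _fat12_get(img, fat_off, n):
    off = fat_off + n * 3 // 2
    val = img[off] | (img[off + 1] << 8)
    return (val >> 4) if n & 1 else (val & 0x0FFF)


def _fat12_set(img, fat_off, n, value):
    off = fat_off + n * 3 // 2
    if n & 1:
        img[off] = (img[off] & 0x0F) | ((value << 4) & 0xF0)
        img[off + 1] = (value >> 4) & 0xFF
    else:
        img[off] = value & 0xFF
        img[off + 1] = (img[off + 1] & 0xF0) | ((value >> 8) & 0x0F)


def _layout(img):
    """Parse the BIOS Parameter Block: (cluster size, FAT offset, root dir offset, data offset, root entries)."""
    bps, spc, reserved, nfats, root_entries = struct.unpack_from("<HBHBH", img, 11)
    spf = struct.unpack_from("<H", img, 22)[0]
    fat_off = reserved * bps
    root_off = fat_off + nfats * spf * bps
    data_off = root_off + root_entries * ENTRY_SIZE
    return bps * spc, fat_off, root_off, data_off, root_entries


def _cluster_off(cluster, cluster_size, data_off):
    return data_off + (cluster - 2) * cluster_size      # data clusters are numbered from 2


def _fat_name(name):
    base, _, ext = name.upper().partition(".")
    return (base.ljust(8) + ext.ljust(3)).encode("ascii")


def build_image(files):
    """Construct a FAT12 image holding `files` (list of (name, bytes)), each stored contiguously."""
    img = bytearray(TOTAL_SECTORS * BYTES_PER_SECTOR)
    img[0:3] = b"\xEB\x3C\x90"
    struct.pack_into("<HBHBHHBH", img, 11, BYTES_PER_SECTOR, SECTORS_PER_CLUSTER, RESERVED_SECTORS,
                     NUM_FATS, ROOT_ENTRIES, TOTAL_SECTORS, 0xF8, SECTORS_PER_FAT)
    img[510:512] = b"\x55\xAA"
    cluster_size, fat_off, root_off, data_off, _ = _layout(img)
    _fat12_set(img, fat_off, 0, 0xFF8)                   # reserved entries 0 and 1
    _fat12_set(img, fat_off, 1, 0xFFF)
    next_cluster = 2
    for i, (name, data) in enumerate(files):
        n_clusters = max(1, -(-len(data) // cluster_size))
        start = next_cluster
        for c in range(start, start + n_clusters):      # chain the clusters, last one = end of chain
            _fat12_set(img, fat_off, c, c + 1 if c + 1 < start + n_clusters else 0xFFF)
        off = _cluster_off(start, cluster_size, data_off)
        img[off:off + len(data)] = data
        e = root_off + i * ENTRY_SIZE
        img[e:e + 11] = _fat_name(name)
        img[e + 11] = 0x20                               # ATTR_ARCHIVE
        struct.pack_into("<HI", img, e + 26, start, len(data))   # start cluster, file size
        next_cluster += n_clusters
    return img


def list_entries(img):
    """Root directory entries as (name, deleted, start_cluster, size); a deleted name has lost its first character."""
    cluster_size, fat_off, root_off, data_off, root_entries = _layout(img)
    out = []
    for i in range(root_entries):
        e = root_off + i * ENTRY_SIZE
        if img[e] == 0x00:
            break                                        # no entries used beyond this point
        deleted = img[e] == DELETED_MARK
        raw = bytes(img[e:e + 11])
        base = (b"?" + raw[1:8] if deleted else raw[:8]).decode("ascii").rstrip()
        ext = raw[8:11].decode("ascii").rstrip()
        start, size = struct.unpack_from("<HI", img, e + 26)
        out.append((base + ("." + ext if ext else ""), deleted, start, size))
    return out


def delete_file(img, name):
    """What the OS does on delete: free the FAT chain and mark the entry. The data clusters are untouched."""
    cluster_size, fat_off, root_off, data_off, root_entries = _layout(img)
    for i, (n, deleted, start, size) in enumerate(list_entries(img)):
        if n == name.upper() and not deleted:
            c = start
            while 2 <= c < 0xFF8:
                nxt = _fat12_get(img, fat_off, c)
                _fat12_set(img, fat_off, c, 0)
                c = nxt
            img[root_off + i * ENTRY_SIZE] = DELETED_MARK
            return True
    return False


def recover_deleted(img):
    """Recover deleted files as forensic tools do on FAT: the chain is gone, so assume the
    clusters were contiguous from the start cluster and read `size` bytes from there."""
    cluster_size, fat_off, root_off, data_off, root_entries = _layout(img)
    recovered = {}
    for name, deleted, start, size in list_entries(img):
        if deleted and size > 0 and start >= 2:
            off = _cluster_off(start, cluster_size, data_off)
            recovered[name] = bytes(img[off:off + size])
    return recovered


def overwrite_free_space(img, fill=b"\x00"):
    """Simulate new writes landing on free clusters; after this the deleted content is gone for good."""
    cluster_size, fat_off, root_off, data_off, root_entries = _layout(img)
    for c in range(2, 2 + (len(img) - data_off) // cluster_size):
        if _fat12_get(img, fat_off, c) == 0:
            off = _cluster_off(c, cluster_size, data_off)
            img[off:off + cluster_size] = fill * cluster_size


if __name__ == "__main__":
    # Constructed sample data; nothing here comes from a real case.
    image = build_image([("hello.txt", b"meeting at the warehouse, 9pm\n"), ("keep.txt", b"still here\n")])
    delete_file(image, "hello.txt")
    print(list_entries(image))        # HELLO.TXT now shows as ?ELLO.TXT, flagged deleted
    print(recover_deleted(image))     # the content is still intact in its cluster
    overwrite_free_space(image)
    print(recover_deleted(image))     # once the cluster is reused, only zeros come back
```

Two points the GUI hides are visible here: a deleted FAT entry keeps its start cluster and size but loses the first character of its name (which is why Autopsy shows deleted FAT files with a placeholder first character), and recovery of the content is only possible while the freed clusters have not been reused, which is exactly the caveat the article's opening paragraph makes.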

Conclusion

Suspects often try to cover their tracks by deleting key evidence files. As an investigator, I know that until these files are overwritten by the file system, they are recoverable. With tools like Autopsy, and with almost every other forensic suite (EnCase, ProDiscover, FTK, Oxygen, etc.), recovering these deleted files is quick and simple.

iGuRu.gr The Best Technology Site in Greece


Written by Anastasis Vasileiadis

