Module 5 - Defeating Anti-forensic Techniques


The original files pertaining to the $I files are not visible in the Recycle Bin folder when...

The $I file is corrupt or damaged, or the attacker/insider deletes the $I files from the Recycle Bin.

When a file is deleted in Vista and later versions, a corresponding metadata file is created, which is named:

$I<#>.<original extension>, where <#> represents a set of random letters and numbers.

During the forensic investigation, the investigator should check the ______ files in the recycle bin to counter the anti-forensic technique used by the attacker.

$R. If the metadata files related to the original files are not present in the folder, the investigator can use the 'copy' command to recover the deleted files ($R files): copy <$R*(or File name)> <Destination Directory>

In Windows Vista and later versions, the deleted file is renamed using this syntax:

$R<#>.<original extension> where <#> represents a set of random letters and numbers.

Investigators can take a look at file headers to verify the file format using tools such as....

010 Editor, CI Hex Viewer, Hexinator, Hex Editor Neo, Qiew, WinHex, etc.

Recover My Files features:

1. Recovers files even if emptied from Recycle Bin data.
2. Recovers files after accidental format, even after Windows is reinstalled.
3. Performs disk recovery after hard disk crash.
4. Recovers files after partitioning error.
5. Recovers data from RAW hard drives.
6. Recovers documents, photos, videos, music, and email.
7. Recovers from a hard drive, camera card, USB, Zip, floppy disk, or other media.

321Soft Data Recovery

321Soft Data Recovery for Mac recovers deleted, inaccessible, and lost files from Mac's hard drive. It can recover files lost due to deletion, formatting of the drive, partition errors, corrupted file system, hard disks, solid state drives (SSDs), memory cards, USB sticks, CD/DVD discs, and various other storage devices.

Handy Recovery:

Data recovery software designed to restore files deleted from hard disks and memory cards. Can recover files damaged by virus attacks, power failures, and software faults, or files from deleted and formatted partitions. If a program does not use the Recycle Bin when deleting files, Handy Recovery can still restore them. Can also recover files removed from the Recycle Bin after it has been emptied.

DDrescue

A data recovery tool. Copies data from one file or block device (hard disk, cdrom, etc.) to another, trying to rescue the good parts first in case of read errors. The basic operation of ddrescue is fully automatic. If you use the mapfile feature of ddrescue, the data are rescued very efficiently (only blocks needed are read).

Active@ UNDELETE

Active@ UNDELETE is data recovery software that helps to recover deleted files and restore deleted partitions. It restores deleted volumes/partitions in place, fixes volume boot sectors, and can roll back partition changes. It supports Windows 10/8/7/Vista/XP and Server 2003/2008.

What tools can be used to carve data from a disk?

Autopsy, EaseUS Data recovery, etc.

Data recovery tools:

Autopsy, Recover My Files, EaseUS Data Recovery Wizard, and R-Studio

The $R and $I files are located at....

C:\$Recycle.Bin\<USER SID>

Active@ File Recovery

Contains a CD/DVD ISO image that allows burning a bootable CD or DVD with a lightweight version of Windows 7 running in RAM (WinPE 3.0). Can recover data when the system is not bootable and the damaged hard disk drive cannot be attached to another machine.

Pandora Recovery

Finds and recovers files from NTFS and FAT-formatted volumes, regardless of their types. Scans the hard drive and builds an index of existing and deleted files and directories (folders) on any logical drive of the computer with supported file formats. Once scanning is complete, the user gets full control over the files to be recovered and the destination to be used for recovery.

Handy Recovery tool can restore the _______ containing selected files and folders.

Full branch of a folder tree. Along with the main file data, the program can recover alternate data streams, which are used on the NTFS file system to store additional information about files.

Prior to Windows Vista, a file in the Recycle Bin was stored....

In its physical location and renamed using the syntax: D<original drive letter of file><#>.<original extension>. The "D" denotes the file was deleted. Ex: De7.doc

_____ is an essential part of ddrescue's effectiveness.

Mapfile.

What does a perpetrator do to make it difficult for an investigator to identify a lost partition?

Merge the unallocated partition with the system's primary partition (or existing partition). Automated tools such as R-Studio should be used to retrieve the lost partition data.

Mondo Rescue

Mondo Rescue is a GPL disaster recovery solution. It supports Linux (i386, x86_64, ia64) and FreeBSD (i386). It is packaged for multiple distributions (Fedora, RHEL, openSuSE, SLES, Mandriva, Mageia, Debian, Ubuntu, Gentoo). It supports tapes, disks, network, and CD/DVD as backup media, multiple filesystems, LVM, software and hardware RAID, BIOS and UEFI.

Recycle Bin storage location on FAT file systems:

On older FAT file systems (Windows 98 and prior), it is located in Drive:\RECYCLED.

When accessing password protected resources, an investigator can utilize what password cracking tools?

Ophcrack and Rainbow Crack.

The $I file contains the following metadata:

Original file name, original file size, the date and time the file was deleted.

Disk Drill

Data recovery software for Windows. Can recover data from internal and external hard drives, USB flash drives, iPods, memory cards, etc. Can recover files from partition loss, hard drive reformatting, failed bootups, accidental deletion, Recycle Bin cleanup, and memory card corruption.

R-Studio

Data recovery software that can recover files from FAT12/16/32/exFAT, NTFS, NTFS5 (Windows 10, 8, 7, 2000/XP/2003/Vista). Functions on local and network disks, formatted, damaged, or deleted partitions. Has an advanced RAID reconstruction module, a feature-rich text/hexadecimal editor, and an entire advanced disk copying/imaging module in one single piece of software. The ideal complete solution for creating a data recovery workstation.

PhotoRec

Data recovery software that recovers lost files, videos, documents, and archives from hard disks and CD-ROMs, and lost pictures from digital camera memory.

Wise Data Recovery

Data recovery software used to retrieve lost or formatted data, or data that is lost due to system crash. Can recover lost files from hard drive, external hard drive, USB drive, memory card, digital camera, mobile phone, MP3 player, etc.

Windows Data Recovery Software

Disk Doctors Windows Data Recovery Software can recover deleted files, including files emptied from the Recycle Bin and files deleted from Windows Explorer with Shift + Delete. Allows one to recover data from a reformatted partition (to any file system), and from a corrupted, deleted, or missing partition.

Recycle Bin storage location on NTFS file systems (Vista and later)

Drive:\$Recycle.Bin\<SID>

Recycle Bin storage location on NTFS file systems (Windows 2000, NT, XP):

Drive:\RECYCLER\<SID>

File Scavenger

File Scavenger is a file "undelete" and data recovery utility for Windows 10, 8, 7, Vista, Server 2003, 2000, NT, and ME/98/95. File Scavenger recovers files that have been accidentally deleted (including files removed from the Recycle Bin, in a DOS window, from a network drive, and from Windows Explorer with the SHIFT key held down), provided that recovery is attempted before the files are permanently overwritten by new data. File Scavenger supports basic and dynamic disks, NTFS compression, alternate data streams, sparse files, Unicode filenames, etc. Except in severe cases, both the file and the folder path leading to the file can be recovered.

The forensically acquired image from a TRIM disabled SSD should be examined using....

File carving tools such as Autopsy, R-Studio, etc.

File is deleted from FAT file system:

The OS replaces the first letter of the deleted file name with the hex byte code E5h. E5h is a special tag indicating that the file has been deleted. The corresponding clusters of that file in the FAT are marked as unused, although they continue to contain the file's data until overwritten.

True or false: File carving does not require file system structure to recover data from a disk.

True. However, file recovery requires knowledge of the file system structure to recover deleted data.

When a partition is deleted from a drive, the partition is marked as _______ in Disk Management

Unallocated.

UndeletePlus

UndeletePlus scans a computer or storage medium for deleted files and restores them on command. It works with computers, flash drives, cameras, and other forms of data storage. It scans the device, selects the files needed to recover, and restores the information or picture with the click of a button.

Ontrack Easy Recovery

Unites legacy backup catalogs from various systems and mediums into a single inventory. Provides support to multiple workstations and allows users to create catalogs on their own. Once received, the catalogs are ingested into Ontrack DataAdvisor. Has recovery tools such as email recovery; hex viewer; self-monitoring, analysis, and reporting technology (SMART); bad block/block usage diagnostics; image tools; copy disk; reflect disk. Offers hard-drive monitoring with SMART scan to protect hard drives and erase function to free-up storage.

VirtualLab

VirtualLab is a data recovery software that works with all Windows OSs from Windows 98 to Windows 10, 8, 7, FAT 12/16/32, and NTFS file systems. It can restore the deleted files from lost/damaged partitions, formatted disks, deleted emails, hard drives and RAID systems, and photos and flash memory cards.

File Carving (Linux)

When a file is deleted from Linux using the command /bin/rm, the inode pointing to the file gets removed, but the file data remains on the disk until it is overwritten by new data. If a running process keeps a file open and the file is then removed, the file contents are still on the disk, and other programs will not reclaim the space until the process closes it.

Data/File Deletion

When a file is deleted from a hard drive, the pointer to the file gets deleted but the contents of file remain on the disk. The deleted files can be recovered from the hard disk until the sectors containing the contents of the file are overwritten with the new data.

The MBR partition table contains records of the.....

Primary and extended partitions of a disk. When a partition is deleted from a disk, the entries corresponding to the deleted partition are removed from the MBR partition table.

What tools should an investigator use to scan disks for lost partitions and recover them?

R-Studio and EaseUS Data Recovery. These automated tools perform a full disk scan, look for deleted partition information, and reconstruct the partition table entry for the deleted partition.

Data Rescue PC

Recovers all file types from a crashed or virus-corrupted hard drive. Recovers an external drive or secondary drive. Scans the drive for files and copies them to second drive. Works if the drive fails to mount or only partially operates. Recovers digital pictures from camera media even after it has been erased or reformatted. Recovers whole drive or just the files you need.

Disk Drill for Mac

Recovers data lost due to partition errors on external hard drives, as well as files and documents on the internal hard drive. It runs through all of its scanning functions and displays a list of files that can potentially be recovered. This tool allows previewing the files and lets you choose the ones that can be successfully recovered.

Recover My Files tool

Recovers deleted files emptied from Windows Recycle Bin, including files lost due to formatting or reinstall of hard drive, or files removed by a virus, Trojan infection, unexpected system shutdown, or software failure.

Recuva

Recovers deleted files from a Windows computer, recycle bin, digital camera card, or MP3 player. Has superior file recovery, being able to recover lost pictures, music, documents, emails, etc. Recovers from damaged or newly formatted disks with greater chances of recovery. Has a deep scan for buried files that scours the drives to find any traces of files that have been deleted. Also securely deletes files with an overwrite feature that uses industry and military standard deletion techniques to make sure your files stay erased.

Mac Data Recovery Guru

Recovers deleted files from a disk that has been formatted or corrupted, or that has no file system at all, since it is file system independent. Can work on hard disks, USB flash sticks, USB hard disks and SSDs, SD cards, digital cameras, and Android phones and tablets that are plugged into the Mac.

DDR Professional Recovery Software

Recovers deleted files in all major data loss situations from fixed hard drive partitions or from any USB storage media drive.

Seagate File Recovery Software

Recovers files and rescues service plans for storage devices. Recovers files from laptops, desktops, external hard drives, tablets, and on-chip memory smartphones.

Data Rescue 4

Recovers files from a crashed or virus-corrupted hard drive. Recovers photos, videos, and documents from crashed, corrupted, or non-mounting hard drives; accidentally formatted hard drives or reinstalled OS; previous deletion, damaged, or missing files. Can recover all types of files from any HFS/HFS+ formatted drive.

Quick Recovery

Recovers files that have been lost, deleted, corrupted, or even deteriorated. Searches, scans, and recovers files that are encrypted and password protected and restores them. Repairs and recovers disk bad sectors.

PhotoRec for Linux

Recovers lost files, videos, documents, and archives from hard disks and CD-ROMs, and lost pictures from digital camera memory. Recovers a medium's file system if it has been severely damaged or reformatted. Recovers lost partitions on different file systems and makes non-bootable disks function.

Stellar Phoenix Windows Data Recovery

Recovers lost, deleted, or inaccessible data from Windows OS HDDs and other storage media. Helps recover data lost due to hard drive corruption, formatting, and virus attack.

Data Recovery for Linux

Recovers lost, formatted, or deleted data from Linux-based volumes. Linux data recovery software that helps you recover lost or inaccessible data from any Ext4, Ext3, Ext2, exFAT, FAT32, FAT16, and FAT12 file system-based Linux volumes. Recovers from all available hard drive types, including SCSI, SATA, EIDE, and IDE.

Cisdem DataRecovery 3

Recovers photos, videos, documents, etc. on Mac hard drives and external devices. Can restore files from Mac hard drives, external hard drives, Mac notebooks, desktops, Mac servers, USB drives, camcorders, memory cards, SD cards, digital cameras, mobile phones, laptops, MP3 and MP4 players. Restores the lost partition and gets back the data from HFS+, FAT16, FAT32, exFAT, ext2-ext4, and NTFS file systems.

Scalpel

Scalpel is a file carving tool that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is file system independent and will carve files from FATx, NTFS, ext2/3, or raw partitions. It is useful for both digital forensics investigation and file recovery.

AppleXsoft File Recovery for Mac

Scans and recovers files from the hard disk and external storage devices. Supports RAID recovery, includes RAID Reconstructor, Mail Recovery, Hex Viewer, SMART, Bad Block Diagnostics, Imaging tools, and Disk Copy.

Advanced Disk Recovery

Scans the entire system for deleted files and folders and recovers them. Scans hard drives, partitions, external devices, and even CDs and DVDs for recoverable files. Provides two types of scans: the Quick Scan, which uses the MFT, and the Deep Scan, which uses file signatures. Once the scan is complete, one can either preview the files/folders or recover them to a preferred location.

Orion File Recovery Software

Searches for deleted files on the hard drive, on any external or portable drive connected to the computer. Files that are not overwritten can either be recovered or permanently deleted to prevent future recovery. Can permanently erase files to increase security.

WinUndelete

WinUndelete software can be used to recover deleted files from a hard drive, flash drive, USB external drive, digital camera card, and more. WinUndelete recovers deleted files after emptying the Recycle Bin or by using other deletion actions that bypass the Recycle Bin.

Glary Undelete

Works on FAT and NTFS file systems. Recovers files emptied from recycle bin, in a DOS window, and Windows Explorer with the SHIFT key held down. Recovers files that have been deleted by bugs, crashes, and viruses. Can recover files that the user has compressed or fragmented or even encrypted on NTFS file system.

R-Studio for Mac

Works similar to R-Studio for other OSes, but this specifically works for Mac. Recovers files from HFS/HFS+ (Macintosh) partitions. Raw file can be used for heavily damaged or unknown file systems. Can recover data on disks, even if partitions are formatted, damaged or deleted.

Autopsy

A digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.

R-Undelete

Recovers files from FAT and NTFS file systems. R-Undelete recovers files on any local disk recognized by the software. An additional file recovery algorithm increases the file recovery quality. R-Undelete can be run from disk and folder context menus. Graphics files, videos, and audio files can be previewed in R-Undelete.

Recover4all Professional

Recovers files under Windows from the recycle bin, formatted drives, and even damaged files. Does not require installation and can run directly from a USB disk, flash drive, etc.

Total Recall

Recovers lost data from hard drives, RAID, photos, deleted files, iPods, and even removable disks connected via FireWire or USB.

A file format is confirmed as .jpg if it shows...

"JFIF" in the file header and hex signature as "4A 46 49 46"

File Carving

A technique to recover files and fragments of files from the hard disk in the absence of file system metadata. File identification and extraction is based on certain characteristics, such as file header or footer rather than the file extension or metadata.

In Autopsy, the carved data from the forensic evidence file is displayed under the appropriate data source with the heading _________

"$CarvedFiles"

Anti-forensics goals:

1. Interrupt and prevent information collection.
2. Make the investigator's task of finding evidence difficult.
3. Hide traces of crime or illegal activity.
4. Compromise the accuracy of a forensics report or testimony.
5. Delete evidence that an anti-forensics tool has been run.

DiskDigger

A program that undeletes and recovers lost files from hard drives, memory cards, and USB flash drives. Can be used to recover documents or photos accidentally deleted or from reformatted camera memory card. Can be used to check the files on an old USB drive. Works in Windows 10, 8, 7, and XP.

File header:

A signature (aka magic number), which is a constant numeric or text value that identifies a file format. Ex: A suspect may try to hide an image from being detected by changing the file extension from .jpg to .dll, but changing the extension does not change the file header.

True or false: ddrescue writes zeroes to the output when it finds bad sectors in the input.

False. Ddrescue does not write zeroes to the output and does not truncate the output file unless asked to. Every time you run it on the same output file, it tries to fill in the gaps without wiping out the data already rescued.

True or False: When a file is deleted from the hard drive, both the pointer and the contents of the file get deleted from the hard drive.

False. The pointer to the file gets deleted, but the contents of the file remain on the hard disk.

Obfuscated Passwords:

Encrypted using an algorithm and can be decrypted by applying a reverse algorithm.

When an Unallocated partition is found during forensic investigations, the investigator should use automated tools such as _________ to discover lost partitions and recover the data from it.

EaseUS Data Recovery Wizard. This tool recovers data from the FAT and NTFS based file system partitions.

Windows forensic image files are acquired using tools such as _____ and _____ and examined using ______

FTK Imager; DD Utility; Autopsy.

Foremost

Foremost is a console program to recover files based on their headers, footers, and internal data structures. This process is commonly referred to as data carving. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers can be specified by a configuration file or you can use command line switches to specify built-in file types.

GetDataBack

GetDataBack recovers data if the hard drive's partition table, boot record, FAT/MFT, or root directory are lost or damaged; data was lost due to a virus attack; the drive was formatted; fdisk has been run; a power failure has caused a system crash; files were lost due to a software failure; or files were accidentally deleted. It can even recover your data when the drive is no longer recognized by Windows. This tool can likewise be used even if all directory information—not just the root directory—is missing.

EaseUS Data Recovery Wizard:

Hard drive data recovery software to recover lost data from PC, laptop, or other storage media due to deleting, partition loss, OS crash, virus attacks, etc.

File is deleted from NTFS file system:

The OS marks the file entry as unallocated but does not delete the file contents. The clusters allocated to the deleted file are marked as free in the $BitMap (a record of all used and unused clusters). The system treats those clusters as empty and makes that space available for new files. The deleted file can be recovered as long as the space has not been allocated to another file.

Cleartext Passwords:

Passwords that are transmitted or stored on media without any encryption.

Windows tracks its files/folders on a hard drive using the _______ that tells the system where the file begins and ends.

Pointers

Anti-forensics

Set of techniques aimed at complicating or preventing a proper forensics investigation process.

The second extended file system (ext2) is designed in such a way that it....

Shows several places where data can be hidden.

Password Hashes

Signatures of the original password, generated using a one-way algorithm. Passwords hashed using hash algorithms (MD5, SHA, etc.) are not reversible.

Why is file carving in SSDs different from HDDs?

Because files deleted from TRIM-enabled SSDs (TRIM is enabled by default) cannot be recovered.

Recycle Bin (Windows):

Temporary storage for deleted files. Files remain in Recycle bin until you empty the contents or restore the file.

TestDisk

TestDisk is powerful free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software: certain types of viruses or human error (such as accidentally deleting a Partition Table). Partition table recovery using TestDisk is really easy.

What happens when a file is deleted in Windows 98?

The complete path of the file and its name is stored in a hidden file called INFO2 in the Recycled folder. This information is used to restore deleted files to their original locations.

Unlike Windows, Linux can access and retrieve data from a variety of machines. The Linux kernel supports:

VxFS, UFS, HFS, NTFS, and FAT file systems. Some file systems are not readable in a Windows environment, and users can easily recover such files using a bootable Linux distro such as Knoppix.

TestDisk can....

▪ Fix partition table, recover deleted partition
▪ Recover FAT32 boot sector from its backup
▪ Rebuild FAT12/FAT16/FAT32 boot sector
▪ Fix FAT tables
▪ Rebuild NTFS boot sector
▪ Recover NTFS boot sector from its backup
▪ Fix MFT using MFT mirror
▪ Locate ext2/ext3/ext4 Backup SuperBlock
▪ Undelete files from FAT, exFAT, NTFS and ext2 filesystem
▪ Copy files from deleted FAT, exFAT, NTFS and ext2/ext3/ext4 partitions

Kernel for Linux Data Recovery

▪ Recovers lost files and folders on Linux system
▪ Scans and Recovers Linux OS data files
▪ Performs data recovery from corruption and damages
▪ Facility to recover Ext2 and Ext3 file systems of Linux OS

Autopsy Features:

▪ Timeline Analysis - Advanced graphical event viewing interface (video tutorial included)
▪ Hash Filtering - Flag known bad files and ignore known good
▪ Keyword Search - Indexed keyword search to find files that mention relevant terms
▪ Web Artifacts - Extract history, bookmarks, and cookies from Firefox, Chrome, and IE
▪ Data Carving - Recover deleted files from unallocated space using PhotoRec
▪ Multimedia - Extract EXIF from pictures and watch videos
