Deleted files can still contain valuable information for forensic investigations. Recovering and analyzing these files can provide critical evidence of user activities or malicious actions. This project will guide you through the process of recovering and analyzing deleted files on Windows systems using various forensic tools.
To complete this project, you will need access to a Windows operating system. You can use a physical machine or set up a virtual machine using software like VirtualBox or VMware.
- Basic understanding of Windows OS
- Familiarity with command-line interface
- Administrative privileges on the Windows machine
For this project, we will use the following tools:
- Recuva: A tool for recovering deleted files.
- FTK Imager: A forensic imaging tool.
- Autopsy: A digital forensics platform and graphical interface to The Sleuth Kit.
- Download Recuva from the official website.
- Run the installer and follow the on-screen instructions.
- Download FTK Imager from the AccessData website.
- Run the installer and follow the on-screen instructions.
- Download Autopsy from the official website.
- Run the installer and follow the on-screen instructions.
Objective: Learn how to recover deleted files using Recuva.
Steps:
- Open Recuva.
- Select the type of files you want to recover (e.g., All Files).
- Choose the location to scan for deleted files (e.g., a specific drive or folder).
- Start the scan and wait for it to complete.
- Review the list of recoverable files and select the ones you want to recover.
- Click on Recover and choose a location to save the recovered files (use a different drive from the one you scanned, so the recovered data does not overwrite sectors that still hold other deleted files).
Expected Output: You should be able to recover deleted files and save them to your specified location.
Objective: Learn how to create a forensic image of a disk for detailed analysis.
Steps:
- Open FTK Imager.
- Select File > Create Disk Image.
- Choose the source type (e.g., Physical Drive) and select the drive you want to image.
- Follow the prompts to create an image file (e.g., E01 format) and save it to your desired location.
Expected Output: You should have a forensic image of the selected disk saved in your specified location.
Objective: Use Autopsy to analyze the forensic image and recover deleted files.
Steps:
- Open Autopsy and create a new case.
- Add the forensic image created in Exercise 2 as a data source.
- Navigate to the File Analysis module.
- Filter the files to show only deleted files.
- Review the list of deleted files and examine their contents.
Expected Output: You should be able to analyze and view the contents of deleted files using Autopsy.
Objective: Extract and analyze metadata of recovered files to gather additional information.
Steps:
- In Autopsy, locate the recovered files.
- Right-click on a file and select Extract File Metadata.
- Review the extracted metadata, including creation, modification, and access times, as well as file size and type.
Expected Output: You should be able to view and interpret the metadata of recovered files, providing additional context for the forensic investigation.
Objective: Correlate recovered files with system events to understand the context of their deletion.
Steps:
- In Autopsy, examine the timeline of system events around the time the files were deleted.
- Look for events such as file creation, modification, and deletion, as well as user login and application execution.
- Correlate these events with the recovered files to understand the context and reasons behind their deletion.
- Document your findings and provide recommendations for further investigation.
Expected Output: You should be able to correlate recovered files with system events, providing a comprehensive understanding of the context and reasons behind their deletion.
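The correlation done by eye in Autopsy's timeline view can also be scripted. The following Python script is an added example, not part of the original project or of Autopsy: it parses a small constructed timeline in a simplified CSV shape (the column names are assumptions, not Autopsy's real export format) and lists every event within a few minutes of a given file's deletion, which is exactly the question Exercise 5 asks.

```python
import csv
import io
from datetime import datetime, timedelta
# Constructed sample timeline (not real evidence). Columns mimic a
# simplified timeline export: timestamp, source artifact, event, detail.
SAMPLE_TIMELINE = """\
timestamp,source,event,detail
2024-03-11T08:55:10Z,security,user_logon,jdoe
2024-03-11T09:01:42Z,prefetch,app_executed,CMD.EXE
2024-03-11T09:02:05Z,mft,file_modified,C:/Users/jdoe/Documents/plan.docx
2024-03-11T09:03:30Z,mft,file_deleted,C:/Users/jdoe/Documents/plan.docx
2024-03-11T09:03:31Z,mft,file_deleted,C:/Users/jdoe/Documents/notes.txt
2024-03-11T09:04:00Z,prefetch,app_executed,CCLEANER64.EXE
2024-03-11T12:30:00Z,security,user_logon,admin
"""

def parse_timeline(text):
    """Parse CSV text into a time-sorted list of dicts with a datetime 'ts'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return sorted(rows, key=lambda r: r["ts"])

def deletion_context(rows, path, window_minutes=5):
    """Return events within +/- window_minutes of the first recorded deletion
    of `path`, excluding that deletion record itself. None if never deleted."""
    deletions = [r for r in rows if r["event"] == "file_deleted" and r["detail"] == path]
    if not deletions:
        return None
    t = deletions[0]["ts"]
    lo, hi = t - timedelta(minutes=window_minutes), t + timedelta(minutes=window_minutes)
    return [r for r in rows if lo <= r["ts"] <= hi and r is not deletions[0]]

def context_summary(rows, path, window_minutes=5):
    """Count surrounding events by type before reading each record."""
    ctx = deletion_context(rows, path, window_minutes) or []
    counts = {}
    for r in ctx:
        counts[r["event"]] = counts.get(r["event"], 0) + 1
    return counts

if __name__ == "__main__":
    rows = parse_timeline(SAMPLE_TIMELINE)
    target = "C:/Users/jdoe/Documents/plan.docx"
    for r in deletion_context(rows, target):
        print(r["ts"].isoformat(), r["source"], r["event"], r["detail"])
    print(context_summary(rows, target))
```

Widen or narrow the window to test how sensitive a conclusion is to it; an application launch one minute before a deletion and one five minutes before carry different weight in a report.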
With these exercises, you will gain practical experience in recovering and analyzing deleted files on Windows systems. This will enhance your skills in digital forensics and help you effectively investigate security incidents by uncovering valuable evidence from deleted files.