RECOVERING DELETED INFORMATION
The deletion of files, folders, and partitions is not necessarily permanent; deleted items can
often be recovered. Recovery of files, folders, and partitions is briefly discussed here.
CHAPTER 7
Seizing, imaging, and analyzing digital evidence
RECOVERING DELETED FILES AND FOLDERS
The deletion process for files and folders involves simply marking the clusters used
by the deleted file or folder as unallocated in the file table. Until the clusters are
physically overwritten the data in the file or folder remains accessible in the unallocated
clusters. Most forensic tools will allow for identification and recovery of deleted files
where the clusters have not yet been overwritten.
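The following toy volume model is an added example, not code from the chapter or from any forensic tool it mentions. It uses a constructed allocation bitmap and a tiny cluster size to show the point above: deleting a file only clears allocation bits and flags the directory entry, the bytes stay in place, and recovery succeeds until a later write reuses one of those clusters.

```python
from dataclasses import dataclass, field

CLUSTER = 16  # bytes per cluster; deliberately tiny for the constructed example


@dataclass
class ToyVolume:
    """Minimal model of a cluster-based volume with a directory table and allocation bitmap."""
    n_clusters: int
    data: bytearray = field(init=False)
    allocated: list = field(init=False)
    table: dict = field(default_factory=dict)  # name -> {"deleted", "clusters", "size"}

    def __post_init__(self):
        self.data = bytearray(self.n_clusters * CLUSTER)
        self.allocated = [False] * self.n_clusters

    def write(self, name, payload):
        """Allocate free clusters, copy payload in, record the cluster run in the table."""
        needed = -(-len(payload) // CLUSTER)  # ceiling division
        free = [i for i, used in enumerate(self.allocated) if not used][:needed]
        if len(free) < needed:
            raise OSError("volume full")
        for k, c in enumerate(free):
            chunk = payload[k * CLUSTER:(k + 1) * CLUSTER]
            # Only len(chunk) bytes are written; the rest of the cluster keeps old content (slack)
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
            self.allocated[c] = True
        self.table[name] = {"deleted": False, "clusters": free, "size": len(payload)}

    def delete(self, name):
        """Mark the entry deleted and release its clusters; no data is wiped."""
        entry = self.table[name]
        entry["deleted"] = True
        for c in entry["clusters"]:
            self.allocated[c] = False

    def recover(self, name):
        """Reassemble a deleted file from its recorded cluster run.

        Returns (bytes, intact) where intact is False if any cluster has since been
        reallocated, meaning part of the content may already be overwritten.
        """
        entry = self.table[name]
        if not entry["deleted"]:
            raise ValueError(f"{name} is not deleted")
        out = bytearray()
        for c in entry["clusters"]:
            out += self.data[c * CLUSTER:(c + 1) * CLUSTER]
        intact = not any(self.allocated[c] for c in entry["clusters"])
        return bytes(out[:entry["size"]]), intact


def demo():
    """Delete a file, recover it intact, then show a new write partially overwriting it."""
    vol = ToyVolume(n_clusters=4)
    vol.write("a.txt", b"A" * 20)        # occupies clusters 0 and 1
    vol.delete("a.txt")
    before = vol.recover("a.txt")       # (b"A"*20, True): fully recoverable
    vol.write("b.txt", b"B" * 16)        # reuses cluster 0
    after = vol.recover("a.txt")        # (b"B"*16 + b"A"*4, False): first cluster lost
    return before, after


if __name__ == "__main__":
    print(demo())
```

The `intact` flag is the check an examiner cares about: a recovered file whose clusters have been reallocated is not trustworthy as a whole, even if parts of it still read correctly.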
RECOVERING DELETED PARTITIONS
Deleting partitions makes the data inside them unavailable to the operating system;
however, the data itself is not destroyed at the point of deletion and can often be
recovered. Information concerning which sectors the deleted partition used to occupy
is recorded in the partition table held in the MBR. Most tools will parse the
information in the partition table, allowing the examiner to see the names of partitions,
deleted or otherwise, and which sector they start and end at. Using this information
the VBR, or backup VBR, for any individual partition can be located. The location
differs depending on the file system used, but is well documented for all common file
systems. Once located, most tools will parse the information in a VBR allowing the
examiner to rebuild the deleted partition.
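The script below is an added example, not code from the chapter or from any tool it describes. It builds a small constructed disk image in memory containing an MBR with one live NTFS-type partition and a second partition whose table entry has been zeroed (the deleted case). It then does what the text describes: parse the MBR partition table for start and end sectors, and, for the partition the table no longer lists, locate its VBR by scanning sector boundaries for the NTFS signature, read the volume size from the VBR, and confirm the backup VBR in the partition's last sector. Layout offsets (partition table at 446, NTFS OEM ID at offset 3, total sectors at 0x28, backup boot sector in the last sector of the partition) are the documented NTFS/MBR conventions; the partition sizes and positions are constructed values.

```python
import struct

SECTOR = 512
NTFS_OEM = b"NTFS    "
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(entries):
    """Construct a 512-byte MBR from (type, lba_start, sector_count) tuples."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(entries):
        status = 0x80 if i == 0 else 0x00
        struct.pack_into(ENTRY_FMT, mbr, 446 + 16 * i, status, b"\0\0\0", ptype, b"\0\0\0", start, count)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


def build_ntfs_vbr(total_sectors):
    """Construct a minimal NTFS boot sector carrying only the fields this example reads."""
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xEB\x52\x90"
    vbr[3:11] = NTFS_OEM
    struct.pack_into("<HB", vbr, 0x0B, 512, 8)      # bytes/sector, sectors/cluster
    struct.pack_into("<Q", vbr, 0x28, total_sectors)  # total sectors in the volume
    vbr[510:512] = b"\x55\xAA"
    return bytes(vbr)


def build_image(total_sectors, live, deleted):
    """Constructed disk: live partitions get MBR entries, deleted ones keep only their VBRs."""
    img = bytearray(total_sectors * SECTOR)
    img[0:SECTOR] = build_mbr([(0x07, s, n) for s, n in live])
    for start, count in live + deleted:
        # NTFS counts the backup boot sector outside the volume, so total = count - 1,
        # and the backup copy sits in the partition's last sector.
        vbr = build_ntfs_vbr(count - 1)
        img[start * SECTOR:(start + 1) * SECTOR] = vbr
        last = start + count - 1
        img[last * SECTOR:(last + 1) * SECTOR] = vbr
    return bytes(img)


def parse_mbr(sector0):
    """Return the non-empty partition table entries with their start and end LBA."""
    if sector0[510:512] != b"\x55\xAA":
        raise ValueError("no 0x55AA boot signature: not an MBR")
    parts = []
    for i in range(4):
        _status, _, ptype, _, start, count = struct.unpack_from(ENTRY_FMT, sector0, 446 + 16 * i)
        if ptype == 0:  # empty slot, or an entry zeroed by deletion
            continue
        parts.append({"slot": i, "type": ptype, "start": start, "end": start + count - 1, "sectors": count})
    return parts


def is_ntfs_vbr(sector):
    return sector[3:11] == NTFS_OEM and sector[510:512] == b"\x55\xAA"


def parse_ntfs_vbr(sector):
    bps, spc = struct.unpack_from("<HB", sector, 0x0B)
    (total,) = struct.unpack_from("<Q", sector, 0x28)
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc, "total_sectors": total}


def carve_ntfs_volumes(image, known):
    """Scan sectors outside known partitions for NTFS VBRs and rebuild volume bounds."""
    n = len(image) // SECTOR
    found = []
    lba = 1
    while lba < n:
        if any(p["start"] <= lba <= p["end"] for p in known):
            lba += 1
            continue
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if is_ntfs_vbr(sec):
            backup = lba + parse_ntfs_vbr(sec)["total_sectors"]
            backup_ok = backup < n and is_ntfs_vbr(image[backup * SECTOR:(backup + 1) * SECTOR])
            found.append({"start": lba, "end": backup, "sectors": backup - lba + 1, "backup_vbr_ok": backup_ok})
            lba = backup + 1  # skip past the backup copy so it is not reported as a second volume
        else:
            lba += 1
    return found


def demo():
    image = build_image(4096, live=[(64, 1024)], deleted=[(2048, 1024)])
    live = parse_mbr(image[:SECTOR])
    recovered = carve_ntfs_volumes(image, live)
    return live, recovered


if __name__ == "__main__":
    print(demo())
```

The cross-check between the primary VBR's size field and the presence of a matching backup VBR at the computed last sector is what separates a real deleted volume from a stray signature in unallocated space.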
WHERE EVIDENCE HIDES
The following sections will discuss some of the more intricate hiding places that
exist within Microsoft Windows operating systems. Some of these places may get
overlooked in a forensic examination, and yet they frequently hold much sought-after
forensic evidence.
REGISTRY
The registry is responsible for holding system settings and configuration information
for all aspects of the Windows operating system and installed software. In modern
Windows operating systems the registry is composed of five files stored in the folder
Winnt\system32\config\, namely Default, System, Security, Software and Sam,
with another file Ntuser.dat being present for each user of the system (Nelson et al.,
2010). Their purpose is shown in Table 7.2.
On a live system the registry can be examined and modified using the registry
editor regedit. Regedit combines the information stored in the files into hives, a format
designed to make their information more accessible to the user. This information is
organized within handle keys, referred to as HKEYs, which in turn contain sub-keys and
associated values (name, type, and data). These keys are HKEY_LOCAL_MACHINE