Recovery Deleted Files Undelete on Ext3 Filesystem on Debian / Ubuntu GNU / Linux - Undelete Just Deleted Directories
Walking in Light with Christ - Faith, Computing, Diary GNU Linux, UNIX, FreeBSD, Windows, Mac OS - Hacks, Goodies, Tips and Tricks and The True Meaning of life
http://www.pc-freak.net/blog

Author: admin

I've recently deleted a file by mistake on my Debian Linux. I did quite a lot of research on possible ways to recover my lost .odt file and tried various approaches using different tools.

The most straightforward way to recover plain text data is simply to use the grep command over the partition where the recently deleted file was located. I used egrep and was able to find the inode pointers of the deleted files using the command:

debian:~# egrep -b -o --binary-files=text "meta:creation-date.*meta:creation-date" /dev/sda5

In the above example /dev/sda5 was my ext3 partition.

Though this command presented me with inode numbers where I could look up the files, I was not able to find a good straightforward way to retrieve the information contained in these inodes.

However, before proceeding to use grep to recover anything on your partition, it's recommended that you switch to another system runlevel (init level). Best practice after you realize you have mistakenly deleted a certain file is to switch to init 1 and unmount the mounted partition which previously contained the recently deleted file. To do so, issue the init command to enter init 1:

debian:~# init 1

The next step is to try the traditional Unix way of recovering raw portions of data from your partition.
For instance, if you want to recover a text file starting with the text Assignment, do the following grep:

grep -i -a -B10 -A100 'Assignment' /dev/sda5 > /root/file.txt

The above command will recover everything found on /dev/sda5 that contains the word Assignment (case insensitive). The data will be recovered in such a way that wherever Assignment is matched, 10 lines before the word itself and 100 lines after the grep keyword are retrieved. Though this will be helpful in recovering simple text files whose contents were wiped out, it's completely unusable for retrieving binary file data.

Yet if you're trying to recover just plain text sentences which contain a certain keyword, let's say payments, you might once again execute the grep command in the following way:

grep -b 'payments' /dev/sda5 > /root/file.txt

Be aware that the file created by the binary grep will contain a lot of bulk data, and you will have to spend time sorting out which parts of the data are the ones you are interested in. This is really inconvenient and time consuming, but it still seems to be a way.

For binary files you have the option to use foremost. Foremost is said to be able to recover a certain range of binary formats, however it is a really serious limitation that with it you only have the option to recover the following file formats:

jpg, gif, png, bmp, avi, exe, mpg, wav, riff, wmv, mov, pdf, ole, doc, zip, rar, htm, cpp

foremost should also be able to recover all of the aforementioned formats at once.
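The grep -b run above leaves you with raw offsets to sort through by hand, and foremost's type list has no odt, the very format being recovered here. As an added example (not code from the post or from any of the tools it names), this Python script does both jobs over a raw device or dd image: it reports the byte offset of every keyword hit together with a window of surrounding bytes, and it carves contiguous .odt files by their ZIP structure. The sample image is constructed in memory; on a real system pass an opened, unmounted device and write any output to a filesystem other than the one being scanned.

```python
"""Added example (not the post's code): byte-offset keyword search and
.odt carving over a raw partition or dd image. The sample image below is
constructed in memory; on a real system pass an opened, unmounted device."""
import io
import struct
import zipfile

CHUNK = 4 * 1024 * 1024       # read the device 4 MiB at a time
ODT_MAGIC = b"PK\x03\x04"     # ZIP local file header signature
ODT_MIME = b"mimetypeapplication/vnd.oasis.opendocument.text"
EOCD = b"PK\x05\x06"          # ZIP end-of-central-directory signature


def iter_hits(fh, needle, chunk=CHUNK):
    """Yield the absolute offset of every `needle` in stream `fh` (grep -b).
    A match may straddle two reads, so the last len(needle)-1 bytes of each
    window are carried into the next; a carry shorter than the needle can
    never hold a whole match, so no offset is reported twice.
    """
    carry, base = b"", 0              # base: absolute offset of carry[0]
    while True:
        data = fh.read(chunk)
        if not data:
            return
        buf = carry + data
        pos = buf.find(needle)
        while pos != -1:
            yield base + pos
            pos = buf.find(needle, pos + 1)
        keep = len(needle) - 1
        carry = buf[-keep:] if keep else b""
        base += len(buf) - len(carry)


def keyword_contexts(fh, keyword, before=512, after=4096, chunk=CHUNK):
    """grep -b with -B/-A measured in bytes: [(hit, window_start, window)]."""
    fh.seek(0)
    out = []
    for off in list(iter_hits(fh, keyword, chunk)):   # list(): we seek below
        start = max(0, off - before)
        fh.seek(start)
        out.append((off, start, fh.read(off - start + after)))
    return out


def carve_odt(fh, max_size=32 * 1024 * 1024, chunk=CHUNK):
    """Return [(offset, data)] for every contiguous .odt in `fh`.
    An .odt is a ZIP whose first entry is the stored file 'mimetype': the
    30-byte local header, the 8-byte name, then the mime string; the archive
    ends with the 22-byte EOCD record plus its comment. Fragmented files are
    not reassembled, the usual limit of signature carving (foremost included).
    """
    fh.seek(0)
    found = []
    for mime_off in list(iter_hits(fh, ODT_MIME, chunk)):
        start = mime_off - 30
        if start < 0:
            continue
        fh.seek(start)
        header = fh.read(30)
        fnlen, exlen = struct.unpack_from("<HH", header, 26)
        if header[:4] != ODT_MAGIC or fnlen != 8 or exlen != 0:
            continue
        fh.seek(start)
        blob = fh.read(max_size)
        end = blob.find(EOCD)
        if end == -1 or end + 22 > len(blob):
            continue
        comment_len = struct.unpack_from("<H", blob, end + 20)[0]
        found.append((start, blob[: end + 22 + comment_len]))
    return found


def build_sample_image():
    """Constructed fake partition: filler, a text line, filler, one .odt."""
    odt = io.BytesIO()
    with zipfile.ZipFile(odt, "w") as zf:
        zf.writestr(zipfile.ZipInfo("mimetype"),
                    "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", "<office:text>Assignment draft</office:text>",
                    compress_type=zipfile.ZIP_DEFLATED)
    filler = bytes(range(256)) * 64   # 16 KiB holding neither "PK" nor keyword
    line = b"Quarterly report: the payments for the Assignment are due.\n"
    image = filler + line + filler + odt.getvalue() + filler
    return image, odt.getvalue()


def demo(chunk=CHUNK):
    """Run both scans over the constructed image and return the results."""
    image, odt_bytes = build_sample_image()
    fh = io.BytesIO(image)
    hits = keyword_contexts(fh, b"payments", 16, 32, chunk)
    return image, odt_bytes, hits, carve_odt(fh, chunk=chunk)
```

Calling demo() runs both scans over the constructed image; passing a small chunk size (for example demo(chunk=7)) exercises the case where a match straddles two reads.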
To start using the program on Debian to recover your deleted files, you can simply install the software, which is already available as a Debian package. To install it, issue:

debian:~# apt-get install foremost

To start using the program right away you will need to execute something similar to:

debian:~# foremost -i /dev/sda5 -t doc -o /root/foremost

Again, in the above command line /dev/sda5 is the device on which you want to look for your lost files, the -t argument gives foremost the exact file extension you're looking for, and the -o switch instructs it where to save the found files.

Nevertheless, my personal experience with foremost wasn't good. I tried to recover just a recently deleted .doc file. What foremost recovered were two doc files with a size of about 6.8 MB. I wasn't able to open either of the 2 files with Open Office or Microsoft Office 2003.

Right after executing foremost you will see a progress bar similar to:

Processing: /dev/sda5|*****************************************..

On a 15 GB partition the program execution time was about 10 or 15 minutes until it completed its recovery operations, but as I said the recovered data wasn't good at all.

The other ext3 file recovery programs I tried were:

1. PhotoRec
2. TestDisk
3. ext3grep
4. ext3undel

The ext3undel reviews and articles I found online were really interesting, and presented the ext3undel collection of wrapper shell scripts, built on top of the sleuth kit, photorec and foremost, as a means to conduct its recovery. After I read a few positive reports from people who succeeded in recovering their deleted files on ext3 partitions, I immediately went to check out the tool and installed it.
The tool already has a packaged Debian version. To install it you will have to add the following deb repository to your /etc/apt/sources.list file:

debian:~# echo 'deb http://apt.izzysoft.de/ubuntu generic universe' >> /etc/apt/sources.list

Next, to install the ext3undel package, issue:

debian:~# apt-get update && apt-get install ext3undel

ext3undel is actually pretty interactive, so it was not necessary for me to pass any program options to it; I simply started it:

debian:~# ext3undel

You will be prompted with the partition selection menu, where you will first have to select the partition from which you would like to recover files. Next you will be prompted to select another partition, which must be a different one from the first one chosen. The third thing you will be prompted about is the file type you would like the ext3undel program to look for; in my case that was .odt.

After a minute or so the program will show you all the .odt files which were recently wiped from the hdd. It is then up to you to use the /usr/bin/ralf program (R.A.L.F. - Recover A Lost File, a tool to undelete an (accidentally) deleted file from ext2/ext3 file systems) to undelete the mistakenly deleted files on your ext3 Linux filesystem.

However, it appeared that the ralf utility is not working properly on current Debian testing/unstable (Squeeze/Sid) distributions. Invoking the ralf binary I was surprised by the following error message:

Could not find the 'dls' executable in your $PATH.
This is part of the sleuthkit package.
One or more of the essential tools required to recover your file cannot be found.
Please make sure you have them installed, and they can be found in your $PATH.
In the sleuth kit the name of the former dls binary has changed to blkls, therefore it seemed quite natural to me to simply link the blkls binary to dls, and my assumption was that this would probably solve the error message printed by the ralf wrapper script. Thus I made the dls symlink point to blkls:

debian:~# ln -sf /usr/bin/blkls /usr/bin/dls

Then once again I tried the ralf file recovery utility:

debian:~# ralf /home/hipo/filetorecover.odt

This time the error returned by the ralf proggie changed and looked like:

* FileName set to '/home/hipo/filetorecover.odt'
* Real filename: '/home/hipo/filetorecover.odt'
/usr/bin/ralf: line 239: /tmp/undel_FIFO: Interrupted system call
* Evaluated '' as corresponding mount point, using '' file system.
! WARNING: This is not an ext2/ext3 file system, so our algorithm may fail!
Sorry - something went wrong, could not determine the source device.
* Cleaning up...

I looked online to see if somebody had experienced the same error with the program, but I couldn't find anything, therefore I eventually decided to drop the idea of using ext3undel.

As I continued my research on the tools that exist nowadays to undelete files on Linux, I came across debugfs. A very good article about a possible way to use debugfs to retrieve deleted files on ext3 can be found on Symantec's website. However, in my case using debugfs as a recovery tool didn't work out.
Anyway, as I scraped through the internet I found a couple of posts which pointed out that a good commercial program able to recover lost files on an ext3 partition is Stellar Phoenix Linux Recovery; you can check out the product here: Stellar Phoenix Linux Recovery.

After a few hours spent on futile attempts to recover my recently deleted file, I finally decided to drop it and rewrite the file :(

As a conclusion I would say that for Linux there are plenty of ways to recover files on an ext3 partition, however the process is really complex, and the lack of a simple, user friendly, robust program to do it is a big gap in GNU/Linux as a modern day operating system.