Data Recovery/Discovery Files Deleted Files Text Searches Slack Space Free Space Lab

Data Recovery/Discovery

• Files

• Deleted Files

• Text Searches

• Slack Space

• Free Space

• Lab

Files on the Drive

• List all the files on the drive

• WinHex can show only one folder at a time

• Import file list into Excel

• Sort by file extension

Open Floppy Image

Interpret Image File as Disk

“Crtl A” Select All Files and Folders

Export File List

Choose the Fields to Export

To choose the fields that you want hold the “Ctrl” key down and click on the desired fields

Pertinent Data

• Name

• Description

• Extension (file type)

• Path

• Size

• MAC date/times

Save in your Case Folder

Open it in Excel

• It may open it automatically• If not

– Go to your case folder– Start Excel– File -> Open– Find your Case Folder – Select All files– Open the .txt file

All Files

Run through formatting options

Run through formatting options

Run through formatting options

Make it Pretty

• Landscape format

• Smaller font

• Expand columns to show full date time

• Etc.

Pretty

Description Column

• Note an assessment of recoverability

• Find the file in WinHex

• “Recover/Copy”

• A deleted file has been recovered

Deleted Files

• With your spreadsheet you know what deleted files you can recover

• Recover them

Text Searches

• Search the entire disk/image for varioous words

• WinHex returns a list of hits

• You have look for the context on the words and determine if it is of probative value

• Select all hits and delete to clear the search list

Simultaneous Search

Enter Search Terms

High light a search hit

Lab Assignment

• List of files organized by file extension

• Highlight recoverable deleted files

• Recover the files and comment on their relevance to charges of cat porn

• Select keywords and search for them.