File000130

Module XVII – Recovering Deleted Files and Partitions

EC-CouncilCopyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

News: Rescue Tool for Crashed Exchange Files

Source: http://www.networkworld.com/

By Bryan Betts , TechWorld , 01/22/2009

A new data recovery tool can rescue mailbox files from crashed or corrupted Microsoft Exchange servers, even when the files are password-protected, its developer has claimed.

DataNumen, a software house based in Hong Kong, said that with the release of version 2.0, its Advanced Exchange Recovery tool can now recover data by scanning Exchange's OST offline storage files and saving it as Outlook PST files.

The company added that the new version can also cope with OST files larger than 2GB, and can recover deleted items from the Exchange mailbox, including messages, whether plain text, RTF or HTML, attachments and embedded objects, appointments, tasks, notes and so on. Exchange's OST file is an offline copy of the mailbox on the server. However, if the server or mailbox is not available due to hardware failure or malicious software, the OST file is orphaned and inaccessible. Corrupt or damaged OST files cannot be accessed either.

"Thanks to a byte-level scan performed by an advanced algorithm, Advanced Exchange Recovery 2.0 recovers every possible item in OST files," DataNumen claimed. Other capabilities of the software include recovering and splitting oversized OST files, batch recovery, searching for OST files on the local PC, drag-and-drop operations, and the ability to work either via a command line interface or through Windows Explorer. It supports versions of Microsoft Exchange from 5.0 to 2007.

A single-user license costs US$249.95 (around £180), with volume discounts available. DataNumen said that it also offers a free trial copy for download.



Module Objective

• Recovery of the Deleted Files• Deleting Files• What happens when the File is Deleted• Recycle Bin• Data Recovery in Linux• Data Recovery Tools

• Recovery of the Deleted Partitions• Deletion of Partitions• Recovery of the Deleted Partitions• Partition Recovery Tools

This module will familiarize you with:



Module Flow

Deleting Files

Data Recovery Tools

Data Recovery in Linux

Deletion of Partition

Recycle Bin

What happens when the

File is Deleted

Partition Recovery toolsRecovery of

The Deletion Partition



Recovering the Deleted Files



Deleting Files

Files are moved to the Recycle Bin in the following ways:

• By right-clicking on a file and selecting delete from the menu

• Selecting the file and pressing the delete key• Selecting delete from the side menu in Windows XP• From a context menu command or some other function

in a software application (usually configurable)• By a computer virus• By dragging and dropping a file into the Recycle Bin

icon



What happens when a File is Deleted in Windows

When a file is deleted, the operating system marks the file’s name in the MFT with a special character that indicates that the file has been deleted

The first letter of a file name is replaced by a hex byte code E5h

Corresponding clusters in FAT are marked as unused

Index field in MFT is marked with a special code in NTFS

The computer now looks at the clusters occupied by that file as being empty and therefore avails space to store a new file

The deleted file can be recovered if the space is not allocated to any other file



Recycle Bin in Windows

You can retrieve files that have been deleted from the Recycle Bin

When a file is deleted, it is sent to the Recycle Bin where it remains until the Recycle Bin is emptied

The Restore all items option of the Recycle Bin properties, allows to restore the data to its original location

After the Recycle Bin is emptied, the data still remains in its original location on the hard drive for a period of time

The data will disappear only when the operating system over-writes original location of the file

Data deleted from removable media such as floppy disks is not stored in the Recycle Bin



Recycle Bin in Windows



Storage Locations of Recycle Bin in FAT and NTFS System

Files in the Recycle Bin are stored in C:\RECYCLED folder on FAT file systems and, in the C:\RECYCLER folder on NTFS file systems

All recycled files on FAT system are dumped into a single C:\RECYCLEDdirectory, whereas recycled files on NTFS system are categorized into directories named as C:\RECYCLER\S-.... based on the user's SID

The maximum possible size of the Recycle Bin is 3.99 gigabytes per drive

Items larger than the storage capacity of the Recycle Bin cannot be stored in the Recycle Bin



How the Recycle Bin Works

Files stored in the Recycle Bin in its physical location are renamed as Dxy.ext where ‘x’ represents the drive name ‘y’ a sequential number starting at 1 and ‘.ext’ being the original file name’s extension

When a file or folder is deleted, the complete path including the original file name is stored in a special hidden file called “Info” or “Info2” in the Recycled folder

Recycle Hidden folder contains files deleted from My Computer, Windows Explorer, and some Windows applications



How the Recycle Bin Works (cont’d)

The deleted file is renamed, using the syntax:

D<original drive letter of file><#>.<original extension>



Damaged or Deleted INFO File

If the INFO file is damaged or deleted, no file appears in the Recycle Bin

The files in the Recycled folder have been renamed

If the INFO file is deleted, it is re-created when you restart Windows

The INFO file is a hidden file. To delete the INFO file, follow these steps:

• Open a command prompt window• Type cd recycled

• Type attrib -h inf*

• Type del info



Damaged Files in Recycled Folder

Damaged files in the Recycled folder do not appear in the Recycle Bin

To restore the deleted files, follow this process:

• Create a copy of the Recycled\Desktop.ini file in another folder, and then delete the entire contents of the Recycled folder

• Delete all files in the Recycle Bin• Restore the Desktop.ini file to the Recycled folder• If the Desktop.ini file is not present or is damaged, you can recreate it by

adding the following information to a blank Desktop.ini file:•[.ShellClassInfo]CLSID={645FF040-5081-101B-9F08-00AA002F954E}



Damaged Recycle Folder

The Recycled folder itself can become damaged

Files are moved to the folder, and the Recycle Bin appears full but, you cannot view the contents and ‘Empty The Recycle Bin’ command is unavailable

Deleting this folder and restarting Windows will re-create this folder and restore functionality:

• Restart to a command prompt• Type attrib -s -h recycled

• Type del recycled

• Restart the computer



Recycle Folder



How to Undelete a File

The procedure principally involves finding the data on the raw partition device and making it visible again to the operating system

There are basically two ways of doing this:

• Modify the existing file system such that the deleted inodes have their ‘deleted' flag removed

• Find out where the data lies in the partition and write it out into a new file on another file system



Data Recovery in Linux

In Linux, files that are deleted using /bin/rm remain on the disk

The second extended file system (ext2) is commonly used in most of the Linux systems

The design of the ext2 filesystem is such that data can be hidden in several places

Run a process that keeps the file open and then removes the file

The file contents are still on the disk and the space will not be reclaimed by other programs

Note that if an executable erases itself, its contents can be retrieved from /proc memory image: command "cp /proc/$PID/exe /tmp/file" creates a copy of a file in /tmp



Tools to Recover Deleted Files

Search and Recover

Zero Assumption Digital Image Recovery

E2undel

R-linux

O&O Unerase

Restorer 2000

Badcopy Pro

File Scavenger

Mycroft

PC Parachute

Stellar Phoenix

Filesaver

Virtual Lab

Drive and Data Recovery

Active@ UNERASER - DATA recovery

Restoration

PC Inspector File Recovery

PC Inspector Smart Recovery

Fundelete

Disk Investigator



Tools to Recover Deleted Files (cont’d)

RecoverPlus Pro

OfficeFIX

Recover My Files

Zero Assumption Recovery

SuperFile Recover

IsoBuster

CDRoller

DiskInternals Uneraser

Disk internal Flash Recovery

Undelete

Active@ UNDELETE

CD Data Rescue

File Recover

Win Undelete

R-Undelete

Image Recall

eIMAGE

Recover4all Professional

eData Unerase

Easy Undelete

Active@ UNERASER

Handy Recovery

inDIsk Recovery



Tool: Search and Recoverhttp://www.iolo.com/

Search and Recover tool allows the investigator to quickly recover the deleted or destroyed files, folders, songs, pictures, videos, programs, critical system components, web pages, and email messages in Microsoft Outlook and Outlook Express, Netscape, and Eudora

Search and Recover works with any hard drive, floppy drive, irrespective of the drive format, and can recover the deleted items from digital cameras, MP3 players, USB flash drives, and other portable devices



Tool: Zero Assumption Digital Image Recoveryhttp://www.z-a-recovery.com/

Zero Assumption Digital Image Recovery can retrieve digital photographs that are deleted from a digital camera

It supports media such as CompactFlash, MemoryStick, and SmartMedia that can be accessed through an operating system

Supported formats are:

• GIF • JPEG • TIFF • CRW - Canon RAW data• MOV - QuickTime movie• WAV - Waveform audio




e2Undel is an interactive console tool that recovers the data of the deleted files in Linux

R-Linux recovers files from the existing logical disks even when file records are lost




O&O Unerase recovers the deleted files with the help of an algorithm which enables more files to be recovered at a time

Restorer 2000 allows the investigator to Undelete , Unerase , and Unformat files




BadCopy Pro is a tool that is valuable to forensic investigators with regard to removable storage mediums

File Scavenger can recover files that have been accidentally deleted



Tool: Mycroft V3http://www.dibsusa.com/

Features of MyCroft tool:

• It sorts out the suspect computers from a given pool before copying the data

• Searches unallocated sectors in the disk to map the given information in order to identify the stolen computers

• Searches for references to specific types of crimes on the suspect systems

• Conducts the first high-speed search to test the search attributes



Tool: PC ParaChutehttp://www.unitrends.com/

PC ParaChute automatically protects and recovers data stored on any Intel-based PC on a network without user’s intervention

The system that crashes can be recovered back to its full functional state without the need to re-install the operating system, patches, configuration etc.

It recovers the systems to its last state before the incident




Stellar Phoenix is a non-destructive and read-only software equipped with an automated wizard which helps in recovering files

FileSaver tool is an undelete application that works by searching for bits of data that can be recovered and pieced together to form the original file




Virtual Lab recovers files from Jaz, Zip, disk, and other removable drive formats and digital camera media

The Drive and Data Recovery tool helps the forensic investigators in un-deleting and recovering the important files



Active@ UNERASER - DATA Recovery is a compact and powerful undelete utility that can recover the deleted files and folders on FAT12, FAT16, FAT32, and NTFS systems

Restoration is an easy-to-use tool designed to recover files deleted from Windows as well as recycle bin





PC Inspector File Recoverysupports FAT and NTFS file systems, and recovers deleted files with original date and time stamp

PC Inspector Smart Recovery is a data recovery program for Flash Card, Smart Media, and other data devices for digital cameras




Fundelete replaces the standard Windows NT/2000/XP recycle bin and allows you to undelete files

RecoverPlus Pro allows to recover the deleted images from hard drives




OfficeFIX recovers Access data bases created using MS Access 95, 97, 2000 and XP, all versions of MS Excel, and all versions of Word

‘Recover My Files’ recovers the deleted files including documents, graphics, Zip files, email, and music




‘Zero Assumption Recovery’ is a read only data recovery solution

‘SuperFile Recover’ searches for the deleted files, and recovers them, even if they have been emptied from the Recycle Bin




IsoBuster tool recovers the data from all possible CD and DVD formats and supports direct CD compressed files

CDRoller is an easy-to-use, well-featured, and low-cost tool for CD and DVD data recovery




DiskInternals Uneraser is an undelete tool to recover the deleted files, including documents, photos, mp3, and zip files

DiskInternals Flash Recovery is a flash memory file recovery tool that restores all the corrupted and deleted photographs or the ones that were lost due to hardware malfunction




DiskInternals NTFS Recoveryis a fully automatic tool that restores data from damaged or formatted drives

DiskInternals CD and DVD Recovery, as the name implies is a software solution capable of recovering data from CDs and DVDs, including multi-session ones




Undelete is a data recovery tool that replaces the standard Windows Recycle Bin with a Recovery Bin

Active@ UNDELETE is a data recovery software that helps to recover lost, deleted, and formatted data on the local and network drives, and hardware or software RAID




CD Data Rescue recovers files from damaged or defective CDs

File Recover and undelete program restores the accidentally deleted files on the logical and physical disks



Tool: WinUndeletehttp://www.winundelete.com/

WinUndelete is an undelete utility to recover the previously deleted files from the hard drives, floppy disks, ZIP drives, USB external flash drives, and digital camera cards

R-Undelete is an easy-to-use, powerful file recovery and undelete solution for FAT, NTFS, NTFS5, and Ext2FS file systems



Tool: Image Recallhttp://www.imagerecall.com/

Image Recall enables you to recover the deleted or formatted files from any type of flash memory card, USB memory drive, or other removable media

It supports all popular image (including RAW), audio, video, and data files

The recovered files can be previewed (JPEG) and saved to a folder on your hard drive or burned directly to CD

It also includes a secure deletion feature that allows you to erase your card, so that it cannot be recovered



Image Recall: Screenshot



Tool: eIMAGE Recoveryhttp://www.octanesoft.com/

eIMAGE Recovery is a tool to recover the digital photos and multimedia from media that is defective or damaged, as well as images that you may have accidentally deleted from your storage card

The interface is user-friendly and offers a fast scan, as well as an in-depth scan

It supports all popular image formats, including Canon Raw (CRW), Kodak Raw (DCR), Nikon Raw (NEF), and several other specialized formats



eIMAGE Recovery: Screenshot




Recover4all Professional allows you to recover the deleted files, even after they have been removed from the Recycle Bin

eDATA Unerase enables to recover lost or deleted files from hard drives, floppy disks, digital cameras, SmartMedia, and CompactFlash



Tool: Easy-Undeletehttp://www.easy-undelete.com/

Easy-Undelete tool can recover the deleted files, even if they have been emptied from the Recycle Bin or erased by other programs

It enables you to recover deleted files from your PC, also from your digital camera card, and similar devices

It recovers lost files on any physical storage device

It can recover files on unformatted or un-partitioned hard drives

It is simple and easy to use



Easy-Undelete: Screenshot

Advanced File Recovery

Image Preview

Data Preview

Cluster Recovery




InDisk Recovery is a CD or DVD data recovery tool designed to recover any type of deleted, lost or unreadable files and folders

TOKIWA DataRecovery is a data recovery tool which enables un-deleting files, even if they have been removed from the recycle bin




Data Recovery Wizard Professional can recover files lost due to deleting, formatting, lost partition or damaged logical drives, virus infection, software crash, unexpected shutdown, and other unknown reasons

CD Recovery Toolbox Free is a data recovery tool, designed to recover files from scratched or otherwise damaged or corrupt CD, DVD, HD DVD, and Blue-Ray disks




Smart Protector - Internet Eraser protects private data on all Windows systems

Active File Recovery for Windows provides the ability to effectively recover data as a result of having been accidentally deleted, formatted, or otherwise lost




SoftPerfect File Recovery tool restores the deleted files from hard and floppy disks, USB flash drives, CF, and SD cards and other storage media

Partition Recovery helps to recover lost partitions occurred due to invalid partition table, virus, or others reasons




Final Recovery was developed to recover files and folders from the hard disks, floppy disks, PCMCIA-attached digital camera cartridges, smart media, compact flash, & memory sticks

Mutilate File Wiper is a file eraser and disk free space wiper that securely deletes the sensitive files from the hard drive




Repair My Excel is a Microsoft Excel file recovery Software that restores the damaged or corrupt files that cannot be opened

Repair My Word is a data recovery program for Microsoft Word documents




Zip Repair is a utility that will repair corrupt Zip files that gives the error message

CRW Repair is a data recovery program for Canon RAW (.CRW) photos



Recovering Deleted Partitions



Deletion of Partition

You cannot delete a partition if it is assigned to an item such as calling search space or to a route pattern

You cannot delete a partition that is in use

Before deleting a partition that is currently in use, perform either or both of the following tasks:

• Assign a different partition to any calling search spaces, devices, or other items that are using the partition that you want to delete

• Delete the calling search spaces, devices, or other items that are using the partition that you want to delete

What happens when partition is deleted?

• All data on that deleted partition or logical drive is lost • Deleting a partition on a dynamic disk can delete all the dynamic volumes on the disk, thus leaving the

disk in a corrupt state



Deletion of Partition using Windows



Deletion of Partition using the Command Line



Recovery of the Deleted Partition

The Partition Recovery process is a significant part of the data recovery

Recovery of the deleted Partition is the process by which the investigator evaluates and extracts the deleted partitions

Partition Recovery utility helps in recovering all important data lost after accidental lost partition

Partition Table Doctor recovers any deleted partitions or logical drive



Recovering the Deleted Partition Tools

GetDataBack recovers data which is lost due to formatting, fdisk, virus attack, power or software failure

DiskInternals Partition Recovery supports a multitude of file systems and recover partitions in FAT12, FAT16, FAT32, VFAT, NTFS, NTFS4, and NTFS5



Recovering Deleted Partition Tools (cont’d)

Active@ Partition Recovery is small and easy to use DOS program that recovers the deleted partitions and FAT and NTFS logical drives

Handy Recovery is an easy-to-use data recovery software designed to restore files accidentally deleted from the hard disks and floppy drives



Recovering the Deleted Partition Tools (cont’d)

Acronis Recovery Expert tool protects data by recovering hard disk partitions, if damaged or lost by any reason and supports disks with capacity greater than 180 GB

Active Disk Image is a DOS-based solution designed for complete backup and restoration of particular FAT / NTFS partitions and logical drives



Tool: TestDiskhttp://www.cgsecurity.org/

TestDisk can find lost partitions for various file systems such as BeFS(BeOS), DOS/Windows, Hierarchical File System, Linux Raid and Logical Volume Manager, Novell Storage Services (NSS), IBM's Journaled File System, and Compressed File System



Tool: Recover It All!http://www.dtidata.com/

‘Recover It All!’ recovers and restores the deleted or damaged partition or boot sectors

It performs functions such as partition recovery in memory first, also eliminating the accidental data loss

• Recovers data lost due to formatting• Fdisk (partition recovery) restores lost, deleted or corrupt partition

tables

• Works with most RAIDs (redundant array of inexpensive disks)• Restores lost partitions, corrupt partition, and partition

recovery• Easy to use and powerful

Features:



Recover It All!: Screenshot



Tool: Scavenhttp://www.pjwalczak.com/

Scaven is a micro-tool for data recovery

It is an effective tool that recovers the lost partitions and permanently deleted files

It recovers:

• Accidentally formatted drives• Drives with damaged MBR / lost partitions• Drives with corrupted FATs• Permanently deleted files• Drives which developed bad sectors



Recovering Deleted Partition Tools

‘Partition Table Doctor’ recovers your data if the partition table or boot sector on hard disk is lost or damaged

NTFS Partition Data Recovery software recovers and restores NT 2000/2003 operating system hard drive volume files folders



Flash Retriever Forensichttp://www.infinadyne.com/

Flash Retriever Forensic Edition is a tool for examining, recovering, and documenting flash-based media

It supports multi-core CPUs to increase the speed of examination

• Complete imaging of flash devices in raw format• Simultaneously examines multiple devices and/or

image files all within the same session• Thumbnail display for photos, including a

complete print capability• MD5 hashing of media, images, and individual

files

Features:



Screenshot: Flash Retriever Forensic



ThumbsDisplayhttp://www.infinadyne.com/

ThumbsDisplay is a tool which displays Thumbs.db and Vista thumb cache files

Features:

• It displays all thumbnail images with original file name and timestamp• It copies the individual images to the clipboard for inclusion in a

document or save them as JPEG or BMP format files• It shows all thumbnail files:

• thumbs.db, • thumbcache_idx.db, • thumbcache_32.db, • thumbcache_96.db, • thumbcache_256.db, • thumbcache_1024.db• thumbcache_sr.db



Summary

In Windows, files of the recycle bin are stored in C:\RECYCLED folder on FAT file systems and in the C:\RECYCLER folder on NTFS file systems

Damaged files in the Recycled folder do not appear in the Recycle Bin

In Linux, files that are deleted using /bin/rm, remain on the disk

Files or folders deleted from floppy disks, Zip disks, or network servers are not stored in the Recycle Bin

Deleting a partition on a dynamic disk can delete all dynamic volumes on the disk, thus leaving the disk in a corrupt state

Recovery of the deleted Partition is the process by which the investigator evaluates and extracts deleted partitions





Technology

File000130