Scribd
Upload
41 views

Understanding Data Deletion and Data Recovery in Windows

1. Understanding Type of Data Deletion in Windows 2. Understanding Type of Data Recovery in Windows a. Recovering file from $Recycle.bin b. Recovering file from exploring raw data on NTFS c. Creating your own scripts to data carving

Uploaded by

Izazi Mubarok
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
41 views

Understanding Data Deletion and Data Recovery in Windows

1. Understanding Type of Data Deletion in Windows 2. Understanding Type of Data Recovery in Windows a. Recovering file from $Recycle.bin b. Recovering file from exploring raw data on NTFS c. Creating your own scripts to data carving

Uploaded by

Izazi Mubarok
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 29

Izazi Mubarok SST, MSc, CHFI, CEH, ACE, OFCE, CISA, CDSS

Copyright © Izazi Mubarok – Understanding Data Deletion and Data Recovery in Windows | FORKRIPT TALKS 1 BSSN 2021 www.forensor.com 1 1
About me
1 Professional Experiences
1. Chairman of AFDI
Outline
2. Chief of Tax Forensics at DGT
3. Digital Forensics Investigator (±10 years)
4. Founder of Forensor.com
5. Assessor of Digital Forensics Labs at KAN, BSN Understanding Type of Data
2 Education
Master in Forensic Computing and Cybercrime Investigation, Deletion in Windows
University College Dublin, Ireland (First Class Honours)
3 Professional Certification
1. Computer Hacking Forensic Investigator (CHFI)
2. Certified Ethical Hacker (CEH)
3. AccessData Certified Examiner (ACE)
Understanding Type of Data
4. Oxygen Forensic Certified Examiner (OFCE) Recovery in Windows
5. Certified Information System Auditor (CISA)
6. Certified Data Science Specialist (CDSS)
4 Overseas training
1. Benchmarking Study on Digital Forensics, USA • Recovering file from $Recycle.bin
2. Counterpart Training on Criminal Investigation, JAPAN
3. Digital Economy, Turkey
• Recovering file from exploring raw data on NTFS
5 Teaching/Sharing Experiences • Creating your own scripts to data carving
1. Government: BSSN, TNI AD, Polda Jatim, PPATK, KPK, OJK,
Itjen DKI, Itjen Kemenag RI, DJP, etc.
2. Private Sec: Banks, Insurance, etc.
3. University: UI, UNDIP, UMP, Gunadharma, etc.
Copyright © Izazi Mubarok – Understanding Data Deletion and Data Recovery in Windows | FORKRIPT TALKS 1 BSSN 2021 www.forensor.com 2 2
Forensic Computing and Cybercrime Investigation

Data &
Computer Mobile Phone Live Data
Database
Forensics Forensics Forensics
Forensics

Money
Network VoIP & Wireless Malware
Laundering
Investigation Investigation Investigation
Investigation

Programming Advanced
Linux For Advanced
for Investigators Computer
Investigators Scripting [Linux]
[Python] Forensics

Copyright © Izazi Mubarok – Understanding Data Deletion and Data Recovery in Windows | FORKRIPT TALKS 1 BSSN 2021 www.forensor.com 3 3
The Role of Digital Forensics

Digital Digital Digital


Digital Era
Crime Forensics Evidence

• Technology • Cyber incident • Principles (ISO 27037; ACPO) • Rules of evidence


• Individuals, • Cyber crime or • Standard/best practices (ISO (ISO 27037; UU ITE)
businesses and Cyber-related 27037/27042; ACPO; NIJ; NIST, • In the form of a file
organizations crime SWGDE, etc.) or a collection of
• Benefit or loss; • Internal fraud • Resources (personnel, tools, files
opportunities or facility, methodology/ process) • File Signature
threats • Aims: 1) preserve 2) recovery • Digital Fingerprint
3) reconstruct • Metadata
• Content

Copyright © Izazi Mubarok – Understanding Data Deletion and Data Recovery in Windows | FORKRIPT TALKS 1 BSSN 2021 www.forensor.com 4 4
File is so meaningful as it has at least four!

File Signature

Digital Fingerprint

Metadata

Content

Copyright © Izazi Mubarok – Understanding Data Deletion and Data Recovery in Windows | FORKRIPT TALKS 1 BSSN 2021 www.forensor.com 5 5
What do we look for?

File Signature

Digital Fingerprint

Metadata

Content

Copyright © Izazi Mubarok – Understanding Data Deletion and Data Recovery in Windows | FORKRIPT TALKS 1 BSSN 2021 www.forensor.com 6 6
File is organized by File system

File Signature File System • Allocates space on


Manages disk for files and
file maintains this space
storage so that it may not be
Digital Fingerprint overwritten

Metadata Stores • Time: Modified;


Metadata Accessed; Created
a set of structures that about the • Size; Permissions;
Content is used to control how file Attributes, etc.
information is stored
on a disk

Copyright © Izazi Mubarok – Understanding Data Deletion and Data Recovery in Windows | FORKRIPT TALKS 1 BSSN 2021 www.forensor.com 7 7
Windows File system

NTFS
special
files

Copyright © Izazi Mubarok – Understanding Data Deletion and Data Recovery in Windows | FORKRIPT TALKS 1 BSSN 2021 www.forensor.com 8 8
How to delete a file in Windows?
1. Drag and drop file into Recycle Bin
2. Select file, press “Delete” key
3. Select file, right-click, select
“Delete” option

Send to Recycle Bin

Copyright © Izazi Mubarok – Understanding Data Deletion and Data Recovery in Windows | FORKRIPT TALKS 1 BSSN 2021 www.forensor.com 9 9
How to delete a file in Windows?
4. Select file, press “Shift” and
“Delete” keys
5. Select file, right-click, press “Shift”
key and select “Delete” option
6. Delete file from command line

Moved Permanently from


the Filesystem

Copyright © Izazi Mubarok – Understanding Data Deletion and Data Recovery in Windows | FORKRIPT TALKS 1 BSSN 2021 www.forensor.com 1010
How to delete a file in Windows?

Send to • Drag and drop file into Recycle Bin


• Select file, press “Delete” key
Recycle Bin • Select file, right-click, select “Delete” option

Delete file • Select file, press “Shift” and “Delete” keys


• Select file, right-click, press “Shift” key and select “Delete”
from the file option
system • Delete file from command line

Copyright © Izazi Mubarok – Understanding Data Deletion and Data Recovery in Windows | FORKRIPT TALKS 1 BSSN 2021 www.forensor.com 1111
How to recover a file deleted in Windows?

Send to • Drag and drop file into Recycle Bin


File system Recovery make use of the file system
• Select file, press “Delete” key information that remains after
(Restore)
Recycle Bin deletion of a file
• Select file, right-click, select “Delete” option

Delete file • Select file, press “Shift” and “Delete” keys


deals with the raw data on the
• Select file, right-click, press “Shift” keyand
anddoesn’t
selectuse“Delete”
from the file option Data Carving media the file
system structure during its process
system • Delete file from command line

Copyright © Izazi Mubarok – Understanding Data Deletion and Data Recovery in Windows | FORKRIPT TALKS 1 BSSN 2021 www.forensor.com 1212
Recovering file from $Recycle.bin
File Recycling Recycle Bin on NTFS drives SID Named Folder

Not permanently deleted

Renamed and moved to a hidden folder

Can be restored to its original name and


location

Each logical drive has hidden recycle bin


folder for files recycled from that drive

Recycle Bin folder structure is different on $I = metadata


FAT and on NTFS drives
$R = actual recovery data

Copyright © Izazi Mubarok – Understanding Data Deletion and Data Recovery in Windows | FORKRIPT TALKS 1 BSSN 2021 www.forensor.com 1313
$IYB6LR4.txt Have fixed size of 544 bytes

Date & time of recycling


Size of $R… file in bytes
(Windows 64-bit timestamp)

Original name and location of $R… file in Unicode

Copyright © Izazi Mubarok – Understanding Data Deletion and Data Recovery in Windows | FORKRIPT TALKS 1 BSSN 2021 www.forensor.com 1414
Case study: Forensics Analysis of a File $IYB6LR4.txt
Name : $IYB6LR4.txt
File Size : 544 bytes
Physical Size : 544 bytes
Date Accessed : 4/25/2020 1:49:13 AM
Date Created : 4/25/2020 1:49:13 AM
Date Modified : 4/25/2020 1:49:13 AM
Size of $RYB6LR4.txt file in bytes
64-bit LE Value A6 01 00 00 00 00 00 00
01 A6 = 422 bytes
Date & Time of Recycling
Decode Hex Value 40 EA 9A B8 A3 1A D6 01
Sat, 25 April 2020 01:49:13 UTC
Convert Hex Value to Unicode

E:\Folder B\Select file, press “Delete” key.txt


Copyright © Izazi Mubarok – Understanding Data Deletion and Data Recovery in Windows | FORKRIPT TALKS 1 BSSN 2021 www.forensor.com 1515
Case study: Forensics Analysis of a File $RYB6LR4.txt
Name : $RYB6LR4.txt
File Size : 422 bytes
Physical Size : 422 bytes
Date Accessed : 4/25/2020 12:15:08 AM
Date Created : 4/25/2020 12:15:08 AM
Date Modified : 4/25/2020 12:15:08 AM
Original name :
Select file, press “Delete” key.txt
Path :
E:\Folder B\Select file, press “Delete” key.txt
Size : 422 bytes
Date & Time of Recycling :
Sat, 25 April 2020 01:49:13 UTC
Deleted by Owner SID :
S-1-5-21-2869703517-4213650454-
673425579-1001 (forensor)

Copyright © Izazi Mubarok – Understanding Data Deletion and Data Recovery in Windows | FORKRIPT TALKS 1 BSSN 2021 www.forensor.com 1616
Recover file from exploring raw data on NTFS
Disk Structure Size on disk Number system Raw Data

• Master Boot • Bits • Binary; Dec; Hex • Hex Dump


Record (MBR) • Byte • Convert Hex to • Locate bytes in
• Partition • Sector Decimal Hex
• Cluster • Negative value • Little/Big Endian

Copyright © Izazi Mubarok – Understanding Data Deletion and Data Recovery in Windows | FORKRIPT TALKS 1 BSSN 2021 www.forensor.com 1717
Logical disk structure
Disk Structure Size on disk Number system Raw Data

• Master Boot • Bits • Binary; Dec; Hex • Hex Dump


Record (MBR) • Byte • Convert Hex to • Locate bytes in
• Partition • Sector Decimal Hex
• Cluster • Negative value • Little/Big Endian

Partition table is located in the MBR

Gives start and size of each partition

Four primary partitions can be created

Partitions are area than can be used to store a file system

Copyright © Izazi Mubarok – Understanding Data Deletion and Data Recovery in Windows | FORKRIPT TALKS 1 BSSN 2021 www.forensor.com 1818
Information storage
Disk Structure Size on disk Number system Raw Data

• Master Boot • Bits • Binary; Dec; Hex • Hex Dump


Record (MBR) • Byte • Convert Hex to • Locate bytes in
• Partition • Sector Decimal Hex
• Cluster • Negative value • Little/Big Endian

Bits (Binary Digits) is (0;1)s as data stored on computer

Bytes consist of 8 bits

Sector is the basic disk unit, usually contains 512 data bytes

A cluster is composed of a number of sectors (basic unit to store a file)

Copyright © Izazi Mubarok – Understanding Data Deletion and Data Recovery in Windows | FORKRIPT TALKS 1 BSSN 2021 www.forensor.com 1919
Number system
Disk Structure Size on disk Number system Raw Data

• Master Boot • Bits • Binary; Dec; Hex • Hex Dump


Record (MBR) • Byte • Convert Hex to • Locate bytes in
• Partition • Sector Decimal Hex
• Cluster • Negative value • Little/Big Endian

Binary Digits: 0, 1

Decimal Digits: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9

Hex Digits: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F

Copyright © Izazi Mubarok – Understanding Data Deletion and Data Recovery in Windows | FORKRIPT TALKS 1 BSSN 2021 www.forensor.com 2020
Representing textual-information
Disk Structure Size on disk Number system Raw Data

• Master Boot • Bits • Binary; Dec; Hex • Hex Dump


Record (MBR) • Byte • Convert Hex to • Locate bytes in
• Partition • Sector Decimal Hex
• Cluster • Negative value • Little/Big Endian
Locate a byte at offset 0x1E?

Convert to Decimal

Interpret to ASCII/Unicode

Copyright © Izazi Mubarok – Understanding Data Deletion and Data Recovery in Windows | FORKRIPT TALKS 1 BSSN 2021 www.forensor.com 21 21
SK

Multi-bytes value in little endian


Locate
Disk2Structure
bytes, little-endianSize
at offset
on disk0x1A? Number system Raw Data

• Master Boot • Bits • Binary; Dec; Hex • Hex Dump


Record (MBR) • Byte • Convert Hex to • Locate bytes in
• Partition • Sector Decimal Hex
• Cluster • Negative value • Little/Big Endian

Copyright © Izazi Mubarok – Understanding Data Deletion and Data Recovery in Windows | FORKRIPT TALKS 1 BSSN 2021 www.forensor.com 2222
Convert multi-bytes value of hex
Convert the multi-bytes value
Disk Structure Sizeof
on0x0080
disk to decimal?
Number system Raw Data

• Master Boot • Bits • Binary; Dec; Hex • Hex Dump


Record (MBR) • Byte • Convert Hex to • Locate bytes in
• Partition • Sector Decimal Hex
• Cluster • Negative value • Little/Big Endian

Copyright © Izazi Mubarok – Understanding Data Deletion and Data Recovery in Windows | FORKRIPT TALKS 1 BSSN 2021 www.forensor.com 2323
SK

Recovering Files & Gathering Metadata

Interpreting Master Boot Record

Interpreting $BOOT Structure

Analyzing $MFT File Record Entries

Extracting files from $DATA attribute

Extracting metadata from $STANDARD_INFORMATION

Copyright © Izazi Mubarok – Understanding Data Deletion and Data Recovery in Windows | FORKRIPT TALKS 1 BSSN 2021 www.forensor.com 2424
Search all file signature (hex) of $MFT. Check each of $MFT from
the last result
Search for filenames that start with “$I” in $FILE_NAME
Open image using HXD attribute (3000 000)

Read MBR (sector 0 on image/disk, size 512b) Get the original filename in $DATA attribute (8000 000)

Search for filenames that start with “$R” in $FILE_NAME


Find Partition Table (offset 0x1BE, size 64b) attribute (3000 000)
Copy/Save as Partition Table Find $DATA attribute (8000 000) and save the attribute

Get 64 bytes of partition table Find $STANDAR_INFORMATION attribute (1000 000) and save the
attribute
Check offset 0x04, find the ID type NTFS (07)
If Non-Resident (0x08 value 0x01), check value 0x20 for the offset
Find the starting sector of Partition (4 bytes offset 0x08)
of the Run List
Get the number of sector (4 bytes offset 0x0C)
Interpret the Run List to get starting cluster of file and get the
Go to the starting sector of NTFS, add number of sectors & save NTFS number of cluster used
Extract data (hex) from the starting cluster (Run List) and add
Get the size of sector (2 bytes offset 0x0B) Logical Size (8 bytes offset 0x30)
Get the number sectors per cluster (1 byte offset 0x0D)
Find the size (4 bytes offset 0x10) and offset to the attribute
Calculate size per cluster (in bytes) stream (2 bytes offset 0x14)
Find metadata (Creation; Modification, $MFT Modification; Last
Get the starting cluster for $MFT (8 bytes offset 0x30) Access and each 8 bytes) and decode using Dcode

Copyright © Izazi Mubarok – Understanding Data Deletion and Data Recovery in Windows | FORKRIPT TALKS 1 BSSN 2021 www.forensor.com 2525
Create your own scripts to data carving

Use Data Recovery apps


(commercial, free, open source)
or
Write a script to carve a file from a
raw dd image, particularly from
unallocated space

Copyright © Izazi Mubarok – Understanding Data Deletion and Data Recovery in Windows | FORKRIPT TALKS 1 BSSN 2021 www.forensor.com 2626
Summary
Digital Forensics help us to preserve and recovery Digital Evidence, and
reconstruct any Digital Crime.

Understanding several types of data deletion in windows is good for us


to know what really happens with the files deleted in windows and
then to select the best method to recover the files.

As the Digital Forensics is a science, understanding several types of


data deletion in windows is also important for us to develop our own
methods or even apps.

Copyright © Izazi Mubarok – Understanding Data Deletion and Data Recovery in Windows | FORKRIPT TALKS 1 BSSN 2021 www.forensor.com 2727
[email protected]
[email protected]
+62 852 8647 0009

Contribute to developing our nation 🇮🇩


Copyright © Izazi Mubarok – Understanding Data Deletion and Data Recovery in Windows | FORKRIPT TALKS 1 BSSN 2021 www.forensor.com 28
Copyright © Izazi Mubarok – Understanding Data Deletion and Data Recovery in Windows | FORKRIPT TALKS 1 BSSN 2021 www.forensor.com 2929

You might also like