لطفا منتظر باشید ...
10.4 Data Recovery
Although automated tools are necessary to perform routine forensic examination tasks efficiently, it is important to understand the underlying process to explain them in court or perform them manually in situations where the tools are not suitable. There are two main forms of data recovery in FAT file systems: recovering deleted data from unallocated space and recovering data from slack space.[14]Recently deleted files can sometimes be recovered from unallocated space by reconnecting links in the chain as described in Section 10.2. For instance, to recover the deleted file named "greenfield.doc" on the aforementioned floppy diskette it is necessary to modify its entry in the root directory, replacing the sigma ("σ") with an underscore ("_") as shown here. The sigma is used on FAT file systems to indicate that a file is deleted. Notably, this recovery process must be performed on a copy of the evidentiary disk because it requires the examiner to alter data on the disk.
Name .Ext ID Size Date Time Cluster 76 A R S H D V
_REENF~1 DOC Erased 19968 5-08-03 2:34 pm 275 A - - - - -
Then it is necessary to observe that the file begins at cluster 275 and its size is the equivalent of 39 clusters (19,968 bytes 512 bytes/cluster = 39 clusters). Assuming that all of these clusters are contiguous, the FAT can be modified to reconstruct the chain as shown here in bold.
[] Disk Editor
Object Edit Link View Info Tools Help
0 0 0 0 0 0 0 0
185 186 187 188 189 190 191 192
193 194 195 196 197 198 199 200
201 202 203 204 205 206 207 208
209 210 211 212 213 214 215 216
217 218 219 220 221 222 223 224
225 <EOF> <EOF> <EOF> 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 276 277 278 279 280
281 282 283 284 285 286 287 288
289 290 291 292 293 294 295 296
297 298 299 300 301 302 303 304
305 306 307 308 309 310 311 312
313 <EOF> 315 316 317 318 319 320
321 322 323 324 325 326 327 328
329 330 331 332 333 334 335 336
337 338 339 340 341
FAT (1st Copy) Sector1
DriveA: Cluster 275, hex 113
Recovering fragmented files is more difficult. When a file was not stored in contiguous clusters, it requires more effort and experience to locate the next link in the chain.
Recovering deleted directories is beyond the scope of this book. The process involves searching unallocated space for an unique pattern associated with directories and is covered in the Handbook of Computer Crime Investigation, Chapter 7, pp. 143–145 (Sheldon 2002). EnCase has a useful utility for automatically recovering all deleted directories (and the files they contained) on a FAT volume.
10.4.1 Windows-Based Recovery Tools
The recovery process described above is time consuming and must be performed on a working copy of the original disk. More sophisticated examination tools like EnCase and FTK can use a bitstream copy of a disk to display a virtual reconstruction of the file system, including deleted files, without actually modifying the FAT. All of these tools recover files on FAT systems in the most rudimentary way, assuming that all clusters in a file are sequential. Therefore, in more complex situations, when files are fragmented, it is necessary to recover files manually. Windows-based tools like EnCase and FTK can also be used to recover deleted files on NTFS volumes.
10.4.2 Unix-Based Recovery Tools
Linux can be used to perform basic examinations of FAT and NTFS file systems as described in Chapter 11. Also, tools like fatback,[15] The Sleuth Kit, and SMART[16] can also be used to recover deleted files from FAT file systems. For instance, the following shows fatback being used to recover a deleted file from a FAT formatted floppy diskette.
examiner1% fatback -l biotechx.log hunter-floppy.dd
Parsing file system.
/ (Done)
fatback> dir
Sun Apr 13 15:36:52 2003 0 SALES
Sun May 13 11:58:10 2003 21504 SKIWAY~1.DOC skiways-
getafix.doc
Sun May 13 12:40:48 2003 122 TODO.TXT todo.txt
Sun May 13 12:42:18 2003 122 NEWADD~1.TXT newaddress.txt
Sun May 8 14:34:16 2003 19968 ?REENF~1.DOC greenfield.do
Sun May 8 14:41:44 2003 0 ?PRIL/ april
Sun Feb 18 12:49:16 2001 16896 CONTACTS.XLS contacts.xls
fatback> copy greenfield.do /e1/biotechx/recovered
The contents of a deleted file named "greenfield.doc" was extracted and saved into a file named "/e1/biotechx/recovered" using the copy command within fatback. The Sleuth Kit, combined with the Autopsy Forensic Browser, can be used to examine FAT file systems through a Web browser interface and recover deleted files as shown in Figure 10.5.
Figure 10.5: The Sleuth Kit and Autopsy Forensic Browser being used to examine a FAT file system (checkmarks indicate files are deleted).
The Sleuth Kit and Autopsy Forensic Browser enable examiners to examine data at the logical and physical level and can also be used to recover files from NTFS file systems. The Sleuth Kit can also be used to recover slack space from FAT and NTFS systems using "dls -s". Although SMART has a feature to recover deleted files from FAT and NTFS volumes, it does not display them in a logical view, making the recovery process somewhat cumbersome.
10.4.3 File Carving with Windows
Another approach to recovering deleted files is to search unallocated space, swap files, and other digital objects for class characteristics such as file headers and footers. Conceptually, this process is like carving files out of the blob-like amalgam of data in unallocated space. File carving tools such as DataLifter (Figure 10.6) and Ontrack's Easy-Recovery Pro (Figure 10.7) can recover many types of files including graphics, word processing, and executable files. Also, user defined files can be carved using WinHex "File Recovery by Type" feature or EnCase E-scripts available from the EnScript library.[17] Specialized tools like NTI's Graphics Image File Extractor also exist to extract specific types of files. Some of these tools can extract images from other files such as images stored in Word documents.
Figure 10.6: DataLifter being used to carve files from two blobs of unallocated space and one blob of file slack from a system.
Figure 10.7: Easy-Recovery Pro from Ontrack.
One of the main limitations of these tools is that they generally rely on files having intact headers. Therefore, when file headers have been obliterated, it may be necessary to search for other class characteristics of the desired files and piece fragments together manually. Even when it is not possible to piece recovered fragments together, it may be possible to extract useful information from them. For instance, cluster 37 of the aforementioned floppy disk contains a Word document fragment with Windows date-time stamps from April 14, 2003, at around 0800 hours, shown here in bold.
Slack space contains fragments of data that can be recovered but that can rarely be reconstituted into complete files. However, if a small file overwrote a large one, it may be possible to recover the majority of the overwritten file from slack space. It is easiest to recover textual data from slack space because it is recognizable to the human eye. Figure 10.8 shows remnants of a shopping cart on CD Universe in slack space.
Figure 10.8: File slack of a recovered file viewed using EnCase.
Interestingly, the slack space shown in Figure 10.8 is associated with a deleted file that was recovered.
10.4.4 Dealing with Password Protection and Encryption
It is generally acceptable, and usually desirable, for digital investigators to overcome password protection or encryption on a computer they are processing. In some instances, it is possible to use a hexadecimal editor like Winhex to simply remove the password within a file. There are also many specialized tools that can bypass or recover passwords of various files. For instance, NTI sells a collection of password recovery tools that they have validated.[Usborne 2002].However, Microsoft Windows EFS generally uses 128-bit keys (Microsoft 2001) and because each additional bit doubles the number of possibilities to try, a brute force search quickly becomes too expensive for most organizations or simply infeasible, taking million of years. Therefore, before brute force methods are attempted, some exploration should be performed to determine if the files contain valuable evidence and if the evidence can be obtained in any other way. It may be possible to locate unencrypted versions of data in unallocated space, swap files, and other areas of the system. Alternatively, it may be possible to obtain an alternative decryption key. For instance, Encrypted Magic Folders[Microsoft 1999]. In Windows 2000, the built-in Administrator account is the default recovery agent (an organization can override the default by assigning a domain-wide recovery agent provided the system is part of the organization's Windows 2000 domain). Notably, prior to Windows XP, EFS private keys were weakly protected and it was possible to gain access to encrypted data by replacing the associated NT logon password with a known value using a tool like ntpasswd and logging into the system with the new password.[14]A full discussion of recovering lost or hidden partitions is beyond the scope of this text. EnCase, gpart and testdisk (see Chapter 11) can be used to recover partitions on disks with incorrect or damaged partition tables.
[15]http://sourceforge.net/projects/biatchux/
[16]http://www.asrdata.com
[17]http://www.encase.com/support/escript_library.shtml
[18]http://www.forensics-intl.com/breakersl
[19]http://lostpassword.com/
[20]http://www.password-crackers.com/crackl
[21]http://home.eunet.no/~pnordahl/ntpasswd/
[22]http://www.winternals.com/products/repairandrecovery/erdcommander2002.asp
[23]http://www.atstake.com/research/lc/
[24]http://www.pc-magic.com/
