Can every file be recovered by forensic tools?

(@theojm)
Posts: 2
New Member
Topic starter
 

I am new when it comes to computer forensics so bear with me, but I just have a general enquiry about this.

Is every file on somebody's computer recoverable? Is there no such thing as permanently deleting a file? I'm talking about a scenario where a picture or a document that has been deleted permanently from the recycle bin for months, or almost a year. Is it possible for that file not to be corrupted and is still accessible over months the time it was created? Because what if you find some data on your forensic case but you can't open it because it's corrupted?

And also can this data be recovered by free forensic software such as FTK Imager or does paid software enable me to do this?

Thanks for your help.

 
Posted : 23/01/2013 12:25 am
TuckerHST
(@tuckerhst)
Posts: 175
Estimable Member
 

General answers to general questions. Since you didn't specify, I'm operating on the assumption that it's a Windows system (XP/Vista/Win7).

Is every file on somebody's computer recoverable?

No, not necessarily.

Is there no such thing as permanently deleting a file?

Yes, there is. Files can definitely be wiped and no longer recoverable.

I'm talking about a scenario where a picture or a document that has been deleted permanently from the recycle bin for months, or almost a year. Is it possible for that file not to be corrupted and is still accessible over months the time it was created?

Yes, it is possible for the file not to be corrupted. It would depend on a number of things, including how close the hard drive was to being full and how much computer activity there was in the ensuing months, to mention a couple of factors.

Because what if you find some data on your forensic case but you can't open it because it's corrupted?

It's very common for files to be partially recovered and therefore corrupted. Sometimes they're still usable. Sometimes not.

And also can this data be recovered by free forensic software such as FTK Imager or does paid software enable me to do this?

While paid forensic software will recover deleted files, there are lots of free tools as well. Which tool is the right one depends on a lot of factors. If this is an actual legal case, I recommend you don't attempt it yourself. Hire an expert to ensure the results will be admissible in court.

 
Posted : 23/01/2013 1:22 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Is every file on somebody's computer recoverable?

No. Not every.

Is there no such thing as permanently deleting a file?

Yes. (such thing as to permanently delete a file does exist, voluntarily or "by accident" like the OS defragging the disk, or downloading/copying data to disk and overwriting the given file - totally or partially)

I'm talking about a scenario where a picture or a document that has been deleted permanently from the recycle bin for months, or almost a year. Is it possible for that file not to be corrupted and is still accessible over months the time it was created?

Yes. (it is possible that a file is still accessible, as well it is possible that it cannot be recovered)

Because what if you find some data on your forensic case but you can't open it because it's corrupted?

Maybe it can be recovered/fixed, maybe it cannot, maybe it can be recovered partially.

And also can this data be recovered by free forensic software such as FTK Imager or does paid software enable me to do this?

A tool (Commercial or Freeware) is a tool, what really counts is the hand that drives it (and the knowledge/experience/etc. of the brain behind the hand).
At the very basic, all you need (if you know what you are doing) is a disk editor and a calculator.
Tools, Commercial or not are only handy ways to do something, sometimes they *all* work, sometimes one will be able to do something that another one cannot, sometimes all the tools in the world won't produce a result.

Thanks for your help.

You are welcome :) though, each and every of your questions is so "generic" that they can ALL be answered by "it depends", i.e. they have no real unique (or actually useful) answers.

jaclaz

 
Posted : 23/01/2013 1:29 am
(@theojm)
Posts: 2
New Member
Topic starter
 

Thank you.
I just tested freeware recovery programs such as Mini Tool Power Data Recovery to see what files I could recover from my Windows system and some files were corrupted. Do you think forensic software would still detect them as corrupted or would you think it'd likely be accessible?

 
Posted : 23/01/2013 1:39 am
TuckerHST
(@tuckerhst)
Posts: 175
Estimable Member
 

Do you think forensic software would still detect them as corrupted or would you think it'd likely be accessible?

You may want to try several tools that do "data carving," and see if any are successful. There's no canonical approach, so some algorithms are more successful than others at recovery, and it would be impossible to predict which will be successful, based on the very limited info you've provided.

Incidentally, I hope you're doing this work on a bitstream copy of the hard drive, not on the original, right? Because, depending on your approach, you could be writing data to the drive, further diminishing the chances of success. As I said before, if this is actual forensics, hire an expert. If not, you may want to consult a data recovery firm.

 
Posted : 23/01/2013 2:09 am
(@belkasoft)
Posts: 169
Estimable Member
 

So far, I am yet to see a freeware data recovery tool that can reliably carve more than a few types of deleted files. In your case, the procedure would be as follows:

1. Choose a data recovery tool that can work with drive images AND supports file carving (e.g. Belkasoft Evidence Center (see my signature), or Diskinternals Partition Recovery, or HDD Recovery Pro, but there are *many* of those). Make sure to install the tool anywhere BUT the disk you're about to recover.

2. Take a bitstream copy ("virtual image", "disk image" or whatever else the tool calls it) of the drive you're about to recover, with the tool of your choice.

3. Use that tool on that copy, making sure the carving mode (we call it "carving", Diskinternals and HDD Recovery Pro call it "PowerSearch") is engaged. You may be able to discover a lot more or a lot less data than expected, depending on how they were stored, whether or not there was a scheduled defragmentation going on, how much disk activity etc.

4. If a file comes out corrupted, it does not necessarily mean it's completely unrecoverable. User-created documents are often saved multiple times; they are about 80% more likely to get fragmented in the process. Most commercial data recovery tools will NOT carve fragmented files correctly UNLESS information about them still appears in the file system (which is less likely if a lot of time has already passed). Depending on exact type of information, you may or may not be able to carve fragmented files (e.g. text-based formats such as .txt, .htm, .xml, .eml etc. are easier to carve even if they are scattered around the disk).

5. If you need to present the results, make sure to document your every step.

 
Posted : 23/01/2013 4:05 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

So far, I am yet to see a freeware data recovery tool that can reliably carve more than a few types of deleted files.

I would have thought that Photorec does more than "a few" types
http://www.cgsecurity.org/wiki/PhotoRec#Known_file_formats

Known file formats

PhotoRec searches for known file headers. If there is no data fragmentation, which is often the case, it can recover the whole file. PhotoRec recognises numerous file formats including ZIP, Office, PDF, HTML, JPEG and various graphics file formats. The whole list of file formats recovered by PhotoRec contains more than 390 file extensions (about 225 file families).

http://www.cgsecurity.org/wiki/File_Formats_Recovered_By_PhotoRec

Of course fragmentation is an issue (often a very serious one).

jaclaz

 
Posted : 23/01/2013 9:04 pm
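
Added example (not part of any post in this thread): a minimal header/footer carver run over a constructed buffer standing in for unallocated space, showing why a contiguous file carves back intact while a fragmented one comes out corrupted. The stand-in "JPEG" files, sector layout and function names are assumptions made for the illustration; this is not PhotoRec's algorithm.

```python
import hashlib

SECTOR = 512
SOI, EOI = b"\xff\xd8\xff", b"\xff\xd9"   # JPEG start-of-image / end-of-image markers

def make_fake_jpeg(tag: bytes, sectors: int) -> bytes:
    """Constructed stand-in for a JPEG: real markers, filler body, whole sectors."""
    return SOI + tag * (sectors * SECTOR - len(SOI) - len(EOI)) + EOI

def build_image():
    """Constructed 'unallocated space': file A contiguous, file B split in two."""
    a = make_fake_jpeg(b"A", 3)
    b = make_fake_jpeg(b"B", 3)
    other = b"Z" * (2 * SECTOR)            # clusters belonging to some other file
    image = (bytes(SECTOR) + a             # sector 0 empty, A in sectors 1-3
             + b[:2 * SECTOR] + other      # B fragment 1, then foreign data
             + b[2 * SECTOR:] + bytes(SECTOR))  # B fragment 2, trailing empty sector
    return image, a, b

def carve_jpegs(image: bytes):
    """Header/footer carving: ignores the file system and assumes contiguity."""
    found = []
    for off in range(0, len(image), SECTOR):   # files start on sector boundaries
        if image.startswith(SOI, off):
            end = image.find(EOI, off + len(SOI))
            if end != -1:
                found.append((off, image[off:end + len(EOI)]))
    return found

def run_demo():
    """Return (start sector, carved length, matching original or None) per hit."""
    image, a, b = build_image()
    known = {hashlib.sha256(a).hexdigest(): "A", hashlib.sha256(b).hexdigest(): "B"}
    return [(off // SECTOR, len(blob), known.get(hashlib.sha256(blob).hexdigest()))
            for off, blob in carve_jpegs(image)]

if __name__ == "__main__":
    for sector, length, match in run_demo():
        status = f"intact copy of file {match}" if match else "corrupted (hash mismatch)"
        print(f"sector {sector}: carved {length} bytes, {status}")
```

The fragmented file is carved with the foreign sectors embedded in it, so its length and hash no longer match the original even though every one of its own bytes is still on the disk.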
(@belkasoft)
Posts: 169
Estimable Member
 

I would have thought that Photorec does more than "a few" types
http://www.cgsecurity.org/wiki/PhotoRec#Known_file_formats

Known file formats

Live and learn, live and learn… :)

That said, Photorec still ignores the file system, which is bad for recovering fragmented files. So at least two different tools then must be used in order to recover existing files and files from unallocated space. In my experience, tools using combined approach (analyzing the file system, if any, and taking information obtained from the file system into account when reading unallocated space) usually work best.

 
Posted : 24/01/2013 2:26 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

That said, Photorec still ignores the file system, which is bad for recovering fragmented files. So at least two different tools then must be used in order to recover existing files and files from unallocated space. In my experience, tools using combined approach (analyzing the file system, if any, and taking information obtained from the file system into account when reading unallocated space) usually work best.

Yes, but we were talking of "carving" or "file based recovery" (or at least I was ;) ).

If the file is just plainly "deleted" filesystem analysis is needed BUT knowledge of the file format is then irrelevant. (you either find an entry marked as deleted in the filesystem indexing or you don't find it).

So, yes, two passes (with two different tools) are needed, but I would guess that the "added trouble" might be compensated by the "right price" of such tools.

A quick list of "undelete" tools is here:
http://pcsupport.about.com/od/filerecovery/tp/free-file-recovery-programs.htm

jaclaz

 
Posted : 24/01/2013 3:44 pm
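
Added example (not part of any post in this thread): the file-system pass described above, sketched for a FAT directory because its 32-byte entries are compact enough to show in full; the thread does not say which file system is involved, so FAT is an assumption, and the directory contents below are constructed. A deleted entry is recognised by its first byte (0xE5), and the start cluster and size are read the same way whatever the file type.

```python
import struct

# FAT short directory entry: 11-byte 8.3 name, attribute byte, 8 bytes skipped,
# first-cluster high word, 4 bytes skipped, first-cluster low word, file size.
ENTRY = struct.Struct("<11sB8xH4xHI")
DELETED, END_OF_DIR, ATTR_LFN = 0xE5, 0x00, 0x0F

def make_entry(name83: bytes, cluster: int, size: int, deleted: bool = False) -> bytes:
    """Build a constructed directory entry; deletion overwrites the first name byte."""
    raw = bytearray(ENTRY.pack(name83, 0x20, cluster >> 16, cluster & 0xFFFF, size))
    if deleted:
        raw[0] = DELETED
    return bytes(raw)

def find_deleted(directory: bytes):
    """Return (name, first cluster, size) for each entry marked as deleted."""
    hits = []
    for off in range(0, len(directory) - ENTRY.size + 1, ENTRY.size):
        first = directory[off]
        if first == END_OF_DIR:                 # no entries beyond this point
            break
        name, attr, hi, lo, size = ENTRY.unpack_from(directory, off)
        if first != DELETED or attr == ATTR_LFN:
            continue                            # live entry or long-name fragment
        base = name[1:8].decode("ascii", "replace").rstrip()
        ext = name[8:].decode("ascii", "replace").rstrip()
        # The first character of the name is lost; '?' marks the gap.
        hits.append(("?" + base + ("." + ext if ext else ""), (hi << 16) | lo, size))
    return hits

# Constructed sample directory: one live file, two deleted ones, then unused slots.
SAMPLE_DIR = (
    make_entry(b"REPORT  DOC", 0x0020, 20480)
    + make_entry(b"HOLIDAY JPG", 0x1234, 48213, deleted=True)
    + make_entry(b"NOTES   TXT", 70000, 912, deleted=True)
    + bytes(2 * ENTRY.size)
)

if __name__ == "__main__":
    for name, cluster, size in find_deleted(SAMPLE_DIR):
        print(f"{name}: first cluster {cluster}, {size} bytes")
```

Whether the clusters an entry points to still hold the original data is a separate question: if they were reused after deletion, the entry is found but the content is not.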
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I'm not going to jump on the bandwagon with answers to all of these questions, as I think that they've been addressed very well so far.

Is it possible for that file not to be corrupted and is still accessible over months the time it was created?

One of the things I discuss in my courses and presentations is how active Windows systems are, even when the user doesn't do anything - there is a great deal that goes on even when no user is interacting with the system at the keyboard. Software updates, defrags, etc. As such, it's not likely that you'd be able to retrieve/carve deleted files, even a week or so after the date/time that the file was deleted.

I have seen instances where a file was deleted, and the system was shut down, and then not touched for several months. I've also seen cases where the system was in heavy use by the user after a specific date, and the system wasn't acquired for more than a year - in those cases, most of the information we were able to 'carve' was stuff that remained resident in logical files on the system, so it hadn't actually been deleted.

 
Posted : 24/01/2013 4:23 pm