Hi all,
I am a student studying Forensic Computing in Malaysia. Currently my group mates and I are involved in an assignment where we need to "hack" into Windows 7 with Metasploit and recover the deleted files. However, when I use FTK Imager Lite, Autopsy and ProDiscover Basic, I can't see the deleted file. Am I using the wrong method to search for the deleted file, or are there any methods / open-source tools that can recover files deleted with Metasploit? These are my OS specifications:
Hacking OS: Kali Linux 2017.2 64-bit
Victim OS: Windows 7 Pro 32-bit
Thank you in advance.
If a recovery program cannot see a required file, I would always try data carving. This assumes that the file you want has a findable signature. Data carving will probably produce too many hits, but it may be possible to search through these.
You may also want to be sure that encryption has not been used.
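The signature-based carving mscotgrove recommends is what tools such as PhotoRec do: ignore the file system entirely and scan the raw bytes of a disk image for known headers and footers. The following is an added example, not code posted in this thread or taken from any of the tools named in it. It carves JPEG, PNG and PDF files from a raw image by signature, and builds a small constructed image (two files embedded in filler bytes) so it can be run offline; the signature table, size limits and output naming are my own assumptions, not a standard.

```python
"""Minimal signature-based file carver (added example, not from the thread).

Works on any raw byte stream: a dd image, an FTK Imager .001 segment, or a
VirtualBox disk converted to RAW. It never consults the file system, so a
file whose MFT entry is gone is still found as long as its clusters were
contiguous and not overwritten.
"""
import mmap
import os

# Hypothetical signature table: kind -> (header, footer, max bytes to scan).
# The max length bounds the search so a header with a lost footer does not
# swallow the rest of the image.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 20 * 1024 * 1024),
    "pdf": (b"%PDF-", b"%%EOF", 50 * 1024 * 1024),
}


def carve(image, signatures=SIGNATURES):
    """Scan a bytes-like object and return [(kind, offset, data_or_None)].

    data is None when a header was found but no footer followed within the
    size limit (a truncated file, a fragmented file, or a false positive).
    Caveats a practitioner should know: JPEGs with embedded EXIF thumbnails
    contain an inner FFD8..FFD9 pair, so the first footer may cut the file
    short; PDFs with incremental updates contain several %%EOF markers.
    """
    hits = []
    for kind, (header, footer, max_len) in signatures.items():
        start = 0
        while True:
            pos = image.find(header, start)
            if pos == -1:
                break
            window = image[pos:pos + max_len]
            end = window.find(footer, len(header))
            if end == -1:
                hits.append((kind, pos, None))
                start = pos + 1
                continue
            end += len(footer)
            hits.append((kind, pos, bytes(window[:end])))
            start = pos + end  # resume after this file, not inside it
    return sorted(hits, key=lambda h: h[1])


def carve_image_file(path, out_dir):
    """Memory-map a raw disk image, carve it, write hits as files.

    Returns the list of written file paths. Output names encode the byte
    offset so a hit can be tied back to the image during analysis.
    """
    os.makedirs(out_dir, exist_ok=True)
    written = []
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        for kind, offset, data in carve(mm):
            if data is None:
                continue  # truncated/false positive; log instead if preferred
            out = os.path.join(out_dir, f"{offset:012x}.{kind}")
            with open(out, "wb") as o:
                o.write(data)
            written.append(out)
    return written


def build_sample_image():
    """Constructed test image: one tiny PNG and one tiny JPEG in filler.

    Neither is a valid picture; they only carry the bytes the carver keys on.
    """
    png = (b"\x89PNG\r\n\x1a\n"
           + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13
           + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82")
    jpg = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
    filler = b"\x00" * 512
    return filler + png + filler + jpg + filler


if __name__ == "__main__":
    for kind, offset, data in carve(build_sample_image()):
        print(kind, hex(offset), None if data is None else len(data))
```

For the OP's setup, the VirtualBox disk is the evidence: convert the victim's .vdi to a raw image with VBoxManage clonemedium and the --format RAW option (or image the virtual disk from inside a forensic boot of the VM), then point carve_image_file at that file. Because the carver only reads the image, the "hacked" Windows 7 install is left untouched, which is the point jaclaz makes below about working from a forensically sound copy.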
… also, I don't see the need for the "hacking".
The file (deleted or not) resides on a disk; there is not really any *need* (actually, as I see it, it is pointless) to "hack" into the installed OS. The normal procedure is to image the disk and then attempt to find the file on the image, leaving the poor Windows 7 OS alone.
Maybe there is some reason not to use the above "standard" procedure?
jaclaz
mscotgrove, I will try, but can I do the file carving from the disk image?
jaclaz, the "hacking" part is needed as it is part of my assignment. The process will be:
1) One of our members will act as the "hacker" and hack the victim.
2) The other members will act as digital forensic investigators and examine the victim machine.
Thank you.
Sure, good :) , but there are two phases, or, maybe better, two "roles"; choose yours.
Are you
1) the "hacker"
OR
2) the "digital forensic investigator"?
If you are #1, you know (in this case because your professor told you to use it) that you used Metasploit.
If you are #2, you don't know (or shouldn't know, and anyway it is totally irrelevant, particularly in the context of the question you asked) the tool used to hack the victim. The only thing you know for sure is what you can find from the evidence (which, as suggested, in this case would be a forensically sound copy of the victim's PC disk).
There is no difference between a "deleted file" and "a file deleted with Metasploit" (which in itself means nothing; Metasploit is just a tool the hacker uses to gain control of the PC).
There may be differences between the different ways the hacker may have deleted the file.
Anyway try Photorec (open source)
http//
and/or DMDE (commercial but with a free, only slightly limited, version)
https://dmde.com/
before anything else.
jaclaz
Thank you for your advice. I will try it.
If for some reason you are not able to locate the file, I would recommend giving this tool a try: https://
Perhaps a dumb question, but what type of storage are you trying to recover the deleted data from? If it's an SSD, then the sectors have likely been erased by TRIM.
JaredDM, both OSes are installed on Oracle VirtualBox v5.1.22. Will that matter? Thanks for the reply.
Did you find any trace of it in $LogFile?