Posted: 7/30/2005 12:03:23 PM EDT
My Bro's wife moved out, took all her $hit, and deleted her user account off of his Windows XP machine.

Under her profile were all of his pics from his trip to Europe. When he attempts to find the pics, he can see the thumbnails, but there is no "path" to the pictures (since the C:\Documents and Settings\dumb-soon-to-be-ex-wife folder is not there).

The problem is, since the pictures were never placed in the trash bin, none of the undelete programs are able to rectify this situation.

Suggestions?



(Tonight, I am going to create a NEW profile on my computer, store a few images in it, then delete the profile. I have a few ideas, but want to see what you gurus come up with...)
Link Posted: 7/30/2005 4:35:55 PM EDT
[Last Edit: 7/30/2005 4:38:36 PM EDT by rocko]
Even when a file is "deleted", the only thing that happens is the area of the disk on which it is stored is marked as unallocated. The next time you need to write to the disk, it may write to that area - or it may choose another unallocated area on the disk. However, until that happens, the original data is still actually there. There are several forensics tools that can more or less easily recover such files, but I'm not aware of any freeware ones for Windows. OTOH, there are several such for Linux (namely, Lazarus and unrm), but the use may be a bit beyond your average user. Linux can mount a Windows FAT or NTFS partition just fine. Google Knoppix, which is a bootable Linux Live CD distro, which has those tools - among a host of others. Knoppix isn't the best Live CD for forensics work, but for what you need to do, it would be fine.

Don't create another user. In fact, given the above, you want to avoid writing anything to the disk at all until you attempt recovery of the files. And as long as the machine is running, it is more or less writing to the disk all the time. If you are really, really, concerned, you should yank the power cord instead of shutting it down before booting w/ your Live CD, as the OS will write lots of stuff to the disk on normal shutdown. Modern disks are so large, that the chances of overwriting the data you want so soon is small (unless the disk is already mostly full, of course), but you want to minimize the chance.
Link Posted: 7/31/2005 5:47:55 AM EDT
excellent advice


Originally Posted By rocko:
Even when a file is "deleted", the only thing that happens is the area of the disk on which it is stored is marked as unallocated. The next time you need to write to the disk, it may write to that area - or it may choose another unallocated area on the disk. However, until that happens, the original data is still actually there. There are several forensics tools that can more or less easily recover such files, but I'm not aware of any freeware ones for Windows. OTOH, there are several such for Linux (namely, Lazarus and unrm), but the use may be a bit beyond your average user. Linux can mount a Windows FAT or NTFS partition just fine. Google Knoppix, which is a bootable Linux Live CD distro, which has those tools - among a host of others. Knoppix isn't the best Live CD for forensics work, but for what you need to do, it would be fine.

Don't create another user. In fact, given the above, you want to avoid writing anything to the disk at all until you attempt recovery of the files. And as long as the machine is running, it is more or less writing to the disk all the time. If you are really, really, concerned, you should yank the power cord instead of shutting it down before booting w/ your Live CD, as the OS will write lots of stuff to the disk on normal shutdown. Modern disks are so large, that the chances of overwriting the data you want so soon is small (unless the disk is already mostly full, of course), but you want to minimize the chance.

Link Posted: 7/31/2005 7:25:51 AM EDT
I have never used Knoppix, but I am running Ubuntu on my other machine (Using a KVM...)

I have the Ubuntu AND Knoppix live CD also. (I just never tried the Knoppix one...)

With Linux, will I be able to see all the files, even the ones marked as unallocated?


In regards to my little test...

I created a new user on my main XP machine, saved a bunch of pics on it, each with unique filenames. I then went to USER ACCOUNTS under the CP, and deleted the user profiles. It gave me the option to either save the files to my desktop, or to delete them. I chose delete, since that is what the crazy biatch did.

I THEN logged in as MUGZILLA, and opened MY COMPUTER. I went to MY DOCUMENTS, and changed the directory from:

C:\Documents and Settings\Mugzilla\My Documents

to

C:\Documents and Settings\Crazy Biatch\My Documents

It opened a window, showing all the files! I am able to drag and drop from it, which seems to be restoring the files!!!!

So, in summary, if anyone can lend a Linux hand in regards to recovering files, it would be appreciated.
Link Posted: 8/1/2005 5:13:43 PM EDT
[Last Edit: 8/1/2005 5:32:14 PM EDT by rocko]
Actually, I made a slight boo boo as it's been a while. Lazarus wasn't the program I was thinking of... that will search the disk for any unallocated space and write it to a separate image, but it doesn't really help with restoring individual files. What I was thinking of was foremost.

This will examine any unallocated blocks/clusters and look for file markers. I.e., any particular file type typically starts with a particular byte value which signifies its type - the file extension is really just a Windows thing and more or less not really necessary to determine a file type. Many file types also should have a file footer. So... foremost knows where the file starts and (in most cases) where it ends, so it can carve out the files from the unallocated space to recreate it. I believe all jpegs should have a footer, so you're golden there. Only issue is that, while it should work when pointing to the original device, you obviously don't want to write the files generated from foremost back to the original device (or at least not to the same partition) or you could be overwriting data from files you still want to recover. Also, foremost only really works if the file is contiguous, since it is looking at the raw data for a specific file header and footer. If the images are large, and the files are fragmented, then it won't work so well.

There are also other tools that can recover files based on metadata contained in a package called The Sleuth Kit. The metadata layer contains information about the files (even deleted files, for most filesystems), specifically, where they actually resided on the disk. Since these tools access this information, it doesn't matter whether or not the files are contiguous. Bad news is that if you are using a FAT32 filesystem, you're probably SOL as the metadata is stored in the directory entries. If the directory is deleted, you lost the metadata for its contents. If you were using NTFS, the metadata is stored in a single master file table, so is not lost when the directory is deleted.

Back to TSK... All the "i" commands (i.e., icat, istat, ils, etc.) in TSK are meant for use on the metadata layer. However, these are even a bit more cryptic to use. There are a few other tools that make them a bit easier. There is a pretty powerful tool called "sorter" included, that is basically just a script that uses other individual tools to look at the data, parse the file type, restore and sort all files by file type in the appropriate directory. You could configure sorter to only look for deleted files and only look for images.

There is a GUI, called Autopsy, available that does most of the heavy lifting and acts as a front end to those tools. The bad news is that Autopsy, I believe, only works on an image file - you can't just point it to the original disk or partition. So, you'd first need to make a bitwise image file of the partition you want to recover data from - which means you'll need another disk or partition to write to that is at least as large as the partition you want to image.

As you can see, you are getting into some more complicated stuff... Most of it aimed at "real" forensics, where you need to take extra caution in not altering the original device, will likely know much less about it, could have been otherwise tampered with, etc. If all you need to do is recover deleted files, I know there are commercial Windows programs that do this (they are all likely based on using the metadata layer). However, the ones I've seen all need to be installed, and each time you write to the disk you risk writing to that unallocated space that has your data.
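To make the foremost description above concrete, here is an added example (my own, not code from this thread or from foremost itself) that does the same header/footer carving over a raw byte buffer standing in for unallocated space. The sample "disk" is constructed inline; its second photo is deliberately stored in two non-adjacent runs so you can see why a carver that only trusts the raw bytes mangles fragmented files.

```python
"""Minimal header/footer carver, the technique rocko describes for foremost.

Added example, not code from this thread or from foremost itself. It scans a
raw byte buffer (standing in for a disk image or unallocated clusters) for the
JPEG start-of-image bytes FF D8 FF and end-of-image bytes FF D9, and carves
out everything in between. The sample "disk" is constructed inline so the
script runs offline; the second file in it is deliberately fragmented to show
why a header/footer carver corrupts non-contiguous files.
"""
import os
from typing import List, Tuple

JPEG_HEADER = b"\xff\xd8\xff"          # SOI marker followed by the next marker's FF
JPEG_FOOTER = b"\xff\xd9"              # EOI marker
MAX_CARVE_SIZE = 10 * 1024 * 1024      # give up on a header with no footer within 10 MiB


def carve_jpegs(raw: bytes, max_size: int = MAX_CARVE_SIZE) -> List[Tuple[int, bytes]]:
    """Return (offset, data) for every header..footer run found in raw.

    Like foremost, this trusts the raw bytes only: it has no idea which
    clusters belong to which file, so a file whose clusters are not adjacent
    comes out with foreign data spliced into the middle.
    """
    found = []
    pos = 0
    while True:
        start = raw.find(JPEG_HEADER, pos)
        if start == -1:
            break
        end = raw.find(JPEG_FOOTER, start + len(JPEG_HEADER), start + max_size)
        if end == -1:
            # Header with no footer in range: truncated or badly fragmented; skip it.
            pos = start + 1
            continue
        end += len(JPEG_FOOTER)
        found.append((start, raw[start:end]))
        pos = end
    return found


def write_carved(carved: List[Tuple[int, bytes]], out_dir: str) -> List[str]:
    """Write each carved blob to out_dir, which must live on a different disk
    or partition than the one being carved (the thread's warning about
    overwriting the very clusters you are trying to recover)."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for offset, data in carved:
        path = os.path.join(out_dir, f"carved_{offset:08x}.jpg")
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


def fake_jpeg(payload: bytes) -> bytes:
    """Constructed stand-in for a JPEG: real SOI/APP0/EOI marker bytes around
    dummy content that contains no 0xFF bytes, so no false markers appear."""
    if b"\xff" in payload:
        raise ValueError("payload must not contain 0xFF")
    return JPEG_HEADER + b"\xe0" + payload + JPEG_FOOTER


# Constructed sample: another file's data sitting between two runs of a photo.
FOREIGN_DATA = b"unrelated text file that happened to land between the clusters"


def build_sample_disk() -> Tuple[bytes, bytes, bytes]:
    """Constructed sample 'unallocated space': one intact photo, then a second
    photo stored in two non-adjacent runs with another file's data between."""
    filler = b"\x00" * 64
    intact = fake_jpeg(bytes(range(1, 100)))
    fragmented = fake_jpeg(bytes(range(100, 200)))
    half = len(fragmented) // 2
    raw = (filler + intact + filler
           + fragmented[:half] + FOREIGN_DATA + fragmented[half:] + filler)
    return raw, intact, fragmented


if __name__ == "__main__":
    raw, intact, fragmented = build_sample_disk()
    for offset, data in carve_jpegs(raw):
        status = "intact" if data in (intact, fragmented) else "corrupt (fragmented source)"
        print(f"offset {offset:#x}: {len(data)} bytes, {status}")
```

Run it and the first carve comes back byte-for-byte identical to the original, while the second is longer than its source and has the foreign text in the middle: exactly the failure rocko warns about for large, fragmented images. On a real image you would hand `carve_jpegs` the bytes of a partition image and point `write_carved` at a separate drive.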
Link Posted: 8/1/2005 6:02:11 PM EDT
[Last Edit: 8/1/2005 6:03:18 PM EDT by rocko]
Actually, I stand corrected again. I mentioned that Knoppix wasn't considered an ideal forensics platform, but there is another Knoppix-based live CD that is - Helix. I recalled that Helix also contained some incident response tools meant to run on a live Windows system and gave it another look. There is a freeware Windows file recovery program included called PC Inspector. It can be downloaded separately, but you may want to burn a Helix CD (http://www.e-fense.com/helix) and run it from there so you don't need to install it. Of course, download the Helix ISO and burn it on another PC! Remember, the goal is to avoid writing to the disk.

You don't want to boot off the Helix CD, but insert it into your live Windows system and run helix.exe. Go to the IR Tools section, and you should see the file recovery options. I tried it, and it appeared to work fine. It likely only works off the metadata layer, though, so if you are using a FAT partition, and the directory was deleted in addition to the files (likely, if it was part of the user's profile and the whole thing was deleted), it may not help.
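Both of rocko's posts lean on the "metadata layer" and the FAT-vs-NTFS caveat. As an added example (mine, not code from this thread or from The Sleuth Kit), here is what a FAT 8.3 directory entry actually keeps after a delete. It packs a 32-byte entry from constructed sample values, simulates the deletion the way FAT does it (the first byte of the name becomes 0xE5), and parses it back: the starting cluster and file size, the two things a metadata-based recovery tool needs, are still there. The cluster chain in the FAT is freed separately, so only the first cluster survives, which is why metadata recovery on FAT still assumes contiguity.

```python
"""What a FAT directory entry keeps after a delete, and why that matters for
metadata-layer recovery.

Added example, not code from this thread or from The Sleuth Kit. It packs a
32-byte FAT 8.3 directory entry from constructed sample values, simulates a
deletion the way FAT does it (the first byte of the name is overwritten with
0xE5), and parses it back to show that the starting cluster and file size are
still intact. A directory scan stops at the 0x00 "never used" entry and skips
long-filename entries, as a real parser must.
"""
import struct
from typing import List, Optional

ENTRY_SIZE = 32
# Layout per the FAT specification, little-endian:
# name(11) attr ntres crt_tenth crt_time crt_date acc_date clus_hi wrt_time wrt_date clus_lo size
ENTRY_FORMAT = "<11sBBBHHHHHHHI"
DELETED_MARKER = 0xE5
ATTR_DIRECTORY = 0x10
ATTR_ARCHIVE = 0x20
ATTR_LONG_NAME = 0x0F              # long-filename entries carry this attribute value
assert struct.calcsize(ENTRY_FORMAT) == ENTRY_SIZE


def build_entry(base: str, ext: str, first_cluster: int, size: int,
                attr: int = ATTR_ARCHIVE) -> bytes:
    """Pack a short-name entry; timestamps are left at zero for brevity."""
    name = (base.upper().ljust(8)[:8] + ext.upper().ljust(3)[:3]).encode("ascii")
    hi, lo = first_cluster >> 16, first_cluster & 0xFFFF
    return struct.pack(ENTRY_FORMAT, name, attr, 0, 0, 0, 0, 0, hi, 0, 0, lo, size)


def simulate_delete(entry: bytes) -> bytes:
    """FAT marks an entry deleted by overwriting name[0] with 0xE5; the rest of
    the entry is left alone. The cluster chain in the FAT itself is freed
    separately, so only the first cluster can be recovered from here."""
    return bytes([DELETED_MARKER]) + entry[1:]


def parse_entry(entry: bytes) -> Optional[dict]:
    """Decode one 32-byte slot; None means 'never used' (end of directory)."""
    if len(entry) != ENTRY_SIZE:
        raise ValueError("FAT directory entries are exactly 32 bytes")
    name, attr, _, _, _, _, _, hi, _, _, lo, size = struct.unpack(ENTRY_FORMAT, entry)
    if name[0] == 0x00:
        return None
    deleted = name[0] == DELETED_MARKER
    base = name[:8].decode("ascii", "replace").rstrip()
    ext = name[8:].decode("ascii", "replace").rstrip()
    if deleted:
        base = "?" + base[1:]             # the first character is gone for good
    return {
        "name": f"{base}.{ext}" if ext else base,
        "deleted": deleted,
        "is_dir": bool(attr & ATTR_DIRECTORY),
        "first_cluster": (hi << 16) | lo,
        "size": size,
    }


def scan_directory(cluster: bytes) -> List[dict]:
    """Walk the 32-byte slots of a directory cluster, stopping at the first
    never-used entry and skipping long-filename entries."""
    entries = []
    for off in range(0, len(cluster) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = cluster[off:off + ENTRY_SIZE]
        if raw[11] == ATTR_LONG_NAME:
            continue
        parsed = parse_entry(raw)
        if parsed is None:
            break
        entries.append(parsed)
    return entries


def recoverable_by_metadata(entry: dict) -> bool:
    """A deleted entry is a candidate only if it still points somewhere sane
    (data clusters are numbered from 2)."""
    return entry["deleted"] and entry["size"] > 0 and entry["first_cluster"] >= 2


if __name__ == "__main__":
    # Constructed sample directory: one live photo, one deleted photo, then free space.
    live = build_entry("PHOTO1", "jpg", 0x12345, 123456)
    gone = simulate_delete(build_entry("PHOTO2", "jpg", 0x20, 500))
    for e in scan_directory(live + gone + bytes(32)):
        print(e, "recoverable" if recoverable_by_metadata(e) else "")
```

The takeaway matches the thread: a deleted file's entry still names its first cluster, but that entry lives inside its parent directory's clusters. When the whole profile directory is deleted, those clusters are themselves freed, so nothing allocated points at the entries any more and a tool has to go looking through unallocated space for them. On NTFS the equivalent records sit in the master file table rather than in the parent directory, which is what makes the NTFS case friendlier.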