Digital Forensics: Recovering a Deleted Document
Hello Reader,

Our first blog post was inspired by a common question our clients pose to us: how do you recover a deleted document? You have probably heard by now that a deleted file is not necessarily gone. You've come to the right place; this is a question we often help our clients answer. The objective of this blog post is to provide an overview of how a digital forensic examiner recovers a deleted file from a thumb drive.

In this blog post we are going to cover the FAT file system, which many small removable media devices, such as the 1GB thumb drive referenced in this post, use to store data. Larger-capacity removable storage devices use other file systems, such as NTFS. Your Windows PC uses NTFS as its file system (unless, by some small chance, you are using an antiquated PC running Windows XP or an older operating system). The internals of the FAT and NTFS file systems are beyond the scope of this blog post, but they are something forensic examiners must be familiar with when performing forensic examinations.

There are many methodologies and tools that a forensic examiner may utilize when recovering a deleted file. This blog post is going to focus on recovering a deleted Microsoft Word document from a thumb drive. There are many forensic artifacts associated with this exercise, but we are just focusing on viewing a deleted file from a thumb drive. The file we are going to recover is called "secret.docx", and it was deleted from a FAT-formatted 1GB Kemper Technology USB thumb drive as pictured below (Figure 1). Are you ready? Buckle up!

First, as part of this exercise, we inserted a freshly formatted 1GB Kemper Technology thumb drive into the Windows 7 forensic workstation in our lab. We created "secret.docx" using Microsoft Word 2010 on our forensic workstation and saved it locally on the computer for this exercise.
We then copied and pasted the Word document onto our "KEMPERFOREN" USB thumb drive, which is the E:\ drive on our forensic workstation (Note: the copy-and-paste operation from our computer to the E:\ drive creates a forensic artifact that we may highlight in an upcoming blog post). After adding "secret.docx" to our Kemper thumb drive, we right-clicked the file and selected Delete to begin the file deletion operation (Figure 3). You may notice that the prompt states, "Are you sure you want to permanently delete this file?" Since "secret.docx" is on a thumb drive, we are not prompted to move the file to the Recycle Bin on our computer (Note: we may highlight this artifact in a future blog post).

After we deleted this file from our Kemper thumb drive, we began the forensic acquisition phase. We completed a raw forensic image of the entire Kemper thumb drive to ensure that the data on the thumb drive was forensically preserved. In Figure 4, after deleting "secret.docx", we also re-formatted the USB drive to make recovery of the "secret.docx" that we did not want our forensic examiner to recover a little less trivial (and more realistic for some of the cases we work with our clients).

Figure 5 (below) is a hexadecimal view of the raw data that a forensic examiner would see when viewing the file system data in the root directory of the USB drive. We find a reference to our USB drive name (KEMPERFOREN) and instances of our file, "secret.docx". (Tech note: FAT file system data structures are outside the scope of this blog post, but may be something we discuss in a future article. If you would like additional information on the FAT file systems, start with the Forensics Wiki and check out this book, which should be found on every forensic examiner's bookshelf.) In Figure 5, can you identify the name of our Kemper thumb drive? Can you also identify our filename? Remember, the file was deleted.
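To show what the examiner is reading off in that root-directory hex view, here is an added Python example (not code from the original post or from Kemper Forensics) that builds a constructed FAT32 root directory containing a volume label, one live file and a deleted "secret.docx", then walks the 32-byte directory entries. The deleted file's first cluster, size and even its long name are still there; the only change deletion made is the 0xE5 marker in the first byte of each of its entries. The cluster number (3) and file size (11808 bytes) are constructed values, not figures from the post, and the example only handles 8.3 entries plus VFAT long-name entries, which is enough for the root directory the post describes.

```python
import struct

ENTRY_SIZE = 32
DELETED_MARK = 0xE5     # first byte of an entry whose file was deleted
ATTR_VOLUME = 0x08
ATTR_LFN = 0x0F         # VFAT long-file-name entry (all four low attribute bits set)

def make_sfn(name8, ext3, attr, first_cluster, size, deleted=False):
    """Build a 32-byte 8.3 directory entry (constructed test data, FAT32 layout)."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:8] = name8.ljust(8).encode("ascii")
    raw[8:11] = ext3.ljust(3).encode("ascii")
    raw[11] = attr
    struct.pack_into("<H", raw, 20, first_cluster >> 16)      # high word of first cluster
    struct.pack_into("<H", raw, 26, first_cluster & 0xFFFF)   # low word of first cluster
    struct.pack_into("<I", raw, 28, size)
    if deleted:
        raw[0] = DELETED_MARK   # this is all that deletion changes in the entry
    return bytes(raw)

def make_lfn(long_name, deleted=False):
    """Build the long-name entries that precede an 8.3 entry on disk (constructed)."""
    chars = list(long_name) + ["\x00"]
    while len(chars) % 13:
        chars.append("\uffff")           # unused slots are padded with 0xFFFF
    pieces = []
    count = len(chars) // 13
    for i in range(count):
        part = chars[i * 13:(i + 1) * 13]
        raw = bytearray(ENTRY_SIZE)
        raw[0] = DELETED_MARK if deleted else (i + 1) | (0x40 if i == count - 1 else 0)
        raw[1:11] = "".join(part[0:5]).encode("utf-16-le")
        raw[11] = ATTR_LFN
        raw[14:26] = "".join(part[5:11]).encode("utf-16-le")
        raw[28:32] = "".join(part[11:13]).encode("utf-16-le")
        pieces.append(bytes(raw))
    return b"".join(reversed(pieces))    # highest sequence number is stored first

def parse_directory(region):
    """Walk a raw directory region and list every entry, deleted ones included."""
    entries, lfn_parts = [], []
    for off in range(0, len(region) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = region[off:off + ENTRY_SIZE]
        if e[0] == 0x00:
            break                         # no entry was ever written past this point
        deleted = e[0] == DELETED_MARK
        attr = e[11]
        if attr == ATTR_LFN:
            text = (e[1:11] + e[14:26] + e[28:32]).decode("utf-16-le", errors="replace")
            lfn_parts.insert(0, text.split("\x00")[0].rstrip("\uffff"))
            continue
        if attr & ATTR_VOLUME:
            entries.append({"kind": "label",
                            "name": e[0:11].decode("ascii", errors="replace").rstrip()})
            lfn_parts = []
            continue
        first = "?" if deleted else chr(e[0])     # deletion overwrote the first character
        base = (first + e[1:8].decode("ascii", errors="replace")).rstrip()
        ext = e[8:11].decode("ascii", errors="replace").rstrip()
        short = base + ("." + ext if ext else "")
        entries.append({
            "kind": "file",
            "name": "".join(lfn_parts) if lfn_parts else short,
            "short": short,
            "deleted": deleted,
            "first_cluster": (struct.unpack_from("<H", e, 20)[0] << 16)
                             | struct.unpack_from("<H", e, 26)[0],
            "size": struct.unpack_from("<I", e, 28)[0],
        })
        lfn_parts = []
    return entries

def sample_root_directory():
    """Constructed root directory: volume label, one live file and the deleted secret.docx."""
    return (
        make_sfn("KEMPERFO", "REN", ATTR_VOLUME, 0, 0)               # label "KEMPERFOREN"
        + make_sfn("README", "TXT", 0x20, 2, 64)                     # a live file (constructed)
        + make_lfn("secret.docx", deleted=True)                      # long name survives deletion
        + make_sfn("SECRET~1", "DOC", 0x20, 3, 11808, deleted=True)  # cluster/size constructed
    )

def deleted_files(region):
    """Name, first cluster and size of every 0xE5 entry: the starting point for recovery."""
    return [(d["name"], d["first_cluster"], d["size"])
            for d in parse_directory(region) if d["kind"] == "file" and d["deleted"]]

if __name__ == "__main__":
    for entry in parse_directory(sample_root_directory()):
        print(entry)
```

The walk stops at the first all-zero entry because nothing was ever written past it, but it deliberately does not stop at 0xE5 entries: those are exactly the ones an examiner wants. Once the drive has been reformatted, as in Figure 4, this directory region may itself be gone, which is why the next step falls back to carving the data area by file signature.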
So how does a computer file system handle the file deletion process? Basically, when a user deletes a file, the file system removes the pointer to it (think of pulling the index card out of a library's card catalogue, for those who can remember the Dewey decimal system), so the file no longer appears in a directory listing. The data still resides on the disk, but the file system now shows those sectors as available, so new data may overwrite the old (deleted) data that previously resided there.

Using data carving techniques, a forensic examiner would then recover the deleted file, "secret.docx". Our recovered file (000001.docx) partially looks like this in the hexadecimal view. The trained and experienced forensic examiner would immediately notice the file signature (PK…… or 50 4B 03 04 14 00 06 00), which upon further analysis indicates this is a .docx file. 000001.docx and secret.docx are the same document. We'll discuss hash sets at another time, but hash values are used in computer science and digital forensics for data authenticity and verification, and they are how we confirm that the recovered file matches the original.

Finally, we preview our recovered file and provide you with Figure 7 to assist you in answering your question. Can deleted data be recovered? Yes, and we'll touch upon more of these types of questions in future blog posts. This blog post was a brief overview of how a deleted document is recovered. It is not all-inclusive, but it should give you an idea of how a forensic examiner may recover a deleted file. Do you have something you would like featured in an upcoming blog post? Reach out to @KemperForensics on Twitter or visit our contact page.
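The carving step and the hash check are the two things the post leaves to "various techniques", so here is an added Python example (not the post's or Kemper Forensics' code) that does both over a constructed raw image. A .docx is a zip container, so every member starts with the 50 4B 03 04 magic and the whole file ends with an end-of-central-directory record (50 4B 05 06); the carver scans for the header, bounds the file at the next footer, validates the result by actually parsing it, and then compares a SHA-256 hash against the original. The post's longer signature 50 4B 03 04 14 00 06 00 includes version and flag bytes that vary by which program wrote the file, so the carver keys on the four-byte magic. The stand-in document, the stale header fragment planted in unallocated space, and the zero-filled clusters are all constructed; nothing here is data from the post's drive.

```python
import hashlib
import io
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # 50 4B 03 04: start of every zip/docx member
ZIP_EOCD = b"PK\x05\x06"           # 50 4B 05 06: end-of-central-directory record (the footer)

def make_docx(body_text):
    """Constructed stand-in for secret.docx: a zip with the two members that make it a .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        z.writestr("word/document.xml", "<w:document>%s</w:document>" % body_text)
    return buf.getvalue()

def is_complete_zip(blob):
    """True only if blob is a whole archive whose first member starts at blob[0]."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            infos = z.infolist()
            # zipfile tolerates junk before an archive (self-extractors do this); a carver
            # must not, or a stale header in slack space gets glued onto the real file.
            if not infos or min(i.header_offset for i in infos) != 0:
                return False
            return z.testzip() is None      # CRC check of every member
    except Exception:                       # any parse failure: not a whole archive
        return False

def classify(blob):
    """Look inside: a zip carrying word/document.xml is a Word document."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = set(z.namelist())
    return "docx" if {"[Content_Types].xml", "word/document.xml"} <= names else "zip"

def carve_zip_files(image):
    """Header/footer carving over a raw image; returns [(offset, bytes), ...] of valid archives."""
    hits, pos = [], 0
    while True:
        start = image.find(ZIP_LOCAL_HEADER, pos)
        if start < 0:
            break
        eocd = image.find(ZIP_EOCD, start)
        if eocd < 0:
            break                              # no footer after this header: cannot bound the file
        comment_len = int.from_bytes(image[eocd + 20:eocd + 22], "little")
        end = eocd + 22 + comment_len          # EOCD is 22 bytes plus an optional comment
        candidate = image[start:end]
        if is_complete_zip(candidate):
            hits.append((start, candidate))
            pos = end                          # skip the member headers inside the carved file
        else:
            pos = start + 1                    # false positive: resume scanning just past it
    return hits

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def sample_image():
    """Constructed raw image: zeroed clusters, a stale header fragment, the deleted file, zeros."""
    doc = make_docx("constructed secret text")
    prefix = b"\x00" * 1024 + b"PK\x03\x04stale" + b"\x00" * 512
    image = prefix + doc + b"\x00" * 2048
    return image, doc, len(prefix)

def recover(image, known_hash=None):
    """Carve, name hits 000001.docx style as in the post, and record whether a hash matches."""
    results = []
    for n, (offset, blob) in enumerate(carve_zip_files(image), start=1):
        digest = sha256(blob)
        results.append({"name": "%06d.%s" % (n, classify(blob)), "offset": offset,
                        "sha256": digest, "matches_original": digest == known_hash})
    return results

if __name__ == "__main__":
    image, original, _ = sample_image()
    for hit in recover(image, sha256(original)):
        print(hit)
```

The stale header is the case that matters in practice: a naive header-to-footer carve would return one oversized file starting at the leftover "PK" bytes, and the hash would never match the original. Checking that the archive's first member sits at offset zero rejects that candidate and lets the scan move on to the real one, whose hash then matches.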