introducing
COMPUTER FORENSIC
DATA RECOVERY TECHNIQUES
AND SOLUTIONS WORKSHOP
Objectives:
• To provide a critical understanding of
major types of failure experienced by
HDDs.
• To examine the principles and methods
used to correctly diagnose HDD failures.
• To explore various methods used to effect
repair of different failure scenarios.
• To introduce various data recovery
Course Objectives
• Gain an overall understanding of Data Recovery
• General File System Overview
• General Hard Disk Overview as a storage device
• File System On-Disk format
• Indexing Methods
• Data Area
• File System Weaknesses
• Scenarios & Data Recovery Techniques and Solutions
Training Course would offer an excellent solution
• File Deletion
• Crash Windows operating system corrupt.
• Accidental Disk Formatted
• Virus Attack
• Partition loss or corruption
• Lost or Missing files and folders
• Email recovery: .pst / .wab / .dbx / .mbx
• Password recovery (workstation and Server)
• Re-formatted or re-partitioned drive
Data Recovery
• Data recovery is the process when the
corrupt or inaccessible data is being
retrieved from the damaged or in some
way corrupted digital media when it
DATA RECOVERY
• It is frequently used when the data needs
to be recovered from such devices as
DVDs, CDs, Floppy Disks, Hard Disk Drives,
Xboxes, Mobile Phones, Tapes, Memory
Cards, Personal Digital Assistants and
Causes for Data Loss
• Mechanical failure of the device
• Damage to the device
• Human error
• Power surges
DATA LOSS
There are two categories of data loss:
• Logical Failures
Logical Failures
• Reasons behind a logical hard drive crash,
such as
• File system corruption,
• OS malfunction,
• Severe conflict with recently installed
hardware/software
Logical Failures
• Generally, in these situations, data is
easier to recover as long as the data has
not been overwritten by subsequent
Physical Hard Drive Failure
• If the BIOS is not showing your hard drive, or there is a clicking/clinging sound at start-up or even no sound of disk movement, then your hard drive may have been physically damaged.
• A mechanical component failure, electrical damage or firmware corruption can be responsible for the failure of the hard drive.
Physical Hard Drive Failure
• With advanced data recovery tools and techniques, a skilled team of engineers and the much-needed CLASS 100 Clean Room labs, these recovery service providers are able to recover data from any damaged hard drive safely.
What Is DATA?
• In computing, data is information that has
been translated into a form that is more
convenient to move or process.
• Relative to today's computers and transmission media, data is information converted into binary digital form
The Data Recovery Process
Repair Disk
Damage to the hard disk drive, if applicable, is diagnosed and repaired. Damaged components are replaced. Firmware failures are identified and repaired.
Image Disk
The repaired drive is read and data copied to another disk, preserving the state of the data when the drive or media was received.
Retrieve Data
Damage or corruption to the file system is diagnosed and repaired to permit access to the individual files. Individual files are checked for corruption and repaired if necessary.
Restore Data
The retrieved data is then copied to new media (for example a USB drive) and returned to the client.
Basic File system
File System
• A file system is a means to organize data
expected to be retained after a program
terminates by providing procedures to
store, retrieve and update data, as well as
manage the available space on the
File System
• File systems are used on data storage
devices, such as hard disk drives, floppy
disks, optical discs, or flash memory
storage devices, to maintain the physical
locations of the computer files
File System
• Organizes data in an efficient manner and is
tuned to the specific characteristics of the
device
• There is usually a tight coupling between the
operating system and the file system
File System
• Without a file system, programs would not be able to access data by file name or directory and would need to be able to directly access data regions on a storage device.
METADATA
• Metadata (metacontent) is data providing information about one or more aspects of the data, such as:
• Means of creation of the data
• Purpose of the data
• Time and date of creation
• Creator or author of data
In Windows, what file system should I use?
• NTFS and FAT32 are two file systems used
in Windows operating systems
NTFS
• NTFS, short for NT File System, is the most
secure and robust file system for Windows
7, Vista, and XP.
• It provides security by supporting access
control and ownership privileges, meaning
you can set permission for groups or
NTFS
• NTFS supports compression of individual files and folders which can be read and written to while they are
compressed.
• NTFS is a recoverable file system, meaning it has the
ability to undo or redo operations that failed due to such problems as system failure or power loss.
• Disk quotas: Administrators can limit the amount of disk space users can consume on a per-volume basis.
• Encryption: The NTFS 5.0 file system can automatically encrypt and decrypt file data as it is read and written to the disk.
FAT32
• FAT32 is the file system used in some older versions of Microsoft Windows. You can also install the FAT32 file system on Windows XP (all versions), and even Windows Server 2003.
Advantages of FAT32
• FAT32 supports disk partitions as large as 2 TB. FAT16 supports partitions up to only 2 GB.
• FAT32 wastes much less disk space on large partitions, since the minimum cluster size is a mere 4 KB for partitions under 8 GB.
Disadvantages of FAT32
• FAT32 does not allow compression using DriveSpace.
• FAT32 is not compatible with older disk management
File Attributes
• One of the characteristics stored for each file is a set of file attributes that give the operating system and application software more information about the file and how it is intended to be used.
– Read-Only
– Hidden
– System
– Volume Label
– Directory
– Archive
Read-Only
• Read-Only: Most software, when seeing a file marked read-only, will refuse to delete or modify it.
• This is pretty straight-forward. For example, DOS will say "Access denied" if you try to delete a read-only file. On the other hand, Windows Explorer will happily munch it. Some will choose the middle ground: they will let you modify or delete the file, but only after asking for
Hidden
• Hidden: This one is pretty self-explanatory
as well; if the file is marked hidden then
under normal circumstances it is hidden
from view.
• DOS will not display the file when you
type "DIR" unless a special flag is used, as
shown in the earlier example.
System
• System: This flag is used to tag important
files that are used by the system and
should not be altered or removed from
the disk.
• In essence, this is like a "more serious" read-only flag and is for the most part treated in this manner.
Volume Label
• Volume Label: Every disk volume can be
assigned an identifying label, either when
it is formatted, or later through various
tools such as the DOS command "LABEL".
The volume label is stored in the root
directory as a file entry with the label
attribute set.
Directory
• Directory: This is the bit that differentiates
between entries that describe files and
those that describe subdirectories within
the current directory.
• In theory you can convert a file to a
directory by changing this bit. Of course in
practice, trying to do this would result in a
mess--the entry for a directory has to be
in a specific format.
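The attribute bits described on the slides above, decoded from a FAT 32-byte directory entry. This is an added example, not part of the original workshop material; the sample directory is constructed, and the 0xE5 deleted-entry marker and the field offsets are facts about the FAT on-disk format that the slides do not spell out.

```python
import struct

# FAT attribute bits, in the order the slides list them.
ATTR_FLAGS = [
    (0x01, "Read-Only"), (0x02, "Hidden"), (0x04, "System"),
    (0x08, "Volume Label"), (0x10, "Directory"), (0x20, "Archive"),
]
ATTR_LONG_NAME = 0x0F   # all four low bits set: a long-file-name slot, not a file
DELETED_MARKER = 0xE5   # first name byte of an entry whose file was deleted
ENTRY_SIZE = 32


def decode_attributes(attr):
    """Return the names of the attribute bits set in one attribute byte."""
    return [name for bit, name in ATTR_FLAGS if attr & bit]


def parse_dir_entry(raw):
    """Decode one 32-byte FAT short directory entry into a dict."""
    if len(raw) != ENTRY_SIZE:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    attr = raw[11]
    if attr & 0x3F == ATTR_LONG_NAME:
        return {"name": "<long-name slot>", "attributes": [], "deleted": False,
                "first_cluster": 0, "size": 0}
    deleted = raw[0] == DELETED_MARKER
    # The original first character is lost on deletion; show "?" in its place.
    name_field = (b"?" + raw[1:11]) if deleted else raw[0:11]
    text = name_field.decode("ascii", errors="replace")
    if attr & 0x08:                       # a volume label uses all 11 bytes
        name = text.rstrip()
    else:
        base, ext = text[:8].rstrip(), text[8:].rstrip()
        name = f"{base}.{ext}" if ext else base
    cluster_hi, = struct.unpack_from("<H", raw, 20)
    cluster_lo, = struct.unpack_from("<H", raw, 26)
    size, = struct.unpack_from("<I", raw, 28)
    return {"name": name, "attributes": decode_attributes(attr),
            "deleted": deleted,
            "first_cluster": (cluster_hi << 16) | cluster_lo, "size": size}


def parse_directory(blob):
    """Walk 32-byte entries until the 0x00 end-of-directory marker."""
    entries = []
    for off in range(0, len(blob) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = blob[off:off + ENTRY_SIZE]
        if raw[0] == 0x00:
            break
        entries.append(parse_dir_entry(raw))
    return entries


def make_entry(name, ext, attr, cluster, size):
    """Build a constructed directory entry (timestamps left as zero)."""
    return struct.pack("<8s3sB8xH4xHI", name.ljust(8).encode("ascii"),
                       ext.ljust(3).encode("ascii"), attr,
                       cluster >> 16, cluster & 0xFFFF, size)


# Constructed sample directory: volume label, normal file, protected file,
# subdirectory, and a deleted file whose metadata is still in place.
_deleted = make_entry("HOLIDAY", "JPG", 0x20, 9, 20480)
SAMPLE_DIR = b"".join([
    make_entry("WORKSHOP", "", 0x08, 0, 0),
    make_entry("REPORT", "DOC", 0x20, 3, 4096),
    make_entry("IO", "SYS", 0x01 | 0x02 | 0x04, 5, 1024),
    make_entry("PHOTOS", "", 0x10, 7, 0),
    bytes([DELETED_MARKER]) + _deleted[1:],
    bytes(ENTRY_SIZE),                    # end-of-directory marker
])

if __name__ == "__main__":
    for e in parse_directory(SAMPLE_DIR):
        state = "DELETED" if e["deleted"] else "live"
        print(f'{e["name"]:<12} {state:<8} cluster={e["first_cluster"]:<3} '
              f'size={e["size"]:<6} {", ".join(e["attributes"])}')
```

The deleted entry still carries its first cluster and size, which is what an undelete tool relies on as long as those clusters have not been reused.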
DOS – attrib /?
ATTRIB [+R | -R] [+A | -A ] [+S | -S] [+H | -H] [+I | -I] [drive:][path][filename] [/S [/D] [/L]]
  +   Sets an attribute.
  -   Clears an attribute.
  R   Read-only file attribute.
  A   Archive file attribute.
  S   System file attribute.
  H   Hidden file attribute.
  I   Not content indexed file attribute.
  [drive:][path][filename]
      Specifies a file or files for attrib to process.
  /S  Processes matching files in the current folder and all subfolders.
  /D  Processes folders as well.
  /L  Work on the attributes of the Symbolic Link versus
LAB 1
• CMD
• Type attrib /?
LAB 2
• How to view a computer file extension
Viewing the file extension of a single file
1 Right-click the file.
2 Click Properties.
3 In the Properties window, you should see "Type of file:", which shows the file type and extension. In this example the file is a TXT file with a .txt file extension, and in this case it opens with the Text Pad program.
LAB 3
• How to view a computer file
system
How hard disks work
• If you were to dismantle the hard disk drive by opening the top casing (after removing all the necessary screws), the first thing you would see is a spindle holding one or a number of mirror-like hard rotating platters (commonly called data platters).
• The platters can be made to spin at an extremely high speed, between 5,400 and 10,000 revolutions per minute (RPM).
• An extremely thin magnetic coating is layered onto the surface of the platter, which is polished to mirror-type smoothness.
A platter
• The platter is usually made of glass or ceramic (modern platters may use titanium). Commonly a hard disk contains 1 to 10 identical platters that are stacked in parallel to form a cylinder. There is usually one Read Write (RW) head designated per platter face, and each head is attached to a single actuator shaft which moves all heads in unison and performs a uniform synchronous motion during reading or writing of data.
Read Write Head
• The RW head is the key component that performs the reading and writing functions. It is placed on a slider which is in turn connected to an actuator arm, which allows the RW head to access various parts of the platter during data I/O functions by sliding across the spinning platter.
Flying Height
• To write a piece of information to the disk, an electromagnetic flux is transmitted through the head, which hovers very close to the platter.
• The RW head is suspended on a thin cushion of air which the spinning platter induces.
• This designed distance between the head and platter is called the flying height. It can literally measure a few millionths of an inch.
Read Write Function of Disk
• As the head writes data onto the disk, it changes its magnetic polarization to induce either a one or zero value.
• During a read request, data is interpreted when the magnetic fields on the platter bring about an electrical change (as a result of a change in the electrical resistance of some special material property) in the read head that passes over it.
• These electrical fields are then encoded and transmitted to the CPU to be processed and read by the system.
Parking of RW Head
• When the computer is switched off, the head is usually pulled to a safe parking zone to prevent the head from scratching against the data zone on the platter when the air bearing subsides.
• This process is called parking, and different techniques have been implemented in various hard disks to handle the take-offs and landings.
• In a ramp load/unload design, a lifting mechanism parks the head outside of the platter onto a "parking bay" prior to a shutdown. It then automatically unparks and relocates itself above the disk platter when the
Hard Disk Controller PCB Board
• A hard disk also contains a PCB controller circuit board that regulates data traffic.
• It ensures that large amounts of data are streamed in and out of the disk smoothly. A logic board that sits under the drive controls and connects the spindle, head actuator, and various other functions of the disk.
• Embedded with a micro-controller, it executes a self-diagnostic test and cleans up the data working area in memory and all internal chip buses in the hard drive when it powers up.
S.M.A.R.T
• The majority of hard disks today support a technology known as S.M.A.R.T. (Self-Monitoring, Analysis, and Reporting Technology), which helps to predict imminent disk failures so that users can be alerted to take preventive actions before the disk fails completely.
What is a head crash in a hard disk drive?
• In a nutshell, a head crash is physical damage to a hard disk that occurs when faulty electronics or mechanics cause the read-write head to land on the rotating platter instead of retracting to its safe zone, thereby damaging and
How does a head crash occur?
• When the platter is rotating at rates between 5,400 and 15,000 revolutions per minute, a thin film of air suspends the read/write head extremely closely above the disk surface.
• This distance, called the head gap, is typically measured in millionths of an inch. So it is possible for the heads to make contact with the media on the hard disk when the disk mechanism is faulty.
How does a head crash occur?
A Bad Parking
• While the platter is idle, the head typically rests on the surface of the disk or on a parking bay. When the disk powers up and the platter starts to spin, the head rubs along the surface of the platter briefly before the cushion of air is strong enough to lift the head above its surface.
• During a power down, the process is reversed until the platter finally stops. Damage is likely to set in after a prolonged period of wear and tear. Hence, a landing zone or an empty track was set aside for the head to take off and land. This safety process is known as the parking technology.
How does a head crash occur?
• Most modern disks that use a voice-coil or giant magneto-resistive head support auto-parking. In the event of power loss to the disk, a retract mechanism moves and secures the head to its landing zone without the use of external power. It then automatically unparks itself when the disk powers up again.
• Another similar technique is the load/unload technology, which uses a ramp-like mechanism to lift the head from the disk surface and park it outside of the platter. Older drives that do not support auto-parking use software utilities that execute head parking procedures before the computer shuts down.
How does a head crash occur?
Dust Debris
• A hard disk is never 100% sealed. If it were, it would not be possible to create the necessary air flow for the disk's working mechanism. When dust enters and contaminates the hard disk, it can obstruct the movement of the head, resulting in a crash, as the clearance between the head and platter is far smaller than the size of a smoke particle.
How does a head crash occur?
Mechanical Shock
• A shock applied to a disk while it is in an active state may cause the head to bounce and slide against the platter, thereby scratching it.
How does a head crash occur?
Power Surge
• Another cause is a poor power supply, which has the same effect as power surges and power cuts: unpredictable movement of the read/write head mechanism, causing the crash.
Master Boot Record (MBR)
• Short for Master Boot Record, MBR is also sometimes referred to as the master boot block, master partition boot sector, and sector 0.
• The MBR is the first sector of the computer hard drive; it tells the computer how the hard drive is partitioned and how to load the operating system.
Master Boot Record (MBR)
• The MBR is also susceptible to boot sector viruses that can corrupt or remove the MBR, which can leave the hard drive unusable and prevent the computer from booting up. For example, the Stone Empire Monkey Virus is an MBR virus.
Partition
• In personal computers, a partition is a logical division of a hard disk created so that you can have different
operating systems on the same hard disk
LAB 4
• View Partition
• Create Partition
• Format FAT 32
• Format NTFS
• Convert Partition
• convert drive_letter: /fs:ntfs
Chkdsk /f
Recycle Bin
• When you delete a file in Windows Explorer or My Computer, the file appears in the Recycle Bin.
• The file remains in the Recycle Bin until you empty the Recycle Bin or restore the file
Where Is the Windows Recycle Bin Located?
• When you delete a file, the complete path and file name are stored in a hidden file called Info or Info2 in the Recycled folder. The deleted file is renamed, using the following syntax:
LAB 5
• Recycle Bin
• Delete key
• Shift + Delete
• Delete Fails
• Delete Folder
LAB
RECUVA
• Recuva is a freeware data recovery program, developed by Piriform, and runs under Microsoft Windows 7, Vista, XP, 2003, and 2000.
• It is able to recover files that have been "permanently" deleted and marked by the operating system as free space. The program can also be used to recover files deleted from USB flash drives, memory cards, or MP3 players.
• Supports FAT12, FAT16, FAT32, exFAT, NTFS, NTFS5, NTFS + EFS file systems
Scenarios & Data recovery
of the following
What is format?
• Prepare a storage medium, usually a disk, for reading and writing
• When you format a disk, the operating system erases all bookkeeping information on the disk, tests the disk to make sure all sectors are reliable, marks bad sectors (that is, those that are scratched), and creates internal address tables that it later uses to locate information. You must format a disk before you can use it.
• Note that reformatting a disk does not erase the data on the disk, only the data on the address tables.
How to Recover Data from Formatted Drive
• "Oops, I accidentally performed a format on my hard disk partition. I have many important documents and photos there. Help!" Did you run into a similar situation?
• It must be hard to accept the data loss once drives have been formatted. Don't worry! With Data Recovery Standard, whatever formatting was performed on your drives, you can still get your data back.
Why can I still get data back from formatted drive?
• The truth is that formatting a drive only erases the file address table. The data is still on the drive, intact and untouched, after you perform a quick format or a full format (i.e. regular and complete formatting).
Warning
• You should immediately stop work to avoid further data damage. Do not install any program or data on the
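The reasoning on this slide, shown on a toy disk image: the address table is wiped, the file list comes back empty, and the file contents are still found by scanning for their signatures. This is an added example, not part of the original workshop material or of any recovery product; the image layout, file names and JPEG-like payloads are constructed, and the format step models only a format that clears the table and leaves the data area alone.

```python
SECTOR = 512
TABLE_SECTORS = 2                 # toy "address table" region at the start
DATA_START = SECTOR * TABLE_SECTORS
JPEG_SOI = b"\xff\xd8\xff"        # JPEG start-of-image signature
JPEG_EOI = b"\xff\xd9"            # JPEG end-of-image marker


def build_image(files, total_sectors=16):
    """Lay files out contiguously and record name,offset,length in the table."""
    image = bytearray(SECTOR * total_sectors)
    table, offset = [], DATA_START
    for name, data in files:
        image[offset:offset + len(data)] = data
        table.append(f"{name},{offset},{len(data)}")
        offset += -(-len(data) // SECTOR) * SECTOR   # round up to next sector
    text = "\n".join(table).encode("ascii")
    image[0:len(text)] = text
    return bytes(image)


def list_files(image):
    """What the operating system sees: only what the table still records."""
    raw = image[:DATA_START].rstrip(b"\x00")
    entries = []
    for line in raw.decode("ascii").splitlines():
        name, start, length = line.split(",")
        entries.append((name, int(start), int(length)))
    return entries


def quick_format(image):
    """Clear the address table only; the data area is not touched."""
    return bytes(DATA_START) + image[DATA_START:]


def overwrite(image, offset, length):
    """Model new data being written over a region after the format."""
    return image[:offset] + bytes(length) + image[offset + length:]


def carve_jpegs(image):
    """Find contiguous JPEG-like runs by signature, ignoring the table."""
    found = []
    pos = image.find(JPEG_SOI, DATA_START)
    while pos != -1:
        end = image.find(JPEG_EOI, pos + len(JPEG_SOI))
        if end == -1:
            break
        end += len(JPEG_EOI)
        # Stops at the first end marker; real carvers also validate structure.
        found.append((pos, image[pos:end]))
        pos = image.find(JPEG_SOI, end)
    return found


# Constructed payloads with JPEG start and end markers (not real pictures).
PHOTO_A = JPEG_SOI + b"\xe0" + b"constructed photo A" + JPEG_EOI
PHOTO_B = JPEG_SOI + b"\xe0" + b"B" * 700 + JPEG_EOI
FILES = [("a.jpg", PHOTO_A), ("b.jpg", PHOTO_B)]

if __name__ == "__main__":
    image = build_image(FILES)
    print("before format:", [n for n, _, _ in list_files(image)])
    formatted = quick_format(image)
    print("after format: ", list_files(formatted))
    print("carved offsets:", [off for off, _ in carve_jpegs(formatted)])
    reused = overwrite(formatted, DATA_START, SECTOR)
    print("after new writes:", [off for off, _ in carve_jpegs(reused)])
```

The last step is the reason for the warning above: once new data lands on the old sectors, the first file is no longer recoverable.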
LAB 6
• Download EaseUS Data Recovery Wizard, install it and launch it.
• Click the "Complete Recovery" button on the main window of Data Recovery Wizard.
• Select the file types you want to recover. Tick 'Search all lost files automatically' to find all lost file types. Tick 'Ignore bad sectors' to skip bad sectors when scanning.
• The second screen of the "Complete Recovery" tool will display a list of volumes found on the drives in your system. If a volume does not have a drive letter, the volume will be listed last and the drive letter will be instead by
• The Intelligent Searching module will scan the selected volume, collect and analyze every byte on the volume, then show you a list of volumes which are possible on it.
• After this scan is finished, Data Recovery Wizard will let you choose at most 4 volumes from which to recover data. Then press the "NEXT" button.
• The Data Recovery Wizard will launch the "Building directory" procedure to search for the files. You will see
• Select the file or directory that you want to recover and press the "Next" button.
Recover Data from Missing Partition or corruption
• A hard drive can be divided into multiple storage units referred to as partitions. Partitions are created to separate OS and program files from user files, to allow a multi-boot setup, to have multiple file systems, to reduce access time (which in turn increases system performance), to protect files by making it easier to recover a corrupt file system (if one partition is corrupt, the other file systems will not be affected), and for many other benefits.
How does data loss or corruption occur in a hard drive partition?
• Conversion of a partition from one file system to another, i.e. FAT16 or FAT32 to NTFS. These file system conversions cause the data or files to lose their EFS (encryption) details and file system permissions, which hold entries recording which users or system processes are granted access and which operations are allowed on a particular file.
Recover Data from Missing Partition or corruption
• Using third-party tools to create a new partition or resize an existing partition can cause deletion of partitions or data while trying to locate free disk space in those partitions.
• Virus infection is another main reason for data loss due to a missing or corrupt partition. If the master boot record (MBR), which holds the partition table, is damaged or corrupted by a virus attack, then you will not be able to see the partitions, leading to heavy data loss.
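A sector 0 triage check covering both the Master Boot Record slides earlier and the damaged-MBR scenario above: it reads the four partition table entries, checks the boot signature, and reports why partitions would appear missing. This is an added example, not part of the original workshop material; the three sample sectors are constructed, and the offsets (table at byte 446, 0x55AA signature at byte 510) are standard MBR layout facts that the slides do not list.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446            # partition table follows the boot code
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR
ENTRY_FORMAT = "<B3xB3xII"    # status, CHS start, type, CHS end, LBA start, count
TYPE_NAMES = {0x05: "extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)",
              0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)", 0x83: "Linux",
              0xEE: "GPT protective"}


def parse_mbr(sector):
    """Return (partitions, problems) for one 512-byte sector 0."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions, problems = [], []
    if sector[510:512] != BOOT_SIGNATURE:
        problems.append("missing 0x55AA boot signature")
    for slot in range(4):
        off = TABLE_OFFSET + slot * ENTRY_SIZE
        status, ptype, start, count = struct.unpack_from(ENTRY_FORMAT, sector, off)
        if ptype == 0x00:                 # unused slot
            continue
        if status not in (0x00, 0x80):
            problems.append(f"slot {slot}: invalid status byte 0x{status:02X}")
        partitions.append({
            "slot": slot,
            "bootable": status == 0x80,
            "type": TYPE_NAMES.get(ptype, f"unknown (0x{ptype:02X})"),
            "start_lba": start,
            "sectors": count,
            "size_mib": count * SECTOR_SIZE // (1024 * 1024),
        })
    if not partitions:
        problems.append("partition table is empty")
    ordered = sorted(partitions, key=lambda p: p["start_lba"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start_lba"] + a["sectors"] > b["start_lba"]:
            problems.append(f"slots {a['slot']} and {b['slot']} overlap")
    return partitions, problems


def make_mbr(entries):
    """Build a constructed MBR: empty boot code, given entries, signature."""
    sector = bytearray(SECTOR_SIZE)
    for slot, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FORMAT, sector,
                         TABLE_OFFSET + slot * ENTRY_SIZE,
                         status, ptype, start, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples: a healthy two-partition disk, the same sector with the
# table and signature zeroed, and a table whose entries overlap.
HEALTHY = make_mbr([(0x80, 0x07, 2048, 204800), (0x00, 0x0C, 206848, 409600)])
DAMAGED = HEALTHY[:TABLE_OFFSET] + bytes(SECTOR_SIZE - TABLE_OFFSET)
OVERLAP = make_mbr([(0x80, 0x07, 2048, 204800), (0x00, 0x0C, 100000, 409600)])

if __name__ == "__main__":
    for label, sector in (("healthy", HEALTHY), ("damaged", DAMAGED),
                          ("overlap", OVERLAP)):
        parts, problems = parse_mbr(sector)
        print(label, [(p["type"], p["start_lba"], p["size_mib"]) for p in parts],
              problems or "no problems")
```

In the damaged sample the file system data beyond sector 0 is unchanged; only the pointers to it are gone, which is why partition recovery tools scan the disk for volume boot sectors instead of trusting the table.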
LAB 7
• Download EaseUS Data
Recovery Wizard, install it and
launch it.
• Recover data after loss or corruption in a hard drive partition
Crash Windows operating system corrupt
Microsoft Windows 7 Crashes, Restarts or a Blue Screen Appears
What Is a Blue Screen Error?
• When Windows encounters certain situations, it halts and the resulting diagnostic information is displayed in white text on a blue screen. The appearance of these errors is where the term "Blue Screen" or "Blue Screen of Death" comes from. Blue Screen errors occur when:
– Windows detects an error it cannot recover from without losing data
– Windows detects that critical OS data has become corrupted
– Windows detects that hardware has failed in a non-recoverable
Crash Windows operating system corrupt
• Almost everyone has witnessed the serious problem of a computer's operating system crashing, since it is almost inevitable that this will occur at some point in the life of a system. The most frustrating part is the data we lose. We try to come up with an easy and workable solution to this very common system menace.
• By using a Linux / Windows Live Boot Disk
LAB 9
• By using a Linux / Windows Live
Boot Disk
• By using your Hard Disk Drive as an external drive
Email Recovery
How to Recover Deleted Email files
Outlook PST Files
• Recover My Files will search for and locate deleted Microsoft Outlook PST, WAB (Windows Address Book) and PAB (Personal Address Book) files which have been emptied from or bypassed the Windows Recycle Bin.
• PST files are very complex and in some instances recovered PST files will not function until they have also been repaired. This is done by running a program called 'scanpst.exe' (also known as the 'Inbox Repair Tool'), which is installed by default on all Windows computer systems. Use Recover My Files to find your deleted PST file. If errors occur when you try to access it, use the Inbox Repair Tool to fix it. Once you have recovered and repaired the file you will once again be able to open the file in Microsoft Outlook.
• Outlook Express DBX Files
• Recover My Files will search for and locate deleted Microsoft Outlook Express DBX files which have been emptied from or bypassed the Windows Recycle Bin.
• The download version of Recover My Files will allow you to see the contents of the recovered DBX file, including the number of messages, the 'to' and 'from' address fields, the subject and the date each message was sent and received.
Password recovery
PASSWORD
• A secret series of characters that enables a user to access a file, computer, or program. On multi-user systems, each user must enter his or her password before the computer will respond to commands.
• The password helps ensure that unauthorized users do not access the computer. In addition, data files and
programs may require a password.
• Ideally, the password should be something that nobody could guess. In practice, most people choose a password that is easy to remember, such as their name or their
initials. This is one reason it is relatively easy to break into most computer systems.
Where are Windows 7 Passwords Stored?
• Windows account details are stored in the SAM registry hive. It stores passwords using a one-way hash (either LM hash, which is old and weak, or NTLM hash, which is newer and stronger).
• The SAM hive file is located at %WinDir%\system32\config\sam. This directory, and its parents, are by default inaccessible to non-administrative users. However, it is vulnerable to offline attacks (e.g. booting a LiveCD and manually modifying the binary data, for example with the ONTPRE tool).