I have a homework assignment to do in which I need to state possible ways we can recover deleted files from a computer using NTFS. The assignment asks me to think of any pieces of information that may be vital for forensics. However, I don't know how NTFS saves, deletes, and overwrites files in the first place!
Here is something similar we learned in class:
In class we learned that FAT32 saves files in clusters of blocks. When we save a file, it uses up sectors in a cluster, but the file may not use all of the sectors in a cluster, or even all the space in a block.
When a file is 'deleted,' the file name in the directory has its first letter changed to a sigma, and then the location of the stored file is considered unallocated (aka may be overwritten). So we can still search for this file (using certain techniques) and recover it! Even if a new file is written in that address, the new file may be smaller than the previous file. In such a case, the remnants of the previous file that was stored there remain because they were not overwritten. We can recover this as well, assuming it's not fragmented.
Well, that's what we learned in class. I have to write up a similar piece for the NTFS, but I can't find a simple site that specifically explains how files are saved and deleted in NTFS in the first place. Can anyone give me a link with some valuable reading material?
EDIT: I've found the perfect site that explains exactly what I need. I will post it here for future readers: http://wiki.sleuthkit.org/index.php?title=NTFS_File_Recovery
Dre Sh
closed as off-topic by Brian Tompsett - 汤莱恩, Gytis Tenovimas, SparkAndShine, mpromonet, Mike BrindSep 12 '16 at 19:05
1 Answer
Probably the best place to start is with Microsoft Technet. Check out the following article on how NTFS works.
The things you most likely want to dig further into are the master file table, journaling, and possibly some topics on deleted data recovery.
You may learn a good amount by looking at the documentation for forensics tools such as The Sleuth Kit.
You may also want to check out the NIST Publication SP 800-86: Guide to Integrating Forensic Techniques into Incident Response.
Lastly, something which is pretty cool about 'hiding' data in NTFS is alternate data streams. Alternate Data Streams are typically not visible to Windows operating systems, but still take up disk space. They come from the Mac world. IronGeek's Guide is a good place to start understanding ADS.
Eric G
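The NTFS counterpart of the FAT32 "first letter replaced" story in the question is the master file table (MFT) the answer points to. Every file has a 1024-byte `FILE` record in `$MFT` holding its `$FILE_NAME` attribute and either the file content itself (resident `$DATA`) or a run list of the clusters that hold it (non-resident `$DATA`). When the file is deleted, NTFS clears the in-use bit (0x01) in the record header and clears the file's clusters in `$Bitmap`; nothing in the record is wiped until the record or clusters are reused, which is exactly what The Sleuth Kit's NTFS recovery relies on. Named `$DATA` attributes in the same record are the alternate data streams the answer mentions. The parser below is an added example, not code from the question, the answer, The Sleuth Kit or Microsoft; the record it parses is constructed in `build_mft_record()` rather than read from a real volume, and all function names are hypothetical. Offsets follow the public NTFS on-disk layout (fixup array at offset 4, attribute list at the offset stored at 0x14, flags at 0x16, record number at 0x2C).

```python
"""Minimal NTFS MFT FILE-record parser showing what survives deletion.

Added example; the sample record comes from build_mft_record() (constructed,
not read from a disk). Offsets follow the public NTFS on-disk layout.
"""
import struct

ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 0x30, 0x80, 0xFFFFFFFF
FLAG_IN_USE, FLAG_DIRECTORY = 0x01, 0x02
SECTOR = 512


def _align8(n):
    return (n + 7) & ~7


def apply_fixup(rec, sector=SECTOR):
    """Undo the update-sequence fixup: the last word of every sector was
    replaced by the USN at write time; a mismatch means a torn write or junk."""
    usa_off, usa_cnt = struct.unpack_from('<HH', rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(usa_cnt - 1):
        end = (i + 1) * sector
        if rec[end - 2:end] != usn:
            raise ValueError('update sequence mismatch in sector %d' % i)
        rec[end - 2:end] = rec[usa_off + 2 + 2 * i:usa_off + 4 + 2 * i]
    return rec


def parse_data_runs(buf):
    """Decode a run list into [(lcn, clusters)]; lcn None marks a sparse run.
    Header byte: low nibble = length field size, high nibble = offset field
    size; offsets are signed and relative to the previous run's LCN."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos] != 0:
        len_sz, off_sz = buf[pos] & 0x0F, buf[pos] >> 4
        pos += 1
        length = int.from_bytes(buf[pos:pos + len_sz], 'little')
        pos += len_sz
        if off_sz == 0:
            runs.append((None, length))
            continue
        lcn += int.from_bytes(buf[pos:pos + off_sz], 'little', signed=True)
        pos += off_sz
        runs.append((lcn, length))
    return runs


def parse_mft_record(raw):
    """Return name, in-use flag, data runs and ADS names of one FILE record."""
    if raw[:4] != b'FILE':
        raise ValueError('not a FILE record')
    rec = apply_fixup(bytearray(raw))
    attr_off, flags = struct.unpack_from('<HH', rec, 0x14)
    info = {'record_number': struct.unpack_from('<I', rec, 0x2C)[0],
            'in_use': bool(flags & FLAG_IN_USE),          # cleared on delete
            'is_directory': bool(flags & FLAG_DIRECTORY),
            'file_name': None, 'data_runs': [], 'data_size': 0, 'streams': {}}
    pos = attr_off
    while pos + 8 <= len(rec):
        atype, alen = struct.unpack_from('<II', rec, pos)
        if atype == ATTR_END or alen == 0:
            break
        nonres, name_len, name_off = struct.unpack_from('<BBH', rec, pos + 8)
        aname = rec[pos + name_off:pos + name_off + 2 * name_len].decode('utf-16-le')
        content = b''
        if not nonres:
            clen, coff = struct.unpack_from('<IH', rec, pos + 0x10)
            content = bytes(rec[pos + coff:pos + coff + clen])
        if atype == ATTR_FILE_NAME:                       # always resident
            n, ns = content[0x40], content[0x41]
            if ns != 2 or info['file_name'] is None:      # prefer long over 8.3 name
                info['file_name'] = content[0x42:0x42 + 2 * n].decode('utf-16-le')
        elif atype == ATTR_DATA and aname:                # named $DATA = ADS
            info['streams'][aname] = content if not nonres else None
        elif atype == ATTR_DATA and nonres:
            runs_off = struct.unpack_from('<H', rec, pos + 0x20)[0]
            info['data_size'] = struct.unpack_from('<Q', rec, pos + 0x30)[0]
            info['data_runs'] = parse_data_runs(rec[pos + runs_off:pos + alen])
        elif atype == ATTR_DATA:                          # small file, data in MFT
            info['data_size'], info['resident_data'] = clen, content
        pos += alen
    return info


def byte_ranges(runs, cluster_size):
    """Volume (offset, length) pairs to read back when carving a deleted file."""
    return [(lcn * cluster_size, n * cluster_size) for lcn, n in runs if lcn is not None]


def _resident(atype, content, name='', attr_id=0):
    nb = name.encode('utf-16-le')
    coff = _align8(0x18 + len(nb))
    total = _align8(coff + len(content))
    hdr = struct.pack('<IIBBHHHIHBB', atype, total, 0, len(name), 0x18, 0,
                      attr_id, len(content), coff, 0, 0)
    return (hdr + nb).ljust(coff, b'\0') + content.ljust(total - coff, b'\0')


def _nonresident_data(runs, real_size, cluster_size, attr_id=0):
    clusters = sum(n for _, n in parse_data_runs(runs))
    total = _align8(0x40 + len(runs))
    hdr = struct.pack('<IIBBHHHQQHHIQQQ', ATTR_DATA, total, 1, 0, 0x40, 0, attr_id,
                      0, clusters - 1, 0x40, 0, 0, clusters * cluster_size,
                      real_size, real_size)
    return (hdr + runs).ljust(total, b'\0')


def build_mft_record(record_number, file_name, in_use, data_runs, data_size,
                     ads=None, cluster_size=4096):
    """Constructed sample record (hypothetical, not from a real disk): one
    $FILE_NAME, one non-resident $DATA, optional resident named streams."""
    nb = file_name.encode('utf-16-le')
    fn = struct.pack('<7QII', 5 | (5 << 48), 0, 0, 0, 0, data_size, data_size,
                     0x20, 0) + bytes([len(file_name), 1]) + nb
    attrs = _resident(ATTR_FILE_NAME, fn, attr_id=2)
    attrs += _nonresident_data(data_runs, data_size, cluster_size, attr_id=3)
    for i, (name, data) in enumerate(sorted((ads or {}).items())):
        attrs += _resident(ATTR_DATA, data, name, attr_id=4 + i)
    attrs += b'\xff\xff\xff\xff'
    rec = bytearray(1024)
    attr_off, flags = 0x38, (FLAG_IN_USE if in_use else 0)
    struct.pack_into('<4sHHQHHHHIIQHHI', rec, 0, b'FILE', 0x30, 3, 0, 1, 1, attr_off,
                     flags, attr_off + len(attrs), 1024, 0, 4 + len(ads or {}), 0,
                     record_number)
    rec[attr_off:attr_off + len(attrs)] = attrs
    struct.pack_into('<H', rec, 0x30, 0x0007)            # USN, then stash each
    for i in range(2):                                   # sector's last word
        end = (i + 1) * SECTOR
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[end - 2:end]
        struct.pack_into('<H', rec, end - 2, 0x0007)
    return bytes(rec)


if __name__ == '__main__':
    runs = b'\x21\x08\x00\x10\x11\x04\xf0\x00'           # LCN 4096 x8, LCN 4080 x4
    deleted = build_mft_record(41, 'secret.docx', False, runs, 45000,
                               ads={'Zone.Identifier': b'[ZoneTransfer]\r\nZoneId=3\r\n'})
    info = parse_mft_record(deleted)
    print(info['file_name'], 'deleted' if not info['in_use'] else 'live',
          byte_ranges(info['data_runs'], 4096), list(info['streams']))
```

To use this against an image, walk `$MFT` in 1024-byte steps and keep every record whose `in_use` flag is clear but whose `$FILE_NAME` still parses; the byte ranges from `byte_ranges()` are what to read from the volume, and each range is only trustworthy while its clusters are still clear in `$Bitmap` (a reallocated cluster gives you the new file's content, the NTFS version of the FAT32 partial-overwrite case in the question). The fixup check matters on real media: a record whose sector words disagree with the USN was torn mid-write or is not a record at all.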