Investigative Process PC Inspector File Recovery Lab

Description
This lab demonstrates the PC Inspector File Recovery utility. You’ll learn how and where to find the utility and then configure it for use. PC Inspector File Recovery is a very easy and thorough utility for inspecting a logical drive and listing the files that have previously lived on it. It is an excellent tool for determining what system, data and even temp files have been on the targeted drive, including files that appear to have been deleted or are otherwise no longer available to be viewed or accessed, and it does so virtually right away.

Transcript
Leo Dregier here. We’re going to talk about a tool called PCI File Recovery. I’m going to run you through the install real quick. Ah, you can install it through English, okay. Agree to the terms and conditions. It’s – PC Inspector File Recovery is the exact name of it. You can install it wherever you want, realistically, but Program Files will be fine. Ah, please note, it’s in a sub-directory, Convar, okay? Install it. Relatively easy to install. Close it out. Finish the, ah, Setup Wizard. Close that out, okay? And go ahead and open up the program. Simultaneously, I’m going to move this over here to my forensics programs. Um, you’re probably going to want to run this in English, okay? So recover deleted files, uh, find lost data, and find lost drives. This is basically what you get to do with this right away. So, we’re going to, um, look for, ah, recover deleted files. Okay? So select the logical drive, select the, the, the files in the folder deleted, and the, of course, save your files, okay? So, first thing that it does is it checks the BIOS and a few other checks. Um, it looks for your disk’s positions here, so, um, in this case, I’ve got a, a no name drive that it found, the Windows C drive, uh, Windows D, which is other business, uh, another other business, and this one.
So if you realistically want a comparison of which one’s which, you can just go to My Computer and see. In this case, I’m going to be looking for Blue USB, which is the F drive, and, ah, that’s going to be this guy right here. So you can, uh, rescan, you can find logical drives, or you can preview that. So in this case, uh, you can notice that you can start at physical sector zero, the total number of sectors on that drive, the sectors per cluster, the FAT type, the OEM name. So it was originally formatted in MS-DOS 5, and then the volume label is No Name here. Okay, great. So that would be your logical drives versus your physical drives. In this case, I could do the physical drives, ah, right here, which is the same thing. It’s a 478-megabyte drive. Either way, however you want to select it, go ahead and select it. Okay. And then, here we go. So what I’m basically looking at here is, uh, just a handful of, of files that have been on this drive in the past. Ah, and then you can see, you know, a bunch of temporary files on here, ah, some ISSEP files that I was working on, you know, some time ago, uh, some IT files, you know, classroom material, healthcare manuals, um, more temporary files, ah, a course, real estate course that I was working on on real estate overages. So that – I pulled that. That’s been deleted from this – some system volume information, and then lost, and then you can search, okay? So it, it’s – if you notice here – whoops. I don’t want that one. I don’t know what they’re for. If you go to the actual drive, you can see that I basically just have the password, uh, document on there, and then some system volume information. So it appears that, you know, basically, nothing’s on this drive. Ah, but look at all of the, the stuff that it finds, um, that’s previously been there. Okay?
And then you could go through, and you could see, you know, what is, you know, IT, you know, you know, 001 PDF, or, you know, what did I have in Classroom Material, um, and things like that. You can right-click any of these files, and you can save them. You can look at the properties, which really doesn’t tell you much. It just tells you more or less the name and where. Um, ah, view as a hex dump, okay? Uh, so you can do that, as well, so if you want to see the specific hexadecimal of, uh, certain information, you can. We’re going to get into some of the hex editing tools much, much, much later. I just want to point out that that option is built into a program like this. View as text. You just have to – can pull any text, ah, and things like that. So, uh, and the same thing, you know, something like docx, right? If I want to try to see what, uh, well, you know, what it has in there. See if it can pull anything, and it doesn’t because it’s a docx format, but if, you know, if I had, like, maybe just a regular text document with some, ah, decent text in it, it’d probably just pull it just fine. Okay? So that’s your drive, okay? You can click on the drive up here, ah, and then rescan them, okay? If you have USBs and floppies, you can look there. If you want to search, you can find a specific name, so just search for, you know, password, and search, okay, and it finds, you know, a password, ah, dot X file. And this is the original file, and then this is, um, uh, another file. Ah, in this, in this case, this is – this was another document that I had deleted, but the condition’s for – ah, very, very, very poor on that one, where this one’s good. So this has zero size in it. This, um, um, you know, clearly has some size to it, okay? Um, you can select specific cluster ranges if you want to – if you know that. You may or may not.
It depend – now, where you find that information is if you’re running, you know, like, ah, a program like Check This, and it starts, uh, giving you cluster errors at a particular file location, then you would probably know something like that, but right off the bat, you’re, you’re probably not going to know that. You can find lost data if you like, okay? So you can just scan it for lost data, and this’ll take some time to run, but it – you can see that it is finding files right away. Um, and you’d have to let something like this run. Now, ah, this is going to take about a minute or two, but it’s worth doing on this portable USB drive because you can see all the things that I’ve basically deleted, or it’s lost, or orphaned, file fragments, and things like that, um, over the years of using this. So, uh, let’s just back up here for one second. Let’s say that you find a USB drive in the parking lot, and you plug it into your computer, and there’s nothing on it. Okay, great, right? Free USB drive. Good to use. Wrong. You would actually want to use it with some sort of, um, partition, uh, extraction tool, or data recovery tool, or a file inspection tool, like PC Inspector because there absolutely could be alternative data streams, and especially if it’s formatted as NTFS. There could be hidden stuff on there, ah, as in just right-click hidden. Um, there, there could be deleted; there could be orphaned; there could be all sorts of stuff, and low-level formats, um, and what I mean by low-level format is when you just right-click this drive, and you select format, all it basically does is basically delete all of the pointer records to the, to the drive. It doesn’t actually remove the data, and a program like this clearly points that out, ah, because it will go in, and it will, you know, start looking at, you know, the different items that are on there. Okay?
And you can see that I’ve used this, this drive for quite some time, and it’s already up to, uh, lost files found, you know, over 1,000, and it’s just a, you know, a 481-megabyte drive that appears to have nothing but a password file on it. Um, but what I’d like to show is is that you can actually get all of the, the, the deleted, and, and unconventional stuff that doesn’t appear to be there – you can actually get that more or less right away with a, with a program like this, and then save it to another place. So just because you find a USB drive in the parking lot, and there appears to be nothing on it, chances are, there is. Um, not to say that you shouldn’t just, you know, try to find, you know, the, the original owner and maybe return it to that person. But let’s say that you can’t. Well, if you can’t, well then, there you go. So in this case, I’m going to sort by, ah, type over here, and you can see there’s a whole bunch of Acrobat files, uh, that I recovered from this drive. There’s a whole bunch of JPEG files, PNG files, right, ah, WordPad, um, XLS spreadsheets, right? So it finds quite a considerable amount of information, and if you right-click these, you can save them. You can view ’em as a hex dump or text, uh, drive again. Okay? So before you stick any drive into your computer that you, you know, found in the parking lot, you may want to use a drive like, ah – or, or a program like PC Inspector to inspect that drive and see if you can’t recover some of the, the deleted, orphaned, or lost information from that drive. Very, very easy program to use. Um, it’s definitely one of my, my favorite more – my go-to programs for a quick forensic inspection of hey, what’s on that drive? So try it out. Give yourself a little practice. Build your hands-on. Um, it’s PC Inspector File Recovery. Hope you enjoyed it. My name’s Leo Dregier, and don’t forget to check us out on Facebook, LinkedIn, YouTube, and Twitter.
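The transcript's central point, that deleting a file or quick-formatting a FAT volume only clears the directory and FAT pointer records while the file's bytes stay on the media until something overwrites them, can be shown on a tiny constructed FAT12 image. The script below is an added Python example and is not part of the lesson or of the PC Inspector tool: the image layout, the file PASSWORD.TXT and its contents are all made up here, and parse_boot_sector returns the same sector-zero fields the tool's drive preview lists (OEM name, sectors per cluster, total sectors, FAT type, volume label).

```python
import struct
SECTOR = 512
CONTENT = b"constructed sample: this text survives a delete\n"

def build_image():
    img = bytearray(SECTOR * 4)                                    # boot sector, FAT, root dir, cluster 2
    img[3:11] = b"MSDOS5.0"                                        # OEM name
    struct.pack_into("<HBHBHHxH", img, 11, SECTOR, 1, 1, 1, 16, 4, 1)  # bps, spc, reserved, FATs, root entries, total sectors, media, sectors/FAT
    img[43:54] = b"NO NAME    "                                    # volume label
    img[510:512] = b"\x55\xaa"                                     # boot signature
    img[SECTOR:SECTOR + 5] = b"\xf0\xff\xff\xff\x0f"               # FAT12: two reserved entries, cluster 2 = end of chain
    entry = bytearray(b"PASSWORDTXT") + bytes([0x20]) + bytes(20)  # 8.3 name, archive attribute
    struct.pack_into("<HI", entry, 26, 2, len(CONTENT))            # first cluster, file size
    img[2 * SECTOR:2 * SECTOR + 32] = entry
    img[3 * SECTOR:3 * SECTOR + len(CONTENT)] = CONTENT
    return img

def parse_boot_sector(img):
    """Sector-zero values the drive preview shows (OEM name, geometry, FAT type, label) plus region offsets."""
    bps, spc, reserved, nfats, root_entries, total, spf = struct.unpack_from("<HBHBHHxH", img, 11)
    root_sectors = (root_entries * 32 + bps - 1) // bps
    clusters = (total - reserved - nfats * spf - root_sectors) // spc
    return {"oem": img[3:11].decode(), "bps": bps, "spc": spc, "total_sectors": total, "root_entries": root_entries,
            "label": img[43:54].decode().strip(), "fat_off": reserved * bps, "root_off": (reserved + nfats * spf) * bps,
            "fat_type": "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32",
            "data_off": (reserved + nfats * spf + root_sectors) * bps}

def fat12_entry(img, bpb, n):
    word = struct.unpack_from("<H", img, bpb["fat_off"] + (n * 3) // 2)[0]
    return word >> 4 if n & 1 else word & 0xFFF                    # 12-bit entries straddle byte boundaries

def list_root_entries(img, bpb):
    out = []
    for off in range(bpb["root_off"], bpb["root_off"] + bpb["root_entries"] * 32, 32):
        e = img[off:off + 32]
        if e[0]:                                                   # 0x00 = slot never used; deleted (0xE5) slots are kept
            first, size = struct.unpack_from("<HI", e, 26)
            start = bpb["data_off"] + (first - 2) * bpb["spc"] * bpb["bps"]
            name = (b"?" if e[0] == 0xE5 else e[:1]) + e[1:8]      # a delete overwrites only byte 0 of the name
            out.append({"name": (name.strip() + b"." + e[8:11]).decode(), "deleted": e[0] == 0xE5,
                        "first_cluster": first, "size": size, "data": bytes(img[start:start + size])})
    return out

def quick_delete(img, bpb, index):
    """Mimic a delete or quick format: free the directory entry and its FAT entry; the data is not touched."""
    off = bpb["root_off"] + 32 * index
    cluster = struct.unpack_from("<H", img, off + 26)[0]
    img[off] = 0xE5
    fat = bpb["fat_off"] + (cluster * 3) // 2
    struct.pack_into("<H", img, fat, struct.unpack_from("<H", img, fat)[0] & (0x000F if cluster & 1 else 0xF000))  # spare the neighbour's nibble
```

After quick_delete, list_root_entries still returns the entry (with its first name byte replaced, the way recovery tools display it) together with its intact data, while fat12_entry reports the cluster as free.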