Investigative Process RecoverMyFiles Lab

This lab demonstrates, GetData’s data recovery tool RecoverMyFiles, a utility developed by Advanced Data. This tool is excellent for attempting to recover data from an entire hard disc drive or if you need to recover files from a specific file directory. This demonstration of the RecoverMyFiles tool shows you several options for configuring the tool, as well as to use to determine the output based upon the type of search and recovery investigation you need to conduct. You’ll even see how the tool provides added information on specific types of file, such as XML vs. a regular text file which may not have hidden information to reveal. RecoverMyFiles is an excellent introduction and starter tool to use when learning how to conduct a data file recovery investigation. [toggle_content title="Transcript"] Hi, Leo Dregier here. I want to talk to you about a forensics program that I, I typically use called Recover My Files. Ah, I would put this in the category of, kind of like, Freeware, borderline Adware type of programs, but it's a quick sanity check to, uh, try to recover deleted, or lost, or orphaned files. Um, I've got a shortcut that I've stored here on the desktop. It's called Recover My Files. Um, it's actually – you can see that – while I have the icon highlighted, it's actually, um, through GetData, and it's a Recover My Files version 4. So I'm going to open up this program through the shortcut. It's a very, very, very easy install. You can get this by a simple Google Internet search by doing RecoverMyFiles with no spaces. Uh, but it's by Advanced Data Recovery Software. You get little tips here in the beginning. Now that you see this, um, I'm not going to share the tips on start-up anymore, ah, but you could go and get a whole bunch of quick tips if you wanted to learn how to use the software through that mechanism, um, or you can just close it out. So right away, you're presented with two options. You can recover files, recover a drive, or a whole drive. We're going to specifically just do the, the simple version, ah, but you can try to recover a whole drive. Ah, you may want to try this if you have a lost, or deleted, or corrupt drive sitting in your closet somewhere. Um, you know, these are the types of labs where it's like, you know, try to analyze, um, those old drives that you have, and see if you can't get some data off of them, okay? So what we're going to do is recover files, and you notice if you just click on these options here, they change. So at first, you know, you might try double clicking this stuff and think, “Well, it's not working.” Well, it is. It's just because the color has changed. So select Recover Files, select Next, and it'll tell you, you know, C drive, or in this case, I have a USB drive plugged into it. And I'm going to do this to the local C drive of this computer here. What we could do, we could add an image. We could add a RAID drive. We could add a specific folder. You can refresh this if you want, which isn't going to do anything here because I didn't add anything. Um, so just go ahead and grab your local C drive, uh, at first. Click Start. Search for deleted files or search for deleted files then search for lost files, um, types. And the difference between these two options is going to be speed. Um, I'm going to go ahead and do the latter option here. This scans the operating system record to quickly find deleted files and then subsequently scans the drive to find additional lost files, uh, where the operating system record no longer exists by locating unique file structures, the header, the content, and the footer, of your selected file types. Ah, and it is a much, much longer search. Um, ah, ah, actually, what I'll do is, I'll do the recommended version. You can try the, uh, long version. For the sake of the video and time in the video, I'm just going to do the, the fast one. So I'm going to do a start here, and you can see how quickly this utility, uh, runs in the recommended options. It should only take, you know, 10, 15 seconds, ah, at best, okay? So all searches complete. Okay, great. And you can see I found a couple, ah, items of interest. So lost files, I found _shfolder.dll, and if you click on this, it'll tell you where I found it, so in this case, it's actually sitting in lost and found, the date modified, the date created, the date accessed, so it pulls the, um, file, uh, or folder properties, um, gives those to you. Um, and then it tells you the type. It's an executable, the directory if it's in, the record number, and you can kind of move these around a little bit, ah, which is probably what you're going to need to do to actually read them. The versions, so it's a 32 bit DLL, and actual, the file size. And then you could even, you know, right click those and get a message, uh, mp5 sum or something like that if you actually go to this specific file. In, inside this program, there – the right click for, you know, NB5 calculator or something like that's not going to work. But you can copy. You can copy the file, um, or you can clear it from the log. Okay? Um, also, in the root, okay, it'll tell – you can – it gives you the ability to run down and see other files that have been lost. So you can see there's a schedule XML file here. Now, you're only going to get a preview here if it's, like, a picture or something like that, okay? Um, otherwise, you know, anything like XML or .DLL, it's just going to give you the photo, okay? Um, event log – you can kind of see what it does. Okay, so it – um, in, in – what I would recommend here is think about this in terms of forensics analysis and really learning what these programs do, right? So it started the search on C. It started looking at this particular cylinder, the tracks per cylinder. It found out that there're 255. Sectors per track, 63, and we'll probably cover this stuff later when we start getting into the details of hard drives. That's not really the scope of this video here, but I want to show you that, you know, it is listed here, when we come back to it later in other videos. Um, the bytes per sector, searching for files in the C drive, the number of cylinders again, that's the same thing here. Uh, actually, this whole section looks like it's repeated here, so, you know, 1305, 255, 63, 512. Okay, so great. Um, it looks like it starts trying to read the master file table, so – and master file table 16 is incomplete. Okay, 17 through 23, incomplete. Um, it look – found some data here, and it found some other references in the, ah, master file table. Um, the number of known files in the, eh, master file tables, so there's 66,000 files. Number of known folders, number of the known system items, number of deleted, um, files, which it found, basically, two on, ah, uh, uh, the lost and found, and two in the root. The total number of files that were located – and then basically your search is complete. Um, so – and then you can clear the log or copy this stuff to, to the clipboard. Right? Oh, next you can go through file types. Look at executables and XML, so if you want to search by file type, you can certainly do that. If you want to search by date, you can search – you know, do that, as well, okay? So that'll go through, and you can sort this stuff, and get another detailed view in here. Ah, but you'll have to go to preview if you actually want to see those, um, or you can search. You can search for directly in here. You know, what, what's the, uh, uh, size of the file? What is the state of the file? You know, is it deleted? Is it folders? Is it checked? What's the size? You know, do you remember? Do you not remember? Is it, you know, less than 1024, greater than 1024? So you can get pretty specific. When was it changed? Do you have any idea? That helps narrow down the searches because remember, it's looking at, you know, modified, created, and accessed. So if you can – you got a huge, you know, hard drive, or you're – let's just say – in theory, say that you're analyzing a SAN, and you can narrow that down to a particular date or time span, um, to speed up your file, you, you may want to do that. All right – or part of the file name, or words or phrases inside the files. Um, you certainly can do those if you like. Okay? Ah, you have an update to this file, you have some basic options, okay? So in, in the options, you have file types. Okay, you can see that. You know, it'll pick AVI files, executables, and DLLs, or SYS files. Um, your audio files like, you know, M4 p, b, or a, JPEG, uh, and the different extensions, Excels, different extensions, Word, different extensions. You should get the idea by now. Ah, you know, Microsoft Office files versus camera oriented files, you know. And this all helps you narrow down the scope because if you're looking for cameras or pictures, um, you know, you may not need, you know, email files, right, or databases. So it really just depends on, you know, how you want this program to work. Um, you know, my background, specifically, is in, incident response, and, you know, every now and then, we would get a, uh, call to the, uh, SoC, uh, helpdesk and, you know, somebody's browsing porn on the network, or somebody was looking at pornographic material on their computer. And we would go image their, um, hard drive, and we would have to search for specific types of files related to that specific type of investigation. Okay? Um, the pornography category just happens to be an easy one because those are going to be either be picture, ah, videos. Um, I kind of doubt they would be audios, um, just because I guess that would kind of make me scratch my head and go, “Well, okay. Great. That's interesting.” But, um, unless – ah, the – my point is is that you can use the investigation, uh, context to your advantage here and search for just the specific file types. Also, in general, do you want to use the wizard? Do you want the tips on the start-up? Um, logging – I'd recommend you leave this to Verbose, but you can, in theory, turn it off. What do you want it to display? Do you want a properties dialog box, or show unknown, uh, types in Hex view? I actually recommend, uh, you, you select that because I want you to – guys get used to start looking at hexadecimal information. That will help later, especially if you start talking about fragmented files or orphaned files that, uh – where headers are corrupted and things like that. You have, um, search options, you know, set all the lost files to a fixed size, drive recovery, limit the maximum number of partitions to be found. I'd really never change that. Uh, you can save, or do not save, or report issues, or not. You can look at CDs. Um, you have device access here, so you got the default Windows 95, ME, ah, file types, but I would just chalk those up as to the older, uh, CD-ROM type methods, uh, which is ASPI or the newer stuff, which goes pretty much, you know, Windows NT and later, which would be the, uh, SPTI format. And, you know, for right now, you just need to know that there's multiples. You can certainly Google this stuff, uh, if you'd like further information on that. Ah, that's out of scope here, so I'm not going to take the time here to explain it. Um, and then you have some advanced setups, you know, ignore floppy drives, you know, if you still have those laying around. Um, show the MD5 Hash. Notice that's right here, okay. So that's a cool feature that I really like in this program. Um, run a lost file search only, or scan for lost files, ah, across the whole device, um, not only in the free space, so that's kind of another helpful file there, okay? And then next time you do your, um, your, your, your searches, um, you can see that you'll get some additional fields here. So I'm just going to run through this one time quickly here. Uh, it should take a – just about the same amount of time, and it's going to be quick. It probably is going to take a little longer than the first one, ah, but not, not much longer. It depends on the, the relative size of your drive, though. So, we're going to go down, grab our files here, and you can see that it added the MD5 Digest in the, the search results here. Um, I know something for XML, notice that the, the preview information here is now actually showing the XML as well, too. All right? So that may be, may be helpful. All right, but something like a DLL or any sort of, um, compiled file, you're not going to get a preview. And here's your MD5. So that's a really, really great utility Um, it's a – definitely what I would call the starter kit, uh, in, in the worlds of forensics. So, ah, try using this. It – we're building here upon, you know, basics to more advanced, um, and then you can see how a tool like this actually includes some of the other utilities, uh, from before. And eventually, we'll build up to, you know, all-inclusive programs that do most of this, so you just have to run one set of program – or programs rather than all of these individual utilities, right? Because you can see MD5 some, or SHA would be, like, you know, built right into a program like this. So thank you for watching. My name's Leo Dregier. [/toggle_content]
Recommended Study Material
Learn on the go.
The app designed for the modern cyber security professional.
Get it on Google Play Get it on the App Store

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?