Recovering and Deleting Files

[toggle_content title="Transcript"] Hi, Leo Dregier here with Cybrary.IT. I want to talk to you about deleting files and recovering deleted files. All right, so let's go ahead and take a closer look. Uh, one of the major considerations that you have to, to think about at first is what level are you, are you recovering the deleted files. Is it an actual file, is it a partition, or is it the whole drive, okay? So when you're working at the partition level, you can use tools like Disk Part, or Disk Internals has a variety of tools. There's other – there's others that are out there, but I would say definitely start here when you're working with recovering deleted files – partitions. Next let's talk about deleting files. So, uh, one of the obvious components in Windows is the Confirmation Delete. You can go to the Recycle Bin, right click, go to Properties, and you can actually turn off the, um, confirmation. I personally turn it off just because I – you know, I don't need the extra click. I – if I'm deleting something I know that I'm deleting it, but for the average user they like to have that on as like an insurance policy just in case they inadvertently delete something. Uh, so that's one consideration. The next thing is the Master File Table. Within a Master File Table, you basically have a map of all of the files and the partitions that are on the drive. And when you delete a file you're actually just deleting a little record or a [inaudible 01:32] in the file table that links to the actual file, but it still resides on your – the hard drive or the partition until you actually override it multiple times. That's why we have standards that exist that you must override a hard drive or a partition, you know, like, seven times before the file is completely wiped, and that's how a tool like Wipe Drive works, okay. 
But nonetheless, you've got to think, well one let's be – well one, I want you to be able to, uh, look at a master file table, duplicate it, look inside of it and actually see the special characters that denote hey, this file has been deleted; so that's another thing. Also, there's another component here which is, um, the Recycle Bin in itself because everybody's going in, right click, right click the Recycle Bin and say Empty Recycle Bin. But let's say, you know, an hour later or a week later you go, "Oh, there's something in there that I didn't want to delete for whatever reason, or I need something that I, that I didn't think that I needed." Well, you can actually use tools to go in and actually, um, basically undelete what you've permanently deleted, okay. So there's considerations there that you, that you should be fluent with. Second is a variety of recovery tools. It seems that inadvertently deleting files is a very, very popular subject, period. Um, if you go to Google and you just do a, uh, a search for deleted files, or undelete, or recover my files, there's literally no shortage of tools that will come up. So in the world of forensics, you have commercial tools and you have free to try tools and then you have paid tools. Some of the free to try tools are actually not that bad, especially if you're just – you're starting out in this field because you can at least evaluate, like, a hard drive or a partition and actually see the files that were deleted, and then before you purchase the tool, you know, is the tool actually going to work. Um, so these free to try tools that you can get from and things like that are in many cases worth a try. Um, most of the time the tools work pretty consistently in the same; however, not every tool is created equal. 
Sometimes you have tools that, uh, don't see anything that you've deleted, and other times you have tools that you think that they're not going to recover anything and they give you everything that you've deleted back, so it really depends. The more popular tools that I would recommend starting out with are tools like Restorator 2000 or BADcopy Pro, PC Inspector, or ISO Buster's a nice one for looking at ISO files or File Recover and literally hundreds and hundreds and hundreds of more files. These tools will thin out relatively quickly. You do not need to evaluate a hundred or a thousand different tools to get the idea. Um, you could – I recommend starting a virtual machine and then just installing each tool in its trial version inside the virtual machine, and then just keep installing them and then practice using those tools. Uh, that way one, you can leave your, your regular PC alone, but two, you have an environment in which you can basically just blow away if you don't want to use it anymore. So working that virtual environment, and actually, uh, installing programs, and then put something like a USB drive with some deleted files on it, stick it into your computer, and try to recover the files. Um, or recover the Recycle Bin inside of the virtual machine, that works just as well. So that's the beginning and the intro to basically recovering deleted files. So let's go ahead and take a look at some hands-on examples. [/toggle_content]

Welcome to Module 10 of the Computer Hacking and Forensics course. This module introduces Recovering and Deleting Files. It begins with the different target sources where files live, how to recover data files from each of them, and which key tools should be used for each targeted source. You'll learn the benefits of configuring the computing environment, with particular discussion of the Master File Table (MFT): what it entails and how it works.

We discuss in detail the inner workings of the MFT, what content it holds, how to manage files within it and how to recover links to files emptied from the Recycle Bin. You'll learn the differences among the variety of free and paid recovery tools, validating their use, how they work, and recommendations on what to use. The hands-on demonstrations you'll engage in as part of the Recovering and Deleting Files module include the following labs:
  • DDR Professional Recovery Lab
  • File Scavenger Lab
  • Handy Recovery Lab
  • Nucleus Kernel Lab
  • TestDisk Lab
  • Total Recall Lab
  • WinUndelete Lab
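
The module's point that deleting a file only changes its Master File Table record can be seen directly: on NTFS, each MFT record starts with the signature `FILE` and carries a flags field whose in-use bit is cleared on deletion, while the `$FILE_NAME` attribute usually still holds the name. The following is an added example, not part of the course material; it assumes 1024-byte records, ignores update-sequence fixups, and runs on constructed sample records (`make_record`, `scan_mft` and `parse_record` are names chosen for this illustration).

```python
import struct
RECORD_SIZE = 1024          # common MFT record size; assumed here
FLAG_IN_USE, FLAG_DIRECTORY = 0x0001, 0x0002
ATTR_FILE_NAME, ATTR_END = 0x30, 0xFFFFFFFF

def parse_record(rec):
    """Return (state, kind, name) for one MFT record, or None if not a FILE record."""
    if rec[:4] != b"FILE":
        return None
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    state = "in use" if flags & FLAG_IN_USE else "deleted"
    kind = "directory" if flags & FLAG_DIRECTORY else "file"
    name, off = None, first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen < 0x18 or off + alen > len(rec):
            break                      # end marker or corrupt length: stop walking
        if atype == ATTR_FILE_NAME and rec[off + 8] == 0:   # resident attribute
            content = off + struct.unpack_from("<H", rec, off + 0x14)[0]
            nchars = rec[content + 0x40]                    # name length in UTF-16 units
            name = rec[content + 0x42: content + 0x42 + 2 * nchars].decode("utf-16-le", "replace")
        off += alen
    return state, kind, name

def scan_mft(blob):
    """Yield (record_number, state, kind, name) for each FILE record in a raw $MFT copy."""
    for i in range(0, len(blob) - RECORD_SIZE + 1, RECORD_SIZE):
        parsed = parse_record(blob[i:i + RECORD_SIZE])
        if parsed:
            yield (i // RECORD_SIZE, *parsed)

def make_record(name, flags):
    """Build a constructed, minimal FILE record (sample data, not from a real disk)."""
    body = bytes(0x40) + bytes([len(name), 1]) + name.encode("utf-16-le")
    body += bytes(-len(body) % 8)      # attributes are 8-byte aligned
    attr = struct.pack("<IIBBHHHIHH", ATTR_FILE_NAME, 0x18 + len(body),
                       0, 0, 0, 0, 0, len(body), 0x18, 0) + body
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 0x14, 0x38, flags)   # first attribute offset, flags
    rec[0x38:0x38 + len(attr)] = attr
    struct.pack_into("<I", rec, 0x38 + len(attr), ATTR_END)
    return bytes(rec)

# Constructed sample: a live file, a deleted file, an unused slot, a deleted directory.
SAMPLE_MFT = (make_record("report.docx", FLAG_IN_USE) + make_record("secret.txt", 0)
              + bytes(RECORD_SIZE) + make_record("old_logs", FLAG_DIRECTORY))

if __name__ == "__main__":
    print(*scan_mft(SAMPLE_MFT), sep="\n")
```

On a real volume, run this only against a copy of `$MFT` taken from a forensic image, and apply the update-sequence fixups before trusting bytes at the end of each sector.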
