I have a homework assignment to do in which I need to state possible ways we can recover deleted files from a computer using NTFS. The assignment asks me to think of any pieces of information that may be vital for forensics. However, I don't know how NTFS saves, deletes, and overwrites files in the first place!
Here is something similar we learned in class:
Deleted File Cluster View. OSForensics also provides a graphical view of the allocation of the deleted file clusters on the physical disk. The table displays the fragmentation information of the deleted file. For smaller files, the deleted file may be resident in the MFT (NTFS only). The map provides a graphical representation of the location. Metasploit Forensics: Recovery deleted files (NTFS) As the files are shown, it will add an ID associated with that file, which represents the offset of the MFT entry of that file on disk (the number of logical bytes from which that entry is located). If you want to retrieve a particular file you have to specify the variable FILES with that ID.
In class we learned that FAT32 saves files in clusters of blocks. When we save a file, it uses up sectors in a cluster, but the file may not use all of the sectors in a cluster, or even all the space in a block.
When a file is 'deleted,' the file name in the directory has its first letter changed to a sigma, and then the location of the stored file is considered unallocated (aka may be overwritten). So we can still search for this file (using certain techniques) and recover it! Even if a new file is written in that address, the new file may be smaller than the previous file. In such a case, the remnants of the previous file that was stored there remain because they were not overwritten. We can recover this as well, assuming it's not fragmented.
Well, that's what we learned in class. I have to write up a similar piece for the NTFS, but I can't find a simple site that specifically explains how files are saved and deleted in NTFS in the first place. Can anyone give me a link with some valuable reading material?
EDIT: I've found the perfect site that explains exactly what I need. I will post it here for future readers: http://wiki.sleuthkit.org/index.php?title=NTFS_File_Recovery
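As an added illustration (not part of the question, the class notes, or any tool named on this page), here is a minimal Python parser for a single NTFS MFT FILE record: it undoes the update-sequence fixups, reads the in-use flag that separates a live record from a deleted one, and pulls out resident $DATA content, which is why small deleted files can sometimes be recovered from the MFT itself. The 1024-byte sample record is constructed in code from the documented on-disk layout; the record number 42 and the payload are arbitrary.

```python
import struct
IN_USE, IS_DIR = 0x01, 0x02            # MFT record header flags (offset 0x16)
ATTR_DATA, ATTR_END = 0x80, 0xFFFFFFFF  # attribute type ids

def apply_fixups(rec: bytes) -> bytes:
    # Undo the update sequence array: each sector's last 2 bytes live in the USA
    # and are replaced on disk by the USN so that torn writes can be detected.
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 0x04)
    usn, buf = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_cnt):
        end = i * 512
        if buf[end - 2:end] != usn:
            raise ValueError(f"USN mismatch at sector {i - 1}: torn record")
        buf[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def parse_record(rec: bytes) -> dict:
    # Report deletion state and any resident $DATA content of one MFT record.
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    rec = apply_fixups(rec)
    off, flags, used = struct.unpack_from("<HHI", rec, 0x14)   # first attr, flags, used
    info = {"record": struct.unpack_from("<I", rec, 0x2C)[0], "resident_data": None,
            "deleted": not flags & IN_USE, "directory": bool(flags & IS_DIR)}
    while off + 4 <= used and off + 9 <= len(rec):
        atype, alen, nonres = struct.unpack_from("<IIB", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if atype == ATTR_DATA and nonres == 0:     # small file: content lives in the MFT
            vlen, voff = struct.unpack_from("<IH", rec, off + 0x10)
            info["resident_data"] = rec[off + voff:off + voff + vlen]
        off += alen
    return info

def build_sample_record(flags: int, payload: bytes) -> bytes:
    # Constructed 1024-byte record (not from a real disk): header, 3-entry USA,
    # one unnamed resident $DATA attribute holding payload, then the end marker.
    rec = bytearray(b"FILE" + b"\0" * 1020)
    struct.pack_into("<HH", rec, 0x04, 0x30, 3)         # USA at 0x30: USN + 2 fixups
    struct.pack_into("<HH", rec, 0x14, 0x38, flags)     # first attribute at 0x38
    struct.pack_into("<IH", rec, 0x2C, 42, 0x0201)      # record number 42, USN 01 02
    body = payload + b"\0" * (-len(payload) % 8)        # attribute bodies are 8-aligned
    alen = 24 + len(body)
    struct.pack_into("<IIBBHHHIHBB", rec, 0x38, ATTR_DATA, alen, 0, 0, 0x18, 0, 0,
                     len(payload), 0x18, 0, 0)
    rec[0x38 + 24:0x38 + alen] = body
    struct.pack_into("<II", rec, 0x38 + alen, ATTR_END, 0)
    struct.pack_into("<I", rec, 0x18, 0x38 + alen + 8)  # used size of record
    for i in (1, 2):                                    # stash sector tails, plant USN
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[i * 512 - 2:i * 512]
        rec[i * 512 - 2:i * 512] = b"\x01\x02"
    return bytes(rec)
```

On a real volume you would feed 1024-byte slices of $MFT to parse_record; a record whose in-use flag is clear but whose attributes are still intact is exactly the "deleted but not yet overwritten" case the question describes.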
1 Answer
Probably the best place to start is with Microsoft Technet. Check out the following article on how NTFS works.
The things you most likely want to dig further into are the master file table, journaling, and possibly some topics on deleted data recovery.
You may learn a good amount by looking at the documentation for forensics tools such as sleuthkit.
You may also want to check out the NIST Publication SP 800-86: Guide to Integrating Forensic Techniques into Incident Response.
Lastly, something which is pretty cool about 'hiding' data in NTFS is Alternate Data Streams. Alternate Data Streams are typically not visible to Windows operating systems, but still take up disk space. They come from the Mac world. IronGeek's Guide is a good place to start understanding ADS.
Recently I reinstalled my system and installed a new SATA hard disk. And I have encrypted some valuable picture files on the old NTFS hard drive. However, under the new installation, I cannot access or copy these files to the SATA drive as it claims Access is denied. How can I get my pictures back and view them as before? Any way to recover encrypted files on NTFS drive?
Basic knowledge about encrypting the file system
Encrypting File System (EFS) provides the core file encryption technology used to store encrypted files on NTFS file system volumes. Using EFS is similar to using permissions on files and folders: both methods can be used to restrict access to data. The difference is that an intruder who gains unauthorized physical access to your encrypted files will receive an access denied message when trying to open or copy them, whereas permissions on files and folders do not protect against unauthorized physical access.
Steps to recover encrypted files on NTFS drive
The efficient and easy-to-use EFS Recovery Tool - EaseUS Data Recovery Wizard offers you a simple encrypted file recovery solution to recover encrypted files from an NTFS drive or an external hard drive. The precondition is that the encryption password must be known or the SAM database must be present (Windows 2000, XP, 2003, Vista, 2008, Windows 7, 8), and the user must have administrator privileges. In the screenshots, the green 'sample2.txt' is an encrypted file on the NTFS drive.
STEP 1. Select the location
Launch EaseUS data recovery software, select the lost NTFS partition and click 'Scan' to look for all the lost and existing files on this NTFS partition.
STEP 2. Scan the NTFS drive or partition
After clicking the 'Scan' button, the software will be able to scan the NTFS partition on its own. Just wait patiently until the scanning process ends.
STEP 3. Recover data from NTFS drive
After the scan, choose the lost data and click the 'Recover' button to get them back from the NTFS partition.
(Please Note: DO NOT save the files to the NTFS partition where you lost the data.)
Note:
- It does not work with FAT partitions. All recovered encrypted files must be copied to an NTFS partition.
- It must be run on the currently installed Windows system.