Chapter 8: Data Recovery in NTFS

Data Recovery Overview: Field of digital forensics focused on recovering lost or deleted data.
- Causes of Data Loss:
- Accidental deletion (e.g., important company documents).
- Hardware failures (e.g., malfunctioning hard drives).
- Software failures.
- Malicious actions (e.g., hacking activities where files are deleted to cover tracks or damage).
Role of Digital Forensics Experts: Skilled in recovering potential data or files using various techniques.
Data Recovery Techniques:
- Special software utilized for data extraction from operational hard drives.
- Complications arise when physical drives are not functioning or are undetectable, necessitating hardware intervention.
- Physical Drives: Different types of drives can complicate data recovery:
- Mounted Flash Drives: Function similarly to magnetic storage in terms of data presentation but differ in physical storage methods.
  - Difficulty in recovery due to internal chip configuration.
- Magnetic Storage Devices: Easier to analyze due to physical disassembly capabilities.
  - Often, only the read/write technology is damaged, allowing for potential data recovery.
- Flash Memory Detection Issues: Contained within a circuit board; chips may need to be soldered out for recovery.
TRIM Command in SSDs: Updates memory cells frequently to prepare blocks for new data.
- Old data is cleared, preparing sectors for reuse.

Introduction to NTFS:
- Adoption: Default file system for Microsoft Windows since 1993.
- First version released with Windows NT 3.1.
- Comparison with exFAT and Older FAT Systems:
- exFAT addresses issues found in FAT, FAT12, FAT16, and FAT32 (e.g., FAT32 max file size of 4GB).
- exFAT is not a journaling file system; often used on SD cards and USB sticks.
Attributes of NTFS:
- NTFS is a journaling file system which provides protection against errors or corruption:
- Tracks writing processes, allowing recovery to a previous file state after failures (e.g., power outages).
- Open Source Capability: NTFS is not open-source; knowledge comes from reverse-engineering its functionality.

Inspection of Existing Files:
- Right-click in Windows Explorer allows for a detailed view of file attributes (e.g., write protection, encryption).
- Deletion Process: Deleted files still retain metadata in the master file table (MFT).
- Access Control Lists (ACL): Support for specifying file access permissions.

Function of MFT:
- Contains metadata for every file (e.g., name, last edited date, size, first cluster address).
- Each record has a fixed size of 1024 bytes.
Key Information for Recovery:
- Allocation Flag: Located at offsets 22 and 23 in each record indicating the status of a file (e.g., allocated or deleted).
- Deleted files are marked as unallocated, making them recoverable unless overwritten.
Hex Editor Usage:
- Can search for master file entries manually, starting with the signature "FILE0" in ASCII.
- First 16 entries are system reservations:
- 1st entry: $MFT (Master File Table)
- 2nd entry: $MFTMir (Mirror for recovery purposes).
- Each record starts with a 48-byte header.

Recuva:
- Free data recovery software written in C++, designed primarily for NTFS.
- Features a graphical user interface, supported on Windows only.
- Users can specify file types, locations, and choose between normal and deep scan modes:
- Normal Scan: Checks MFT for deleted/corrupted files quickly.
- Deep Scan: Uses file carving; slower and does not recover file names.
Supported File Types for Deep Scan:
- Graphics: BMP, JPG, JPEG, PNG, GIF, TIFF
- Microsoft Office (2007): DOCX, XLSX, PPTX
- Microsoft Office (Pre-2007): DOC, XLS, PPT, VSD
- OpenOffice: ODT, ODP, ODS, ODG, ODF
- Audio: MP3, MP2, MP1, AIF, WMA, OGG, WAV, AAC, M4A
- Video: MOV, MPG, MP4, 3GP, FLV, WMV, AVI
- Archives: RAR, ZIP, CAB
- Other file types: PDF, RTF, VXD, URL
Other Recovery Tools:
- Testdisk: Command line tool, designed for partition recovery, assists in recovering damaged boot drives.
- Diskdigger: Free, private-use tool capable of scanning DD-formatted images without installation.
- Glary Undelete: Offers extensive file type support with various filtering options but lacks carving capabilities and includes adware.

Definition of Slack Space:
- Hard drives typically use 512-byte sectors.
- Cluster size varies; standard on NTFS is 4096 bytes (8 sectors combined).
- Smaller files still occupy the entire cluster, leaving unused space (slack).
Types of Slack Space:
- RAM-slack: Occurs when the last bytes of a sector are filled with null bytes due to incomplete file usage.
- Drive Slack: Data remnants from previous file contents in sectors that have been overwritten.
Forensic Implications:
- Understanding and analyzing slack space is essential for digital investigations.
- Drive slack data is generally not permissible in court but may aid investigations (e.g., password keys).
- Criminals might exploit slack space to conceal data, making detection challenging.

Introduction of Alternate Data Streams: Introduced in Windows XP; allows for storing metadata in the $MFT header.
- Each file typically has one unnamed data stream.
- Alternate streams are not visible in standard directory listings and do not affect the file’s size.
Manipulation of Alternate Data Streams:
- Data can be hidden, and it offers methods for creating and reading streams using command line interfaces (CLI).
- Example:
- Creating a file and writing a hidden message in an alternate data stream.
- Viewing the stream does not increase allocated file size or free space on the drive.
Security Tools Compatibility: Many antivirus programs, like Malwarebytes, scan alternate data streams for hidden threats (e.g., Rootkit.ADS).
Windows 8+ PowerShell Usage: Using Set-Content and Get-Content to manage streams; example command:
- Get-Content -Path {path to the file} -Stream {name of the stream}

Links for further reading on data recovery and forensic techniques:
- https://blogs.technet.microsoft.com
- https://www.ccleaner.com/docs/
- http://www.file-recovery.com/
- https://blog.malwarebytes.com/