This subject is particularly interesting, because every single time when we delete data, we search for software that can help us to recover it. Let’s not forget that we have PowerShell, which is the powerful tool that also can help us to recover deleted files from the drive. And everybody has it!
I will show you how custom simple forensic module with a couple of simple commands. We’re going to be able to get this file back!
Above is what my screen looks like right now. We’re going to do a little bit of forensics here.
Anyway, let’s move on.
We’ve got a certain VHDX. I have already attached this, so this is as an X drive. In order to recover the file that has been deleted from the disk, we will, at the very beginning, Import-Module PowerForensics, and we’re going to see what kind of different types of cmdlet we’ve got for that PowerShell Forensics.
Since we’re going to be using different types of tools for file recovery, we are going to try, for example, to use PowerShell, since PowerShell is so widely available.
As you can see, there’s are many different types of Gets, but this Get is enough for us to grab some information that will allow us to recover the file from the drive. At the very beginning, what we’re going to be doing is to display for ourselves any information about all the deleted objects.
For example, we can see the file that has been deleted, which is p.exe. Well, that’s perfect, so what are we going to get there?
Here we can see that this is a record number. Record number is like an inode. We want to display for now a little bit more information about that particular record number. For us, we can show the attributes of a certain file like the allocated size, the real size, which, as you see, they differ, but that’s standard and this is a little bit of information about what we got over here.
What is interesting for us is data run and from that perspective, we will be able to see, of course, a bunch of things related to the data run, which is an information about the file itself. Let’s find out what kind of type of data we’re able to extract over here.
Data run shows us what the starting cluster is and we can see that that’s 8267. We can also know what the cluster length which tells us how big the file is. This one is 130 clusters long.
Well, the good news is that this particular file is actually kept on a disk in one piece. It’s not really split into multiple fragments which, from our demo perspective, also works fantastic. With fragmented files, it’s not really much complicated, but it requires a little bit of more PowerShell commands, which makes the whole process a little bit more error-prone.
Let’s have a look at the other information we can get about the drive. For example, how big is the cluster? Because if we’ve got here information that is 130 clusters long, then maybe we can get a little bit of information how big the cluster is, then we will be able to see just how we are able to recover this file. As you see over here, we’ve got bytes per cluster. Perfect.
Now we are able to run Invoke-ForensicDD. We will use Offset, where we start from that particular identifier, and that’s the size of a cluster. We will get the block size, 130, and multiply it by the size of the cluster. Then, we will save the whole thing into test.exe in the “Analysis” folder. Let’s do that. Let’s select it and F8. Perfect.
We’ve got the recovered file. This is quite nice.
Checking the Usability Of Recovered Files
Now, the question is if this file really works? We can get into our folder and we can try to run test.exe and find out what that is. We can see that this is nothing but PuTTy.
Well, that’s really nice, but taking that into consideration, is it possible, for example, to extract from PuTTy the real size of the file? In a worst case, we can always shorten it because we have only extracted the whole block of data. Executables are forgiving for that kind of activity. We can convert that particular file into the bytes array and, then, we are able to shorten it and so we save this whole bunch of data into new file called test2.exe.
Of course, in this particular case, we can also see that test2 is also PuTTy. It also works fine for us, so that is actually quite nice.
We are able to do in such situation, in the case of test2, verify if we’ve got a signature and also get the signature out of here. While test.exe one didn’t have that, then test2.exe, in this case, did.
At this stage, we are able to, of course, compare this particular file. Let’s do that. We can run our Explorer and here, we can take the test properties. We are able to see over here that, in this case, there is no signature and, in this case, if we go into properties, we’ve got a signature and that signature is valid.
The reason why it’s valid is because we have at this stage, just shortened a file and thanks to that, we were able to get the signature out.
Also, let’s get into a little bit of Forensics here. This is my favorite part. What we’re going to do on that particular X drive is to create over here a bunch of files with wipeme.txt and with the name cqure inside.
Now, what we’re going to do is to wipe the free space on the X drive. Before we do it, we will delete all of the files. We can get into our Explorer, into analysis and let’s get into our X. We’ve got these files, so I’m just going to select them and, then, Shift + Delete. Are you sure you want to permanently delete them? Absolutely. We did that. That’s fine
Now, the question is, are we able to recover these files? Well, technically, yes, but let’s wipe the whole free space, just to make sure that it’s not possible. Let’s do it in case of a X drive. This is exactly what we are doing right now.
Right now, we have wiped all the free space. When we deleted the files on X, all the single unused byte should be written with zeroes and, then, with FF, and then with some kind of a random value.
Let’s recover deleted files from the drive
Do we still have some kind of files on the disk? Let’s find out. Get-ForensicFileRecord and, then, we can see Index 5 that shows we’ve got a root. This is actually quite interesting. If we, for example, change it to 0 and, then, we run the command, then we still are able to see that there is something on a disk, which is actually MFT, which is Master File Table. Master File Table contains information about all the different types of files that have being on this disk.
Why are we getting to this point? Well, actually, I want to show you something interesting. We can get the content of the Master File Table and save it in a particular chosen text file.
At this stage, we can find out what is inside that particular file. In this case, of course, we’ve got a lot of mess, but long story short, we are able to see the content of the previously deleted files.
Now, the question is why? Well, the answer to that is actually quite straightforward. It’s very easy to explain that. The small files, which are up to approximately 700 bytes, fit entirely into the MFT record and sometimes we can basically describe them as resident data. If we, for example, delete such a small file and, then, even though we wipe the unused space, that particular file, because it’s small, stays in the MFT. This is a pretty nice setup if you are thinking about the recovery of the small file, especially if you are doing the forensics so that you are able to always get these little files back.
Now, are we able, for example, to get these files out? Absolutely. This is the result of the whole architecture. These particular files, when we create them like this, are just very small and long story short, they are all in the MFT. This is what I wanted to show you within the Forensics with the PowerShell. As you see, it is actually quite exciting.
Don’t forget to download PowerForensics Module. It’s free and it allows you to make the first step into the forensics of the disks and with PowerShell, which makes it pretty awesome because, at the same time, we learn a little bit of a PowerShell.
This is what I wanted to show you. Now, we are able to not only recover files from the disk by using PowerShell, but also recover small files, even though they could have been overwritten, but they were not because they were in MFT.