This subject is particularly interesting, because every single time when we delete data, we search for software that can help us to recover it. Let’s not forget that we have PowerShell, which is the powerful tool that also can help us to recover deleted files from the drive. And everybody has it!
I will show you how custom simple forensic module with a couple of simple commands. We’re going to be able to get this file back!
We’ve got a certain VHDX. I have already attached this, so this is as an X drive. In order to recover the file that has been deleted from the disk, we will, at the very beginning, Import-Module PowerForensics, and we’re going to see what kind of different types of cmdlet we’ve got for that PowerShell Forensics.
Since we’re going to be using different types of tools for file recovery, we are going to try, for example, to use PowerShell, since PowerShell is so widely available.
As you can see, there’s are many different types of Gets, but this Get is enough for us to grab some information that will allow us to recover the file from the drive. At the very beginning, what we’re going to do is to display for ourselves any information about all the deleted objects.
For example, we can see the file that has been deleted, which is p.exe. Well, that’s perfect, so what are we going to get there?
Here we can see that this is a record number. Record number is like an inode. We want to display for now a little bit more information about that particular record number. For us, we can show the attributes of a certain file like the allocated size, the real size, which, as you see, they differ, but that’s standard and this is a little bit of information about what we got over here.
What is interesting for us is the data run and from that perspective, we will be able to see, of course, a bunch of things related to the data run, which is information about the file itself. Let’s find out what kind of type of data we’re able to extract over here.
Data run shows us what the starting cluster is and we can see that that’s 8267. We can also know what the cluster length which tells us how big the file is. This one is 130 clusters long.
Well, the good news is that this particular file is actually kept on a disk in one piece. It’s not really split into multiple fragments which, from our demo perspective, also works fantastic. With fragmented files, it’s not really much complicated, but it requires more PowerShell commands, which makes the whole process more error-prone.
Let’s have a look at the other information we can get about the drive. For example, how big is the cluster? Because if we’ve got here information that is 130 clusters long, then maybe we can get a little bit of information how big the cluster is, then we will be able to see just how we are able to recover this file. As you see over here, we’ve got bytes per cluster. Perfect.
Now we are able to run Invoke-ForensicDD. We will use Offset, where we start from that particular identifier, and that’s the size of a cluster. We will get the block size, 130, and multiply it by the size of the cluster. Then, we will save the whole thing into test.exe in the “Analysis” folder. Let’s do that. Let’s select it and F8. Perfect.
We’ve got the recovered file. This is quite nice.
Checking the Usability Of Recovered Files
Now, the question is if this file really works? We can get into our folder and we can try to run test.exe and find out what that is. We can see that this is nothing but PuTTy.
Well, that’s really nice, but taking that into consideration, is it possible, for example, to extract from PuTTy the real size of the file? In a worst case, we can always shorten it because we have only extracted the whole block of data. Executables are forgiving for that kind of activity. We can convert that particular file into the bytes array and, then, we are able to shorten it, and so we save this bunch of data into a new file called test2.exe.
Of course, in this particular case, we can also see that test2 is also PuTTy. It also works fine for us, so that is actually quite nice.
We are able to do in such situation, in the case of test2, verify if we’ve got a signature and also get the signature out of here. While test.exe one didn’t have that, then test2.exe, in this case, did.
At this stage, we are able to, of course, compare particular file. Let’s do that. We can run our Explorer and here, we can take the test properties. We are able to see over here that, in this case, there is no signature and, in this case, if we go into properties, we’ve got a signature and that signature is valid.
The reason why it’s valid is that we have at this stage, just shortened a file and thanks to that, we were able to get the signature out.
Also, let’s get into forensics here. This is my favorite part. What we’re going to do on that particular X drive is to create over here a bunch of files with wipeme.txt and with the name cqure inside.
Now, what we’re going to do is to wipe the free space on the X drive. Before we do it, we will delete all the files. We can get into our Explorer, into analysis and let’s get into our X. We’ve got these files, so I’m just going to select them and, then, Shift + Delete. Are you sure you want to permanently delete them? Absolutely. We did that. That’s fine
Now, the question is, are we able to recover these files? Well, technically, yes, but let’s wipe the whole free space, just to make sure that it’s not possible. Let’s do it in case of a X drive. This is exactly what we are doing right now.
Right now, we have wiped all the free space. When we deleted the files on X, all the single unused byte should be written with zeroes and, then, with FF, and then with some kind of random value.
File recovery matters but it isn’t all you need. If you want to get even deeper dive into forensics, check out Forensics & Prevention Mastery Course FREE TRIAL.
Let’s recover deleted files from the drive
Do we still have some kind of files on the disk? Let’s find out. Get-ForensicFileRecord and, then, we can see Index 5 that shows we’ve got a root. This is actually quite interesting. If we, for example, change it to 0 and, then, we run the command, then we still are able to see that there is something on a disk, which is actually MFT, which is Master File Table. Master File Table contains information about all the different types of files that have to be on this disk.
Why are we getting to this point? Well, actually, I want to show you something interesting. We can get the content of the Master File Table and save it in a particular chosen text file.
At this stage, we can find out what is inside that particular file. In this case, of course, we’ve got a lot of mess, but we are able to see the content of the previously deleted files.
Now, the question is why? Well, the answer to that is actually quite straightforward. The small files, which are up to approximately 700 bytes, fit entirely into the MFT record, and sometimes we can basically describe them as resident data. If we, for example, delete such a small file and, then, even though we wipe the unused space, that particular file, because it’s small, stays in the MFT. This is a pretty nice setup if you are thinking about the recovery of the small file, especially if you are doing the forensics so that you are always able to get these little files back.
Don’t forget to download PowerForensics Module. It’s free and it allows you to make the first step into forensics and PowerShell. Are you in high need of another tool?
*co-author Grzegorz Tworek
Check what we’ve got in the Free CQURE Toolkit