The Coroner's Toolkit–How The FBI Recovers Deleted Files Using Free Software

The FBI recovers deleted files to help with investigations and prosecution. Bad guys will never stop trying to cover their tracks by deleting files–so the good guys developed a suite of free tools that let anyone recover deleted files. The tools presented in this article were used in FBI investigations that processed 1,756 terabytes of data as part of over 4,500 cases in 2009, the most recent year for which data is available.

Recovering Deleted Files Basics: What Happens When A File Gets Deleted

For whatever reason, you decide to delete the file foo.docx from your computer. You open Windows Explorer, go to the directory holding foo.docx, highlight the file, and press the delete key on your keyboard. Sometime later–maybe minutes later, maybe weeks later–you clear out your Trash folder. As far as Windows is concerned, this means you want to permanently delete foo.docx, so Windows gets to work:

  1. Windows checks to see if the file appears in multiple directories, a feature borrowed from Unix and Linux called hard links. If the file exists in multiple locations, Windows doesn’t delete the file–it just removes its entry from your Trash directory.
  2. Windows puts a note in its journal that foo.docx should be deleted. It may sound silly for an operating system to have a journal, but the journal ensures that the computer can quickly recover if there’s a sudden crash or power loss.
  3. Windows opens up the Master File Table (MFT), finds foo.docx, and removes its entry. Note: this does not delete the file's data; it just makes it impossible for Windows to find the file anymore.
  4. Windows removes the note it put in its journal earlier. Windows is done deleting foo.docx.

After the file is deleted, all of its data still exists on your disk drive. There’s just no record of where the file is on your disk drive, so standard programs can’t find it.

The Four Secrets To Recovering Deleted Files

Secret One: The sooner you try to recover a file after it's been deleted, the greater your chance of success. That’s because Windows will write new files on top of old, deleted files. Once a new file gets written on top of the deleted file, there’s no way to recover the whole deleted file.

If you just deleted a file that you really need, you can almost guarantee it won’t be overwritten by immediately unplugging your computer from the wall. Of course, this means none of the other open files on your computer will be saved.

Secret Two: Smaller files are easier to recover than bigger files. That’s because the Windows filesystem (NTFS) splits files into fragments to make full use of the space on your disk drive. Smaller files have fewer fragments, making it easier to find all the parts of the file. The ideal number of fragments is one.

A useful corollary is that you’ll have better success retrieving deleted files if you regularly defragment your drive. After defragmenting, almost every file will have only one fragment.

Secret Three: You need to know the type of file in order to recover it. The only place the filename is stored on Windows is the Master File Table (MFT), so you can’t search for files by filename after the file is removed from the MFT. You need to know what type of file it is in order to find it–in our example, we assume foo.docx was a Microsoft Word 2007 or 2010 file.

Secret Four: You need to ensure the disk drive runs as read-only before you attempt to recover files. This is to prevent Windows from overwriting the file you want to recover. Many USB drives and some USB disk drive enclosures have a read-only switch–this works great: safely remove the drive or unplug the USB cord like usual, toggle the switch, and reinsert the drive or cord.

Some internal disk drives have a read-only switch, although you may need to mess with electric jumpers to toggle it. Unfortunately most internal disks don’t have a read-only switch and, what’s worse, Windows doesn’t like to boot from a read-only disk. We’ll deal with this problem in the next section.
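To make the deletion steps and Secrets One and Three concrete, here is an added Python example; it is not part of the original article and is not code from The Sleuth Kit or Autopsy. It models a volume as a byte array with a file table standing in for the MFT, deletes a constructed .docx the way step 3 describes (the entry goes, the data stays), carves the file back by its ZIP signature rather than by name, and then shows that a later write onto the freed clusters destroys it. The cluster size, image size, file names and file contents are all constructed for the demo.

```python
# Added example (not from the article or from TSK/Autopsy): a toy volume that
# models the article's deletion steps and Secrets One and Three.
# Cluster size, image size and the sample .docx contents are constructed.
import io
import struct
import zipfile

CLUSTER = 4096                    # bytes per cluster (the NTFS default)
IMAGE_CLUSTERS = 64               # toy image: 64 clusters = 256 KiB
ZIP_LOCAL_HEADER = b"PK\x03\x04"  # a .docx is a ZIP archive and starts with this
ZIP_EOCD = b"PK\x05\x06"          # the end-of-central-directory record closes it


class ToyVolume:
    """A bytearray 'disk' plus a file table standing in for the MFT."""

    def __init__(self):
        self.disk = bytearray(CLUSTER * IMAGE_CLUSTERS)
        self.table = {}                              # name -> (first cluster, length)
        self.free = set(range(1, IMAGE_CLUSTERS))    # cluster 0 reserved for boot data

    def _alloc(self, n):
        # Lowest-addressed run of n contiguous free clusters (a one-fragment file).
        run = []
        for c in sorted(self.free):
            run = run + [c] if run and c == run[-1] + 1 else [c]
            if len(run) == n:
                self.free -= set(run)
                return run[0]
        raise OSError("volume full")

    def write(self, name, data):
        start = self._alloc((len(data) + CLUSTER - 1) // CLUSTER)
        self.disk[start * CLUSTER : start * CLUSTER + len(data)] = data
        self.table[name] = (start, len(data))
        return start

    def delete(self, name):
        # Step 3 of the article: the MFT-style entry goes and the clusters are
        # marked free again, but not one byte of file content is touched.
        start, length = self.table.pop(name)
        self.free |= set(range(start, start + (length + CLUSTER - 1) // CLUSTER))


def make_docx(text):
    """A minimal Word-2007-style ZIP container (constructed sample, not a real .docx)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", f"<w:document><w:t>{text}</w:t></w:document>")
    return buf.getvalue()


def carve_zip(disk):
    """Return (cluster, bytes) for every intact ZIP archive found by signature.

    Secret Three in code: no filename survives, so the carver keys on the file
    type's header. It checks only cluster boundaries, where NTFS starts files.
    """
    found = []
    for cluster in range(IMAGE_CLUSTERS):
        off = cluster * CLUSTER
        if disk[off : off + 4] != ZIP_LOCAL_HEADER:
            continue
        end = disk.find(ZIP_EOCD, off)          # archive ends after the EOCD record
        if end == -1:
            continue
        comment_len = struct.unpack_from("<H", disk, end + 20)[0]
        candidate = bytes(disk[off : end + 22 + comment_len])
        try:
            with zipfile.ZipFile(io.BytesIO(candidate)) as z:
                if z.testzip() is None:          # every CRC matches: the carve is whole
                    found.append((cluster, candidate))
        except zipfile.BadZipFile:
            pass                                 # header was there, archive was not
    return found


def recovered_text(blob):
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        return z.read("word/document.xml").decode()


def demo():
    """Delete foo.docx, carve it back, then lose it to a later write (Secret One)."""
    vol = ToyVolume()
    vol.write("foo.docx", make_docx("quarterly numbers"))
    vol.delete("foo.docx")
    assert "foo.docx" not in vol.table           # Windows can no longer find it
    before = carve_zip(vol.disk)                 # but the carver still can
    vol.write("notes.txt", b"meeting notes\n" * 300)   # reuses the freed clusters
    after = carve_zip(vol.disk)
    text = recovered_text(before[0][1]) if before else None
    return len(before), len(after), text


if __name__ == "__main__":
    print(demo())   # (1, 0, '<w:document><w:t>quarterly numbers</w:t></w:document>')
```

The carver validates each hit by checking every entry's CRC, which is why a file whose clusters have been partly reused is reported as not recoverable rather than returned as a corrupt archive; that is the same reason Secret One matters in practice.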

How the FBI Recovers Deleted Files

The original set of programs for low-level file recovery is called The Coroner’s Toolkit (TCT). TCT was incorporated into two more advanced toolkits, The Sleuth Kit (TSK) and Autopsy, which are described here.

Despite their morbid names, TSK and Autopsy are vibrant tools capable of assorted tasks. They don’t run on Windows directly–you need to run them from a Linux live DVD or a virtualization program like VMWare. This won’t remove or damage your Windows installation, and it lets you access your drive in read-only mode.

Although there are many Linux live DVDs and virtual environments that contain TSK and Autopsy, we suggest BackTrack Linux available at backtrack-linux.org. Unless you’re familiar with VMWare, you should download the DVD ISO image and burn it to a DVD. Then place the DVD in the computer with the deleted file and reboot.

After BackTrack finishes loading, you’ll find a stylized K where the Start menu usually appears in Windows. Click the K, go to the BackTrack menu, go to the Digital Forensics menu, and choose Launch Autopsy. Then open the Web Browser (a globe icon next to the K icon) and browse to http://localhost:9999/autopsy.

Autopsy is an easy-to-use HTML-based frontend to the dozens of commands in TSK. On the main screen of Autopsy, you want to create a New Case, then follow the menus. When you get to the File Analysis screen, choose “Show All Deleted Files”. It will take a long time for all of the files to appear–TSK must scan every unused bit of your disk drive to see if it contains a deleted file. You can expect the process to take about 1 minute for every 10 GB on your disk drive.

After TSK finds all the deleted files, you can sort through them to find the file you need. Then all you need to do to recover the deleted file is click on its link and save it.

Sometimes a hard disk has failed and must be fixed before these tools can be used at all; only then can you proceed to get your files back the way the FBI recovers deleted files.

Comments

  1. Scott

    The TSK is awesome! Great article and very well written David. That is a great application for our toolkit.

    Have a great one!
    Scott

  2. Mahesh

    This is the best article I have ever read. But I have a question: some of the file recovery programs do not ask for the file extension, so do I really need to remember the file extension, e.g., .docx?

  3. Stephen

    I am really careful about what files I delete and I always double-check to see if it’s something important.
    However I know many users that are new to operating a computer are likely to delete an important file. Unfortunately they have no idea if or how they can recover these files.
    Stephen.

  4. Erica

    Thanks for the explanation! I didn’t know that deleted files can still be recovered.. But what if the disk has been formatted? Would there still be chance to recover files?

  5. Another great article about file recovery.
    But what if you use a program to really delete files?
    I assume all the program does is delete the file and then overwrite the space with something blank.
    Then the FBI can’t recover the files? Or do I have to dissolve the hdd in acid to be sure?
    Not that I have anything to hide from the fbi of course, it is just hypothetical. 🙂 *whistles innocently*

    • Mitz

      Pretty much writing over the space where the file was does the job. Especially a few times over. There is no need to soak it in acid.

      • qsabe

        Overwriting data is only good if the heads on the machine used to recover are the same heads used on the machine to recover, but old dos programmers know that heads don’t align perfectly on all machines, so the data can be recovered by reading from a slightly offset head on both sides of the disk track. Best to use a hammer followed by a fire, then placing under an electron magnet at the local junk yard. Or you could just not create anything incriminating to start with.

  6. zolar1

    This is quite nice IF you are looking at simple Windows stuff.

    The best way is to encrypt the hard drive under Linux, encrypt any files via double encryption, and use a RAMDRIVE if at all possible.

    You *could* use an encrypted Linux file system, run VMWARE with XP installed and then encrypt both that virtual hard drive and the file.

    If necessary, you can use PAQ8 to compress the file further. File compression can make things hard to extract information.

    Just remember, the more encryption you have the SLOWER it will be to both encrypt and decrypt the information.

    Win7 has bitlocker and from what I read it is a highly encrypted system.

    But you *could* look here as well:
    htp://albanianwizard.org/gnupg-create-keys-over-4096-bit-stronger-encryption.albanianwizard

    • zolar1

      PS I forgot you can use a program like evidence eliminator for regular hard drives. It uses magnetic underwriting technology to ensure permanent and unrecoverable erasure.

      It takes *FOREVER* to wipe a whole hard drive. Best is to put sensitive things on a flash drive and if things turn sour, you could always burn it on the stove…

      Also, I do not know if this works on flash memory or not.

  7. Dennis

    David,
    Many people still think once files are deleted from the recycle bin it's over. That explains why there are so many businesses in the neighborhoods offering data recovery services, but really anyone can recover their data with the right tools and knowledge, which you have generously shared here 🙂
