Understanding Data Deletion and Data Recovery in Windows

Izazi Mubarok SST, MSc, CHFI, CEH, ACE, OFCE, CISA, CDSS
Copyright © Izazi Mubarok – Understanding Data Deletion and Data Recovery in Windows | FORKRIPT TALKS 1 BSSN 2021 www.forensor.com 1 1
About me
1 Professional Experiences
1. Chairman of AFDI
Outline
2. Chief of Tax Forensics at DGT
3. Digital Forensics Investigator (±10 years)
4. Founder of Forensor.com
5. Assessor of Digital Forensics Labs at KAN, BSN Understanding Type of Data
2 Education
Master in Forensic Computing and Cybercrime Investigation, Deletion in Windows
University College Dublin, Ireland (First Class Honours)
3 Professional Certification
1. Computer Hacking Forensic Investigator (CHFI)
2. Certified Ethical Hacker (CEH)
3. AccessData Certified Examiner (ACE)
Understanding Type of Data
4. Oxygen Forensic Certified Examiner (OFCE) Recovery in Windows
5. Certified Information System Auditor (CISA)
6. Certified Data Science Specialist (CDSS)
4 Overseas training
1. Benchmarking Study on Digital Forensics, USA • Recovering file from $Recycle.bin
2. Counterpart Training on Criminal Investigation, JAPAN
3. Digital Economy, Turkey
• Recovering file from exploring raw data on NTFS
5 Teaching/Sharing Experiences • Creating your own scripts to data carving
1. Government: BSSN, TNI AD, Polda Jatim, PPATK, KPK, OJK,
Itjen DKI, Itjen Kemenag RI, DJP, etc.
2. Private Sec: Banks, Insurance, etc.
3. University: UI, UNDIP, UMP, Gunadharma, etc.
Forensic Computing and Cybercrime Investigation
Data &
Computer Mobile Phone Live Data
Database
Forensics Forensics Forensics
Forensics
Money
Network VoIP & Wireless Malware
Laundering
Investigation Investigation Investigation
Investigation
Programming Advanced
Linux For Advanced
for Investigators Computer
Investigators Scripting [Linux]
[Python] Forensics
The Role of Digital Forensics
Digital Digital Digital

Digital Era
Crime Forensics Evidence
• Technology • Cyber incident • Principles (ISO 27037; ACPO) • Rules of evidence

• Individuals, • Cyber crime or • Standard/best practices (ISO (ISO 27037; UU ITE)
businesses and Cyber-related 27037/27042; ACPO; NIJ; NIST, • In the form of a file
organizations crime SWGDE, etc.) or a collection of
• Benefit or loss; • Internal fraud • Resources (personnel, tools, files
opportunities or facility, methodology/ process) • File Signature
threats • Aims: 1) preserve 2) recovery • Digital Fingerprint
3) reconstruct • Metadata
• Content
File is so meaningful as it has at least four!
File Signature
Digital Fingerprint
Metadata
Content
What do we look for?
File Signature
Digital Fingerprint
Metadata
Content
File is organized by File system
File Signature File System • Allocates space on

Manages disk for files and
file maintains this space
storage so that it may not be
Digital Fingerprint overwritten
Metadata Stores • Time: Modified;

Metadata Accessed; Created
a set of structures that about the • Size; Permissions;
Content is used to control how file Attributes, etc.
information is stored
on a disk
Windows File system
NTFS
special
files
How to delete a file in Windows?
1. Drag and drop file into Recycle Bin
2. Select file, press “Delete” key
3. Select file, right-click, select
“Delete” option
Send to Recycle Bin
4. Select file, press “Shift” and
“Delete” keys
5. Select file, right-click, press “Shift”
key and select “Delete” option
6. Delete file from command line
Moved Permanently from

the Filesystem
Copyright © Izazi Mubarok – Understanding Data Deletion and Data Recovery in Windows | FORKRIPT TALKS 1 BSSN 2021 www.forensor.com 1010
Send to • Drag and drop file into Recycle Bin

• Select file, press “Delete” key
Recycle Bin • Select file, right-click, select “Delete” option
Delete file • Select file, press “Shift” and “Delete” keys

• Select file, right-click, press “Shift” key and select “Delete”
from the file option
system • Delete file from command line
How to recover a file deleted in Windows?
Send to • Drag and drop file into Recycle Bin

File system Recovery make use of the file system
• Select file, press “Delete” key information that remains after
(Restore)
Recycle Bin deletion of a file
• Select file, right-click, select “Delete” option
Delete file • Select file, press “Shift” and “Delete” keys

deals with the raw data on the
• Select file, right-click, press “Shift” keyand
anddoesn’t
selectuse“Delete”
from the file option Data Carving media the file
system structure during its process
system • Delete file from command line
Recovering file from $Recycle.bin
File Recycling Recycle Bin on NTFS drives SID Named Folder
Not permanently deleted
Renamed and moved to a hidden folder
Can be restored to its original name and

location
Each logical drive has hidden recycle bin

folder for files recycled from that drive
Recycle Bin folder structure is different on $I = metadata

FAT and on NTFS drives
$R = actual recovery data
$IYB6LR4.txt Have fixed size of 544 bytes
Date & time of recycling

Size of $R… file in bytes
(Windows 64-bit timestamp)
Original name and location of $R… file in Unicode
Case study: Forensics Analysis of a File $IYB6LR4.txt
Name : $IYB6LR4.txt
File Size : 544 bytes
Physical Size : 544 bytes
Date Accessed : 4/25/2020 1:49:13 AM
Date Created : 4/25/2020 1:49:13 AM
Date Modified : 4/25/2020 1:49:13 AM
Size of $RYB6LR4.txt file in bytes
64-bit LE Value A6 01 00 00 00 00 00 00
01 A6 = 422 bytes
Date & Time of Recycling
Decode Hex Value 40 EA 9A B8 A3 1A D6 01
Sat, 25 April 2020 01:49:13 UTC
Convert Hex Value to Unicode
E:\Folder B\Select file, press “Delete” key.txt

Case study: Forensics Analysis of a File $RYB6LR4.txt
Name : $RYB6LR4.txt
File Size : 422 bytes
Physical Size : 422 bytes
Date Accessed : 4/25/2020 12:15:08 AM
Date Created : 4/25/2020 12:15:08 AM
Date Modified : 4/25/2020 12:15:08 AM
Original name :
Select file, press “Delete” key.txt
Path :
E:\Folder B\Select file, press “Delete” key.txt
Size : 422 bytes
Date & Time of Recycling :
Sat, 25 April 2020 01:49:13 UTC
Deleted by Owner SID :
S-1-5-21-2869703517-4213650454-
673425579-1001 (forensor)
Recover file from exploring raw data on NTFS
Disk Structure Size on disk Number system Raw Data
• Master Boot • Bits • Binary; Dec; Hex • Hex Dump

Record (MBR) • Byte • Convert Hex to • Locate bytes in
• Partition • Sector Decimal Hex
• Cluster • Negative value • Little/Big Endian
Logical disk structure

Partition table is located in the MBR
Gives start and size of each partition
Four primary partitions can be created
Partitions are area than can be used to store a file system
Information storage

Bits (Binary Digits) is (0;1)s as data stored on computer
Bytes consist of 8 bits
Sector is the basic disk unit, usually contains 512 data bytes
A cluster is composed of a number of sectors (basic unit to store a file)
Number system

Binary Digits: 0, 1
Decimal Digits: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
Hex Digits: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F
Representing textual-information

Locate a byte at offset 0x1E?
Convert to Decimal
Interpret to ASCII/Unicode
SK
Multi-bytes value in little endian

Locate
Disk2Structure
bytes, little-endianSize
at offset
on disk0x1A? Number system Raw Data

Convert multi-bytes value of hex
Convert the multi-bytes value
Disk Structure Sizeof
on0x0080
disk to decimal?
Number system Raw Data

SK
Recovering Files & Gathering Metadata
Interpreting Master Boot Record
Interpreting $BOOT Structure
Analyzing $MFT File Record Entries
Extracting files from $DATA attribute
Extracting metadata from $STANDARD_INFORMATION
Search all file signature (hex) of $MFT. Check each of $MFT from
the last result
Search for filenames that start with “$I” in $FILE_NAME
Open image using HXD attribute (3000 000)
Read MBR (sector 0 on image/disk, size 512b) Get the original filename in $DATA attribute (8000 000)
Search for filenames that start with “$R” in $FILE_NAME

Find Partition Table (offset 0x1BE, size 64b) attribute (3000 000)
Copy/Save as Partition Table Find $DATA attribute (8000 000) and save the attribute
Get 64 bytes of partition table Find $STANDAR_INFORMATION attribute (1000 000) and save the
attribute
Check offset 0x04, find the ID type NTFS (07)
If Non-Resident (0x08 value 0x01), check value 0x20 for the offset
Find the starting sector of Partition (4 bytes offset 0x08)
of the Run List
Get the number of sector (4 bytes offset 0x0C)
Interpret the Run List to get starting cluster of file and get the
Go to the starting sector of NTFS, add number of sectors & save NTFS number of cluster used
Extract data (hex) from the starting cluster (Run List) and add
Get the size of sector (2 bytes offset 0x0B) Logical Size (8 bytes offset 0x30)
Get the number sectors per cluster (1 byte offset 0x0D)
Find the size (4 bytes offset 0x10) and offset to the attribute
Calculate size per cluster (in bytes) stream (2 bytes offset 0x14)
Find metadata (Creation; Modification, $MFT Modification; Last
Get the starting cluster for $MFT (8 bytes offset 0x30) Access and each 8 bytes) and decode using Dcode
Create your own scripts to data carving
Use Data Recovery apps

(commercial, free, open source)
or
Write a script to carve a file from a
raw dd image, particularly from
unallocated space
Summary
Digital Forensics help us to preserve and recovery Digital Evidence, and
reconstruct any Digital Crime.
Understanding several types of data deletion in windows is good for us

to know what really happens with the files deleted in windows and
then to select the best method to recover the files.
As the Digital Forensics is a science, understanding several types of

data deletion in windows is also important for us to develop our own
methods or even apps.
izazi@forensor.com
izazi.mubarok@afdi.or.id
+62 852 8647 0009
Contribute to developing our nation 🇮🇩


Understanding Data Deletion and Data Recovery in Windows

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Understanding Data Deletion and Data Recovery in Windows

Uploaded by

Copyright:

Available Formats

Izazi Mubarok SST, MSc, CHFI, CEH, ACE, OFCE, CISA, CDSS

Digital Digital Digital

• Technology • Cyber incident • Principles (ISO 27037; ACPO) • Rules of evidence

File Signature File System • Allocates space on

Metadata Stores • Time: Modified;

Send to Recycle Bin

Moved Permanently from

Send to • Drag and drop file into Recycle Bin

Delete file • Select file, press “Shift” and “Delete” keys

Send to • Drag and drop file into Recycle Bin

Delete file • Select file, press “Shift” and “Delete” keys

Not permanently deleted

Renamed and moved to a hidden folder

Can be restored to its original name and

Each logical drive has hidden recycle bin

Recycle Bin folder structure is different on $I = metadata

Date & time of recycling

Original name and location of $R… file in Unicode

E:\Folder B\Select file, press “Delete” key.txt

• Master Boot • Bits • Binary; Dec; Hex • Hex Dump

• Master Boot • Bits • Binary; Dec; Hex • Hex Dump

Partition table is located in the MBR

Gives start and size of each partition

Four primary partitions can be created

Partitions are area than can be used to store a file system

• Master Boot • Bits • Binary; Dec; Hex • Hex Dump

Bits (Binary Digits) is (0;1)s as data stored on computer

Bytes consist of 8 bits

A cluster is composed of a number of sectors (basic unit to store a file)

• Master Boot • Bits • Binary; Dec; Hex • Hex Dump

• Master Boot • Bits • Binary; Dec; Hex • Hex Dump

Multi-bytes value in little endian

• Master Boot • Bits • Binary; Dec; Hex • Hex Dump

• Master Boot • Bits • Binary; Dec; Hex • Hex Dump

Recovering Files & Gathering Metadata

Interpreting Master Boot Record

Interpreting $BOOT Structure

Analyzing $MFT File Record Entries

Extracting files from $DATA attribute

Extracting metadata from $STANDARD_INFORMATION

Search for filenames that start with “$R” in $FILE_NAME

Use Data Recovery apps

Understanding several types of data deletion in windows is good for us

As the Digital Forensics is a science, understanding several types of

Contribute to developing our nation 🇮🇩

You might also like