
View Full Version : Recovering deleted files from HDD


Zilot
March 9th, 2008, 06:25
Hi,

I need some hints about the following. There is an HDD with erased data; I used Active Undelete and could find the data I'm interested in recovering. But the problem is with the recovered files: undelete says the files are in good condition (not overwritten), but when I recover them and open them in a hex editor I see only a junk of bytes. For example, instead of a text file (which it should be, according to the .txt extension) it is just junk bytes.

So my question: is it a practice to use a tool for deleting data that first encrypts the data and then deletes it? Or is this something due to the NTFS file system or so? The HDD is NTFS formatted.

Here (in the attachment) I have the original .txt file, and one recovered with undelete tools (I tried several undelete tools, and the results are the same with all of them).

If anyone can see what the issue is here, I'd appreciate it.

dELTA
March 9th, 2008, 07:09
First of all, yes, there are a bunch of tools out there for "secure deletion". For example the PGP suite has its "wipe" function, and I think e.g. the Symantec/Norton System Utils also has one, at least it did before. They will overwrite all the contents of the file with junk data before finally performing a normal "delete" on the file system level, and this in turn makes it extremely hard to recover the files. There are "rumors" or theories that e.g. the NSA etc. can recover such files by exploiting inexactness in the positioning of the magnetic heads on the hard disks etc., but there are also special NSA-developed data writing patterns to counter this type of attack too. At least, "private sector" data recovery professionals like Ibas claim not to be able to recover overwritten data like this at all.

Anyway, file recovery is not an exact science, but rather probabilistic (you can't see any usage history for each sector, only the current status), so even if one file is reported to be in "good" condition, there might still be a chance that it has been subsequently overwritten by something else, and then freed again. So, I'd try to recover a bunch of files and see if they're all similarly garbled before jumping to the conclusion that secure deletion software has been used.

One program I've used for recovering deleted files on NTFS is "File Scavenger", which was pretty good at the time. I'm sure there are many others though.

naides
March 9th, 2008, 07:30
Just a couple of "pointless" observations:

-At least one feature of the file was conserved: the size. If the file sectors were indeed used and then released, the job was extraneously neat in that detail.
-The garbage you see in the recovered file does not look like a random pattern (good encryption should look random): there are definite patterns in it: alphabetic series, numeric series.

dELTA
March 9th, 2008, 07:39
Securely deleted files are normally not "encrypted", but rather overwritten with just that: special patterns, which might very well be recognizable as such.

Zilot
March 9th, 2008, 10:49
Yes, the file size and creation date are conserved in the recovered file. This is not the only file I have for comparison; several directories containing various files were treated in the same manner, and I have original versions of them (I'm not sure if all of them are 100% the same, so I'd like to find a way to somehow restore the original content of the encrypted files).

Probably the encryption tool worked in a manner that took the files one by one from the directory and applied some algorithm.

If anyone has a hint (has dealt with similar stuff at some time), I'd appreciate it very much.

OHPen
March 10th, 2008, 03:51
Hi Zilot,

I agree with naides. Your files are probably not encrypted, and even if they are, it looks like bad encryption.

Can you provide a bit more information:

- Do you have raw access to the disk you want to recover data from? If so, dump a bunch of megabytes and take a look at them in your favourite hex editor. If you really have to deal with encrypted, deleted files then there should be junk everywhere. (Searching for some known pattern, like the contents of some text files, should be sufficient.)

- If the files are encrypted, do you have a possibility to get the name of the encryption tool (maybe your customer knows it??)? If you don't, it will be very difficult to restore the original (maybe you have a chance if you have enough "plaintext" to attack the encryption, but it's pretty difficult).

- Are you sure that the files you provided, especially the recovered one, are from the right place on the disk? Maybe you have adverse circumstances concerning the reconstruction of your data. You should ensure that you are working with the correct data before you start intensive recovery.

Regards,

OHPen
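A worked example of the two checks suggested in this thread so far: naides' observation that the garbage shows visible patterns rather than looking random, and OHPen's suggestion to dump raw bytes and search them for a known plaintext. This is added example code, not a tool from the thread and not the attachment; the "disk image", the text file contents, the wipe pattern and the offsets are all constructed here for illustration. It runs against an in-memory image; on a real box you would pass an open raw device (e.g. `\\.\PhysicalDrive1` on Windows, `/dev/sdb` on Linux, both needing administrator/root rights) to `scan_stream` instead.

```python
import io
import math
import random
from collections import Counter

# --- constructed sample data (not the thread's attachment) -------------------
ORIGINAL_TXT = b"Quarterly report draft: revenue figures attached.\r\n"
WIPE_PATTERN = b"\x92\x49\x24"   # a fixed 3-byte pattern, as secure-wipe tools use


def build_sample_image():
    """Build a small fake raw disk image (constructed): one intact copy of the
    text file, a cluster run overwritten with a fixed pattern, a run of random
    bytes (what encrypted or random-wiped data looks like), and a second intact
    copy of the text file."""
    rng = random.Random(1)  # seeded so the example is reproducible
    intact = ORIGINAL_TXT + b"\x00" * (512 - len(ORIGINAL_TXT))  # one padded sector
    return (
        b"\x00" * 512                                        # offset 0:    unused
        + intact                                             # offset 512:  original file
        + WIPE_PATTERN * 1024                                # offset 1024: wiped (3072 bytes)
        + bytes(rng.getrandbits(8) for _ in range(4096))     # offset 4096: random
        + intact                                             # offset 8192: second copy
    )


def scan_stream(fobj, needle, chunk_size=1 << 20):
    """Return absolute offsets of every occurrence of `needle` in a raw stream.
    Reads in chunks and carries len(needle)-1 bytes of overlap so a match that
    straddles a chunk boundary is still found and never counted twice."""
    hits, overlap, carry, base = [], len(needle) - 1, b"", 0
    while True:
        chunk = fobj.read(chunk_size)
        if not chunk:
            return hits
        buf = carry + chunk
        start = 0
        while (i := buf.find(needle, start)) >= 0:
            hits.append(base + i)
            start = i + 1
        carry = buf[-overlap:] if overlap else b""
        base += len(buf) - len(carry)


def scan_image(data, needle, chunk_size=1 << 20):
    """Convenience wrapper: scan an in-memory image with the same chunked logic."""
    return scan_stream(io.BytesIO(data), needle, chunk_size)


def shannon_entropy(data):
    """Bits per byte. English text is roughly 4-5; encrypted, compressed or
    random data is close to 8; a fixed short pattern is well below 2."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def smallest_period(data, max_period=64):
    """Smallest p such that the block is its first p bytes repeated (at least
    two full periods required); None if no short period exists."""
    for p in range(1, min(max_period, len(data) // 2) + 1):
        if data[p:] == data[:-p]:
            return p
    return None


def classify(data):
    """Label a carved block as 'pattern' (fixed overwrite pattern), 'random'
    (encryption or a random-data wipe) or 'plain' (ordinary file content).
    Returns (label, period or None, entropy in bits/byte)."""
    h = shannon_entropy(data)
    p = smallest_period(data)
    if p is not None:
        return ("pattern", p, h)
    if h > 7.5:          # threshold suited to blocks of a few KB
        return ("random", None, h)
    return ("plain", None, h)


if __name__ == "__main__":
    image = build_sample_image()
    for off in scan_image(image, b"Quarterly report", chunk_size=530):
        print(f"known plaintext found at offset 0x{off:x}")
    for name, start, size in (("original", 512, 512), ("wiped", 1024, 3072), ("random", 4096, 4096)):
        print(name, classify(image[start:start + size]))
```

The point of the classifier is the one naides made: a wiped file reads as a short repeating period (or constant bytes), while a properly encrypted file reads as near-8-bit entropy with no period. If the pattern search finds the plaintext somewhere else on the disk, that copy (an earlier version, a temp file, a pagefile fragment) is what you carve, not the "recovered" one.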

Zilot
March 11th, 2008, 03:09
I have full access to that HDD; it is a 100% working HDD and my intention is just to try to recover those files.

I tried to find such a tool (for encryption) but couldn't; I thought it was uninstalled after the file deletion and searched through the registry for the software, but nothing.

Quote:
- Are you sure that the files you provided, especially the recovered one, are from the right place on the disk? Maybe you have adverse circumstances concerning the reconstruction of your data. You should ensure that you are working with the correct data before you start intensive recovery.


I don't understand this. The undelete software says that; is there a manual way to find that out? I think the method of searching for some known pattern is the best; propose me some tool for ripping raw bytes from the HDD.

Tell me next: if an external USB HDD was plugged in and one deleted files from it (if the recycle bin was turned on), where will the system store the deleted files, on that HDD or on some internal one? Is there any issue if you delete files from a FAT partition that would make them appear encrypted (or screwed up)?

dELTA
March 12th, 2008, 04:13
I don't think the standard recycle bin works on USB disks.

And I'm not completely sure what you mean with your FAT question, but files deleted from a FAT disk are not overwritten/messed up in any way, and are even much easier to restore than files deleted from an NTFS drive, if that's what you meant.

evilcry
March 15th, 2008, 02:24
Hi,

Quote:

I have full access to that HDD, it is 100% working HDD and my intention is just to try to recover that files.


One of the most used tools is WinHex, widely used in the forensics world; it gives you totally raw access to every disk partition, RAM mapping and other cool features, such as live visualization of pagefile.sys (the first objective of a coroner, because it is full of interesting information).


Quote:

Tell me next: if an external USB HDD was plugged in and one deleted files from it (if the recycle bin was turned on), where will the system store the deleted files, on that HDD or on some internal one?


Deleted files are located on that HD, and by mounting the HD externally, after raw mapping you can easily navigate the partitions.

Here you can download WinHex for free:

http://www.winhex.com/winhex/

In the worst cases, when the HD is dead, you need other advanced tools, for data carving.

Have a nice Day,
Evilcry

Zilot
March 18th, 2008, 08:58
Hi

Thanks for the reply. After some examination of the deleted files, I realised that they must have been deleted with some tool that overwrites the file first and then deletes it.

There is no correlation between some normally deleted files and those I think were deleted with the special tool.

The content is not messed up; rather it is shaped into some nonsense patterns, so I think there is no way it is encrypted.

evilcry
March 23rd, 2008, 02:29
Usually the Gutmann method is used, which is an algorithm specifically designed for secure deletion.

Here a link about the Gutmann Method:

http://en.wikipedia.org/wiki/Gutmann_method

Have a nice Day,
Evilcry

dELTA
March 23rd, 2008, 06:39
Yes, but for all practical purposes, you might as well overwrite the entire thing with random data, or all zeroes, or all ones, or whatever else you might come up with; it doesn't matter. Not even the largest professional data recovery companies, like Ibas, can restore even that.

The methods you mention are mostly of theoretical value, triggered by rumors of almighty magnetic force microscopes, magic and some voodoo, that organizations like the NSA might possibly, hypothetically be able to use, with some luck and some more magic, to recover data from overwritten disks.

For the rest of us, including large and filthy rich companies, you're screwed if the data is overwritten even once, by whatever.
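To make concrete what the "overwrite, then delete" tools discussed in this thread do, and why Zilot saw the size and creation date survive while the content turned into patterns, here is an added example (not code from the thread, and not any of the products named in it) of an in-place multi-pass overwrite followed by a normal delete. The pass list is the beginning of the Gutmann sequence as documented at the Wikipedia link above (four random passes, then 0x55, 0xAA and the three rotations of 0x92 0x49 0x24), shown as an illustration only; the full method has 35 passes, and, as dELTA says, a single pass of anything is what matters in practice. The file name and contents are constructed.

```python
import os
import secrets
import tempfile

# Opening passes of the Gutmann sequence (illustrative subset, not the full 35).
# None means a pass of random bytes; a bytes value is repeated across the file.
GUTMANN_HEAD = [None, None, None, None,
                b"\x55", b"\xaa",
                b"\x92\x49\x24", b"\x49\x24\x92", b"\x24\x92\x49"]


def pattern_block(pattern, size, offset=0):
    """Return `size` bytes of `pattern` repeated, phase-aligned to the absolute
    file offset so chunked writes keep the pattern continuous."""
    if pattern is None:
        return secrets.token_bytes(size)
    reps = (size + offset) // len(pattern) + 2
    return (pattern * reps)[offset:offset + size]


def overwrite_in_place(path, passes, chunk=1 << 16):
    """Overwrite the file's current allocation with each pass, in place.
    Opening with r+b does not truncate or recreate the file: the same
    directory entry / MFT record, size and timestamps stay, only the data
    clusters change. Each pass is fsync'd so it really reaches the device
    before the next one starts. Returns the number of passes performed."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            written = 0
            while written < size:
                n = min(chunk, size - written)
                f.write(pattern_block(pattern, n, written))
                written += n
            f.flush()
            os.fsync(f.fileno())
    return len(passes)


def secure_delete(path, passes=GUTMANN_HEAD):
    """Overwrite, then do an ordinary delete. An undelete tool will still see
    the name, size and dates in the freed record, but the clusters it points
    at now hold the last pass pattern."""
    overwrite_in_place(path, passes)
    os.remove(path)


def demo():
    """Run the procedure on a constructed file and report what survives."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "report.txt")          # hypothetical file name
    original = b"Quarterly report draft: revenue figures attached.\r\n" * 40  # constructed
    with open(path, "wb") as f:
        f.write(original)
    size_before = os.path.getsize(path)

    overwrite_in_place(path, [b"\x92\x49\x24"])          # one fixed-pattern pass
    with open(path, "rb") as f:
        after = f.read()

    secure_delete(path, passes=[None, b"\x00"])          # random pass, zero pass, delete
    result = {
        "size_before": size_before,
        "size_after_overwrite": len(after),
        "pattern_after_overwrite": after[:6],
        "exists_after_delete": os.path.exists(path),
    }
    os.rmdir(workdir)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Two caveats a practitioner should keep in mind, both consistent with what the thread observed. First, only the clusters currently allocated to the file are overwritten; earlier copies of the content (a temp file the editor saved, a previous version that was moved rather than rewritten, pagefile fragments) are untouched, which is exactly why a raw search for a known plaintext is still worth doing. Second, on NTFS a very small file is stored resident inside its MFT record rather than in separate clusters, so a tool that only rewrites data clusters may leave such content behind.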