Welcome back everyone. Today we're going to be talking about data recovery. You might remember that last time we talked about data acquisition, or acquiring data from a suspect system: we had a suspect hard drive that we connected to a write blocker, to make sure we weren't writing any extra data or changing any data on the suspect device, and we connected the write blocker to our forensic workstation. Now we're back inside our Windows 10 forensic workstation, and today we're going to be doing some data recovery. We'll get a little bit into normal file recovery, essentially: we can recover images, we can recover programs, basically any data that's stored on the system we can attempt to recover. More common file types will be recovered better, because more people have tried to do this recovery before.

Today we're going to be using the program PhotoRec in Windows to do our data recovery. I have the website here, and I will put a link next to this video for all of the tools I'm using today. Our main recovery program is called PhotoRec, and it's quite a good file recovery tool. The name says PhotoRec, as in recover photos, but we can use it for a lot of other data types as well. I've already downloaded it. When you download PhotoRec you get a zip file called testdisk-7.0, in this case testdisk-7.0.win64. If you open that up, you'll have this folder. There's no real installer here; I can access the program directly from this folder. Because there is no easy-to-use installer, I am going to open C:\Program Files on this computer: open Explorer, click on Local Disk, go into Program Files, and then drag and drop this folder directly into the Program Files folder.
I've already done that, and I even renamed the folder testdisk. That basically installs TestDisk and PhotoRec into our Program Files folder. Now we need to do one more thing to make this easily usable (we can use it already, but to make it easily usable): we need to add it to our PATH, so we can run the program from anywhere. The only reason I'm talking about this is that we often need to add new programs, especially standalone programs like this one, to our PATH to make sure we can run them easily.

To add TestDisk to our PATH, I click on the address bar at the top, which says C:\Program Files, and go inside the testdisk folder. This is the folder that actually contains the program I want, called photorec_win. I select the whole address and copy it (Ctrl+C, or right click and Copy), which copies the location of my program, or this folder. Next, right click on the Windows Start button and go to System. You get this System window; on the left-hand side click Advanced system settings, and the Advanced tab will be selected. At the bottom click Environment Variables. You'll notice there are variables for the user, in my case the user test, and variables for the system, and both have a variable called Path. We are just going to edit the variables for this particular user: under the user variables click Path, then Edit. You should get a list of these different paths, and you'll see I've already added testdisk to my PATH. You won't have testdisk in there yet, so click New, which adds a new line, and paste (Ctrl+V, or right click and Paste) the testdisk location into your PATH.
That just tells Windows where to look whenever we run a program: for this user, where should Windows look if we want to run a program? Make sure you don't remove any of the other paths that are already in there; just add a new one. In my case it's C:\Program Files\testdisk; in your case it might be located somewhere else. Once that's in there, click OK, then OK again, then OK again, and we can close the System panel. What that did is that Windows now knows where these programs are located, so we can run them from the command line. That will be important in a second.

Now we want to run PhotoRec against the image I acquired last time. The image I acquired on my Windows system using FTK Imager was 001-2016.001, 001-2016.002 and 001-2016.003, a multi-part disk image. So I want to open a command line: in the Start menu, type cmd and hit Enter, and that opens a Command Prompt for Windows. We get this black box, and this is our command prompt. It's very good to know how to use basic commands in the command prompt, just so you can get around and run different programs. If you're doing digital investigations, we use the command prompt at least a little bit, so it's good to be familiar with it in both Windows and Linux. Right now my command prompt is in the folder C:\Users\test, and where I actually want to be is the folder holding my disk image, which is C:\Users\test\Desktop\cases\001\images\001. So I'm going to copy that path (Ctrl+C, or right click and Copy), go back to my command prompt, and change directory to the directory holding my disk image. I type cd, which stands for change directory.
Then I right click, which pastes the directory I copied, and hit Enter, and we see that the folder I'm currently in has changed: now we are inside the folder that contains my disk images. Just to verify that I can see the disk images from here, I type dir, which stands for directory listing, and hit Enter. Now we see a couple of different things: a couple of directories, which are system directories, then the first part of the disk image, the log file that was created, the second part of the disk image and the third part of the disk image.

Now I want to recover, let's say, all of the JPEG images from this disk image. Don't be confused by JPEG images versus the disk image: a disk image is an exact copy of a hard drive or disk, and JPEG images are actual pictures you would take with a camera. That's a little bit confusing sometimes. So now we want to run our program, photorec_win. I type photorec_win, a space, and then the disk image, 001-2016.001, which gives the first part of my disk image to PhotoRec. I hit Enter, it asks for permissions, and I click Yes. Now the very important thing here: PhotoRec has started, so we know we've installed it properly and it was in our PATH. If PhotoRec did not run, most likely it was not entered in your PATH, especially if it says it could not find the command photorec. The next thing we need to look at is the line Disk 001-2016.001, 1572 MB, basically around 1.5 GB. This is a problem, because my entire disk was four gigabytes.
If I don't remember how big my disk was, I can go back to the log file, double click on it, and see where it says the size: source data size, basically 3878 MB were copied. So this is actually quite a bit bigger than what PhotoRec shows, and the reason is that PhotoRec only loaded the first part of my disk image. I want to load all of my disk image. Here I can proceed or quit, so I'm going to choose Quit: hit the right arrow key and Enter, and that quits the program.

Normally in Windows, when we're in the directory with these three-part disk images, we can type photorec_win followed by the name of the disk image, in my case 001-2016.001, and if I want to add a multi-part disk image, instead of typing the extension .001 I can type three question marks, 001-2016.???. What that should do is load everything that starts with 001-2016 and then has a number after it. However, in my case today PhotoRec is having trouble loading this multi-part disk image, so I combined the multi-part image back into a full disk image, and I took a hash value of it, so we can check the hash again: md5sum full_image.dd. I've combined these three parts back into a single disk image, and we can see that it's the entire four-gigabyte disk image. The hash value of the three parts and the hash value of this whole disk image should be the same, and if we look at it, it starts f7a79, which, if you remember from last week, was the hash value from last time. So we know the data is exactly the same in both. Now I should be able to run photorec_win on the full image: photorec_win full_image.dd, and press Enter.
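The step above, rejoining the split image and checking its hash before carving, is easy to get wrong (segments out of order, a missing segment, or a hash compared by eye). The following is an added example, not the lecturer's code or part of TestDisk/PhotoRec: it rebuilds a split raw image from its numbered segments, hashes the result in chunks, and reports pass/fail against the acquisition hash and the byte count from the acquisition log. The segment names (demo-2016.001 and so on), the output name full_image.dd and the demo data are constructed for the example; in the lecture the expected values come from the FTK Imager log of last week's acquisition.

```python
import hashlib
import os
import random
import tempfile

def find_segments(first_part):
    """From 'name.001' return ['name.001', 'name.002', ...], stopping at the first
    missing number. Walking the numbers avoids relying on directory sort order."""
    base, ext = os.path.splitext(first_part)
    width = len(ext) - 1                      # '.001' -> three digits
    parts, i = [], int(ext[1:])
    while os.path.exists(f"{base}.{i:0{width}d}"):
        parts.append(f"{base}.{i:0{width}d}")
        i += 1
    return parts

def join_segments(parts, out_path, chunk=1 << 20):
    """Concatenate the segments in order into one raw image; return bytes written."""
    written = 0
    with open(out_path, "wb") as out:
        for part in parts:
            with open(part, "rb") as fh:
                for block in iter(lambda: fh.read(chunk), b""):
                    out.write(block)
                    written += len(block)
    return written

def file_hash(path, algo="md5", chunk=1 << 20):
    """Hash a file in chunks; disk images are far too large to read at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def rebuild_and_verify(first_part, out_path, expected_md5, expected_bytes=None):
    """Join a split image and check it against the acquisition hash (and size, if known).
    Returns a dict so the evidence behind the pass/fail can go into the case notes."""
    parts = find_segments(first_part)
    size = join_segments(parts, out_path)
    md5 = file_hash(out_path, "md5")
    ok = md5.lower() == expected_md5.lower() and (expected_bytes is None or size == expected_bytes)
    return {"parts": len(parts), "bytes": size, "md5": md5, "ok": ok}

def make_demo_split(directory, seed=3, part_size=4096, parts=3):
    """Constructed stand-in for a split acquisition: pseudo-random 'disk' data cut into
    N segments, the last one shorter. Returns (first segment, md5 of whole disk, size)."""
    rnd = random.Random(seed)
    data = bytes(rnd.randrange(256) for _ in range(part_size * parts - 100))
    for i in range(parts):
        with open(os.path.join(directory, f"demo-2016.{i + 1:03d}"), "wb") as fh:
            fh.write(data[i * part_size:(i + 1) * part_size])
    return os.path.join(directory, "demo-2016.001"), hashlib.md5(data).hexdigest(), len(data)

def demo():
    """Round trip on a temporary constructed split; returns (verified, mismatch) results."""
    with tempfile.TemporaryDirectory() as d:
        first, md5, size = make_demo_split(d)
        good = rebuild_and_verify(first, os.path.join(d, "full_image.dd"), md5, size)
        # A wrong expected hash (a constructed dummy here) must fail even though the join worked.
        bad = rebuild_and_verify(first, os.path.join(d, "again.dd"), "0" * 32, size)
    return good, bad

if __name__ == "__main__":
    print(demo())
```

The size check matters as much as the hash: PhotoRec reporting 1572 MB for a 3878 MB acquisition is exactly the kind of discrepancy the byte count catches before any carving starts.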
Now we look at it: Disk full_image.dd, basically 4000 MB, which is what we were expecting. So we can go ahead and Proceed, just hit Enter. Then it's asking what partition we want to look at. It has Unknown here, which is basically looking at the whole disk, or we can focus on the FAT32 partition. In this case I know all of my images are going to be in this FAT32 partition, so I'm going to focus on that; but if we don't know where our data is, or we want to look for all data, then I might go with the whole-disk option. So I select FAT32, and down in the menu are the options. If I just choose Search it will start searching, or I can go into Options, or into File Opt, and we should look into the file options first. If I hit Enter here, these are all of the different file types that PhotoRec will attempt to recover from the entire disk. Notice this is a lot more than just images: we do have BMP images, but we also have Blender data, zip files, compressed files, all of these different things. I want to focus only on JPEG images, so out of all of these I press s to disable all the file families, which removes the X from all of them. If I scroll down I should find JPEG under J, and when I get to JPEG I hit the space bar, which selects JPEG images only. That's the only thing we will look for out of all of these types. Then I hit b to save, Enter for OK, and Enter to go back to the main page. Those are the file options. If we were doing this for real forensics we might leave everything enabled just to see what we can carve out, but we can focus on specific file types.
Now I scroll over to Search and hit Enter. It's saying we need to know the filesystem type where the files were stored: either ext2/ext3, which are basically Linux filesystems, or Other, which is FAT, NTFS, HFS and ReiserFS; FAT and NTFS are mostly what you'll find in Windows, and that's what we want to focus on here, so we just choose Other. Then: please choose if all space needs to be analyzed. Let's just go with Whole. Free means free space, where a file may have been but is no longer there; it will try to find things in free space only. If we select Whole, it will look through the entire disk, both the files that are definitely there already and files that may have been deleted. We're trying to carve out or recover all of these things, so I'm going to choose Whole.

Now it asks where we want to save this data, and lets us select where. Right now we're in the cases\001\images\001 folder. I'm going to go to the two dots, which mean go up one directory; now we're in the images folder, and I go up one directory again, and now we're in the case folder. You may remember that I created this temp directory earlier, specifically for things like file carving, so I have a temporary working space that is specific to the case I'm in. I'm going to carve all of these files into the temp folder: from the folder we were in, go up one, up another, and we get to this temp folder. I'm going to save all of the carved files inside it. Once we've selected the folder we want to save to, we hit C, and it will start carving.
Here we go: JPEGs recovered, 15 so far, and it's going through everything. It should only take a few minutes to recover everything, but we can already go to our temp folder, and we get this recup_dir.1 directory; it will create several of these, and we have a lot of them. If I click into the recup_dir directory, we see all the different JPEGs that PhotoRec has found. Actually the recovery is already finished; it's quite quick. If we look, that's as many images as it found, and it looks like that's about all the images that were on the disk. So those are the JPEG images; there are some other file types on the disk that were not recovered. It also writes the report for PhotoRec. So I quit, which takes me back to the original menu, then move over to Quit again, and we're out of PhotoRec.

So how was this working? PhotoRec recovered all of these different images. If we open up FTK Imager, just to use its hex viewer, we can see that I've loaded all of the images inside the disk, and our first one, f0015, we can look at here. This is an image, and it does hopefully open up. Right, so it is an image and it opens, so we've recovered it. How does PhotoRec know what the image is, or where the image is? It has a couple of different methods, but the most basic way is that it uses the file header. If we look at the top, this is the raw data for these images, and the value at the top here is the file header, and it corresponds to a JPEG image. We can see some EXIF information here, and this EXIF information is specific to JPEG images.
For example, it shows the type of camera that was used, the date, things like that. But before this EXIF information, which is at the top of the data structure for this file, we have the file header. Lots of different file types have a file header, and this file header specifically relates to a JPEG image. So we have this header at the beginning, and if we scroll all the way down, this is all of the data for the image, and we have the footer at the bottom, which basically says end of image. The header at the top says beginning of image, the footer at the bottom says end of image, and everything in between is image data.

So one way this works is that we look through the entire disk and find this header. Once we find the header, we just start copying all of the data until we get to a footer, in this case FFD9. We copy all of the data until we get to that footer value, and if we dump all of that into a file, it should be a valid picture. So one way we recover data is to go through the entire disk, look for these file headers and footers, and copy all of the data in between. That's a very basic way we can recover data, and it works quite well. It doesn't work well when the disk is highly fragmented, or parts of a file are located in different sections of the disk, but for most cases, especially with newer filesystems, it tends to work quite well.

So this is a little bit about data recovery. We've used the tool PhotoRec to recover some data, and then we used FTK Imager's hex viewer to look at the file header and file footer for this disk image. Thank you very much.
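The header/footer carving the lecture describes (find FFD8, copy until FFD9) is shown below as an added example; it is not the lecturer's code and not PhotoRec's implementation. It goes one step beyond the plain description to show the check a practitioner wants: the EXIF block at the top of a camera JPEG usually contains an embedded thumbnail, which is itself a complete JPEG with its own FFD9, so a carver that stops at the first footer cuts the photo off inside its EXIF data. The second carver walks the JPEG marker segments by their length fields (which skips the EXIF segment whole) and honours the FF 00 byte-stuffing rule inside the scan data. The "disk image", the JPEG-shaped blobs and the f<offset>.jpg output naming are all constructed for the example.

```python
import os
import random

# JPEG start-of-image (file header) and end-of-image (footer) markers from the lecture.
SOI = b"\xff\xd8"
EOI = b"\xff\xd9"

def carve_jpegs_naive(image):
    """Textbook header/footer carving: copy from FFD8 to the next FFD9."""
    found, pos = [], 0
    while True:
        start = image.find(SOI, pos)
        if start < 0:
            break
        end = image.find(EOI, start + 2)
        if end < 0:
            break
        found.append((start, image[start:end + 2]))
        pos = end + 2
    return found

def carve_jpegs(image):
    """Header/footer carving that walks the marker segments, so an EXIF thumbnail's
    own FFD9 inside the APP1 segment does not end the outer file early."""
    found, pos = [], 0
    while True:
        start = image.find(SOI + b"\xff", pos)   # FF D8 FF: SOI followed by a marker
        if start < 0:
            break
        end = _jpeg_end(image, start)
        if end is None:                          # truncated or false header: keep scanning
            pos = start + 2
            continue
        found.append((start, image[start:end]))
        pos = end
    return found

def _jpeg_end(buf, start):
    """Return the offset just past EOI for the JPEG at `start`, or None if truncated."""
    p, n = start + 2, len(buf)
    while p + 4 <= n:
        if buf[p] != 0xFF:
            return None
        m = buf[p + 1]
        if m == 0xD9:                                    # EOI before any scan data
            return p + 2
        if m == 0xFF:                                    # fill byte
            p += 1
            continue
        if m == 0x01 or m == 0xD8 or 0xD0 <= m <= 0xD7:  # markers with no length field
            p += 2
            continue
        seg_len = int.from_bytes(buf[p + 2:p + 4], "big")
        if seg_len < 2:
            return None
        p += 2 + seg_len                                 # skip whole segment (APP1/EXIF included)
        if m != 0xDA:
            continue
        # After SOS comes entropy-coded data: an FF byte is followed by 00 (stuffing),
        # a restart marker D0-D7, or a real marker. Scan until EOI or the next marker.
        while p + 1 < n:
            if buf[p] != 0xFF:
                p += 1
            elif buf[p + 1] == 0xD9:
                return p + 2
            elif buf[p + 1] == 0x00 or 0xD0 <= buf[p + 1] <= 0xD7:
                p += 2
            elif buf[p + 1] == 0xFF:
                p += 1
            else:
                break                                    # another segment (progressive JPEG etc.)
    return None

def fake_jpeg(payload, thumbnail=b""):
    """Constructed JPEG-shaped blob (valid marker layout, not a viewable picture):
    SOI, APP1 'Exif' carrying an optional embedded thumbnail, DQT, SOS, data, EOI."""
    def seg(marker, body):
        return b"\xff" + bytes([marker]) + (len(body) + 2).to_bytes(2, "big") + body
    scan = payload.replace(b"\xff", b"\xff\x00")         # byte stuffing inside scan data
    return (SOI + seg(0xE1, b"Exif\x00\x00" + thumbnail) + seg(0xDB, b"\x00" * 65)
            + seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + scan + EOI)

def build_test_image(seed=7):
    """Constructed 'disk': filler around two JPEGs and one truncated header. Filler
    never contains 0xFF, so every FF D8 / FF D9 found belongs to an embedded file."""
    rnd = random.Random(seed)
    filler = lambda k: bytes(rnd.randrange(255) for _ in range(k))
    thumb = fake_jpeg(b"thumbnail pixels")
    photo1 = fake_jpeg(b"main picture data " * 40 + b"\xff\xd9 stuffed, not a footer", thumb)
    photo2 = fake_jpeg(b"second picture")
    truncated = SOI + b"\xff\xe0\x00\x10JFIF"             # segment length runs past the end
    image = filler(512) + photo1 + filler(300) + photo2 + filler(200) + truncated
    return image, [(512, photo1), (512 + len(photo1) + 300, photo2)]

def write_carved(found, out_dir):
    """Dump carved files as f<offset>.jpg, loosely mirroring a recup_dir listing."""
    os.makedirs(out_dir, exist_ok=True)
    for off, data in found:
        with open(os.path.join(out_dir, f"f{off}.jpg"), "wb") as fh:
            fh.write(data)
```

Run `build_test_image()` through both carvers: the naive one returns the first photo cut off at the thumbnail's footer and silently keeps a JPEG with a stuffed FF 00 D9 sequence intact only by luck of the stuffing rule, while the marker-walking one returns both photos byte for byte and ignores the truncated header at the end. Neither helps with the fragmentation case the lecture mentions; a file whose clusters are not contiguous needs filesystem metadata or smarter reassembly, not header/footer matching.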