
Introduction

As mentioned in the introductory section, Windows machines run on NTFS (New Technology File System).

Using the tools that we will discuss in this chapter, you will be able to uncover information not only about the files, but also about the layout of the disk itself, including deleted files and unallocated space. This can be of the utmost importance in a forensic investigation, particularly in cases where a user may have tried to cover up their actions using anti-forensic methods.

Some tools allow you to undelete files as well, thus restoring them, in whole or in part, to how they looked before they were deleted. This does, of course, depend on how much of the file has since been overwritten; however, it can be a useful way to find out about things a suspect doesn't want you to see.

In cases where the metadata about the files has been deleted, file carving is employed as a method of trying to recover the data within the files. This requires several steps, most of which will be performed by your investigative tool set of choice. Generally, it will begin by working out what type of file the item was (usually by looking at the headers), and then building up fragments of the file to form a more accurate picture of what used to be stored on the machine.
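To make the header-based carving step concrete, here is a minimal signature carver added as an example for this chapter; it is not code from the book or from Autopsy, The Sleuth Kit, ReclaiMe or PhotoRec. It assumes a small signature table (the real JPEG and PNG magic bytes), a byte-offset naming scheme for carved output that is our own choice, and a constructed buffer standing in for unallocated space. It recovers only contiguous files, which is the key limitation of simple carving: a fragmented file comes back truncated or mixed with foreign data, and a header whose footer never appears within the size cap is skipped rather than carved as megabytes of junk.

```python
"""Minimal header/footer ("signature") file carver over a raw byte buffer.

Added example for this chapter, not code from the book or from any of the
tools it discusses (Autopsy, The Sleuth Kit, ReclaiMe, PhotoRec).
"""
import os

# Signature table: file type -> (header bytes, footer bytes).
# These magic values are the well-known ones for JPEG and PNG; the table is
# deliberately tiny, real carvers ship hundreds of entries.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}

MAX_CARVE_SIZE = 10 * 1024 * 1024  # give up on a header whose footer never appears


def carve(buf, signatures=SIGNATURES, max_size=MAX_CARVE_SIZE):
    """Return a list of (type, offset, data) for every header/footer pair found.

    Carving is purely content-based: no file system metadata (MFT entries,
    directory records) is consulted, which is exactly why it still works after
    that metadata has been deleted or wiped. Only contiguous files are
    recovered; fragmented files come back truncated or contaminated.
    """
    results = []
    for ftype, (header, footer) in signatures.items():
        start = 0
        while True:
            hdr = buf.find(header, start)
            if hdr == -1:
                break
            window_end = min(len(buf), hdr + max_size)
            ftr = buf.find(footer, hdr + len(header), window_end)
            if ftr == -1:
                # Header without a footer inside the size cap: treat it as a
                # truncated remnant and move on instead of carving junk.
                start = hdr + 1
                continue
            end = ftr + len(footer)
            results.append((ftype, hdr, buf[hdr:end]))
            # Resume after this file so embedded headers (e.g. an EXIF thumbnail
            # inside a JPEG) are not carved a second time as separate files.
            start = end
    results.sort(key=lambda r: r[1])  # present hits in on-disk order
    return results


def write_carved(results, outdir):
    """Write each carved file as <outdir>/f<offset>.<type>, like a carving tool's
    output directory. Returns the list of paths written (naming scheme is ours)."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for ftype, offset, data in results:
        path = os.path.join(outdir, "f%08d.%s" % (offset, ftype))
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


def build_sample_image():
    """Construct a fake slice of unallocated space: zero filler, a PNG, filler,
    a JPEG, filler, then a JPEG header with no footer (a truncated remnant).

    The payloads are stand-ins with correct magic bytes and nonsense bodies,
    not valid images; they exist only to exercise the carver.
    """
    png = b"\x89PNG\r\n\x1a\n" + b"fake-png-body" + b"IEND\xae\x42\x60\x82"
    jpg = b"\xff\xd8\xff\xe0" + b"fake-jpeg-body" + b"\xff\xd9"
    truncated = b"\xff\xd8\xff\xe1" + b"overwritten-tail"
    filler = b"\x00" * 64
    img = filler + png + filler + jpg + filler + truncated
    return img, png, jpg


if __name__ == "__main__":
    img, _, _ = build_sample_image()
    for ftype, offset, data in carve(img):
        print("%s at offset %d, %d bytes" % (ftype, offset, len(data)))
```

Run stand-alone it reports the PNG at offset 64 and the JPEG at offset 157, and silently drops the truncated JPEG header at the end of the buffer. Swapping `build_sample_image()` for the contents of a raw image file (or a device opened read-only) turns this into a crude carver over real unallocated space; what the tools in this chapter add on top is a far larger signature table, validation of the carved content, and heuristics for reassembling fragmented files.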

There are several solutions which deal with file system analysis, file carving, and the undeleting of files. In this chapter, we will be looking specifically at Autopsy, The Sleuth Kit, ReclaiMe, and PhotoRec.
