Transcript Data Recovery Discovery - Southern Oregon University

Data Recovery/Discovery
•
•
•
•
•
•
Files
Deleted Files
Text Searches
Slack Space
Free Space
Lab
Files on the Drive
•
•
•
•
List all the files on the drive
WinHex can show only one folder at a time
Import file list into Excel
Sort by file extension
Open Floppy Image
Interpret Image File as Disk
“Crtl A” Select All Files and
Folders
Export File List
Choose the
Fields to Export
To choose the fields that
you want hold the “Ctrl”
key down and click on the
desired fields
Pertinent Data
•
•
•
•
•
•
Name
Description
Extension (file type)
Path
Size
MAC date/times
Save in your Case Folder
Open it in Excel
• It may open it automatically
• If not
–
–
–
–
–
–
Go to your case folder
Start Excel
File -> Open
Find your Case Folder
Select All files
Open the .txt file
All Files
Run through formatting options
Run through formatting options
Run through formatting options
Make it Pretty
•
•
•
•
Landscape format
Smaller font
Expand columns to show full date time
Etc.
Pretty
Description Column
•
•
•
•
Note an assessment of recoverability
Find the file in WinHex
“Recover/Copy”
A deleted file has been recovered
Deleted Files
• With your spreadsheet you know what
deleted files you can recover
• Recover them
Text Searches
• Search the entire disk/image for varioous
words
• WinHex returns a list of hits
• You have look for the context on the words
and determine if it is of probative value
• Select all hits and delete to clear the search
list
Simultaneous Search
Enter Search Terms
High light a search hit
Lab Assignment
• List of files organized by file extension
• Highlight recoverable deleted files
• Recover the files and comment on their relevance to
charges of cat porn
• Select keywords and search for them.