We're on Course 9, talking about the NTFS file system. In this module, Module 6, we're going to talk about NTFS file recovery. As we saw in our last module, when we delete a file in NTFS, the data remains intact until it is overwritten, and its MFT file record also remains intact until that record is reused by another file. Data that is non-resident remains until it is overwritten by a new file; if the data is resident, it remains until the MFT file record is reused. How do we find these unallocated files? Well, we can search for file records using the word FILE, the signature at the start of every MFT record. In a keyword search, we could do a grep search using a regular expression for deleted file records, as we see up here on the screen; that would be the expression. We will be looking for \x46\x49\x4C\x45, which is FILE in ASCII. Then we skip 18 bytes, .{18}, which takes us to offset 22 (0x16), the flags field of the record header, and look for [\x00\x02]: 0x00 indicates a deleted file and 0x02 a deleted directory (an allocated file is 0x01 and an allocated directory 0x03). One caveat: the dot has to be allowed to match any byte value, including 0x0A; a line-oriented grep treats that byte as a line break and will miss such a record, which is one reason forensic tools run this search over the raw bytes. Our forensic tools are able to search for deleted file records. We could examine the Recycle Bin if the file was just sent to the Recycle Bin and not permanently deleted. We could use keyword searches if we know the name of the file or some data that was contained in the file. We can search for the data using grep, or we could carve for files using file headers; we'll cover file carving later. Those are some of the ways we can recover deleted files in the NTFS file system. We're going to do another walk-through. The items you're going to need for this walk-through are Active Disk Editor, our NTFS VHD, and our regular expression document. The first thing we need to do for this module is mount our NTFS VHD. We're going to go to Disk Management, go to Actions, Attach VHD, and navigate out to where the VHD is saved on your computer. Mine is on my desktop. We're going to select the NTFS VHD, click Open, and then click OK.
Once you attach your VHD, note the disk number and the volume you're going to be working with; this is the second volume, our first NTFS volume. It should be 200 megabytes in size and the volume should be labeled NTFS. Once you've done that, we're going to go ahead and open up Active Disk Editor. Once Active Disk Editor opens, select Open Disk. Now we're going to select Volumes from the selection bar on the top, then select our disk. Mine mounted as B:; yours may be a different drive letter. We're going to click Open, and it's going to open up to our volume boot record. Now, let's go to Browse File Records, right underneath Edit, next to Unicode. We're going to look for that file, deleteme.txt. We see it is not here. Now, we do know the sector, but let's find it without using that. We're going to use the Find function. Go to Find, and I want you to go ahead and paste that regular expression in from your regular expression document: highlight it, right-click, Copy, then left-click here and select Paste. Once you've done that, it should look like the one up here on the screen. You should have \x46\x49\x4C\x45.{18}[\x00\x02]. Make sure you check the box for Use Regular Expression. Then go ahead and select Find All. This will take a minute to run through, but it goes pretty quickly. You can see the hits in our Find Results pane. If this is not showing, just go to View, go to Windows and make sure you have the checkmark on Find Results, and it will show up. Let's look at our results. Well, it appears that is not the file record we're looking for; that looks like it's a directory. The next one still looks like a directory. That one is still a directory. Here we are: we found our file record. Let's take a look at it. We know it's an NTFS file record because we have the ASCII FILE signature, and we can see our sequence number is now two. The file is deleted.
Originally the sequence number was 01 when we first created the file, and now it's 02, and we can see our flag is 00, which indicates an unallocated, deleted file. But what's important to remember is that our attributes are still here. In the standard information attribute we still have all our dates and times: created, modified, record change, last access. We still have our flags, our file permissions. We still have our filename attribute, with its own set of filename dates and times down here. We still know the parent directory. Now, this parent directory may itself be deleted, but we still know where the parent directory is: it's MFT record number 5, the root directory, and we can look at that. You can see the record change time, and you can see our allocated size and our real size; because it's deleted, you're getting zeros here. We can see the length of the file name, and we can see the filename, deleteme.txt. We can still see our object ID attribute with its globally unique identifier, and in our data attribute we still have the data that we wrote into our file. That is one way to search for deleted master file table records. Well, let's try another way. Let's try a search using the word deleteme and see what we come up with. We'll go ahead and click on our Find window and click Remove All so we clear that up. We'll go back to the start of our MFT: go ahead and click on $MFT just to bring it back to the start. We'll go back to our Find. Now, in NTFS, file names are stored in Unicode. Click Restore Defaults on this, but remember that NTFS uses Unicode. Don't use ANSI up here, or you will not get a hit. In Unicode, we're going to type deleteme, with no space. Now, you may not have this option, but the other thing we want to check is Ignore Case. We want to ignore case on this; most of the time, unless you're sure, when you're doing a keyword search like this you want to ignore case. Then I'm going to select Find All. It will take a minute to run through here. Once it's finished, we'll look in our Find Results pane again.
Again, if you don't have this pane, use the View menu, Windows, and make sure you have Find Results checked. Let's take a look at our results. That first one doesn't look right. No, not that one either. This one does. Let's try applying our NTFS file record template from the Template Manager. Yes, this is our NTFS file record for the file deleteme.txt. We can see where it hit in the dark yellow. But we needed to search in Unicode. Remember, NTFS writes file names in Unicode. Very important to remember that. We still have all the information we had before when we looked at it after searching with our regular expression. So those are two ways you could recover a file in NTFS by searching for the file record: we could use a regular expression, or, if we know the name of the file, we could use the name of the file, but just remember to search in Unicode.
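Here is an added example, not part of the course material and not Active Disk Editor code, that does the same two searches over raw bytes: it runs the module's regular expression to find deleted FILE records, undoes the update sequence fixups, walks the resident attributes to pull out the surviving $FILE_NAME (name, parent record, real size) and $DATA content, and then runs the deleteme keyword search in UTF-16LE versus ANSI. The $MFT it scans is constructed inside the script (four synthetic 1024-byte records, with zeroed timestamps); the field offsets are the documented NTFS record, attribute and $FILE_NAME layouts.

```python
# Added example (not course or Active Disk Editor code): scan for deleted NTFS
# FILE records with the module's regex and parse what survives in them.
# The $MFT below is constructed here, not taken from the course VHD.
import re
import struct

RECORD_SIZE, SECTOR = 1024, 512
FILE_NAME_ATTR, DATA_ATTR, END_MARKER = 0x30, 0x80, 0xFFFFFFFF

# "FILE", skip 18 bytes to the flags word at offset 0x16, low byte 0x00 = deleted
# file, 0x02 = deleted directory.  re.DOTALL matters: without it '.' will not
# match 0x0A, so a record with that byte in its $LogFile sequence number is missed.
DELETED_RECORD_RE = re.compile(rb"\x46\x49\x4C\x45.{18}[\x00\x02]", re.DOTALL)


def resident_attr(atype, content):
    """Resident attribute: 24-byte header, content at offset 24, length 8-aligned."""
    length = (24 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0, 0, 0, len(content), 24, 0, 0)
    return (hdr + content).ljust(length, b"\x00")


def build_record(recno, seq, flags, name, parent_recno, data=b""):
    """One 1024-byte FILE record with $FILE_NAME and $DATA, update sequence applied."""
    fn = struct.pack("<Q", parent_recno | (5 << 48)) + b"\x00" * 32   # parent ref, 4 timestamps
    fn += struct.pack("<QQII", 0, len(data), 0, 0)                      # alloc size, real size
    fn += bytes([len(name), 3]) + name.encode("utf-16-le")              # NTFS names are UTF-16LE
    body = resident_attr(FILE_NAME_ATTR, fn) + resident_attr(DATA_ATTR, data)
    body += struct.pack("<I", END_MARKER)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, seq, 1, 0x38, flags,
                      0x38 + len(body), RECORD_SIZE, 0, 3, 0, recno)
    rec = bytearray((hdr + b"\x00" * 8 + body).ljust(RECORD_SIZE, b"\x00"))
    # Update sequence array at 0x30: USN, then the real last word of each sector;
    # on disk every sector ends with the USN instead (torn-write detection).
    rec[0x30:0x32] = b"\x01\x00"
    for i in range(RECORD_SIZE // SECTOR):
        end = (i + 1) * SECTOR - 2
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[end:end + 2]
        rec[end:end + 2] = b"\x01\x00"
    return bytes(rec)


def undo_fixups(rec):
    """Check the USN at each sector end and restore the real bytes from the array."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn, rec = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(usa_count - 1):
        end = (i + 1) * SECTOR - 2
        if rec[end:end + 2] != usn:
            raise ValueError("USN mismatch: torn write or not a FILE record")
        rec[end:end + 2] = rec[usa_off + 2 + 2 * i:usa_off + 4 + 2 * i]
    return bytes(rec)


def parse_record(rec):
    """Header fields plus the $FILE_NAME and $DATA content of one FILE record."""
    rec = undo_fixups(rec)
    seq, _links, off, flags = struct.unpack_from("<HHHH", rec, 0x10)
    states = {0: "deleted file", 1: "allocated file", 2: "deleted directory", 3: "allocated directory"}
    out = {"record": struct.unpack_from("<I", rec, 0x2C)[0], "sequence": seq,
           "flags": flags, "state": states[flags & 3]}
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER or alen == 0:
            break
        if rec[off + 8] == 0:                              # resident: content is in the record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + coff:off + coff + clen]
            if atype == FILE_NAME_ATTR:                    # survives deletion, as in the module
                out["parent_record"] = struct.unpack_from("<Q", content, 0)[0] & 0xFFFFFFFFFFFF
                out["real_size"] = struct.unpack_from("<Q", content, 0x30)[0]
                out["name"] = content[0x42:0x42 + 2 * content[0x40]].decode("utf-16-le")
            elif atype == DATA_ATTR:                       # resident data lives until reuse
                out["data"] = content
        off += alen
    return out


def find_deleted_records(image):
    """Run the module's regex over an $MFT extract and parse every aligned hit."""
    hits = []
    for m in DELETED_RECORD_RE.finditer(image):
        if m.start() % RECORD_SIZE == 0:   # skip "FILE" that merely appears inside file content
            hits.append(parse_record(image[m.start():m.start() + RECORD_SIZE]))
    return hits


def keyword_search(image, keyword, unicode=True):
    """Offsets of keyword, case-insensitive; NTFS stores names in UTF-16LE, not ANSI."""
    needle = keyword.encode("utf-16-le" if unicode else "latin-1")
    return [m.start() for m in re.finditer(re.escape(needle), image, re.IGNORECASE)]


# Constructed sample $MFT: root directory (record 5) and three records in it.
SAMPLE_MFT = b"".join([
    build_record(5, 5, 0x03, ".", 5),
    build_record(64, 1, 0x01, "keepme.txt", 5, b"still here"),
    build_record(65, 2, 0x00, "deleteme.txt", 5, b"secret data"),   # sequence 1 -> 2 on delete
    build_record(66, 2, 0x02, "oldfolder", 5),
])

if __name__ == "__main__":
    for r in find_deleted_records(SAMPLE_MFT):
        print(r["record"], r["state"], r["name"], "parent", r["parent_record"], r.get("data"))
    print("Unicode hits:", keyword_search(SAMPLE_MFT, "DeleteMe"))
    print("ANSI hits:", keyword_search(SAMPLE_MFT, "DeleteMe", unicode=False))
```

The alignment check in find_deleted_records assumes the input is an $MFT extract starting at a record boundary; for a whole-volume image you would offset from the $MFT start given in the boot sector instead. The ANSI search returns no hits for the same reason the walkthrough showed: the name is stored with a null byte between each character.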