ComputerSecurityStudent (CSS) [Login] [Join Now]




|FORENSICS >> File Recovery >> Recuva >> Current Page |Views: 8669

(Recuva File Recovery: Lesson 2)

{ How to retrieve files deleted from the recycle bin }


Section 0. Background Information
  • What is Recuva?
    • Is free software that allows you to recover deleted files even when they have been deleted from the recycle bin.
    • After personally testing over 20+ file recovery tools, only Autopsy and Recuva have been able to retrieve deleted files from not only physical machines, but also VMware platforms.

     

  • Prerequisite

     

  • Overview 
    • In this lab, we will show you how to do the following:
      1. Recover and restore files that were deleted from the recycle bin.
Section 1. Login to your Windows XP Server
  1. Booting up WindowsVulerable01
    • Instructions:
      1. Start up VMware Player
      2. Select WindowsVulerable01
      3. Play Virtual Machine
    • Note:
      • WindowsVulerable01 is a Windows XP machine running SP2.

     

  2. WindowsVulerable01 Authentication
    • Instructions:
      1. Login as administrator

 

Section 2. Let's create some files
  1. Open Up Notepad
    • Instructions:
      1. Start --> All Programs --> Accessories --> Notepad

     

  2. Notepad Document Contents
    • Instructions:
      1. Type whatever you want on the first line.
      2. On the second line, replace the string "Your Name" with your actually name.
        • E.g., Sign "John Gray"
        • This will be used for the Proof of Lab

     

  3. Save As
    • Instructions:
      1. File --> Save As...

     

  4. Save
    • Instructions:
      1. Navigate to C:\tools\File Deletion
        • Create this directory if it does not exist.
      2. Name the file recuva-me-1.txt
      3. Click on Save.

     

  5. Let's Save Another Copy of this file
    • Instructions:
      1. File --> Save As...

     

  6. Save As
    • Instructions:
      1. Navigate to C:\tools\File Deletion
      2. This time name the file recuva-me-2.txt
        • This will give you two recuva-me-*.txt files.
      3. Click on Save.

 

Section 3. Let's delete the files you just created
  1. Open My Computer
    • Instructions:
      1. Start --> My Computer

     

  2. Delete both recuva-me-*-.txt files
    • Instructions:
      1. Navigate to C:\tools\File Deletion
      2. Highlight both files
      3. Right Click
      4. Click Delete

     

  3. Confirm Multiple File Deletion
    • Instructions:
      1. Click Yes

     

  4. Open Recycle Bin
    • Instructions:
      1. Right Click on Recycle Bin
      2. Click Open

     

  5. Delete Files From Recycle Bin
    • Instructions:
      1. Highlight Both Files
      2. Right Click
      3. Click Delete

     

  6. Confirm Multiple File Deletion
    • Instructions:
      1. Click Yes.

 

Section 4. Let's Recuva the files you just deleted
  1. Run Recuva
    • Instructions:
      1. Right Click on Recuva
      2. Click Open.

     

  2. Recuva Wizard
    • Instructions:
      1. Click Next
    • .

     

  3. Recuva Wizard
    • Instructions:
      1. Select the radio button "Other"
      2. Click Next

     

  4. Recuva Wizard
    • Instructions:
      1. Click the radio button "I'm not sure"
      2. Click Next

     

  5. Recuva Wizard
    • Instructions:
      1. Check "Enable Deep Scan"
      2. Click Start

     

  6. Sort the files
    • Instructions:
      1. Click on the Filename Column to sort alphabetically by filename.

     

  7. Recover the Files
    • Instructions:
      1. Check both recuva-me-1.txt and recuva-me-2.txt
      2. Click the Recover.. button.

     

  8. Browse For Folder
    • Instructions:
      1. Navigate to C:\tools\File Deletion
      2. Click OK.

     

  9. Restore Warning Message
    • Instructions:
      1. Select Yes

     

  10. Operation Completed
    • Instructions:
      1. Click OK

     

  11. Open My Computer
    • Instructions:
      1. Start --> My Computer

     

  12. View Files
    • Instructions:
      1. Navigate to C:\tools\File Deletion

 

Section 5. Let's take a look at the "Advanced mode"
  1. View Advanced Mode
    • Instructions:
      1. Click the Switch to advanced mode button

     

  2. File Information
    • Instructions:
      1. Check and highlight recover-me-1.txt
      2. Click the Info Tab
      3. Notice the state of the file is excellent.
      4. Notice the comment that no overwritten clusters detected.

     

  3. Header Information
    • Instructions:
      1. Check and highlight recover-me-1.txt
      2. Click the Header Tab
      3. Notice that there is both Hexadecimal and ASCII representation for the file contents.

 

Section 6. Proof of Lab
  1. Open a Command Prompt
    • Instructions:
      1. Start --> All Programs --> Accessories --> Command Prompt
      2. dir "C:\tools\File Deletion"
      3. dir
      4. type recuva-me-1.txt
      5. date
      6. Press <Enter> Twice
    • Proof of Lab Instructions:
      1. Do a PrtScn
      2. Paste into a word document.
      3. Upload to Moodle.

 



Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth