Computer and Hacking Forensics
CHFI Module 02 Part 3 Investigative Process PC Inspector File Recovery Lab.
Leo Dregier here. We're going to talk about a tool called PCI File Recovery. I'm going to run you through the install real quick. You can install it through English, okay. Agree to the terms and conditions. It's – PC Inspector File Recovery is the exact name of it. You can install it wherever you want, realistically, but Program Files will be fine. Please note, it's in a sub-directory, Convar, okay? Install it. Relatively easy to install. Close it out. Finish the Setup Wizard. Close that out, okay? And go ahead and open up the program. Simultaneously, I'm going to move this over here to my forensics programs. You're probably going to want to run this in English, okay? So recover deleted files, find lost data, and find lost drives. This is basically what you get to do with this right away. So, we're going to look for recover deleted files. Okay? So select the logical drive, select the files in the folder deleted, and, of course, save your files, okay? So, the first thing that it does is it checks the BIOS and a few other checks. It looks for your disk positions here, so, in this case, I've got a no-name drive that it found, the Windows C drive, Windows D, which is other business, another other business, and this one. So if you realistically want a comparison of which one's which, you can just go to My Computer and see. In this case, I'm going to be looking for Blue USB, which is the F drive, and that's going to be this guy right here. So you can rescan, you can find logical drives, or you can preview that. So in this case, you can notice that you can start at physical sector zero, the total number of sectors on that drive, the sectors per cluster, the FAT type, the OEM name. So it was originally formatted in MS-DOS 5, and then the volume label is No Name here. Okay, great. So that would be your logical drives versus your physical drives.
In this case, I could do the physical drives right here, which is the same thing. It's a 478 megabyte drive. Either way, however you want to select it, go ahead and select it. Okay. And then, here we go. So what I'm basically looking at here is just a handful of files that have been on this drive in the past. And then you can see a bunch of temporary files on here, some ISSEP files that I was working on some time ago, some IT files, classroom material, healthcare manuals, more temporary files, a course, a real estate course that I was working on about real estate overages. So that – I pulled that. That's been deleted from this – some system volume information, and then lost, and then you can search, okay? So it's – if you notice here – whoops. I don't want that one. I don't know what they're for. If you go to the actual drive, you can see that I basically just have the password document on there, and then some system volume information. So it appears that basically nothing's on this drive. But look at all of the stuff that it finds that's previously been there. Okay? And then you could go through, and you could see what is IT 001 PDF, or what did I have in Classroom Material, and things like that. You can right-click any of these files, and you can save them. You can look at the properties, which really doesn't tell you much. It just tells you more or less the name and where. View as a hex dump, okay? So you can do that as well, so if you want to see the specific hexadecimal of certain information, you can. We're going to get into some of the hex editing tools much, much, much later. I just want to point out that that option is built into a program like this. View as text. It can pull any text and things like that.
So the same thing with something like docx, right? If I want to try to see what it has in there, see if it can pull anything, and it doesn't because it's a docx format, but if I had, like, maybe just a regular text document with some decent text in it, it'd probably just pull it just fine. Okay? So that's your drive, okay? You can click on the drive up here and then rescan them, okay? If you have USBs and floppies, you can look there. If you want to search, you can find a specific name, so just search for password, and search, okay, and it finds a password dot X file. And this is the original file, and then this is another file. In this case, this was another document that I had deleted, but the condition's very, very, very poor on that one, where this one's good. So this has zero size in it. This clearly has some size to it, okay? You can select specific cluster ranges if you want to – if you know that. You may or may not. Now, where you find that information is if you're running a program like chkdsk, and it starts giving you cluster errors at a particular file location, then you would probably know something like that, but right off the bat, you're probably not going to know that. You can find lost data if you like, okay? So you can just scan it for lost data, and this'll take some time to run, but you can see that it is finding files right away. And you'd have to let something like this run. Now, this is going to take about a minute or two, but it's worth doing on this portable USB drive because you can see all the things that I've basically deleted, or it's lost, or orphaned file fragments, and things like that, over the years of using this. So let's just back up here for one second.
Let's say that you find a USB drive in the parking lot, and you plug it into your computer, and there's nothing on it. Okay, great, right? Free USB drive. Good to use. Wrong. You would actually want to use it with some sort of partition extraction tool, or data recovery tool, or a file inspection tool, like PC Inspector, because there absolutely could be alternate data streams, especially if it's formatted as NTFS. There could be hidden stuff on there, as in just right-click hidden. There could be deleted; there could be orphaned; there could be all sorts of stuff, and low-level formats, and what I mean by low-level format is when you just right-click this drive and you select format, all it basically does is delete all of the pointer records to the drive. It doesn't actually remove the data, and a program like this clearly points that out, because it will go in and it will start looking at the different items that are on there. Okay? And you can see that I've used this drive for quite some time, and it's already up to lost files found, over 1000, and it's just a 481 megabyte drive that appears to have nothing but a password file on it. But what I'd like to show is that you can actually get all of the deleted and unconventional stuff that doesn't appear to be there – you can actually get that more or less right away with a program like this, and then save it to another place. So just because you find a USB drive in the parking lot and there appears to be nothing on it, chances are, there is. Not to say that you shouldn't just try to find the original owner and maybe return it to that person. But let's say that you can't. Well, if you can't, well then, there you go.
So in this case, I'm going to sort by type over here, and you can see there's a whole bunch of Acrobat files that I recovered from this drive. There's a whole bunch of JPEG files, PNG files, right, WordPad, XLS spreadsheets, right? So it finds quite a considerable amount of information, and if you right-click these, you can save them. You can view 'em as a hex dump or text, drive again. Okay? So before you stick any drive into your computer that you found in the parking lot, you may want to use a program like PC Inspector to inspect that drive and see if you can't recover some of the deleted, orphaned, or lost information from that drive. Very, very easy program to use. It's definitely one of my favorite – my go-to programs for a quick forensic inspection of hey, what's on that drive? So try it out. Give yourself a little practice. Build your hands-on. It's PC Inspector File Recovery. Hope you enjoyed it. My name's Leo Dregier, and don't forget to check us out on Facebook, LinkedIn, YouTube, and Twitter.
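As an added example, not part of the lab transcript or of the PC Inspector program, the Python below decodes the FAT boot-sector fields the tool shows in its drive preview (OEM name, sectors per cluster, total sectors, FAT type, volume label) and scans a root directory for entries whose first name byte was overwritten with 0xE5, which is all a delete does to the directory entry while the data clusters stay on the drive. The boot sector and directory entries are constructed sample data, not read from a real drive.

```python
import struct
# Constructed FAT16 boot sector for this example; the values are invented, not read from a real drive.
def make_boot_sector():
    bs = bytearray(512)
    bs[3:11] = b"MSDOS5.0"                             # OEM name the tool shows
    struct.pack_into("<HBHBHHBHHHII", bs, 11,          # BPB: bytes/sector, sectors/cluster, ...
                     512, 16, 1, 2, 512, 0, 0xF8, 239, 63, 255, 0, 978944)
    bs[38] = 0x29                                      # extended boot signature
    bs[43:54] = b"NO NAME    "                         # volume label
    bs[510:512] = b"\x55\xAA"                          # boot sector signature
    return bytes(bs)

def parse_bpb(bs):
    """Decode the BIOS Parameter Block fields PC Inspector lists in its drive preview."""
    if bs[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot sector signature")
    (bps, spc, reserved, fats, root_entries, tot16, _media, spf,
     _spt, _heads, _hidden, tot32) = struct.unpack_from("<HBHBHHBHHHII", bs, 11)
    total = tot16 or tot32                             # 16-bit count, else 32-bit count
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps
    clusters = (total - (reserved + fats * spf + root_dir_sectors)) // spc
    # The FAT type follows from the cluster count (Microsoft FAT specification thresholds)
    fat_type = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"
    return {"oem": bs[3:11].decode().strip(), "sectors_per_cluster": spc,
            "total_sectors": total, "fat_type": fat_type, "label": bs[43:54].decode().strip()}

def dir_entry(name, ext, cluster, size, deleted=False):
    """32-byte FAT directory entry (constructed); a delete only overwrites the first name byte with 0xE5."""
    first = b"\xE5" if deleted else name[:1].encode()
    return (first + name.ljust(8).encode()[1:] + ext.ljust(3).encode() + b"\x20"
            + bytes(14) + struct.pack("<HI", cluster, size))

def scan_root(root):
    """List live and deleted entries; deleted entries with data left are recovery candidates."""
    found = []
    for off in range(0, len(root), 32):
        e = root[off:off + 32]
        if e[0] == 0x00:
            break                                      # 0x00 marks the end of used entries
        deleted = e[0] == 0xE5
        stem = ((b"?" if deleted else e[:1]) + e[1:8]).decode().strip()
        cluster, size = struct.unpack_from("<HI", e, 26)
        found.append({"name": f"{stem}.{e[8:11].decode().strip()}", "deleted": deleted,
                      "cluster": cluster, "size": size,
                      "recoverable": deleted and size > 0 and cluster >= 2})
    return found

# Constructed root directory: one live file and two deleted ones, one of them zero-sized
SAMPLE_ROOT = (dir_entry("PASSWORD", "TXT", 3, 120) + dir_entry("ISSEP", "PDF", 40, 204800, True)
               + dir_entry("NOTES", "DOC", 0, 0, True) + bytes(32))
```

The zero-sized deleted entry mirrors the "zero size" hit in the lab: its directory record survives, but there is no cluster chain left to carve.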
Source: https://www.cybrary.it/notes/nickneilie/computer-and-hacking-forensics/module-2-investigative-process/