data recovery: how to recover a deleted document?
DESCRIPTION
The project entails recovering crucial documents that an unsatisfied employee, Jonathan deleted before leaving the company. Jonathan’s crime was evaluated and analyzed to determine how he committed the crime in order to craft proficient ways of recovering the lost file. Proper planning was done before conducting the investigation in order to ensure strict adherence to investigation procedure.Finally the investigation evidence proved that Jonathan did delete the important documents which the investigation team managed to recover.TRANSCRIPT
2011
YUSUPH KILEO
DATA RECOVERY
10/4/2011
DATA RECOVERY: TO RECOVER DELETED DATA FROM A COMPUTER
DATA RECOVERY
YUSUPH KILEO Page 1
Contents ABSTRACT ...................................................................................................................................................... 2
CHAPTER ONE: INTRODUCTION TO THE PROJECT ........................................................................................ 3
1.1 PROJECT OVERVIEW ...................................................................................................................... 3
1.2 PROJECT AIMS AND OBJECTIVES ................................................................................................... 3
1.3 ASSUMPTIONS .............................................................................................................................. 4
1.4 EVALUATION OF JONATHAN’S COMPUTER CRIME ....................................................................... 5
CHAPTER TWO: THE INVESTIGATION PROCESS ............................................................................................ 6
2.1 OVERVIEW OF THE FORENSIC INVESTIGATION PROCESS ................................................................... 6
2.2 AUTHORIZATION AND PREPARATION ................................................................................................. 7
2.2.1 AUTHORIZATION .......................................................................................................................... 7
2.2.2 PREPARATION .............................................................................................................................. 8
2.3 IDENTIFICATION .................................................................................................................................. 9
2.4 COLLECTION AND PRESERVATION .................................................................................................... 10
2.5 EXAMINATION AND ANALYSIS .......................................................................................................... 18
2.5.1 RECOVERING ANY DELETED MATERIALS .................................................................................... 19
2.5.2 RECOVERED MATERIALS ............................................................................................................ 21
2.5.3 EXTRACTION OF THE MATERIAL FOUND .................................................................................... 21
2.6 RECONSTRACT ................................................................................................................................... 22
2.7 REPORT .............................................................................................................................................. 24
FORENSICS REPORT ............................................................................................................................. 24
INVESTIGATION FINDINGS .................................................................................................................. 24
EXAMINATION SUMMARY .................................................................................................................. 24
CONCLUSION ....................................................................................................................................... 25
3.0 EXECUTIVE SUMMARY .......................................................................................................................... 25
4.0 Appendix. .............................................................................................................................................. 26
5.0 REFERENCES .......................................................................................................................................... 28
DATA RECOVERY
YUSUPH KILEO Page 2
ABSTRACT
The project entails recovering crucial documents that an unsatisfied employee, Jonathan deleted
before leaving the company. Jonathan’s crime was evaluated and analyzed to determine how he
committed the crime in order to craft proficient ways of recovering the lost file. Proper planning
was done before conducting the investigation in order to ensure strict adherence to investigation
procedure.
Finally the investigation evidence proved that Jonathan did delete the important documents
which the investigation team managed to recover.
DATA RECOVERY
YUSUPH KILEO Page 3
CHAPTER ONE: INTRODUCTION TO THE PROJECT
1.1 PROJECT OVERVIEW
This project is segregated into three main chapters which are the introduction, Investigation
process and conclusion. The introduction highlights the main aspects of the thesis; the
investigation process describes in detail the steps that the investigation team would take in
investigating the above highlighted case and the forensic tools used. It must be noted that
different tools would be used at different phases of the investigation process; therefore for clarity
usable tools for specific phases would be explained when describing activities of that particular
phase.
The conclusion as the name suggests would summarize the main contents of the project as well
as briefly outline the deducted lessons from the project and the challenges faced and how they
were mitigated.
1.2 PROJECT AIMS AND OBJECTIVES
AIMS
This project is aimed at evaluating, analyzing Jonathan’s crime and procedurally recovering all
the lost crucial files to save Bukit Enterprises from immense loss.
OBJECTIVES
In order to achieve the set aim the investigator has formulated the following objectives:
Strictly adhere to the procedures of forensic investigation.
Prepare a time management schedule and strictly abide to it so as to timely recover the
crucial files.
Encourage team work amongst case investigators.
Be flexible such that any emerging technologies that may be useful to the investigation
would be tried in order to acquire accurate evidence.
Ensure the authenticity and accuracy of all tools to be used in the investigation.
DATA RECOVERY
YUSUPH KILEO Page 4
1.3 ASSUMPTIONS
Bukit Enterprises is a company located in the United Kingdom.
Investigators found Jonathan’s computer on.
Jonathan was using win XP as an operating system.
Jonathan has installed WinRAR software to his computer (Encryption tool).
Jonathan has no personal data left in the computer.
Jonathan saved the research documents using word pad.
Jonathan encrypted the documents before deleted them.
Jonathan protected the documents with password using his name.
Jonathan did not first enquire about reasons for management escalating Steven over him.
DATA RECOVERY
YUSUPH KILEO Page 5
1.4 EVALUATION OF JONATHAN’S COMPUTER CRIME
Jonathan was actively involved in the research for years, but that doesn’t allow him to delete the
research documents when he left the job. The research documents he deleted were not his
property but rather Bukit Enterprises’ property. It is apparent that Jonathan did not enquire with
the management reasons as to why Steven was promoted over him. Jonathan rather decided to
take the law into his hands and delete the Company’s documents which as stated if not recovered
would endure the company a massive loss.
The question remains, does Jonathan’s involvement in the research give him the right to delete
the documents. According to the company regulations and rules the company’s document should
be returned when employee resigned, Like wise on (Akerman, 2011), it highlights a case where
an employee deleted company files. The court ruling was that an employee should return all
company documents before resignation.
Furthermore on (McCullagh.D, 2007) highlights that Jonathan would be found guilty in a court
of law for as long as the evidence obtained is authentic and accurate. This is due to the fact that
with the obtained evidence, Jonathan would be prosecuted for violating the Computer Fraud and
Abuse Act which finds guilty whoever knowingly acquires information from q computer without
obtain authorization or whoever who exceeds their authorization level to illegally access data and
causes damage or loss to it. Jonathan had authorized access to the documents, but he exceeded
his authority scope by deleting the documents.
Conclusively, (Radcliffe, 2010) further proves that Jonathan would be proven guilty, according
to the United Kingdom copyright laws, any research or discovery that an employee makes or
achieves within their scope of employment belongs to the employer. Therefore Jonathan illegally
deleted Bukit Enterprises’ crucial documents and hence would be accordingly prosecuted.
DATA RECOVERY
YUSUPH KILEO Page 6
CHAPTER TWO: THE INVESTIGATION PROCESS
2.1 OVERVIEW OF THE FORENSIC INVESTIGATION PROCESS
Forensic investigation is to collect evidence that would prove a crime in a court of law. Same as
all other projects it has steps to be followed while undergoing the forensic investigations. This is
to ensure that the gathered evidence is authentic and accurate. Moreover some practices are
expected of forensic investigators by courts of law.
In that respect, the steps of forensic investigation would be properly followed and adherence to
the laws of forensic investigation would be ensured at every phase before proceeding to another.
The aforementioned phases of investigation are namely:
1. Authorization and preparation
2. Identification
3. Collection and Preservation
4. Examination
5. Analysis
6. Reconstruct
7. Reporting
DATA RECOVERY
YUSUPH KILEO Page 7
2.2 AUTHORIZATION AND PREPARATION
2.2.1 AUTHORIZATION
The focus of forensic investigation is to acquire evidence that would be used in a legal
proceeding, forensic investigators must have authorization to carry out the investigation
otherwise the evidence would as aforementioned not be admissible (Kleiman et al, 2007 P.8 of
939).
The forensic investigator has been appointed by the Company’s IT department as the head of the
investigation team to search and recover deleted materials from the computer that Jonathan used
while still working for Bukit Enterprises. For formalization, the investigator should request from
the company a written permission that’s allow the investigator to search Jonathan’s computer
which would outline reasons as to why Jonathan’s previously used computer is searched and
investigated.
It is also common knowledge that before any forensic investigation, investigators must foremost
obtain a judicial permission, search warrant that gives them a go ahead with the investigation.
For example if forensic investigators are investigating a case where someone is suspected of
selling drugs, a search warrant must be obtained from the authority concerned to allow the
investigator to procedure with the searching and investigating the case.
Since Jonathan was no longer a part of the company there was no reasons for search warrantee
and instead the investigator would request for a formal written authorization from the Company
management to carry out the investigation. The letter must entail that the investigator is hired to
search Jonathan’s computer and justification as to why the search must be conducted must also
be provided. To further validate the investigation procedure, the investigator should have a third
party present for example an attorney to certify that the investigators have been hired by Bukit
Enterprises to conduct a search on Jonathan’s former computer while still with the Company.
DATA RECOVERY
YUSUPH KILEO Page 8
2.2.2 PREPARATION
The preparation phase is where the investigator finalizes on the formation of the investigation
team. The team would be divided into the phases of investigation so as to have an investigator
responsible for a specific phase of investigation. Though the appointed investigators would be
working with the team, they would be in charge of those phases to ensure that proper procedures
are followed throughout the investigation process.
A chain of custody would also be created at this stage, not all investigation team members will
be in the chain custody, this is because the fewer people to handle the investigation’s crucial
documents the better; it increases accountability. The chain of custody would be documented
outlining all handlers of important investigation documents including the evidence.
ELECTRONIC EVIDENCE CHAIN OF CUSTODY FORM
COLLECTED EVIDENCE CATEGORY NAME TRACKING
NUMBER
COLLECTED FROM
CHAIN OF CUSTODY TRACKING
NUMBER
FROM(Location) DATE AND
TIME
REASON TO(Location)
Case No: Page: Of:
Fig. 01 shows the chain of custody for the case.
DATA RECOVERY
YUSUPH KILEO Page 9
The preparation phase also entails highlighting the investigation team on the case and what is
expected to them during the investigation, this is to enable the investigation team to
psychologically prepare for the case as well as to be familiar with the laws of the United
Kingdom where the forensic investigation is taken place.
The investigation team would also prepare any materials that may be useful in the case, hardware
and software. Even though, the investigation team have not assessed Jonathan’s computer, due to
their experiences in the field, the investigation team would prepare materials that are likely to be
required in the investigation such as necessary software application and hardware that might be
helpful during the investigation process.
2.3 IDENTIFICATION
The identification phase is the phase that will allow investigators to spot any materials that may
be suspicious and may contain evidence. This materials may be hardware such as compact discs,
floppy disks hard disks etc. or it may be fragile data in digital form such as emails, log files,
images etc.
The investigation team would check the log files of the computer which was used by Jonathan
where they would recognize that he has deleted some files just a few hours before he left the
Company. They would also find digital images in his computer and due to their experience in the
field; the team would suspect them of being steganography images.
The last phase of the identification team is whereby the investigation team identifies the
investigation requirements. This pertains to tools or software that would be useful in the
investigation process. This is because having identified this items the team would have an idea of
what Jonathan actually did and hence would know what forensic tools to prepare which will
allow the investigation process to be carried out smoothly.
DATA RECOVERY
YUSUPH KILEO Page 10
2.4 COLLECTION AND PRESERVATION
COLLECTION
Having identified items that may contain the evidence of Jonathan’s crime, the investigation
team would proceed to collecting the evidence. Conducting forensic investigations procedurally
is aimed at acquiring accurate evidence. Therefore, investigators would ensure that the collected
evidence is not tampered with. Digital data is very fragile, it can be easily altered therefore the
following principles would be employed to insure that the collected evidence is rather accurate:
Investigators should wear the gloves during the entire collection process to avoid
biometric tempering of the evidence.
Jonathan’s computer should not be switched off. This will allow the investigators’ to
carry out investigation without tempering with the state that the computer was found at.
There would be no installation of forensic software on the machine. (Vacca, 2005 P. 18
of 832) mentions that care must be taken that no malicious software is launched into the
subject machine. Installing any software may introduce some malicious software hence
tampering with the evidence.
TOOL THAT WOULD BE USED TO COLLECT THE EVIDENCE
Investigator has to select an appropriate tool that would assist to collect the evidence. In this case
the selected tool happens to be The Forensic Toolkit (FTK). FTK is the perfect tool for complete
and thorough forensic examinations. It has full text indexing, advanced searching, deleted file
recovery, data-carving, and email and graphics analysis. Full text indexing powered by
dtSearch® yields instant text search results. FTK also has advance searches for JPEG images and
Internet text. It locates binary patterns using Live Search and it can automatically recover deleted
files and partitions.
The FTK that the investigators would use is the which as opposed to other forensic tools, the
Imager lite does not require installation and hence would help the investigators achieve one of
the aims outlined above which is to collect evidence accurately, avoiding tampering with the
subject machine or rather tampering with the evidence itself. The FTK Imager lite can capture
images of both logical and physical drives.
DATA RECOVERY
YUSUPH KILEO Page 11
The investigator has to take the image of the PC that was used by Jonathan this is due to the
reasons the investigator should not temper with the evidence as shown on the (Vacca, 2005 P. 18
of 832) it is very crucial for forensic investigators to preserve the original evidence, they could
easily perform all the operations in Jonathan’s computer but it is best practice for investigators to
preserve the original evidence and an image is created as a copy of the original evidence and
hence would be the one investigated.
CREATING THE IMAGE OF JONATHAN’S COMPUTER
The above figure shows how Jonathan Computer was seen before the investigation process began.
From Jonathan Computer the image will be takes to allow the forensic investigation process to
take place.
DATA RECOVERY
YUSUPH KILEO Page 12
The above screen would appear after launching the FTK Imager lite. It must be noted that the aforementioned forensic tool runs from an external hard drive rather than from the subject machine. Rom The File Create the image will be pressed ready to create Jonathan Computer’s Image with FTK.
Here is where the forensic investigator would chose the drive that image is to be created.
DATA RECOVERY
YUSUPH KILEO Page 13
The above figure is where the image is added to the required drive that will be stored ready for
the investigation. And the below figure is where an appropriate selection of the image time
would be selected.
DATA RECOVERY
YUSUPH KILEO Page 14
DATA RECOVERY
YUSUPH KILEO Page 15
The Image Is started to be created to the destination. This process takes some time, it depends with the speed that data is transferred.
The above screen shows the MD5 and SHA1 files of the image.
DATA RECOVERY
YUSUPH KILEO Page 16
DATA RECOVERY
YUSUPH KILEO Page 17
The above screen shot shows the systems’ unallocated space.
DATA RECOVERY
YUSUPH KILEO Page 18
The image files would then be exported to an external media, where all the investigation would
be carried out.
2.5 EXAMINATION AND ANALYSIS
After collecting the evidence it has to be examined. This is where the subject computer would be
examined; the prior identified evidence would be examined for any hidden data or any clues.
This is because it would not have been logical for Jonathan to delete the files as simple as that,
he must have hid those using technological help.
These two stages entails filtering and breaking down any collected items, filter the evidence
which means that the forensic investigators would remove any materials collected that are not
useful to the case.
The evidence would be classified into categories for easy reference, for example in a legal
proceeding the evidence would be required and it would be easier if the investigation team
categorized it.
DATA RECOVERY
YUSUPH KILEO Page 19
2.5.1 RECOVERING ANY DELETED MATERIALS
For analysis and examination the forensic team would use the Active@ Undelete program which
checks the system for any deleted materials and then recovers them. In this case, it is already
known that Jonathan already deleted the materials which make it easier for the forensics team.
The selection of Active@ Undelete program is based due to the reason that Active@
UNDELETE is powerful data recovery software that helps you to recover deleted files and
restore deleted partitions. The software can support windows XP, Windows Vista, Windows 7
and Windows 2003 server Operating systems. With the software these can be done:-
Recover deleted files and folders
Restore deleted partitions
Create a Disk Image for safe data restoration
Perform an Advanced Scan and organize the result using Document View and Recovery
Toolkit
Write recovered data directly to a CD/DVD avoiding dangerous hard drive activity
Perform batch file recovery
Virtually reconstruct broken or disassembled RAID arrays
Restore data from damaged RAID arrays
Edit disk content with Hex Editor
Preview deleted files before restoring
DATA RECOVERY
YUSUPH KILEO Page 20
DATA RECOVERY
YUSUPH KILEO Page 21
2.5.2 RECOVERED MATERIALS
The recovered materials would be filtered and the RAR file will be extracted as the file founded
was encrypted with RAR software which an investigator suspected the file would be the one with
the required materials that Bukit Enterprises claimed to be deleted by Jonathan Before quitting
the company. In addition to that the file found to be protected with password which an
investigator would need to crack the password so that the material inside could be seen.
2.5.3 EXTRACTION OF THE MATERIAL FOUND
Since the material found happen to be encrypted with password using the WinRAR software the
extraction of the material would be required the Win RAR software which has ability to decrypt
the encrypted files. At the same time the file required the password which an investigator would
use Jonathan (name of the person who deleted the documents) to open the documents.
Then after the password has been entered to allow the encrypted documents to be seen, the
reconstruction is to be done as the documents has to be examined who committed and how and
why the crime was committed.
DATA RECOVERY
YUSUPH KILEO Page 22
2.6 RECONSTRACT The investigative reconstruction leads to a more complete picture of a crime this is the phase
where by the determination of what happened to the crime who committed the crime how and
why the crime was committed is founded. It normally involves three things namely functional
analysis, Relational analysis and temporal analysis which will eventual provide a clear picture of
the crime.
For this particular case what happened is that the sensitive files of Bukit enterprises where
deleted from Jonathan’s computer before he left the company due to the reasons that he was not
promoted as he was expecting. It is also crystal clear that Jonathan was the one deleted the files
as the files were under his supervision before quitting the company.
The deleted the files were founded to be encrypted and password protected which brings a clear
picture that Jonathan used RAR archive to encrypt and hide before deleting the files. He did this
with an aim of ensuring that the files would not be recovered easily as he believed the decryption
might be difficult if there could be any chance to recover them.
DATA RECOVERY
YUSUPH KILEO Page 23
Functional Analysis: Jonathan’s computer found to be installed software like RAR archive that
can perform encryption. This lead to the suspect of the deleted file to be hidden before deleted.
Relational Analysis: The Computer which founded the deleted file was used by Jonathan. He
quite the company without handing over the files that was required and it was clearly seen that
Jonathan was unsatisfied with the decision of not being promoted. All these together made an
easy conclusion that he would be the one whom deleted the files before he quit the job.
Temporal Analysis: Most operating systems keep track of the creation, last modification and
access times of files and folders.Below is the time line to show the sequence of events.
Date Event
21 – 02 - 2006 Jonathan started to work with Bukit Enterprises.(Base on ussumption)
He worked with other deffernt projects which were delivered succecifully.
17 – 01 - 2010 He started working with the project which he didnt deliver as he was
expected to.
19 – 01 - 2011 He resiged from the company. And he deleted the project that he was
working on from the computer that he was using.
20 – 01 - 2011 IT manager wrote an authorization letter to an investigator to investigates
the computer for the deleted files and recover them.
21 – 01 - 2011 An Investigator started to work on investigating the crime and recovering
the deleted files as required.
29 – 01 - 2011 The deleted files was succesifuly recovered from Jonathan’s Computer
from the image that was taken from it.
30 – 01 - 2011 The report was generated for futher forensic action towards Jonathan and
submited to the IT maneger.
DATA RECOVERY
YUSUPH KILEO Page 24
2.7 REPORT
FORENSICS REPORT
CASE: BUKIT ENTERPRISES VS JONATHAN
CASE NUMBER: C0001
INTRODUCTION
This report was requested by the IT department of Bukit Enterprises to confirm the alleged claim
against Jonathan that he intentionally deleted crucial company document just before his
volunteered resignation.
INVESTIGATION FINDINGS
From the investigation process, the investigation team recovered encrypted files. The files was
encrypted with RAR file which requested for a password to open the contained document as the
RAR file was protected with password before deleted.
The evidence was found on the 30th
January 2011 from the image of Mr. Jonathan’s computer
which was acquired on the 28 January 2011. The evidence is in good condition and there are no
signs of it being tampered with.
EXAMINATION SUMMARY
The tools that have been used during the entire investigation proses were Forensic Toolkit
IMAGER Lite (The software that does not need installation when used) this was due to the
investigation process which does not allow tempering to the evidence. The software was
involved on collection of image from Jonathan’s computer.
Active Undelete and Win RAR were the other tools used to during the investigation process
which was effectively used to provide the recovery of the files and decrypt them as they were
encrypted before deletion.
All these tools were very helpful in collecting accurate and precise evidence as shown in the
preservation stage.
DATA RECOVERY
YUSUPH KILEO Page 25
CONCLUSION
From the evidence it is evident that Jonathan is guilty of the alleged offence.
3.0 EXECUTIVE SUMMARY Jonathan’s crime was analyzed and lastly, the deleted materials were recovered.
At several stages of my assignment I faced some serious problems due to the unawareness
of some forensic tools. But with the help of different resources we gradually understood the
concepts. Among them was data recovery concept. The second important part which we learnt
from this assignment is to be able to perform the creation of a virtual machine and imaging of the
computer for forensic investigation.
In conclusion, this assignment was easy to work it and has given me a clearer view and
understanding for present and future purposes. In addition to that the assignment was very
helpful in increasing Data recovery tracing and evidence gathering in computer system skills and
knowledge.
DATA RECOVERY
YUSUPH KILEO Page 26
4.0 Appendix. Chain of Custody Form
ELECTRONIC EVIDENCE CHAIN OF CUSTODY FORM
COLLECTED EVIDENCE CATEGORY NAME TRACKING
NUMBER
COLLECTED FROM
Forensic
investigation.
Computer
Image
001 Jonathan’s Computer
CHAIN OF CUSTODY TRACKING
NUMBER
FROM(Location) DATE AND
TIME
REASON TO(Location)
001 Bukit Jalil
Enterprises
Company LTD
28 – January
– 2011 [At
13: 25 HRS]
To Investigate and
recover suspected
deleted documents
from the Computer
user’s Documents.
Investigation
Department.
Case No: 01 Page: 01 Of:01
DATA RECOVERY
YUSUPH KILEO Page 27
Letter of authorization
Bukit Enterprises LTD,
Kingston Block 3,
London.
U.K
Date: 20 -01 - 2011
Yusuph A. Kileo ,
Kingston Block 3,
London.
U.K
Dear Sir,
I hereby authorize you to lead the investigation team to investigate and recover suspected deleted files
from Mr Jonathan’s Computer on behalf of Bukit enterprises, in order to enable father Forensic procedure
to be taken over him.
I kindly Allow you to work on the matter as soon as you can so that to allow the job to be done as it will
be required to be completed as soon as possible.
Petro Peres,
Head of IT department.
Thank you.
DATA RECOVERY
YUSUPH KILEO Page 28
5.0 REFERENCES
1. Kleiman .D.Cardwell. K., Clinton T.,Cross M., Gregg M.,Versalone J., Wright
C.,(2007) The Official CHFI Exam 312-49 Syngress Punlishing, Burlington
2. Varcca.J.,(2005) Computer Forensics Computer Crime Scene Investigation, Syngress
Punlishing, Charles River Media
3. Standard Guide for the Recovery of Trace Evidence, Technical Working Group for
Materials, Quantico, VA, 1998
4. Walker.C., (ND) Computer Forensics: Bringing The Evidence to Court [online]
Accessed 28th
January 2011 02:29 Available from
http://www.infosecwriters.com/text_resources/pdf/Computer_Forensics_to_Court.pdf
5. Radclife.M., (2010) Ownership of copyrights Court [online] Accessed 29th
January
2011 07:34 Available from http://library.findlaw.com/1999/Jan/1/241478.html
6. McCullagh.D., (2007) Police Blotter [online] Accessed 30th
January 2011 02:39
Available from http://news.cnet.com/Police-blotter-Ex-employee-sued-for-deleting-
files/2100-7348_3-6171274.html