introducing COMPUTER FORENSIC DATA RECOVERY TECHNIQUES AND SOLUTIONS WORKSHOP


Post on 10-Feb-2020


Page 1: introducing COMPUTER FORENSIC AND SOLUTIONS WORKSHOPcci.umk.edu.my/v7/images/download/Data Recovery.pdf · Training Course would offer an excellent solution • File Deletion •

introducing COMPUTER FORENSIC DATA RECOVERY TECHNIQUES AND SOLUTIONS WORKSHOP

Page 2

COMPUTER FORENSIC DATA RECOVERY TECHNIQUES AND SOLUTIONS WORKSHOP

Page 3

Objectives:

• To provide a critical understanding of the major types of failure experienced by HDDs.

• To examine the principles and methods used to correctly diagnose HDD failures.

• To explore various methods used to effect repair of different failure scenarios.

• To introduce various data recovery applications and tools.

Page 4

Course Objectives

• Gain an overall understanding of data recovery

• General file system overview

• General hard disk overview as a storage device

• File system on-disk format

• Indexing methods

• Data area

• File system weaknesses

• Scenarios, data recovery techniques and solutions

Page 5

Training Course would offer an excellent solution for:

• File deletion

• Crashed or corrupt Windows operating system

• Accidentally formatted disk

• Virus attack

• Partition loss or corruption

• Lost or missing files and folders

• Email recovery (.pst / .wab / .dbx / .mbx)

• Password recovery (workstation and server)

• Re-formatted or re-partitioned drive

• Repair of corrupt files after recovery (Word / Excel / PDF)

Page 6

What is Data Recovery

Page 7

Data Recovery

• Data recovery is the process of retrieving corrupt or inaccessible data from damaged or otherwise corrupted digital media when that data cannot be accessed normally.

Page 8

DATA RECOVERY

• It is frequently used when data needs to be recovered from devices such as DVDs, CDs, floppy disks, hard disk drives, Xboxes, mobile phones, tapes, memory cards, personal digital assistants and many other items.

Page 9

Causes for Data Loss

• Mechanical failure of the device

• Damage to the device

• Human error

• Power surges

• Software viruses

Page 10

DATA LOSS

There are two categories of data loss:

• Logical Failures

• Physical Failures

Page 11

Logical Failures

• Reasons behind a logical hard drive crash include:

• File system corruption

• OS malfunction

• Severe conflict with recently installed hardware/software

• Virus/malware infection

Page 12

Logical Failures

• Generally, in these situations data is easier to recover, as long as it has not been overwritten by subsequent use.

Page 13

Physical Hard Drive Failure

• If the BIOS does not show your hard drive, or there is a clicking/clinking sound at start-up, or even no sound of disk movement at all, then your hard drive may have been physically damaged.

• A mechanical component failure, electrical damage or firmware corruption can be responsible for the failure of the hard drive.

Page 14

Physical Hard Drive Failure

• With advanced data recovery tools and techniques, a skilled team of engineers and the required Class 100 clean-room labs, recovery service providers are able to recover data from any damaged hard drive safely.

Page 15

What Is DATA?

• In computing, data is information that has been translated into a form that is more convenient to move or process.

• Relative to today's computers and transmission media, data is information converted into binary digital form.

Page 16

The Data Recovery Process

Page 17

The Data Recovery Process

DATA RECOVERY

1. Repair Disk: Damage to the hard disk drive, if applicable, is diagnosed and repaired. Damaged components are replaced. Firmware failures are identified and repaired.

2. Image Disk: The repaired drive is read and the data copied to another disk, preserving the state of the data as it was when the drive or media was received.

3. Retrieve Data: Damage or corruption to the file system is diagnosed and repaired to permit access to the individual files. Individual files are checked for corruption and repaired if necessary.

4. Restore Data: The retrieved data is then copied to new media (for example a USB drive) and returned to the client.
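The "Image Disk" step in working code, as an added example that is not part of the workshop slides. It copies a source (assumed to be a block device such as /dev/sdb opened read-only, or an existing image file) to a destination sector by sector, zero-fills sectors that cannot be read so the image stays offset-aligned with the original, records those offsets, and hashes the image so the copy can be verified later. The 512-byte sector size and the FlakySource test stand-in are assumptions made for the example.

```python
"""Sector-by-sector disk imaging with bad-sector handling and hash verification."""
import hashlib
import io

SECTOR = 512  # assumed logical sector size


def image_device(src, dst, chunk_size=64 * SECTOR):
    """Copy everything readable from src (a binary file object, e.g. a block
    device opened read-only) to dst.

    Large chunks are read for speed; when a chunk read raises OSError the
    chunk is retried one sector at a time, and each sector that still fails
    is replaced by zeros so that offsets in the image stay aligned with the
    source. Returns (bytes_written, bad_sector_offsets, sha256_hex).
    """
    digest = hashlib.sha256()
    bad_sectors = []
    offset = 0
    while True:
        src.seek(offset)
        try:
            data = src.read(chunk_size)
        except OSError:
            data = b""
            for sec in range(offset, offset + chunk_size, SECTOR):
                src.seek(sec)
                try:
                    piece = src.read(SECTOR)
                except OSError:
                    piece = b"\x00" * SECTOR  # unreadable sector: keep alignment
                    bad_sectors.append(sec)
                if not piece:
                    break  # end of device
                data += piece
        if not data:
            break
        dst.write(data)
        digest.update(data)
        offset += len(data)
    dst.flush()
    return offset, bad_sectors, digest.hexdigest()


def verify_image(image_bytes, expected_hex):
    """Recompute the image hash and compare it with the hash recorded at acquisition."""
    return hashlib.sha256(image_bytes).hexdigest() == expected_hex


class FlakySource(io.BytesIO):
    """Constructed stand-in for a drive with unreadable sectors (test aid only)."""

    def __init__(self, data, bad_sectors):
        super().__init__(data)
        self.bad = sorted(bad_sectors)

    def read(self, size=-1):
        start = self.tell()
        end = start + size if size >= 0 else len(self.getvalue())
        for sec in self.bad:
            if start < sec + SECTOR and sec < end:
                raise OSError("I/O error at sector offset %d" % sec)
        return super().read(size)


def demo():
    # Constructed sample: a 4-sector "drive" whose third sector is unreadable
    drive = bytes(range(256)) * 8  # 2048 bytes = 4 sectors
    src = FlakySource(drive, bad_sectors=[2 * SECTOR])
    dst = io.BytesIO()
    written, bad, digest = image_device(src, dst, chunk_size=2 * SECTOR)
    expected = drive[:2 * SECTOR] + b"\x00" * SECTOR + drive[3 * SECTOR:]
    return {
        "written": written,
        "bad_sectors": bad,
        "image_ok": dst.getvalue() == expected,
        "hash_ok": verify_image(dst.getvalue(), digest),
    }


if __name__ == "__main__":
    print(demo())
```

The hash returned by image_device is the value to record alongside the image; verify_image recomputes it over the stored copy so that any later tampering or transfer error is detected before file system repair is attempted on the image.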

Page 18

Basic File system explanation

Page 19

File System

• A file system is a means to organize data expected to be retained after a program terminates, by providing procedures to store, retrieve and update data, as well as to manage the available space on the device(s) which contain it.

Page 20

File System

• File systems are used on data storage devices, such as hard disk drives, floppy disks, optical discs or flash memory storage devices, to maintain the physical locations of the computer files.

Page 21

File System

• Organizes data in an efficient manner and is tuned to the specific characteristics of the device.

• There is usually a tight coupling between the operating system and the file system.

• It controls access to the data and to the metadata.

Page 22

File System

• Without a file system, programs would not be able to access data by file name or directory and would need to access data regions on the storage device directly.

Page 23

METADATA

• Metadata (or metacontent) is data providing information about one or more aspects of the data, such as:

• Means of creation of the data

• Purpose of the data

• Time and date of creation

• Creator or author of data

Page 24

In Windows, what file system should I use?

• NTFS and FAT32 are two file systems used in Windows operating systems.

Page 25

NTFS

• NTFS, short for NT File System, is the most secure and robust file system for Windows 7, Vista, and XP.

• It provides security by supporting access control and ownership privileges, meaning you can set permission for groups or individual users to access certain files.

Page 26

NTFS

• NTFS supports compression of individual files and folders which can be read and written to while they are compressed.

• NTFS is a recoverable file system, meaning it has the ability to undo or redo operations that failed due to such problems as system failure or power loss.

• Disk quotas: Administrators can limit the amount of disk space users can consume on a per-volume basis.

• Encryption: The NTFS 5.0 file system can automatically encrypt and decrypt file data as it is read and written to the disk.

Page 27

FAT32

• FAT32 is the file system used in some older versions of Microsoft Windows. You can also install the FAT32 file system on Windows XP (all versions), and even Windows Server 2003.

Advantages of FAT32

• FAT32 supports disk partitions as large as 2 TB. FAT16 supports partitions up to only 2 GB.

• FAT32 wastes much less disk space on large partitions, since the minimum cluster size is a mere 4 KB for partitions under 8 GB.

Disadvantages of FAT32

• FAT32 does not allow compression using DriveSpace.

• FAT32 is not compatible with older disk management software, motherboards, and BIOSes.

Page 28

File Attributes

• One of the characteristics stored for each file is a set of file attributes that give the operating system and application software more information about the file and how it is intended to be used:

– Read-Only

– Hidden

– System

– Volume Label

– Directory

– Archive
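How these six attributes are actually stored on disk, as an added example that is not from the workshop slides: in FAT file systems each file has a 32-byte directory entry, byte 11 of which holds the attributes as single bits in the order listed above (Read-Only 0x01, Hidden 0x02, System 0x04, Volume Label 0x08, Directory 0x10, Archive 0x20). The parser below decodes that byte and the rest of the entry, and also recognises the 0xE5 marker that FAT writes into the first name byte on deletion, which is why a deleted file's data clusters and size remain recoverable until something overwrites them. The sample directory is constructed inline; the offsets follow the standard FAT on-disk layout.

```python
"""Decoding FAT directory entries and their attribute byte."""
import struct

# Attribute bits stored in byte 11 of a 32-byte FAT directory entry
ATTR_READ_ONLY, ATTR_HIDDEN, ATTR_SYSTEM = 0x01, 0x02, 0x04
ATTR_VOLUME_LABEL, ATTR_DIRECTORY, ATTR_ARCHIVE = 0x08, 0x10, 0x20
ATTRIBUTE_BITS = [
    (ATTR_READ_ONLY, "Read-Only"),
    (ATTR_HIDDEN, "Hidden"),
    (ATTR_SYSTEM, "System"),
    (ATTR_VOLUME_LABEL, "Volume Label"),
    (ATTR_DIRECTORY, "Directory"),
    (ATTR_ARCHIVE, "Archive"),
]
ATTR_LONG_NAME = 0x0F    # all four low bits set marks a long-file-name entry
DELETED_MARKER = 0xE5    # first name byte of a deleted entry
END_OF_DIRECTORY = 0x00  # first name byte of a never-used entry


def decode_attributes(attr):
    """Return the attribute names set in the byte, in bit order."""
    return [name for bit, name in ATTRIBUTE_BITS if attr & bit]


def parse_entry(raw):
    """Decode one 32-byte short-name entry. Returns None at end of directory."""
    if len(raw) != 32:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    if raw[0] == END_OF_DIRECTORY:
        return None
    deleted = raw[0] == DELETED_MARKER
    # Deletion overwrites only the first name character; everything else stays
    name = (b"?" + raw[1:8]) if deleted else raw[0:8]
    base = name.decode("ascii", "replace").rstrip()
    ext = raw[8:11].decode("ascii", "replace").rstrip()
    cluster_hi = struct.unpack_from("<H", raw, 20)[0]  # FAT32 only; zero on FAT12/16
    cluster_lo = struct.unpack_from("<H", raw, 26)[0]
    size = struct.unpack_from("<I", raw, 28)[0]
    return {
        "name": base + ("." + ext if ext else ""),
        "attributes": decode_attributes(raw[11]),
        "deleted": deleted,
        "first_cluster": (cluster_hi << 16) | cluster_lo,
        "size": size,
    }


def scan_directory(data):
    """Walk a directory region, skipping long-name entries, until the end marker."""
    entries = []
    for off in range(0, len(data) - 31, 32):
        raw = data[off:off + 32]
        if raw[11] == ATTR_LONG_NAME:
            continue
        entry = parse_entry(raw)
        if entry is None:
            break
        entries.append(entry)
    return entries


def make_entry(base, ext, attr, first_cluster, size, deleted=False):
    """Build a 32-byte entry; used here only to construct sample input."""
    raw = bytearray(32)
    raw[0:8] = base.encode("ascii")[:8].ljust(8)
    raw[8:11] = ext.encode("ascii")[:3].ljust(3)
    raw[11] = attr
    struct.pack_into("<H", raw, 20, first_cluster >> 16)
    struct.pack_into("<H", raw, 26, first_cluster & 0xFFFF)
    struct.pack_into("<I", raw, 28, size)
    if deleted:
        raw[0] = DELETED_MARKER
    return bytes(raw)


def demo():
    # Constructed sample directory: a live file, a deleted file, a subdirectory, end marker
    data = (make_entry("README", "TXT", ATTR_READ_ONLY | ATTR_ARCHIVE, 5, 1234)
            + make_entry("SECRET", "DOC", ATTR_ARCHIVE, 9, 4096, deleted=True)
            + make_entry("DOCS", "", ATTR_DIRECTORY, 12, 0)
            + bytes(32))
    return scan_directory(data)


if __name__ == "__main__":
    for e in demo():
        print(e)
```

The deleted entry still reports its first cluster and size, which is exactly what an undelete tool uses to find the data; on FAT32, Windows additionally clears the high cluster word on deletion, so on a real volume the value seen for a deleted file may be only the low 16 bits.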

Page 29

Read-Only

• Read-Only: Most software, when seeing a file marked read-only, will refuse to delete or modify it.

• This is pretty straightforward. For example, DOS will say "Access denied" if you try to delete a read-only file. On the other hand, Windows Explorer will happily munch it. Some programs choose the middle ground: they will let you modify or delete the file, but only after asking for confirmation.

Page 30

Hidden

• Hidden: This one is pretty self-explanatory as well; if the file is marked hidden, then under normal circumstances it is hidden from view.

• DOS will not display the file when you type "DIR" unless a special flag is used, as shown in the earlier example.

Page 31

System

• System: This flag is used to tag important files that are used by the system and should not be altered or removed from the disk.

• In essence, this is like a "more serious" read-only flag and is for the most part treated in this manner.

Page 32

Volume Label

• Volume Label: Every disk volume can be assigned an identifying label, either when it is formatted, or later through various tools such as the DOS command "LABEL". The volume label is stored in the root directory as a file entry with the label attribute set.

Page 33

Directory

• Directory: This is the bit that differentiates between entries that describe files and those that describe subdirectories within the current directory.

• In theory you can convert a file to a directory by changing this bit. Of course, in practice trying to do this would result in a mess: the entry for a directory has to be in a specific format.

Page 34

DOS – attrib /?

ATTRIB [+R | -R] [+A | -A] [+S | -S] [+H | -H] [+I | -I] [drive:][path][filename] [/S [/D] [/L]]

+   Sets an attribute.
-   Clears an attribute.
R   Read-only file attribute.
A   Archive file attribute.
S   System file attribute.
H   Hidden file attribute.
I   Not content indexed file attribute.
[drive:][path][filename]
    Specifies a file or files for attrib to process.
/S  Processes matching files in the current folder and all subfolders.
/D  Processes folders as well.
/L  Work on the attributes of the Symbolic Link versus the target of the Symbolic Link

Page 35

LAB 1

• CMD

• Type attrib /?

• View attributes via Explorer

Page 36

LAB 2

• How to view a computer file extension

Page 37

Viewing the file extension of a single file

1 Right-click the file.

2 Click Properties.

3 In the Properties window, similar to what is shown below, you should see "Type of file:"; this is the file type and extension. As can be seen in the example below, this file is a TXT file with a .txt file extension and in this case opens with the TextPad program.

Page 38

LAB 3

• How to view a computer file system

Page 39

How hard disks work

Page 40

How hard disks work

• If you dismantle the hard disk drive by opening the top casing (after removing all the necessary screws), the first thing you'll see is a spindle holding one or more mirror-like hard rotating platters (commonly called data platters).

• The platters spin at an extremely high speed, typically between 5,400 and 10,000 revolutions per minute (RPM).

• An extremely thin magnetic coating is layered onto the surface of the platter, which is polished to mirror-like smoothness.

Page 41

A platter

• The platter is usually made of glass or ceramic (modern platters may use titanium). Commonly a hard disk contains 1 to 10 identical platters, stacked in parallel to form a cylinder. There is usually one read/write (RW) head per platter face, and each head is attached to a single actuator shaft which moves all heads in unison, performing a uniform synchronous motion during reading or writing of data.

Page 42

Read Write Head

• The RW head is the key component that performs the reading and writing functions. It is placed on a slider, which is in turn connected to an actuator arm, which allows the RW head to access various parts of the platter during data I/O by sliding across the spinning platter.

Page 43

Flying Height

• To write a piece of information to the disk, an electromagnetic flux is transmitted through the head, which hovers very close to the platter.

• The RW head is suspended on a thin cushion of air which the spinning platter induces.

• This designed distance between the head and platter is called the flying height. It can measure literally a few millionths of an inch.

Page 44

Read Write Function of Disk

• As the head writes data onto the disk, it changes the magnetic polarization to induce either a one or a zero value.

• During a read request, data is interpreted when the magnetic fields on the platter bring about an electrical change (as a result of a change in electrical resistance of a special material property) in the read head that passes over them.

• These electrical fields are then encoded and transmitted to the CPU to be processed and read by the system.

Page 45

Parking of RW Head

• When the computer is switched off, the head is usually pulled to a safe parking zone to prevent it from scratching against the data zone on the platter when the air bearing subsides.

• This process is called parking, and different techniques have been implemented in various hard disks to handle the take-offs and landings.

• In a ramp load/unload design, a lifting mechanism parks the head outside the platter on a "parking bay" prior to a shutdown. It then automatically unparks and relocates itself above the disk platter when the platter spins up to the appropriate rotational speed.

Page 46

Hard Disk Controller PCB Board

• A hard disk also contains a PCB controller board that regulates data traffic.

• It ensures that large volumes of data are streamed in and out of the disk smoothly. A logic board that sits under the drive controls and connects the spindle, the head actuator and the various other functions of the disk.

• Embedded with a micro-controller, it executes self-diagnostic tests and clears the data working area in memory and all internal chip buses in the hard drive when it powers up.

Page 47

Hard Disk Parts Overview

Page 48

S.M.A.R.T

• The majority of hard disks today support a technology known as S.M.A.R.T. (Self-Monitoring, Analysis and Reporting Technology), which helps to predict imminent disk failures so that users can be alerted to take preventive action before the disk fails completely.

Page 49

Hard Disk Parts Overview

Page 50

Hard Disk Crash

Page 51

What is a head crash in a hard disk drive?

• In a nutshell, a head crash is physical damage to a hard disk that occurs when faulty electronics or mechanics cause the read/write head to land on the rotating platter instead of retracting to its safe zone, damaging and grinding away the magnetic film on the disk surface.

Page 52

How does a head crash occur?

• When the platter is rotating at rates between 5,400 and 15,000 revolutions per minute, a thin film of air suspends the read/write head extremely close above the disk surface.

• This distance, called the head gap, is typically measured in millionths of an inch, so it is possible for the heads to make contact with the media on the hard disk when there is a faulty disk mechanism.

Page 53

How does a head crash occur?

Bad Parking

• While the platter is idle, the head typically rests on the surface of the disk or on a parking bay. When the disk powers up and the platter starts to spin, the head rubs along the surface of the platter briefly before the cushion of air is strong enough to lift the head above the surface.

• During a power-down the process is reversed until the platter finally stalls. Damage can set in after a prolonged period of wear and tear. Hence a landing zone, an empty track, was set aside for the head to take off from and land on. This safety process is known as parking technology.

Page 54

How does a head crash occur?

• Most modern disks that use voice-coil or giant magneto-resistive heads support auto-parking. In the event of a power loss to the disk, a retract mechanism moves and secures the head in its landing zone without the use of external power. It then automatically unparks itself when the disk powers up again.

• Another similar technique is load/unload technology, which uses a ramp-like mechanism to lift the head from the disk surface and park it outside the platter. Older drives that do not support auto-parking use software utilities that execute head-parking procedures before the computer shuts down.

Page 55

How does a head crash occur?

Dust Debris

• A hard disk is never 100% sealed; if it were, it would not be possible to create the air flow the disk mechanism needs to work. When dust enters and contaminates the hard disk, it can obstruct the movement of the head, resulting in a crash, as the clearance between the head and the platter is far smaller than the size of a smoke particle.

Page 56

How does a head crash occur?

Mechanical Shock

• A shock applied to a disk while it is active may cause the head to bounce and slide against the platter, scratching it.

Page 57

How does a head crash occur?

Power Surge

• Another cause is the use of a poor power supply, which has the same effect as power surges and power cuts: unpredictable movement of the read/write head mechanism, causing the crash.


Page 59

Master Boot Record (MBR) & Partition

Page 60

Master Boot Record (MBR)

• Short for Master Boot Record, the MBR is also sometimes referred to as the master boot block, master partition boot sector, and sector 0.

• The MBR is the first sector of the computer's hard drive; it tells the computer how the hard drive is partitioned and how to load the operating system.

Page 61

Master Boot Record (MBR)

• The MBR is also susceptible to boot sector viruses that can corrupt or remove it, which can leave the hard drive unusable and prevent the computer from booting. The Stone Empire Monkey Virus, for example, is an MBR virus.

Page 62

Partition

• In personal computers, a partition is a logical division of a hard disk. Partitions let you keep different operating systems, or the operating system and the user data, on the same physical disk.

• A partition is created with a partitioning tool (Windows Disk Management, diskpart, fdisk); formatting is a separate step that writes a file system (FAT32, NTFS) inside an existing partition. Deleting a partition normally only removes its 16-byte entry from the partition table; the file system and the data inside it stay on the disk.
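A worked example, added here and not part of the original workshop material, of reading sector 0 the way a recovery tool does: it checks the 0x55AA signature, decodes the four partition-table entries, and reports the inconsistencies (overlapping entries, entries running past the end of the disk, a zeroed boot code area) that tell a wiped boot sector apart from a damaged partition table. The sample MBR images, the stand-in boot stub and the short type-name table are constructed for the example.

```python
import struct
from itertools import combinations

SECTOR = 512
PARTITION_TABLE_OFFSET = 0x1BE   # four 16-byte entries
BOOT_SIGNATURE_OFFSET = 0x1FE    # 0x55 0xAA

# Common partition type IDs; the real list is longer, this is enough for the example.
PARTITION_TYPES = {
    0x00: "empty", 0x05: "extended (CHS)", 0x07: "NTFS / exFAT / HPFS",
    0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)",
    0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective MBR",
}


def mbr_signature_ok(sector0: bytes) -> bool:
    """True if the 0x55AA boot signature is present at offset 0x1FE."""
    return (len(sector0) >= SECTOR
            and sector0[BOOT_SIGNATURE_OFFSET:BOOT_SIGNATURE_OFFSET + 2] == b"\x55\xaa")


def parse_mbr(sector0: bytes, disk_sectors: int = 0) -> dict:
    """Parse sector 0 (the MBR): return the partition table plus the consistency
    problems a recovery technician wants to see. disk_sectors, when known, lets
    us flag entries that extend past the end of the disk."""
    if not mbr_signature_ok(sector0):
        raise ValueError("no 0x55AA boot signature at 0x1FE: MBR missing, wiped or corrupt")

    partitions, problems = [], []
    for slot in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * slot
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", sector0, off)
        if ptype == 0x00:
            continue                                   # unused slot
        if status not in (0x00, 0x80):
            problems.append(f"slot {slot}: invalid status byte 0x{status:02x}")
        partitions.append({
            "slot": slot,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"unknown 0x{ptype:02x}"),
            "lba_start": lba,
            "sectors": count,
            "lba_end": lba + count,                    # exclusive
        })

    if all(b == 0 for b in sector0[:PARTITION_TABLE_OFFSET]):
        problems.append("boot code area is all zeros (table may still be usable)")
    if sum(p["bootable"] for p in partitions) > 1:
        problems.append("more than one partition is flagged active")
    for p in partitions:
        if p["sectors"] == 0:
            problems.append(f"slot {p['slot']}: zero-length partition")
        if disk_sectors and p["lba_end"] > disk_sectors:
            problems.append(f"slot {p['slot']}: extends past end of disk")
    for a, b in combinations(partitions, 2):
        if a["lba_start"] < b["lba_end"] and b["lba_start"] < a["lba_end"]:
            problems.append(f"slots {a['slot']} and {b['slot']} overlap")
    return {"partitions": partitions, "problems": problems}


def make_mbr(entries) -> bytes:
    """Build a constructed sector 0: a stand-in boot stub, the given
    (status, type, lba_start, sectors) entries and the boot signature."""
    mbr = bytearray(SECTOR)
    mbr[0:8] = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb"     # stand-in boot stub (constructed)
    for slot, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3sB3sII", mbr, PARTITION_TABLE_OFFSET + 16 * slot,
                         status, b"\x00\x00\x00", ptype, b"\x00\x00\x00", lba, count)
    mbr[BOOT_SIGNATURE_OFFSET:BOOT_SIGNATURE_OFFSET + 2] = b"\x55\xaa"
    return bytes(mbr)


# Constructed samples: a healthy two-partition disk, one whose second entry was
# rewritten so that it overlaps the first (what a botched resize leaves behind),
# and one whose boot signature was destroyed.
SAMPLE_MBR = make_mbr([(0x80, 0x07, 2048, 204800), (0x00, 0x0C, 206848, 409600)])
SAMPLE_MBR_OVERLAP = make_mbr([(0x80, 0x07, 2048, 204800), (0x00, 0x0C, 100000, 409600)])
SAMPLE_MBR_WIPED = SAMPLE_MBR[:BOOT_SIGNATURE_OFFSET] + b"\x00\x00"


if __name__ == "__main__":
    for name, blob in (("healthy", SAMPLE_MBR), ("overlap", SAMPLE_MBR_OVERLAP)):
        info = parse_mbr(blob, disk_sectors=1_000_000)
        print(name, info["partitions"], info["problems"])
    print("wiped sample has signature:", mbr_signature_ok(SAMPLE_MBR_WIPED))
```

On a real case, feed parse_mbr the first 512 bytes of the raw device or, better, of a forensic image of it, and pass the sector count reported by the drive. A single type 0xEE entry means the disk is GPT and the real table starts in sector 1.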


LAB 4

• View Partition

• Create Partition

• Format FAT32

• Format NTFS

• Convert Partition: convert drive_letter: /fs:ntfs

• Check the file system: chkdsk /f


Summary

Recycle Bin


Recycle Bin

• When you delete a file in Windows Explorer or My Computer, the file is moved to the Recycle Bin.

• The file stays in the Recycle Bin until you empty the Recycle Bin or restore the file. Nothing is erased at this stage: the file is renamed and moved into a hidden per-user folder on the same volume.


Where the Windows Recycle Bin is Located?

• On Windows 2000 and XP, when you delete a file the complete path and file name are stored, together with the deletion time and file size, in a hidden index file called INFO (Windows 95/98) or INFO2 in the Recycled folder (FAT volumes) or RECYCLER\<user SID> (NTFS volumes). The deleted file itself is renamed using the following syntax:

• D<original drive letter of file><#>.<original extension>, for example Dc1.doc for the first file deleted from C:

• On Windows Vista and later the bin lives in $Recycle.Bin\<user SID>, and each deletion produces a pair of files: $I<random>.<ext> holding the original path, size and deletion time, and $R<random>.<ext> holding the contents. In both designs the original name and the deletion time survive in the index even after the item is purged from the bin, as long as the index itself has not been overwritten.
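The two metadata formats above, parsed as an added example that is not part of the original slides: parse_info2 decodes the INFO2 index used on Windows 2000/XP and maps each Dc#.ext entry back to its original path and deletion time, and parse_dollar_i does the same for the $I files used from Vista onwards. The record layouts follow the publicly documented formats; the INFO2 index and $I files fed to them here are constructed samples, not real evidence.

```python
import ntpath
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DRIVE_LETTERS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_info2(data: bytes) -> list:
    """Parse an INFO2 index from the Windows 2000/XP Recycled or RECYCLER\\<SID> folder.
    Layout assumed here: 20-byte header with the record size at offset 12 (800 on
    NT-based Windows, 280 on 95/98); each record holds a 260-byte ANSI path, uint32
    index (the # in Dc#.ext), uint32 drive number (0 = A:), FILETIME deletion time,
    uint32 physical size and, in 800-byte records, a 520-byte UTF-16LE copy of the path."""
    if len(data) < 20:
        raise ValueError("truncated INFO2 header")
    _version, _, _, rec_size, _ = struct.unpack_from("<5I", data, 0)
    if rec_size not in (280, 800):
        raise ValueError(f"unexpected INFO2 record size {rec_size}")
    records = []
    for off in range(20, len(data) - rec_size + 1, rec_size):
        rec = data[off:off + rec_size]
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        if rec_size == 800:
            path = rec[280:800].decode("utf-16le", "replace").split("\x00", 1)[0]
        else:
            path = rec[:260].split(b"\x00", 1)[0].decode("latin-1")
        letter = DRIVE_LETTERS[drive] if drive < 26 else "?"
        records.append({
            "index": index,
            "drive": letter,
            "path": path,
            "size": size,
            "deleted": filetime_to_datetime(ft),
            # name the file carries inside the bin, per the D<drive><#>.<ext> rule
            "bin_name": f"D{letter.lower()}{index}{ntpath.splitext(path)[1]}",
            # Windows zeroes the first byte of the ANSI path when the item is
            # restored or the bin is emptied; the Unicode path still holds the name
            "purged": rec[0] == 0,
        })
    return records


def parse_dollar_i(data: bytes) -> dict:
    """Parse a $I file from $Recycle.Bin\\<SID> (Vista and later).
    Version 1 (Vista/7/8): uint64 version, uint64 original size, FILETIME deletion
    time, 520-byte UTF-16LE path. Version 2 (Windows 10 1607 and later): the same
    24-byte prefix, then uint32 path length in characters (including the NUL) and the path."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        path = data[24:24 + 520].decode("utf-16le", "replace").split("\x00", 1)[0]
    elif version == 2:
        nchars, = struct.unpack_from("<I", data, 24)
        path = data[28:28 + 2 * nchars].decode("utf-16le", "replace").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I format version {version}")
    return {"version": version, "size": size, "path": path, "deleted": filetime_to_datetime(ft)}


# --- constructed samples (not real evidence) ----------------------------------
def _info2_record(path: str, index: int, drive: int, deleted: datetime, size: int) -> bytes:
    rec = bytearray(800)
    rec[0:260] = path.encode("latin-1").ljust(260, b"\x00")[:260]
    struct.pack_into("<IIQI", rec, 260, index, drive, datetime_to_filetime(deleted), size)
    rec[280:800] = path.encode("utf-16le").ljust(520, b"\x00")[:520]
    return bytes(rec)


DELETED_AT = datetime(2012, 3, 1, 9, 30, tzinfo=timezone.utc)
SAMPLE_INFO2 = (struct.pack("<5I", 5, 0, 0, 800, 0)
                + _info2_record("C:\\Docs\\report.doc", 1, 2, DELETED_AT, 4096)
                + _info2_record("D:\\Photos\\holiday.jpg", 2, 3, DELETED_AT, 1_048_576))
SAMPLE_DOLLAR_I_V1 = (struct.pack("<QQQ", 1, 1234, datetime_to_filetime(DELETED_AT))
                      + "C:\\Users\\bob\\secret.xls".encode("utf-16le").ljust(520, b"\x00"))
_V2_PATH = "C:\\Users\\bob\\notes.txt\x00"
SAMPLE_DOLLAR_I_V2 = (struct.pack("<QQQI", 2, 77, datetime_to_filetime(DELETED_AT), len(_V2_PATH))
                      + _V2_PATH.encode("utf-16le"))

if __name__ == "__main__":
    for r in parse_info2(SAMPLE_INFO2):
        print(r["bin_name"], "->", r["path"], r["deleted"], r["size"], "(purged)" if r["purged"] else "")
    print(parse_dollar_i(SAMPLE_DOLLAR_I_V1))
    print(parse_dollar_i(SAMPLE_DOLLAR_I_V2))
```

On a live system the index belongs to whichever user deleted the file (the SID sub-folder), so read it from an image or from a copy taken with administrative rights; timestamps come out in UTC and must be shifted to the machine's time zone when they are compared with the user's account of events.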


LAB 5 • Recycle Bin

• Delete key

• Shift + Delete (bypasses the Recycle Bin)

• Delete Fails

• Delete Folder

• Delete Word / Excel / PDF / JPG files


LAB • Install Recuva


RECUVA

• Recuva is a freeware data recovery program, developed by Piriform, that runs under Microsoft Windows 7, Vista, XP, 2003, and 2000.

• It is able to recover files that have been "permanently" deleted and whose clusters the operating system has marked as free space. The program can also recover files deleted from USB flash drives, memory cards, or MP3 players. Recovery only works while those clusters have not been reused, so install and run the tool from a different drive and write nothing to the affected volume; on an SSD with TRIM enabled the freed blocks are usually erased by the drive itself and cannot be recovered this way.

• Supports FAT12, FAT16, FAT32, exFAT, NTFS, NTFS5 and NTFS + EFS file systems.


Scenarios & Data recovery of the following: Accidental Disk Format


What is format?

• Formatting prepares a storage medium, usually a disk, for reading and writing.

• When you format a disk, the operating system erases all bookkeeping information on the disk, optionally tests the disk to make sure all sectors are reliable, marks bad sectors (those that cannot be read or written reliably), and creates the internal address tables (the FAT, or the NTFS master file table) that it later uses to locate information. You must format a disk before you can use it.

• Note that a quick format does not erase the data on the disk, only the address tables. A full format on Windows XP and earlier reads every sector but does not overwrite it; on Windows Vista and later a full format writes zeros over the whole volume, after which the data really is gone.


How to Recover Data from Formatted Drive

• "Oops, I accidentally formatted my hard disk partition. I had many important documents and photos there. Help!" Have you run into a similar situation?

• Data loss after a format is hard to accept, but it is usually not final. With a recovery tool such as Data Recovery Standard you can get the data back after the drive was formatted, as long as nothing has been written over it since.


Why can I still get data back from a formatted drive?

• Formatting a drive only rewrites the file system structures (the file address tables). After a quick format, or a full format on Windows XP and earlier, the file contents are still on the disk untouched; a recovery tool finds them either by locating the old file system metadata or by scanning the raw sectors for known file signatures (carving).

Warning

• You should immediately stop using the drive to avoid overwriting the data. Do not install any program or write any data to the formatted drive, and do not run a full format on Vista or later, as this causes permanent data loss. Where the evidence matters, image the drive first and recover from the image.


LAB 6 • Download EaseUS Data Recovery Wizard, install it (on a drive other than the one being recovered) and launch it.


LAB 6

• Click the "Complete Recovery" button on the main window of Data Recovery Wizard.


LAB 6 • Select the file types you want to recover. Tick 'Search all lost files automatically' to find all lost file types. Tick 'Ignore bad sectors' to skip bad sectors when scanning.


LAB 6 • The second screen of the "Complete Recovery" tool displays a list of the volumes found on the drives in your system. If a volume has no drive letter, it is listed last and its drive letter is replaced by


LAB 6 • The Intelligent Searching module scans the selected volume, collects and analyses every byte on it, and then shows a list of the volumes that may previously have existed there.


LAB 6 • After the scan finishes, Data Recovery Wizard lets you choose up to 4 volumes from which to recover data. Then press the "NEXT" button.

• Data Recovery Wizard then launches the "Building directory" procedure to search for files. The file/folder tree appears shortly afterwards.


LAB 6 • Select the files or directories you want to recover and press the "Next" button. Save the recovered files to a different drive, never back onto the volume being recovered.


Scenarios & Data recovery of the following: Partition loss or corruption


Recover Data from Missing Partition or corruption

• A hard drive can be divided into multiple storage units referred to as partitions. Reasons for creating partitions include separating the OS and program files from user files,

• having a multi-boot setup, using multiple file systems, reducing access time (which improves system performance), and limiting damage: if one partition's file system is corrupted, the file systems on the other partitions are not affected, which makes recovery easier.


How does data loss or corruption occur in a hard drive partition?

• Through conversion of a partition from one file system to another, e.g. FAT16 or FAT32 to NTFS with convert.exe, or NTFS back to FAT with third-party tools. Conversion rewrites the on-disk metadata in place; if it is interrupted the volume can become unreadable, and NTFS-only attributes cannot survive a conversion to FAT: EFS encryption details and the file system permissions that record which users or system processes are granted access, and which operations are allowed, on a particular file.


Recover Data from Missing Partition or corruption

• Using third-party tools to create a new partition or resize an existing one can delete partitions or data, because the tool rewrites the partition table and moves data while looking for free disk space.

• Virus infection is another main cause of data loss through missing or corrupt partitions. If the master boot record (MBR), which holds the partition table, is damaged or corrupted by a virus, the partitions are no longer visible to the operating system, and heavy data loss follows even though the file systems inside the partitions are usually still intact.


LAB 7 • Download EaseUS Data Recovery Wizard, install it and launch it.

• Recover data from a hard drive partition that has been lost or corrupted.


Scenarios & Data recovery of the following: Crash, Windows operating system corrupt


Crash: Windows operating system corrupt

Microsoft Windows 7 Crashes, Restarts or a Blue Screen Appears

What Is a Blue Screen Error?

• When Windows encounters certain situations, it halts and the resulting diagnostic information is displayed in white text on a blue screen. The appearance of these errors is where the term "Blue Screen" or "Blue Screen of Death" comes from. Blue Screen errors occur when:

– Windows detects an error it cannot recover from without losing data

– Windows detects that critical OS data has become corrupted

– Windows detects that hardware has failed in a non-recoverable fashion


Crash: Windows operating system corrupt

• Almost everyone has witnessed the serious problem of a computer's operating system crashing; it is almost inevitable that this happens at least once in the life of a system. The most frustrating part is the data we lose. Two simple, practical ways to get the data off the disk without booting the damaged Windows installation are:

• Booting the machine from a Linux / Windows live boot disk

• Attaching the hard disk drive to another machine as an external drive


LAB 9 • By using a Linux / Windows live boot disk

• By using your hard disk drive as an external drive


Scenarios & Data recovery of the following: Email Recovery


How to Recover Deleted Email files

Outlook PST Files

• Recover My Files will search for and locate deleted Microsoft Outlook PST, WAB (Windows Address Book) and PAB (Personal Address Book) files that have been emptied from, or bypassed, the Windows Recycle Bin.

• PST files are very complex, and in some instances a recovered PST file will not open until it has also been repaired. This is done with 'scanpst.exe' (the 'Inbox Repair Tool'), which is installed with Microsoft Outlook rather than with Windows itself. Use Recover My Files to find your deleted PST file. If errors occur when you try to access it, use the Inbox Repair Tool to fix it; scanpst modifies the file in place, so run it on a copy of the recovered file. Once you have recovered and repaired the file you will again be able to open it in Microsoft Outlook.



How to Recover Deleted Email files

• Outlook Express DBX Files

• Recover My Files will search for and locate deleted Microsoft Outlook Express DBX files that have been emptied from, or bypassed, the Windows Recycle Bin.

• The download (evaluation) version of Recover My Files lets you preview the contents of a recovered DBX file, including the number of messages, the 'to' and 'from' address fields, the subject, and the date each message was sent and received.
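An added example, not from the original slides or from the tools they name, of the signature-based carving that both the "analyse every byte" step of the formatted-drive scenario and the PST/DBX recovery in this email section rely on. It scans a raw image for known file headers at sector boundaries and cuts each file out to its footer, or to a size cap for formats such as PST and DBX that have no trailer. The signature table and the "quick-formatted" volume image are constructed for the example; the PST bytes in the sample only mimic the '!BDN' magic and are not a valid mailbox.

```python
# Signature table for this example: header, footer (None when the format has no
# trailer and the real length would have to come from the file's own header), size cap.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 16 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 16 * 1024 * 1024),
    "pdf": (b"%PDF-", b"%%EOF", 64 * 1024 * 1024),
    "pst": (b"!BDN", None, 64 * 1024),             # Outlook PST magic; cap kept small for the demo
    "dbx": (b"\xcf\xad\x12\xfe", None, 64 * 1024),  # Outlook Express DBX magic
}


def carve(image: bytes, signatures=SIGNATURES, align: int = 512) -> list:
    """Scan a raw volume image for file headers at aligned offsets (files start
    on a cluster boundary, so align=512 skips most false positives; use align=1
    to also catch files embedded inside other files) and cut each hit out to its
    footer, or to the size cap when the format has none. Returns dicts with
    type, offset, size and the carved bytes, in offset order."""
    found = []
    pos = 0
    while pos < len(image):
        hit = None
        for name, (header, footer, cap) in signatures.items():
            if image.startswith(header, pos):
                hit = (name, header, footer, cap)
                break
        if hit is None:
            pos += align
            continue
        name, header, footer, cap = hit
        limit = min(len(image), pos + cap)
        if footer is None:
            end = limit
        else:
            # Known limitation: a JPEG with an embedded thumbnail contains an
            # early FFD9 and is truncated there; real carvers parse the segments.
            fpos = image.find(footer, pos + len(header), limit)
            end = limit if fpos < 0 else fpos + len(footer)
        found.append({"type": name, "offset": pos, "size": end - pos, "data": image[pos:end]})
        pos = ((end + align - 1) // align) * align   # next aligned sector after the file
    return found


def carve_image_file(path: str) -> list:
    """Carve from an image file (read-only); never run this against the live volume."""
    with open(path, "rb") as f:
        return carve(f.read())


def build_sample_image() -> bytes:
    """Constructed 'quick-formatted' volume: the bookkeeping area is zeroed but
    the file contents are still sitting in their old clusters."""
    sector = 512
    img = bytearray(sector * 64)
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 300 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
    pst = b"!BDN" + b"\x00" * 4 + b"SM" + b"\x17\x00" + b"\x00" * 500   # magic only, not a real PST
    for off, blob in ((8 * sector, jpg), (20 * sector, pdf), (30 * sector, pst)):
        img[off:off + len(blob)] = blob
    return bytes(img)


SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    for f in carve(SAMPLE_IMAGE):
        print(f"{f['type']:4s} at sector {f['offset'] // 512:5d} size {f['size']:6d} bytes")
```

Carved files have no names and no timestamps; those come from the file system metadata, which is exactly what the format destroyed. That is why a tool first tries to locate the old file table and only falls back to carving, and why a carved PST still needs the Inbox Repair Tool before Outlook will open it.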


Scenarios & Data recovery of the following: Password recovery (workstation and server)


PASSWORD

• A secret series of characters that enables a user to access a file, computer, or program. On multi-user systems, each user must enter his or her password before the computer will respond to commands.

• The password helps ensure that unauthorized users do not access the computer. In addition, individual data files and programs may require a password.

• Ideally, a password should be something that nobody could guess. In practice, most people choose a password that is easy to remember, such as their name or their initials. This is one reason it is relatively easy to break into most computer systems: a short list of common passwords covers a large share of accounts.


Where are Windows 7 Passwords Stored?

• Local account details are stored in the SAM registry hive. Passwords are kept as an unsalted one-way hash: either the LM hash, which is old and weak (the password is upper-cased and split into two 7-character halves) and disabled by default since Vista, or the NT hash (MD4 of the UTF-16LE password, commonly called the NTLM hash), which is stronger but still unsalted, so two users with the same password have the same hash and precomputed tables apply.

• The SAM hive file is located at %WinDir%\system32\config\SAM. This directory and its parents are by default inaccessible to non-administrative users, and the hive is locked while Windows is running. However it is vulnerable to offline attacks: boot a Live CD and read or modify the binary data directly, for example with the Offline NT Password & Registry Editor (chntpw). Dumping the hashes offline also needs the SYSTEM hive from the same folder, because the hashes are encrypted with the boot key stored there. Full-disk encryption (BitLocker with a TPM) is the usual defence, since an offline boot can then read neither hive.
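To make the "easy to guess" and "one-way hash" points concrete, an added example (not from the original slides) that computes the NT hash exactly as Windows does (MD4 over the UTF-16LE password, no salt) and runs a dictionary attack against a set of hashes as they would be read from SAM. MD4 is implemented in pure Python because hashlib's md4 is disabled on many current OpenSSL builds; the target accounts and the wordlist are constructed, except bob's hash, which is the well-known NT hash of "password".

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    x &= MASK32
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(message: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (little-endian words, 3 rounds of 16 steps)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(message) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(message) * 8) & 0xFFFFFFFFFFFFFFFF)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack_from("<16I", msg, off)
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                      # round 1
            a = _rotl(a + f(b, c, d) + X[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                      # round 2
            a = _rotl(a + g(b, c, d) + X[r2[i]] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                      # round 3
            a = _rotl(a + h(b, c, d) + X[r3[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = ((a + aa) & MASK32, (b + bb) & MASK32,
                      (c + cc) & MASK32, (d + dd) & MASK32)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash as stored in SAM: MD4(UTF-16LE(password)), hex, no salt."""
    return md4(password.encode("utf-16le")).hex()


def crack_nt_hashes(targets: dict, wordlist) -> dict:
    """Dictionary attack over user -> NT hash. Because the hash is unsalted, each
    candidate is hashed once and looked up against every account at the same time."""
    by_hash = {}
    for user, digest in targets.items():
        by_hash.setdefault(digest.lower(), []).append(user)
    found = {}
    for word in wordlist:
        for user in by_hash.get(nt_hash(word), []):
            found[user] = word
    return found


# Constructed SAM contents: bob's value is the widely published NT hash of "password".
SAMPLE_TARGETS = {
    "alice": nt_hash("Summer2012"),
    "bob": "8846f7eaee8fb117ad06bdd830b7586c",
    "carol": nt_hash("nine words of real entropy beat any wordlist"),
}
SAMPLE_WORDLIST = ["123456", "password", "letmein", "Summer2012", "Admin123"]

if __name__ == "__main__":
    print(crack_nt_hashes(SAMPLE_TARGETS, SAMPLE_WORDLIST))   # alice and bob fall, carol does not
```

Any two accounts that share a password show up with an identical hash, and one pass over a wordlist tests it against every account in the hive at once; that is what makes offline cracking of a copied SAM cheap, and why the answer is a long passphrase plus full-disk encryption rather than a hidden file.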


LAB 10 • Password for workstation

• Password for server

• How to get data

• Change Administrator password