
Lab 2 Recover Deleted Files From Drive

1) The document describes how to create a virtual hard drive (VHD) on a Windows 10 VM, take an image of the VHD using FTK Imager, and recover deleted files from the imaged VHD using Autopsy. 2) Specific steps include creating a 100MB fixed VHD on the desktop, initializing and formatting it with NTFS, and attaching it as drive E. FTK Imager is used to create a disk image of drive E as evidence. 3) Autopsy is then used to analyze the image and recover a deleted photo from the VHD as a demonstration of file recovery from deleted data.

Uploaded by

Humera Gull

Lab 2: Creating Virtual Hard Drive (VHD), Dump a copy of the drive and Recover deleted files

Introduction:
The first step in a digital forensic investigation is to create a forensic image. You can
create an image of either the whole physical drive or a part of the drive.
A physical hard disk stores data and comes as free space without any partitions. We can
create virtual hard disks in this free space; each partition is treated separately, and you
can install a separate OS on the same physical hard disk [1].

The logical drive is the part of the disk that interacts with the user and has a name, file
system, and size. You can create different logical drives with different sizes; however, they
all remain part of the same physical disk. Each logical drive can have its own file system.

Software Used:
1- Windows 10 VM.
2- AccessData FTK Imager
3- Autopsy

Lab Objectives:
1- Understand how to create a virtual hard drive.
2- Make a copy of the created VHD (image).
3- Recover deleted files, even if the file is deleted permanently from the system.

Dr. Sarah Abu Ghazalah


Task 1: Create a Virtual Hard Drive:

1- Right-click on (This PC) within File Explorer and select the (Manage) option.

https://academy.cyber5w.com/courses/take/working-virtual-hard-



2- Choose Disk Management.

3- Right-click on Disk Management and choose the Create VHD option.



4- Click on the Browse button, use the Desktop as the storage location, type
any name (we used vhd1), and then click on the Save button to proceed.

5- For our lab, we will be using a virtual disk size of 100 MB. We are also going
to use both the VHD and Fixed Size (Recommended) options. To proceed
click the OK button.



6- Now, you can see the new virtual disk is created; however, we need to
create a new volume on our newly created VHD. In order to do that, Right-
click on the created disk and choose Initialize Disk.



7- For this lab, choose the MBR partitioning style.



8- The disk created is still unallocated; therefore, we need to create a new
volume. All you need to do is Right-Click and choose New Simple Volume.

9- The next window specifies the size of the volume; keep the default values
as they are and click the Next button.

10- We now need to select the volume letter or use other options. In our
exercise we are going to attach the disk to the letter E and then click
Next.



11- We chose to use NTFS and keep the size as default. We will assign the
volume a new name; here it is named vhd1. Make sure the option Perform
a quick format is checked. After that, click the Next button, then Finish.



12- Now we can see the created virtual disk with the NTFS file system. Also, if
you open your Windows File Browser, you should be able to see the
newly created virtual disk attached to the letter E.

Task 2: Recovering deleted data using Autopsy


The objective of this task is to help students understand and perform data file recovery
using the Autopsy tool.
We do not want to work on the original drive, so we first need to take a copy of it:
we will use AccessData FTK Imager to create an image (copy) of the drive.
1. Download any image, such as (nature.jpg), to the new drive you created in the previous
task. Then delete it, and also delete it from the Recycle Bin.
2. Open AccessData FTK Imager.
3. Choose File >> Create Disk Image.



4. You will find the drives on the VM; choose the drive you created.



5. Now you need to choose the destination and the file type. In my case I set the
destination to Documents and the type to dd:

6. Now, we need to use Autopsy to recover the deleted files. Open Autopsy, choose
New Case, and write any number for case number, and follow the screenshot
below:

After you click on Next, wait till it finishes as shown below:



Then click on Finish.

Wait till the analysis is 100% done at the bottom of the page.
Explore the files in Autopsy, for example under Deleted Files and File Type >> By
Extension.
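
Why the deleted photo is still recoverable from the dd image, as an added example (not part of the original lab and not Autopsy's code): deleting a file on NTFS clears the in-use flag in its MFT file record but leaves the record and its $FILE_NAME attribute in place, so a scan of the image can still list it. The code assumes 1024-byte file records; the function names are hypothetical, and `make_record` and `SAMPLE` are constructed test data.

```python
import struct

REC = 1024  # usual NTFS file-record size (assumed); sector fixup bytes are not restored

def file_name(rec):
    """Return the name held in the record's first resident $FILE_NAME (0x30) attribute."""
    off = struct.unpack_from("<H", rec, 0x14)[0]            # offset of first attribute
    while off + 0x18 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:                 # end marker or corrupt length
            return None
        if atype == 0x30:
            body = off + struct.unpack_from("<H", rec, off + 0x14)[0]
            if body + 0x42 > len(rec):
                return None
            nlen = rec[body + 0x40]                          # name length in characters
            return rec[body + 0x42:body + 0x42 + 2 * nlen].decode("utf-16-le", "replace")
        off += alen
    return None

def deleted_entries(image):
    """Return [(offset, name)] for file records whose in-use flag is cleared."""
    found = []
    for pos in range(0, len(image) - REC + 1, 512):          # records are sector aligned
        rec = image[pos:pos + REC]
        if rec[:4] != b"FILE":
            continue
        flags = struct.unpack_from("<H", rec, 0x16)[0]
        if (flags & 0x0003) == 0:                            # bit 0 in use, bit 1 directory
            found.append((pos, file_name(rec)))
    return found

def make_record(name, in_use):
    """Build a constructed file record for the demo (not taken from a real image)."""
    rec = bytearray(REC)
    struct.pack_into("<4sHH", rec, 0, b"FILE", 0x30, 3)      # signature, fixup array info
    struct.pack_into("<HH", rec, 0x14, 0x38, 1 if in_use else 0)
    body = bytes(0x40) + bytes([len(name), 1]) + name.encode("utf-16-le")
    alen = (0x18 + len(body) + 7) & ~7                       # attributes are 8-byte aligned
    struct.pack_into("<II", rec, 0x38, 0x30, alen)           # attribute type and length
    struct.pack_into("<IH", rec, 0x48, len(body), 0x18)      # content size, content offset
    rec[0x50:0x50 + len(body)] = body
    struct.pack_into("<I", rec, 0x38 + alen, 0xFFFFFFFF)     # end-of-attributes marker
    return bytes(rec)

# Constructed sample: a live file, then a deleted photo like the one in step 1 of Task 2.
SAMPLE = bytes(4096) + make_record("notes.txt", True) + make_record("nature.jpg", False)
if __name__ == "__main__":
    print(deleted_entries(SAMPLE))
```

To run it against the lab image, pass the bytes of the dd file produced by FTK Imager to `deleted_entries`.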
