A File's Life - File Deletion and Recovery

In this episode, we'll look at exactly what happens when you delete a file from an NTFS file system. Then, we'll talk about file "undeletion" versus file carving, and use PhotoRec to perform file carving against a mounted disk image. Lastly, we'll explore techniques to search through that recovered data using an Ubuntu WSL 2 instance.

** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. **

📖 Chapters

00:00 - Intro
13:12 - PhotoRec Demo
19:03 - Searching Recovered Data

🛠 Resources

PhotoRec:
https://www.cgsecurity.org/wiki/PhotoRec

Recycle Bin Forensics:
   • Recycle Bin Forensics  

Let's Talk About NTFS Index Attributes:
   • Let's Talk About NTFS Index Attributes  

#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics