Introduction
Data recovery is a crucial skill in digital forensics. Criminals often delete evidence, but with proper techniques deleted files, hidden data and fragments can be recovered. In this part we will learn the fundamental concepts and techniques of data recovery.
By the end of this part, you will understand how deleted files are recovered, learn file carving techniques, and be able to handle fragmented data.
Deleted Files
When a file is "deleted", the actual data is not erased immediately. The file system only removes the file's reference; the data remains on disk until it is overwritten by new data.
How Deletion Works
File System Specific Behavior
| File System | Deletion Behavior | Recovery Potential |
|---|---|---|
| FAT32 | First character changed to 0xE5, clusters marked free | High (until overwritten) |
| NTFS | MFT entry marked deleted, clusters deallocated | High (MFT often preserves info) |
| EXT4 | Inode unlinked, blocks freed | Moderate (journal may help) |
| APFS | Object deleted from B-tree | Lower (TRIM on SSD) |
SSD vs HDD Recovery
HDD (Magnetic)
Data physically remains on the platters until it is overwritten. Recovery chances are higher because there is no TRIM.
SSD (Flash)
The TRIM command lets the drive erase deleted data quickly. Recovery chances are lower, especially after TRIM has executed.
On SSDs with TRIM enabled, recovery of deleted data can be very difficult or impossible. This is why live acquisition (while the device is still powered on) is especially important for SSDs.
Deleted File Recovery Methods
- File System Based: use the metadata left in MFT, inode or FAT entries
- Signature Based (Carving): search for file headers/footers
- Journal Recovery: recover previous states from the file system journal
- Slack Space Analysis: leftover data in cluster slack
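As an added example of the file-system-based method (not code from the original page or from any tool named here), the following parses FAT32 directory entries from a constructed sample and lists the deleted ones, whose first byte the file system changed to 0xE5 while leaving the first cluster and size intact. The field offsets follow the standard FAT32 directory entry layout; the sample data is constructed for this example.

```python
import struct

ENTRY_SIZE = 32
ATTR_LFN = 0x0F   # long-filename entries carry this attribute and are skipped

def parse_directory(data: bytes):
    """Yield one dict per 8.3 directory entry. A deleted entry (first byte 0xE5)
    still carries its first cluster and size, which file-system-based recovery
    uses; the rest of the chain is gone from the FAT, so contiguity is assumed."""
    for off in range(0, len(data) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = data[off:off + ENTRY_SIZE]
        if e[0] == 0x00:                        # 0x00: no entries follow
            break
        if e[11] & ATTR_LFN == ATTR_LFN:
            continue
        deleted = e[0] == 0xE5
        name = e[0:8].rstrip(b" ").decode("latin-1")
        ext = e[8:11].rstrip(b" ").decode("latin-1")
        hi, lo = struct.unpack("<H", e[20:22])[0], struct.unpack("<H", e[26:28])[0]
        yield {
            # the original first character was overwritten by 0xE5, so mark it
            "name": ("?" + name[1:] if deleted else name) + ("." + ext if ext else ""),
            "deleted": deleted,
            "first_cluster": (hi << 16) | lo,
            "size": struct.unpack("<I", e[28:32])[0],
        }

def deleted_entries(data: bytes) -> list:
    return [d for d in parse_directory(data) if d["deleted"]]

def _entry(name: bytes, ext: bytes, first_cluster: int, size: int, deleted: bool = False) -> bytes:
    """Build one directory entry; only used to construct the sample below."""
    raw = name.ljust(8, b" ") + ext.ljust(3, b" ")
    if deleted:
        raw = b"\xe5" + raw[1:]
    return struct.pack("<11sBBBHHHHHHHI", raw, 0x20, 0, 0, 0, 0, 0,
                       first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size)

# Constructed sample directory: one live file, two deleted files, end marker.
SAMPLE_DIR = (_entry(b"REPORT", b"DOC", 5, 12000)
              + _entry(b"EVIDENCE", b"JPG", 0x10042, 48213, deleted=True)
              + _entry(b"NOTES", b"TXT", 9, 120, deleted=True)
              + b"\x00" * ENTRY_SIZE)
```

Because deletion clears the FAT chain but not the directory entry, the first cluster and size are enough to read a contiguous file back; fragmented files need the carving techniques covered later.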
File Carving
File carving is a technique in which files are recovered from raw data without using file system metadata. It relies on file signatures (magic bytes) and file structure.
File Carving Process
- Header Identification: identify the unique starting bytes of the file type
- Footer Detection: find the file's end marker (where applicable)
- Size Calculation: determine the file size from the header or from the distance to the footer
- Data Extraction: extract the data from header to footer
- Validation: verify that the carved file is valid
Common File Signatures
| File Type | Header (Hex) | Footer (Hex) |
|---|---|---|
| JPEG | FF D8 FF | FF D9 |
| PNG | 89 50 4E 47 0D 0A 1A 0A | 49 45 4E 44 AE 42 60 82 |
| PDF | 25 50 44 46 (%PDF) | 25 25 45 4F 46 (%%EOF) |
| ZIP | 50 4B 03 04 | 50 4B 05 06 |
| DOCX | 50 4B 03 04 (ZIP) | 50 4B 05 06 |
| MP4 | 00 00 00 xx 66 74 79 70 | Variable |
File Carving Tools
Scalpel
Fast, open-source carver. Configurable signatures. Linux/Windows support.
Foremost
Original carving tool. Header/footer based. Linux-focused.
PhotoRec
Excellent for images, documents. Cross-platform. Free.
Autopsy
Integrated carving in forensic suite. Multiple algorithms support.
```
# Scalpel configuration example (scalpel.conf)
# Format: extension case-sensitive size header footer
jpg y 20000000 \xff\xd8\xff \xff\xd9
png y 20000000 \x89PNG \x49\x45\x4e\x44\xae\x42\x60\x82
pdf y 50000000 %PDF %%EOF
doc y 20000000 \xd0\xcf\x11\xe0
```

```
# Running Scalpel
$ scalpel -c scalpel.conf -o output_dir forensic_image.dd
```
File Carving Challenges
- Fragmentation: the pieces of a file may be non-contiguous
- No Footer: some file types have no clear footer
- Embedded Files: files inside files (documents inside a ZIP)
- Partial Overwrite: part of the file has been overwritten
- Encrypted Data: encrypted files are useless even when carved
Fragmented Data
Fragmentation occurs when the parts of a file are stored at non-contiguous locations on the disk. It is normal operation, but it complicates recovery.
Fragmentation Types
Sequential Fragmentation
File chunks are at different locations but in sequence. Relatively easy recovery.
In-Order Fragmentation
Chunks are in sequential order but with gaps between them. Moderate difficulty.
Out-of-Order Fragmentation
Chunks are scattered in random order. Difficult recovery.
Handling Fragmented Files
- File System Metadata: if available, follow the cluster chain
- Content Analysis: match fragments based on the file content
- Statistical Methods: identify adjacent blocks from byte patterns
- Specialized Tools: Bifragment and other smart carvers that handle fragmentation
In a child exploitation case, the accused deleted photos and partial overwriting had occurred. Simple carving yielded incomplete images. Using advanced carving tools the fragments were identified - some images were in 3-4 fragments. The fragments were correctly assembled through content analysis and the evidence was recovered.
Slack Space Recovery
Slack space is the unused area at the end of a cluster, and it can contain valuable data:
- File Slack: between the end of the file and the end of the sector
- RAM Slack: filled from memory up to the sector end (old data)
- Cluster Slack: from the last sector to the end of the cluster (previous file data)
Example: File size = 5000 bytes
Cluster size = 4096 bytes (4KB)
Sectors per cluster = 8 (assuming 512-byte sectors)
File uses: 2 clusters (8192 bytes allocated)
File slack: bytes 5001-5120 (to sector end) - may contain RAM data
Cluster slack: bytes 5121-8192 - may contain old file data
These 3192 bytes of slack space can contain evidence!
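The slack arithmetic from the example above, generalised to any file size, sector size and cluster size, plus a helper that splits a file's raw allocation into its file-slack and cluster-slack regions so each can be examined separately (an added example, not from the original page; the 2-cluster allocation bytes are constructed for it).

```python
def slack_layout(file_size: int, sector_size: int = 512, cluster_size: int = 4096) -> dict:
    """Byte ranges (1-based, inclusive, as in the worked example) of a file's allocation."""
    clusters = -(-file_size // cluster_size)                  # ceiling division
    allocated = clusters * cluster_size
    sector_end = -(-file_size // sector_size) * sector_size   # end of the last used sector
    return {
        "clusters": clusters,
        "allocated": allocated,
        "file_slack": (file_size + 1, sector_end) if sector_end > file_size else None,
        "cluster_slack": (sector_end + 1, allocated) if allocated > sector_end else None,
        "total_slack": allocated - file_size,
    }

def extract_slack(allocation: bytes, file_size: int, sector_size: int = 512) -> tuple:
    """Split the raw bytes of a file's clusters into (file slack, cluster slack)."""
    sector_end = -(-file_size // sector_size) * sector_size
    return allocation[file_size:sector_end], allocation[sector_end:]

# Constructed 2-cluster allocation: 5000 bytes of file data, then bytes standing in
# for RAM slack and for remnants of a previously deleted file (8192 bytes total).
FILE_SIZE = 5000
ALLOCATION = b"A" * FILE_SIZE + b"R" * 120 + b"old file remnant " * 180 + b"\x00" * 12
```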
Recovery Tools Overview
Free/Open Source Tools
| Tool | Primary Use | Platform |
|---|---|---|
| TestDisk | Partition recovery, boot sector repair | Cross-platform |
| PhotoRec | File carving (images, docs) | Cross-platform |
| Recuva | User-friendly Windows recovery | Windows |
| Scalpel/Foremost | Raw file carving | Linux |
| extundelete | EXT filesystem recovery | Linux |
Commercial Tools
| Tool | Primary Use | Note |
|---|---|---|
| R-Studio | Comprehensive data recovery | Multiple FS support |
| GetDataBack | NTFS/FAT recovery specialist | User-friendly |
| EnCase | Full forensic recovery suite | Industry standard |
| FTK | Forensic recovery and analysis | Powerful carving |
Best Practices
Do's
- Always work on forensic copy, never on original
- Document everything - tools used, settings, results
- Verify recovered files for integrity
- Use multiple tools for comprehensive recovery
- Check slack space and unallocated areas
- Preserve original timestamps
Don'ts
- Never recover directly to source drive
- Don't assume all files are recoverable
- Don't ignore partial recoveries - fragments can be valuable
- Don't use untrusted recovery software
- Don't skip validation of recovered files
For recovered data to be admissible, the recovery process must be documented. Record everything - tools, settings, timestamps. In court this documentation is critical evidence.
- Deleted files are not actually erased immediately - only the references are removed
- On SSDs, TRIM significantly reduces the chances of recovery
- File carving recovers files from raw data using file signatures (headers/footers)
- Common signatures: JPEG (FF D8 FF), PDF (%PDF), PNG (89 50 4E 47)
- Fragmentation complicates recovery - advanced tools are needed
- Slack space can contain valuable evidence
- Always work on a forensic copy, never on the original
- Use multiple tools for comprehensive recovery