When I discuss my job with my detective friends or even people outside of work, they automatically assume my job solely consists of finding deleted files. While it is true my work may consist of recovering deleted files, it is but a small part. In addition to that, I don’t actually do that, my tools do. And thank goodness! But it is important that, as examiners, we understand what our tools accomplish and how they do it. If we don’t, then we’re merely monkeys pushing buttons.
So what does happen? I like to use the analogy of a book. Deleting a file is akin to removing the entry of a table of contents. If the reader were to try and find something in the table of contents that was deleted it wouldn’t be there, yet, the information is still somewhere in the book. It didn’t go anywhere.
So then, what steps take place when you “delete” a file?
First, let’s look at a file as it exists. We have a physical drive with NTFS and a volume labeled “Deleted?”. Within that volume we have a folder labeled “Test_Files”:
Within the folder “Test_Files”, we have three files, with “Test_2.txt” being the object of our scorn:
Next, we can see the directory of the “Test_Files” folder. This is an entry in the $MFT, or Master File Table. Highlighted is the signature (FILE) showing it is in fact a file record, the name of the “file”, the index record ($I30), and the files in the index:
Next we can look at the file record of “Test_2.txt”:
There’s a lot of information packed in there. For the purposes of this post, we need to take note of two things specifically. The first is the “Sequence Number”. This is found at offset 0x10 from the beginning of the file record and is two bytes long. “0x10” is hexadecimal and actually means “16” in decimal. Hexawut? We’ll get into that at a later time.
The “Sequence Number” shows as “01 00”. But, we would actually read this as “00 01” because it’s stored as Little Endian. In other words, the least significant byte is stored first. Just put that in the back of your mind for now.
Next, we look at the “Flags” within the file record. These indicate its allocationnnessss.
This flag is located at offset 0x16, or 22 bytes from the beginning of the file record. We see that it is “01 00”. This would be read as “00 01”. In binary this would read as 00000000 00000001. The first bit isn’t referred to as the “1st” bit, but as the “0th” bit. In computers, we always start at 0, not 1. So, the “0th” bit is turned “on”. To get real technical, it’s a positive charge on a platter (HDD) or open gate (SSD). So, this “0th” bit is the flag for allocated or unallocated. In this instance, the “0th” bit is turned on, displayed as “1”, indicating it is currently allocated, or in use. The “1st” bit, or second from the right, is turned off, indicating it is a file. Were it turned on, or displayed as a “1”, it would indicate this file entry represented a folder. Thus, we have an allocated file.
This allocated file contains resident data. This means the data in the file takes up less space than is allocated for the file entry, which is 1024 bytes for NTFS. In this instance, the data is then stored in the actual $MFT entry. This is important, as were the data non-resident and residing elsewhere on the disk, there would be more to discuss as it relates to the $Bitmap.
Now let’s rid ourselves of this uncouth file who refers to itself as “Test_2.txt” and see the changes.
First, let’s look at $MFT entry for the folder in which the file was stored, “Test_Files”:
We can see here that the entry in the index record no longer exists. It has been overwritten. Next let’s look at the file itself:
As you can see, it’s still there. In addition, I didn’t just delete the file, I completely wiped it, created another “Test_2.txt” and then deleted it. Let’s see the differences now:
We can see the Sequence Number has been updated to “03 00” or 0x0003 because of my additional step. Had I just deleted the file as it were, it would have shown 0x0002. Also, we see the flags are set to 0x0000. This indicates the file is now unallocated. Eventually, this unallocated space will be filled with another file entry. But for the time being, the data is still there for us to recover.
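The header fields walked through above, as an added Python example that is not from this post: it reads the FILE signature, the little-endian sequence number at 0x10 and the flags at 0x16 out of 1024-byte $MFT entries, then does the scan a recovery tool starts with, keeping file records whose “0th” flag bit is clear. The record contents are constructed here to mirror the post’s before and after states, not copied from the post’s drive.

```python
import struct

RECORD_SIZE = 1024                      # $MFT entry size the post cites
SIG_OFFSET, SEQ_OFFSET, FLAGS_OFFSET = 0x00, 0x10, 0x16
FLAG_IN_USE, FLAG_DIRECTORY = 0x0001, 0x0002   # "0th" and "1st" bits

def parse_record_header(record: bytes) -> dict:
    """Pull the three header fields the post discusses out of one $MFT entry."""
    if len(record) < FLAGS_OFFSET + 2:
        raise ValueError("record too short for an NTFS FILE record header")
    signature = record[SIG_OFFSET:SIG_OFFSET + 4]
    # '<H' = little-endian unsigned 16-bit: bytes 01 00 on disk read as 0x0001
    (sequence,) = struct.unpack_from("<H", record, SEQ_OFFSET)
    (flags,) = struct.unpack_from("<H", record, FLAGS_OFFSET)
    return {
        "is_file_record": signature == b"FILE",
        "sequence": sequence,
        "flags": flags,
        "allocated": bool(flags & FLAG_IN_USE),
        "is_directory": bool(flags & FLAG_DIRECTORY),
    }

def describe(record: bytes) -> str:
    """One-line examiner summary of a record header."""
    h = parse_record_header(record)
    if not h["is_file_record"]:
        return "not a FILE record"
    kind = "directory" if h["is_directory"] else "file"
    state = "allocated" if h["allocated"] else "unallocated (deleted)"
    return f"{state} {kind}, sequence 0x{h['sequence']:04x}, flags 0x{h['flags']:04x}"

def make_record(sequence: int, flags: int) -> bytes:
    """Constructed sample entry: FILE signature plus the two fields at the post's offsets, rest zero."""
    buf = bytearray(RECORD_SIZE)
    buf[0:4] = b"FILE"
    struct.pack_into("<H", buf, SEQ_OFFSET, sequence)
    struct.pack_into("<H", buf, FLAGS_OFFSET, flags)
    return bytes(buf)

def find_deleted_files(mft: bytes) -> list:
    """Walk an $MFT image in 1024-byte steps; return (entry number, sequence) of unallocated file records."""
    hits = []
    for n in range(len(mft) // RECORD_SIZE):
        h = parse_record_header(mft[n * RECORD_SIZE:(n + 1) * RECORD_SIZE])
        if h["is_file_record"] and not h["allocated"] and not h["is_directory"]:
            hits.append((n, h["sequence"]))
    return hits

# Constructed $MFT slice: Test_2.txt as first seen, the Test_Files folder,
# Test_2.txt after wipe/recreate/delete (sequence 3, flags 0), and a never-used entry.
SAMPLE_MFT = make_record(1, 0x0001) + make_record(1, 0x0003) + make_record(3, 0x0000) + bytes(RECORD_SIZE)

if __name__ == "__main__":
    for n in range(len(SAMPLE_MFT) // RECORD_SIZE):
        print(n, describe(SAMPLE_MFT[n * RECORD_SIZE:(n + 1) * RECORD_SIZE]))
    print(find_deleted_files(SAMPLE_MFT))   # [(2, 3)]
```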
So what didn’t I cover? Well, if the data was not resident in the $MFT entry, the $Bitmap would be updated. That can be a bit complicated. Thank goodness for tools.
I jumped ahead a bit in case you’re reading this and don’t even know what hexadecimal is. But, I wanted to get the whole “is it really deleted deleted” out of the way. I’ll dial it back next time and we can start with the basics.
Until next time!
I started law enforcement on September 11th, 2000. I started where everyone else did, patrol. In those 19 years, I spent time as a Tactical Flight Officer on our aviation unit, as a school resource officer, and as a property crimes detective.
Then, in 2016, I was presented with an opportunity to work as a digital forensics examiner. I didn’t know what that was at the time. My only idea of what our previous examiners did was find disturbing images of children being victimized on computers. I wasn’t alone. That’s what everyone thought. They also thought I was crazy for wanting to do that. But, we place ourselves in physical danger to provide justice for our victims, why shouldn’t we place ourselves in mental danger?
So, I interviewed for the position. I took a bunch of free online law enforcement classes related to cyber crimes in order to bolster my chances. It didn’t matter. I was selected, I was told, because it didn’t require any paperwork as I was already in the division, unlike the others who interviewed. Was it fair? Probably not. But such is the way of government.
Having learned of my success, I spoke with the previous examiner whom I was to replace with pen and paper in hand. I asked him what training he received so that I may as well take it. He replied, “Youtube and Google.” Something told me the position required a bit more knowledge than what Youtube and Google could provide. I was given a book titled “EnCase Certified Examiner Study Guide” and told to read it. I couldn’t keep my eyes open.
I then decided to reach out to other examiners. I spoke on the phone with the supervisors of digital forensic units amongst some of the larger agencies in the country. They were very receptive to my plight and exceedingly helpful.
I discovered the National White Collar Crime Center (NW3C) and signed up for their Basic Data Recovery and Analysis. It was an eye opener as to what digital forensics really entailed. Seven months later I took their Intermediate Data Recovery and Analysis.
That was as far as my Google Fu could take me concerning free training, until I discovered the Federal Law Enforcement Training Center (FLETC). I have no qualms about asking for discounted or free training. I was able to garner a free seat in the Digital Evidence Acquisition Specialist Training Program (DEASTP). It was a two week class. Lodging and food were provided. They even have a bar on the post. Yes, it is a “post”. Much like the military.
DEASTP was an incredible class. There were two instructors, both very knowledgeable about the subject matter. One was retired Army CID and the other retired New York State Police. After taking this class, I felt confident I could extract data from a rock.
After this class, I was at a dead end as far as free training was concerned. I was an EnCase user, as this is what I inherited. I explained to my sergeant at the time, if I was ever called to testify, I could not point to any training I’ve had in the use of EnCase. And that would not look good. He understood my plight, but said there was no money. Fast forward less than a year, my sergeant retired, and we got both a new lieutenant and captain. I was a direct report to my lieutenant, who asked me exactly what I did. I started to explain in detail, to which he told me to stop talking. I am often accused of “baffling with bull****”. Some time later, my partner (I’ll get to him later) and I were called into the captain’s office. This is normally never good.
It was the captain, our lieutenant, my partner, and I. The door was shut. Never a good sign. They asked us how much money we needed. I was momentarily stunned. I had explained the need for quality training, albeit expensive, to what I thought were deaf ears. But they were listening.
Let us segue to my partner. We both transferred at the same time to replace the two previous examiners. He previously did Internet Crimes Against Children (ICAC) investigations and, immediately preceding his transfer, he was the detective over our county’s sex offender registry. He already had his certifications relating to Cellebrite. On our first day together, I asked him if he knew how to examine a computer, to which he replied a big “NO”. I told him he needed to shut down his ICAC investigations for the time being until we could get spun up with training. Also, they didn’t provide a replacement to oversee our county’s sex offenders, and required him to wear two hats. So, we decided on our own that he would do cell phone examinations and I would do computer examinations, as at the time we understood computer examinations to be a more in-depth and time-consuming affair. I took up that mantle with a fervor.
Back to the captain’s office. “How much money?” All three looked to me as I was the most vocal about the subject. I told them we needed an EnCase Training Passport and to attend the Basic Computer Forensics Examiner class held by the International Association of Computer Investigative Specialists (IACIS). IACIS is an organization started by and primarily made of law enforcement digital forensic examiners around the world. It is truly an international association.
I had essentially asked for over $20,000. Our captain and lieutenant got the money. I was floored. They told us they knew nothing about our job other than it was both important and the future. We finally had the support we needed.
And thus began our journey.