Forensic Analysis of Deleted Files (Windows/Linux) - Technical & Engineering Guide
1. Introduction
1.1 Purpose
This guide provides a comprehensive approach to perform forensic analysis on deleted files in Windows and Linux operating systems. The tool enables retrieval and examination of deleted files to assist in investigations.
1.2 Scope
The project is intended for forensic experts and investigators to recover and analyze deleted files for evidence collection and security audits.
1.3 Definitions & Acronyms
Acronym |
Definition |
NTFS |
New Technology File System, used in Windows |
EXT |
Extended File System, used in Linux |
MFT |
Master File Table, used by NTFS for file management |
Inode |
Index node, used in EXT file systems for metadata |
2. System Architecture
The architecture of the Forensic Analysis Tool includes:
- **Input Module**: Accepts disk images or live system scans.
- **File Recovery Engine**: Recovers deleted files using file system metadata.
- **Analysis Module**: Analyzes recovered files for relevant evidence.
- **Reporting Module**: Generates detailed forensic reports.
3. Key Features
3.1 File Recovery
Recovers deleted files from NTFS and EXT file systems by analyzing file system metadata.
3.2 Metadata Analysis
Retrieves metadata such as timestamps and access history for forensic analysis.
3.3 File Integrity Check
Ensures the integrity of recovered files using hash-based validation.
4. Implementation Steps
1. **Setup Environment**: Install required libraries and
forensic tools such as TSK (The Sleuth Kit).
2. **File System Analysis**: Implement modules to read NTFS and EXT file system
structures.
3. **File Recovery**: Develop algorithms to recover deleted files from MFT and
inode metadata.
4. **Metadata Parsing**: Extract and analyze metadata for forensic
significance.
5. **File Validation**: Integrate hash-based verification for recovered files.
6. **Reporting**: Create detailed and structured forensic reports.
7. **Testing**: Validate functionality with various file systems and deletion
scenarios.
5. Security Considerations
1. Prevent unauthorized access to recovered files and
metadata.
2. Ensure that no modifications are made to the original disk or file image.
3. Maintain a log of all recovery and analysis actions for audit purposes.
6. Tools and Technologies
- **Programming Language**: Python
- **Libraries**: PyTSK3 (for Sleuth Kit integration), hashlib
- **Operating Systems**: Windows and Linux
- **Forensic Tools**: The Sleuth Kit, Autopsy
- **File Systems Supported**: NTFS, EXT3/4
7. Testing and Validation
1. Validate the recovery process for various file types
(documents, images, videos).
2. Test accuracy of metadata retrieval on both NTFS and EXT file systems.
3. Ensure the tool performs reliably under different disk usage scenarios.