Digital Forensics with DiskDigger and PhotoRec

BLOGSHACKS

Winston.I

9/3/20246 min read

Picture this: A crucial file is deleted—whether accidentally or intentionally—and it seems like it’s lost forever. However, seasoned forensic experts know that deletion isn’t the end. The data might still be recoverable. This is where the magic of digital forensics comes in. With the right tools and techniques, even files thought to be long gone can be revived, bringing vital information back to life.

In this blog, I’ll walk you through the intricate process of recovering deleted data using two essential forensic tools: DiskDigger for live Windows systems and PhotoRec for recovering files from corrupted Linux drives. By the end, you'll see how experts use these tools to not only restore files but also piece together critical evidence in digital investigations.

The Hidden Truth About Deleted Files

When you delete a file, whether on purpose or by mistake, it doesn’t vanish into thin air. Instead, the file system simply marks the space it occupies as "available" for new data. The original file remains there, lurking in the shadows, until it’s overwritten by something else. This is what gives digital forensics its power—there’s always a window of opportunity to recover the file before it’s permanently overwritten.

Today, deleted files can often hold the key to a forensic investigation. Whether it’s recovering a deleted patent file from a company laptop or pulling critical documents from a corrupted server, the art of file recovery is vital. But what happens when the system is live and constantly in use, or worse, the file system is corrupted beyond recognition?

Enter DiskDigger and PhotoRec—two tools with the power to extract valuable data from the most challenging situations.

Step 1: Recovering Deleted Files on a Live Windows System with DiskDigger

Imagine this scenario: A patent file is crucial to a case, but it’s been deleted, and the Recycle Bin has been emptied. Panic might set in, but for forensic experts armed with DiskDigger, this is just another challenge to overcome.

The Power of DiskDigger in Live Recovery

DiskDigger is a highly efficient tool designed to recover deleted files from live systems. Whether you're racing against time to recover a document before it's overwritten or retrieving data directly from a running Windows machine, DiskDigger makes the process seamless.

  1. The Deletion Dilemma: In our case, a patent file that was previously recovered during an investigation is now deliberately deleted from the system. To simulate a real-world scenario, we empty the Recycle Bin as well, making it look as though the file is gone forever. The game of cat and mouse begins here.

Launching DiskDigger: Now, it’s time to deploy our tool of choice. Upon launching DiskDigger on the investigator’s Windows workstation, the user is prompted to choose the drive where the file was stored. The tool offers two scanning modes: Dig Deep and Dig Deeper. For our purpose, Dig Deep works wonders, as it quickly scans the drive for recently deleted files.

The Scanning Process: As DiskDigger scours through the digital remnants, it locates the recently deleted patent file. Not only does the tool identify the file, but it also retrieves essential metadata, including the file’s original location, creation date, and size. It’s as if the file never left.

Recovery Complete: Once DiskDigger successfully recovers the file, it’s saved back to the system, ready for review. What’s remarkable about DiskDigger is its simplicity—within minutes, the deleted file is back, revealing that even after deletion, evidence can still be traced and recovered.

Step 2: Rescuing Deleted Files from a Corrupted Linux File System with PhotoRec

But what happens when you’re not dealing with a live Windows system but a corrupted Linux file system? Recovering data from a corrupted drive is a much more complex task. It requires forensic expertise and specialized tools that can carve out files from the raw data, bypassing damaged file structures. This is where PhotoRec comes into play.

PhotoRec: The Art of Data Carving

Data carving is the process of recovering files based on their content, not the file system’s structure. When a file system is damaged or corrupted, data carving tools like PhotoRec scan the disk for file signatures—unique patterns that identify specific file types, like documents, images, or compressed archives. This allows forensic experts to recover data even when the file system is beyond repair.

Simulating File System Corruption: First, we mount a Linux partition containing important files. Among them is a RAR archive filled with critical company information—backups, 2FA recovery keys, and server snapshots. However, to simulate a real-world forensic scenario, these files are deleted, and the partition itself is corrupted with random data. The system is now inaccessible, and traditional recovery methods won’t work.

PhotoRec to the Rescue: When all seems lost, PhotoRec steps in. Launched on the corrupted partition, the tool ignores the broken file system and instead scans the raw data directly. Using its powerful signature-based search, PhotoRec locates file patterns for specific types—like RAR and ZIP files—in the disk’s unallocated space.

Carving Out the Data: After a thorough scan, PhotoRec uncovers multiple files, including several compressed archives that match the original data. While the file names are lost (a common side effect of file system corruption), the content is fully intact, ready to be analyzed.

Verifying Recovered Data: To confirm that the recovery is successful, the RAR archive is extracted. All critical information is present—recovery keys, backup data, and server snapshots—demonstrating how even in the face of severe file system corruption, data carving can still rescue essential files.

With PhotoRec, even the most corrupted systems still have a fighting chance. Its ability to recover data from raw disk space makes it indispensable in forensic investigations where the file system itself has failed.

The Significance of Live System Recovery and Data Carving

Both DiskDigger and PhotoRec offer a glimpse into the power of modern digital forensics. These tools allow forensic investigators to recover data in situations where most would assume it’s gone forever—whether from live systems that are actively being used or corrupted disks that no longer function properly.

Why DiskDigger and PhotoRec Are Essential:

  • DiskDigger’s Real-Time Recovery: The ability to recover deleted files from live Windows systems is critical, especially in fast-moving investigations where data may be overwritten at any moment.

  • PhotoRec’s Data Carving: By focusing on file signatures rather than the file system, PhotoRec can pull valuable data from corrupted drives, ensuring that no piece of evidence is left behind.

In digital forensics, time is often of the essence. The faster an investigator can recover crucial data, the better the chances of solving the case.

Conclusion: Mastering the Art of Data Recovery in Digital Forensics

Recovering deleted files is more than just a technical challenge—it’s a race against time. Whether it’s a live Windows system or a corrupted Linux partition, tools like DiskDigger and PhotoRec provide forensic experts with the tools they need to recover lost or hidden data. From quick recoveries of recently deleted files to complex data carving from raw disk space, these tools offer a powerful arsenal in the world of digital investigations.

The ability to recover deleted files is crucial in modern forensics. With these techniques, investigators can bring critical evidence to light, even in the most challenging circumstances.