Upon receiving a call from the distressed employee, the first step would be to calm them down before looking at the various options. Next, some information would be obtained from them to formulate the best recovery strategy. Recovering files depends on a number of factors, including the operating system type and version, the hard drive type, and the type of data that has been accidentally deleted. For instance, if the documents were created in an MS Office application such as MS Word, the best option would be to start MS Word and navigate to the backup version of the file, assuming the file had been accessed recently. If not, the employee should provide more information on the hardware and software they are using, specifically the operating system and its version and the hard drive type. Magnetic hard drives allow for relatively easy recovery of deleted files because, when a file is deleted, it is not fully erased from the drive: the file system pointers to the actual data disappear when the file is deleted, but the data themselves remain on the disk and can be recovered as long as they have not been overwritten (Kishore, 2014). The best strategy in such a case would be to stop any work on the drive, shut down the computer and remove the hard drive.
The hard drive can then be attached as a secondary (slave) drive in another computer, and data recovery software such as 'Easy Recovery Professional' used to recover the accidentally deleted files. Third-party tools such as TestDisk and Recuva can also be used. Alternatively, a third-party Linux-based file recovery thumb drive or CD can be used: the computer is rebooted from it and the files are recovered with its undelete function. On a Windows computer, one can also navigate to the folder that used to contain the deleted files, right-click it and select 'Restore previous versions'; this shows the folder's previous versions from earlier restore points, from which the data can be restored (Vermaat et al., 2014). If the information is not recovered, the employee would be advised to let technical support handle the issue, which would require using the services of a professional data recovery service to recover and restore the deleted files. If the drive is a solid state drive, recovery would be difficult, particularly with newer versions of Windows (from Windows 7 onwards), as they have the TRIM feature that fully erases a file once it is deleted. In such a case, professional data recovery services would be the remaining option (Phillips and Enfinger, 2009).
Task 2
For carrying out digital forensics, the procedure to follow is:
Verification: This entails verifying that an incident has occurred, as well as its breadth, scope and situation. The case should be assessed systematically to determine the incident's characteristics and define the best approach to employ.
Describe the system: This involves collecting data about the specific incident, including outlining the operating system and its configuration, the disk format and the device location.
Acquire evidence: Possible data sources are identified, and both volatile and non-volatile data are defined and acquired; their integrity should then be verified.
Timeline analysis: This is done in the forensics lab to establish when files were modified, accessed or changed, presented in a format humans can read (MAC time evidence). The data are extracted from the file metadata (Casey, 2011).
Media and artifact analysis: This involves establishing which programs were used, which files were downloaded and uploaded and their types, which directories were opened, and which files were clicked. This step requires separating known-good files from bad ones using hash comparisons with a tool such as hfind.
Byte/string search: This involves searching low-level raw images by looking at byte signatures and using regular expressions for string searches.
Recovering data: This involves recovering data from file systems using tools such as The Sleuth Kit.
Result reporting: This entails reporting the results of the forensics exercise (More, 2017).
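The timeline analysis step above turns the raw M (modified), A (accessed) and C (metadata changed) timestamps of each file into one sorted, human-readable sequence of events. The following added example (not part of the original text, and not a tool from The Sleuth Kit) reproduces what mactime does with such records: it uses constructed sample metadata, collapses coinciding M/A/C times of a file into one row, and marks each row with an "mac" flag string.

```python
from datetime import datetime, timezone

# Constructed sample metadata records (the kind of data fls/istat from
# The Sleuth Kit report); epoch seconds, not real case data.
SAMPLE_RECORDS = [
    {"path": "/Users/jdoe/report.docx", "mtime": 1490000000, "atime": 1490003600, "ctime": 1490000000},
    {"path": "/Users/jdoe/notes.txt",   "mtime": 1489990000, "atime": 1490003600, "ctime": 1490003700},
    {"path": "/tmp/dump.bin",           "mtime": 1490003650, "atime": 1490003650, "ctime": 1490003650},
]


def build_timeline(records):
    """Return mactime-style rows: (UTC timestamp string, 'mac' flags, path).

    One row per (time, path). A file whose M, A and C times coincide is
    collapsed into a single row carrying all three flags, as mactime does;
    an unchanged attribute is shown as '.', e.g. 'm.c' or '.a.'.
    """
    events = {}
    for rec in records:
        for key, flag in (("mtime", "m"), ("atime", "a"), ("ctime", "c")):
            events.setdefault((rec[key], rec["path"]), set()).add(flag)

    rows = []
    for (ts, path), flags in sorted(events.items()):
        stamp = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
        mac = "".join(f if f in flags else "." for f in "mac")
        rows.append((stamp, mac, path))
    return rows


if __name__ == "__main__":
    for stamp, mac, path in build_timeline(SAMPLE_RECORDS):
        print(f"{stamp}  {mac}  {path}")
```

Reading the output top to bottom shows the order in which the analyst would investigate: the file created with all three times equal appears as a single "mac" row, while a later metadata change on an older file appears as a separate "..c" row.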
The integrity of the files is checked and verified using SHA-1 (Secure Hash Algorithm 1); the SHA-1 hashing principle is used to validate and check the integrity of files and data by employing the checksum principle. The hash value is a numeric value of fixed length (20 bytes for SHA-1) used for identifying data. For instance, using Unicode encoding to convert the string into a byte array, a SHA-1 hash can be generated in C# as shown below:
using System;
using System.Security.Cryptography;
using System.Text;

class Class1
{
    static void Main(string[] args)
    {
        // The text whose integrity is to be checked
        string MessageString = "This file is the original one";

        // Encode the string as Unicode (UTF-16) bytes
        UnicodeEncoding UE = new UnicodeEncoding();
        byte[] MessageBytes = UE.GetBytes(MessageString);

        // Compute the 20-byte SHA-1 digest of the encoded bytes
        SHA1Managed Shhash = new SHA1Managed();
        byte[] HashValue = Shhash.ComputeHash(MessageBytes);

        // Print each byte of the hash value
        foreach (byte b in HashValue)
        {
            Console.Write("{0} ", b);
        }
    }
}
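Two steps of the procedure rely on these hashes: verifying that acquired evidence is unchanged (the integrity check above) and the hfind-style separation of known-good files from the rest in media and artifact analysis. The added example below (not the page's code or hfind itself) shows both over constructed in-memory "files": a manifest of SHA-1 values recorded at acquisition is re-checked against a working copy in which one file was altered and one was added, and the same hashes are matched against a constructed known-good set.

```python
import hashlib

# Constructed sample evidence: file name -> content bytes (not real case data).
EVIDENCE = {
    "report.docx": b"This file is the original one",
    "notes.txt": b"meeting at 10",
    "tool.exe": b"MZ\x90\x00fake-binary",
}


def sha1_hex(data):
    """SHA-1 digest as 40 lowercase hex characters, the form written in an acquisition log."""
    return hashlib.sha1(data).hexdigest()


def verify_manifest(files, manifest):
    """Re-hash each file and compare it with the hash recorded at acquisition.

    Returns {name: 'ok' | 'MISMATCH' | 'not in manifest'}. A single changed
    byte produces a different digest, so any MISMATCH means the copy can no
    longer be shown to be identical to what was acquired.
    """
    results = {}
    for name, data in files.items():
        expected = manifest.get(name)
        if expected is None:
            results[name] = "not in manifest"
        elif sha1_hex(data) == expected.lower():
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def triage_known(files, known_good):
    """hfind-style split: files whose hash is in the known-good set are set
    aside; everything else needs analyst attention. Returns (known, unknown)."""
    known, unknown = [], []
    for name, data in sorted(files.items()):
        (known if sha1_hex(data) in known_good else unknown).append(name)
    return known, unknown


def demo():
    """Manifest at acquisition, later re-verification, and known-good triage."""
    manifest = {name: sha1_hex(data) for name, data in EVIDENCE.items()}
    working = dict(EVIDENCE)                    # copy handed to the analyst
    working["notes.txt"] = b"meeting at 11"     # one byte altered after acquisition
    working["extra.log"] = b"unexpected file"   # file the manifest never recorded
    known_good = {sha1_hex(EVIDENCE["tool.exe"])}  # constructed: e.g. a vendor-shipped binary
    return verify_manifest(working, manifest), triage_known(working, known_good)
```

Note that the C# snippet hashes the UTF-16 encoding of a string, whereas evidence should be hashed as the raw bytes exactly as acquired; the same text hashed under two encodings gives two different digests, so the encoding used must be recorded alongside the hash.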
References
Casey, E. (2011). Digital evidence and computer crime. 1st ed. Waltham: Academic Press.
Ho, A. and Li, S. (2015). Handbook of digital forensics of multimedia data and devices, enhanced e-book. 1st ed. [Place of publication not identified]: Wiley-IEEE Press.
More, R. (2017). How to Recover Accidentally Deleted Files. [online] Online Tech Tips. Available at: https://www.online-tech-tips.com/software-reviews/how-to-recover-accidentally-deleted-files/ [Accessed 30 Mar. 2017].
Phillips, N. and Enfinger, S. (2009). Guide to computer forensics and investigations. 1st ed. Clifton Park, N.Y.: Delmar.
Vermaat, M., Sebok, S., Freund, S., Campbell, J. and Frydenberg, M. (n.d.). Enhanced Discovering Computers 2017. 1st ed. Boston: Cengage Learning.