Recovery of Deleted Files from NTFS File System Using Digital Forensics Tools

Asadullah Sharifi, Palaniappan Shamala, Cik Feresa Mohd Foozy, Azham Hussain

Retrieving deleted and lost files and documents from a computer hard disk for forensic investigation is one of the most important steps in digital forensics. There are many operating systems around the world with different file system formats. Therefore, the objective of this research is to identify the tools that best fit retrieving data from the Windows operating system file system (NTFS) after the data has been deleted using three different methods, each executed separately in this study. In order to retrieve the deleted files from the NTFS file system, a validated approach was applied to compare the results of five digital forensics tools: Autopsy, OSForensics, Magnet AXIOM, PhotoRec and Blade. Each of these tools is examined in a fixed scenario to show the differences and capabilities in retrieving data after three deletion methods: files deleted via the Recycle Bin, files deleted via quick format, and files overwritten by passing zeros over the disk using KillDisk software.

Volume 11 | 08-Special Issue

Pages: 1049-1058