File undeletion from command line?


Nov 19, 2008
#1
I frequently perform forensic investigations related to malware/viruses/improper usage and perform many of my investigations remotely on users' Windows machines using a variety of tools, mostly psexec.

Many times I would find it useful to recover a deleted file(s) from a user's machine b/c they either emptied their internet cache or deleted software.

Is there a command line tool (preferably free) that can be run remotely w/out having to install software, and that is small or does not involve copying many files over to the machine?

My experience with data recovery has been limited to performing this on HDDs with Encase and the like. Google hasn't helped me much in finding a tool for this.

Thanks,
PJ

Complete

Administrator
Aug 19, 2006
#2
F-Response isn't free, but is amazing for the price. Check out the Enterprise version.

Basically you can mount a remote drive read-only and use whatever tools you want against it. So, with F-Response you can use EnCase to recover deleted files on a remote machine.

I don't think it's exactly what you're looking for, but it is one solution.
Nov 19, 2008
#4
thanks

I had heard of F-Response recently and looked into it briefly, but it appears that 1. It costs money and 2. It requires a Windows service already be installed. The latter issue would most likely not be easy to justify in our environment.

Helix is just a collection of tools that can be run from a CD/USB. Unless there is a specific tool in that collection that I am not aware of, then I don't think it would work.

None of the forensic tools, GUI or otherwise, that I'm familiar with allow you to remotely mount a drive and perform data recovery. Though as I stated, I'd be perfectly happy with one that I can run locally via cmd line (sysinternals psexec) to dump information.

Even our EnCase installation is on a FREDDIE machine that is off net.

Thanks,
PJ
Dec 31, 2006
#5
Re: thanks

pjmcgarvey said:
> I had heard of F-Response recently and looked into it briefly, but it appears that 1. It costs money and 2. It requires a Windows service already be installed. The latter issue would most likely not be easy to justify in our environment.

Yes, F-Response costs money (a few hundred for the Field Kit to several thousand for the Enterprise version). There is no Windows service. You run a 40K executable on the target machine.

pjmcgarvey said:
> None of the forensic tools, GUI or otherwise, that I'm familiar with allow you to remotely mount a drive and perform data recovery.

F-Response allows you to remotely mount the drive, just as you would a local drive in EnCase (or insert tool of choice here). Once mounted you can recover, image, whatever the drive. With the recently released Beta you can image the RAM remotely as well.