Autopsy 4.19.3 : USB Deleted File Recovery

Autopsy is an open-source digital forensic platform. It is also used as a commercial forensic tool in several investigations. It is a hard drive investigation instrument. Autopsy was designed to be intuitive out of the box. Installation is easy and wizards guide you through every step. All results are found in a single tree. Thus, it is very easy to use. Another great advantage of Autopsy is that the single user case type is totally free to use.

Autopsy as a Vital Digital Forensic Tool

External memory devices play a vital role in any sort of investigation. Because devices like CDs, DVDs and pen drives are external, criminals often use them to share information among themselves: they are easy to destroy and leave very little evidence of their existence. Thus, when an external device related to the case is found, which nowadays is mostly a pen drive or USB drive, it may yield significant evidence for the case.

It is very evident that no criminal will keep, or even get rid of, a USB device with essential information still on it. Mostly, the data on the drive is deleted almost immediately after it is received, so that it does not cast a shadow of evidence. However, Autopsy allows us to retrieve those deleted files. But how can that be done? Let's see.

Process to Recover Deleted Files from a USB Drive

Step 1: First, we need an NTFS-formatted pen drive.

NTFS Format Pen Drive

Step 2: We check the files in our Drive.

Files Before Deletion

Step 3: Delete the files permanently from the device so that they cannot be retrieved from any of the usual sources, viz. the Recycle Bin.

Delete the files permanently
Pen Drive After File Deletion

As we can see, the pen drive is now completely empty and all its old files are permanently deleted.

Step 4: Now we open Autopsy and create a new case. Select New Case from the Welcome dialogue box.

Autopsy Welcome Screen

Step 5: The New Case Information dialogue box will open. Enter a name in the Case Name section and select the Base Directory where the case should be saved. Click on Next.

Case Page 1

Step 6: In the Optional Information sub-dialogue box, give the case a number and provide the Examiner Details. Autopsy always requires you to provide the Organization details, which can be managed in the Manage Organizations section. Then click on Finish.

case page

Step 7: The Add Data Source dialogue box opens. In the Select Host step, select Generate new host name based on data source name, which is the default option. Click on Next.

data source

Step 8: In the Select Data Source Type step, select Local Disk for external devices, viz. the pen drive in this case, and click on Next.

Data Source

Step 9: In the Select Data Source step we need to select the Local Disk we want as the Data Source. In this case we will select our Pen Drive from the Select Disk tab and click on OK.

data source

Keep the remaining settings as they are and click on Next.

data source

Step 10: In the Configure Ingest Step we have kept everything checked and moved on by clicking on Next.

Configure Ingest

Step 11: Click on Finish on the Final Add Data Source Step in the Add Data Source dialogue box.

Finish Page

Step 12: The Autopsy Main Window opens with all the available operations on the left panel.

autopsy screen

The Left Panel:

Left Panel

Step 13: Since we want to view the deleted files, we expand the Deleted Files section.

Deleted Files

We then extract the desired files and select the place where we want to restore them. For this case I have restored the files back into the Pen Drive.

Extract Files

Step 14: After extraction of two files, we can see that they are available in the Pen Drive again.

Recovered Files

This is how we recover deleted files from an external memory device like a Pen Drive.

We can obtain a CSV file of all the deleted files from the Pen Drive for Record Maintenance.

csv file
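
The CSV listing and the extracted files can be reconciled for the case record. The following is an added example, not code from this article or from the Autopsy project: it checks each entry of an exported deleted-files listing against the extraction folder and records a SHA-256 hash for every recovered copy. The column names `Name`, `Size` and `Location`, the function names and the sample data are assumptions made for the example.

```python
import csv, hashlib, io, tempfile
from pathlib import Path

# Constructed sample of an exported deleted-files listing. The column names
# ("Name", "Size", "Location") are assumptions, not taken from the article.
SAMPLE_CSV = '''"Name","Size","Location"
"report.docx","11","/img_usb/report.docx"
"photo.jpg","9","/img_usb/photo.jpg"
"notes.txt","5","/img_usb/notes.txt"
'''

def sha256_file(path):
    """Hash a file in chunks so large recovered files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(csv_text, export_dir):
    """Match each listed deleted file to an extracted copy and record its state."""
    manifest = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, listed_size = row["Name"], int(row["Size"])
        copy = Path(export_dir) / name
        if not copy.is_file():
            status, digest = "not_extracted", None
        else:
            digest = sha256_file(copy)
            # A size difference means the copy is truncated or partly overwritten.
            status = "ok" if copy.stat().st_size == listed_size else "size_mismatch"
        manifest.append({"name": name, "location": row["Location"],
                         "status": status, "sha256": digest})
    return manifest

def demo():
    """Run the check on constructed files: one intact, one truncated, one absent."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "report.docx").write_bytes(b"hello world")  # 11 bytes, matches
        (Path(d) / "photo.jpg").write_bytes(b"abc")            # 3 bytes, listed as 9
        return build_manifest(SAMPLE_CSV, d)

if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Point `export_dir` at a folder on a separate volume from the examined drive, because writing to the examined drive can overwrite space that still holds other deleted files.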

Ananya Das

Hi, Ananya here. A cyber enthusiast looking forward to gathering knowledge in the field and getting to know a lot of people with the same interest every day.
