Lab - Recovering Data From Disk Image Files

Lab Scenario

A criminal realizes they have been busted so they delete all the files on their system to get rid of any evidence. It is up to you to recover the evidence!

Lab Objectives

Recover the deleted evidence from the criminals system.

Lab Environment

Windows Server 2012

Lab Duration

Time: 15 Minutes

Lab Information

Starting Screen - Opening The File

When WinHex opens go to File > Open and find your file and open it. click 'OK' on the window that pops up.



Starting Recovery

When WinHex is done displaying your file go to Tools > Disk Tools then select 'File Recovery By Type'. Click 'OK' if a pop-up appears.

 

 

Selecting Type of File

In this lab we will be recovering pictures, so select 'Pictures' and click 'OK'.




Save Destination

A pop-up will appear titled 'Select Target Folder' here is where you select where to save the recovered results. I recommend creating a folder. Start the process by selecting 'OK'.




Recovery Results

Once the process is done, a pop-up will appear, click 'OK'. Then go to the destination you selected to save the files and all the recovered files will be there.

Return%20to%20Cyberninja