How to recover a deleted file from a disk image


In this example, I am using the SysInternals.E01 file from CyberDefenders' challenge. To recover a deleted file using SleuthKit, we need to find its inode; if the MFT entry for that inode still has a $DATA attribute, we can dump the content using icat.


ifind: finds the meta-data structure that has a given data unit allocated to it, or that has a given file name. In some cases the structure may be unallocated, and ifind will still find it.

istat: displays the uid, gid, mode, size, link count, modified, accessed and changed times, and all the disk units a structure has allocated.

fls: lists the file and directory names in the image, and can display the names of recently deleted files for the directory with the given inode.

icat: opens the named image(s) and copies the file with the specified inode number to standard output.

Find the path of the file using fls

We were told the user downloaded a malicious executable, but on the mounted filesystem there was nothing in the Downloads directory. If you don't know the full path of the file you are looking for, this is where you should start.

sudo fls -r -d /mnt/ewf/ewf1 > deleted.txt

With the -r and -d options, fls recurses through the directory tree and lists only deleted files and folders. Next, we use grep on the saved output to find the paths we are interested in; in my case it was 'Users/Public/Downloads/SysInternals.exe'.

Find the file's inode using ifind

sudo ifind -n Users/Public/Downloads/SysInternals.exe /mnt/ewf/ewf1

That gives us the inode, and we can now check with istat whether its $DATA attribute is non-resident.

Check the file's metadata with istat

sudo istat /mnt/ewf/ewf1 124567-128-4

If you are lucky, there should be a '$DATA Name: N/A Non-Resident' attribute at the end of the output.

Recover the file using icat

sudo icat /mnt/ewf/ewf1 124567-128-4 > sysinternal.exe

The recovered files are not always intact, but depending on the situation this is good enough.
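The four steps above, wrapped into one POSIX shell script as an added example (not code from the original post). It assumes the Sleuth Kit tools are on PATH, that the image is already exposed as a raw file (the post's /mnt/ewf/ewf1 from ewfmount), and that fls is run with -p so full paths appear in its output; the inode values and tool output in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: automates fls -> ifind -> istat -> icat for one deleted file.
# Assumes Sleuth Kit on PATH and a raw image path such as /mnt/ewf/ewf1.

# List deleted entries whose full path matches a pattern. -r recurses, -d shows
# only deleted entries, -p prints full paths so grep can match on the directory.
list_deleted() {                      # usage: list_deleted IMAGE PATTERN
    fls -r -d -p "$1" | grep -e "$2"
}

# Extract the inode from one fls line, e.g. (constructed sample)
#   r/r * 124567-128-4:   Users/Public/Downloads/SysInternals.exe
# The "*" marks a deleted entry. A "(realloc)" suffix means the MFT entry was
# reused after the name was deleted, so istat/icat would show the new occupant.
inode_from_fls_line() {
    printf '%s\n' "$1" |
        sed -n 's/^[^ ]* \(\* \)\{0,1\}\([0-9-]*\)\((realloc)\)\{0,1\}:.*/\2/p'
}

# Succeed only if istat output still lists a non-resident $DATA attribute, i.e.
# the MFT entry still references the clusters that icat will copy out.
has_nonresident_data() {              # usage: has_nonresident_data "ISTAT_OUTPUT"
    printf '%s\n' "$1" | grep -q '^Type: \$DATA .*Non-Resident'
}

# Full workflow for one known path: ifind -> istat check -> icat.
recover_deleted() {                   # usage: recover_deleted IMAGE PATH OUTFILE
    img=$1 path=$2 out=$3
    inode=$(ifind -n "$path" "$img") || return 1
    case $inode in
        ''|*[!0-9-]*) echo "no inode found for $path" >&2; return 1 ;;
    esac
    meta=$(istat "$img" "$inode") || return 1
    if ! has_nonresident_data "$meta"; then
        echo "inode $inode has no non-resident \$DATA; content may be gone" >&2
        return 2
    fi
    icat "$img" "$inode" > "$out"
}

if [ "$#" -eq 3 ]; then
    recover_deleted "$@"
fi
```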

Updated on 18th May 2023