- Windows Forensics Cookbook
- Oleg Skulkin Scar de Courcier
- 225字
- 2021-07-02 20:57:48
How to do it...
Before you start, it's a good idea to find the right data source. ReFS is an active development, and is used usually on Windows servers only. Thankfully, Willi Ballenthin has created a bunch of ReFS images for testing purposes, which are now publically available. Let's use one of them.
- Start ReclaiMe File Recovery. It takes some time for the tool to scan all available drives. After this, you will be taken to the main window, like the one in the following figure:
Figure 4.13. ReclaiMe File Recovery main window
ReclaiMe File Recovery doesn't support E01 images, but this is not a problem because we have an image in RAW format.
Let's go to Disks - Open disk image... Choose the disk image and click Open. Now there should also be an image in the main window, like the one in the following figure:
Figure 4.14. ReclaiMe File Recovery main window (Disk image is added)
- Double-click the image to start the recovery process. Of course, it will take some time, depending on the size of the image. In our case, the image is small enough, so it doesn't take a lot of time. The recovery is shown in the following figure:
Figure 4.15. ReclaiMe File Recovery image processing results
- Now you can save recovered files or even folders using the blue Save button.
推薦閱讀