
Windows Forensics Cookbook by Scar de Courcier, Oleg Skulkin


How to do it...

Before we start, it's important to note that PhotoRec supports disk images: not only RAW, but also E01. As we are carving data for forensic purposes, let's use an E01 image that we acquired in one of the previous recipes.

  1. Start the Windows Command Prompt from an account in the Administrator group, and change the directory to testdisk-7.0. Use the following command:
         photorec_win.exe X:52.E01
  2. Make sure you typed the path to the image you acquired, as it can have a different name and location.
  3. The first dialog box that you see is 'Select a media'. In our case we are dealing with an E01 image, so we have only one option, and all we need to do is press Enter to proceed.

     Figure 4.16. PhotoRec Select a media dialog
  4. Now we ...
