Recovering deleted files from Windows and Linux... and a little forensics

I got one of those "tech support" phone calls from a family member this weekend, asking if I could help him undelete some files that were deleted by some ghost that snuck into his office ;) You gotta love it when people say they have no idea how an entire folder got deleted and they swear they've been hacked.

So I scoured the web to see what exists. For *nix-based utilities, I think The Sleuth Kit with the Autopsy forensic browser is the best out there (and it's open source).

But of course this user was on a Windows box. I finally found a really nice free tool for recovering files from NTFS. NTFSUndelete does exactly what the title says. Saved the day for me and the person who "got hacked" ;)

One other really cool forensics tool I ran across was Helix from a company called e-fense. This is really powerful stuff, and the guys from hak5 actually did a segment on how to use the tool in one of their episodes.