Page tree
Skip to end of metadata
Go to start of metadata

Overview

This Professional Recovery Module not only recovers live and deleted data from a number of different sources, it deconstructs the link file and writes the recovered information out to a number of different formats:

  • CSV
  • Excel Specific CSV (for easy opening in Microsoft Excel)
  • XML
  • SQLite Database

Each recovered record allows the forensic investigator to identify the exact location the data was recovered from.

This module supports Unicode characters.

To access the recovery options for this Module, right click on the Recovery profile.  The following dialogue will be shown which allows you to select the Module Properties.

 

Figure 1

 

This screen shows the module properties for the Link File Extractor and Deconstructor.  From this screen, the user can select the output format to review the evidence.  The variety of export formats allow the data to easily be imported into a number of different applications for review and analysis.  The user can also decide whether he/she wishes the link files from the original source to be written out.  The output contains a full audit trail allowing the forensic examiner to identify exactly where the link evidence was found in the source data.

Link File Recovery

The process is in two stages:

  • During stage one, Blade Pro looks for link file headers across the entire image.
  • During stage two, Blade Pro attempts to extract the link file and validates the data is intact and conforms to the correct structure.

Each field is parsed and the data is output in the various formats selected.  If the user has selected to export the actual files as well, they are also written out.  Currently, there  are options to extract the data in CSV, Excel specific CSV and XML.

The output data can be loaded into e2 (Evidence Examiner) for analysis.  This software is available in Blade > v1.8.  Figure 2 shows the deconstructed link file data from Blade Professional loaded into e2.

 

Figure 2

 

The following video demonstrates Blade Professional recovering and deconstructing Windows Link Files: