File recovery for dummies

In 2015, the company I worked for at the time implemented Office 365 as the main administrative and collaborate tool suite. This covers not only the Office suite; it also includes the use of Yammer and SharePoint sites for internal communication, Skype for business for chat and OneDrive for cloud storage. The various divisions and projects adapted SharePoint sites well, using libraries for shared access and work on files. Unfortunately, the economy took a beating around this time and many companies had lay-offs, including mine. The company had to let quite a number of people go and this led to some technical complications.

After the news of the first layoff, some instances were reported of files disappearing from SharePoint. Soon reports and official complaints came in from various departments. The first initial fear was of disgruntled, fired employees deleting files as a revenge before they had to leave. The second fear was of unauthorised access to the company’s SharePoint sites.

In the end, it turned out that the reasoning was human error: employees cleared out their computers before handing them in to IT services. The users had synchronized shared SharePoint libraries to their computers and did not consider that if they deleted the local copy, this would also be synced. In other words, the files would be deleted online too. Information of how to stop synchronizing folders were distributed, but damage repairs would have to be conducted.

Personal tools for file recovery:

I am a big fan of, which review and recommend various software. They list a number of free or free to try out software. You should consider investing some money in a tool if you find it useful and it helps you recover files, many of these tools are not particularly expensive – especially considering you get your files back! Take a look at

Business tools for recovery of the lost files:

My company managed to recover files from backups and SharePoint waste bins, however here are some suggestions if you don’t use cloud solutions or even they don’ work.

1) EnCase – file restoration

Why I recommend the tool:
EnCase has become the industry gold standard when it comes to forensic computing. In addition to creating copies of the data, EnCase can also run integrity checks on the data using CRC, MD5 and SHA-1. (Bunting, 2012)

EnCase does not access the files through the Windows operating system which was running on the employee’s PC. Instead, it reads all data on the hard drive and creates an index of the files in an evidence file. (Casey, 2011, pp. 112-114, 251)

The EnCase evidence file is otherwise known as the image file. The terminology comes from the UNIX dd command. In UNIX everything is a file, discs too, hence it can be copied. Image files are typically given the extension .img. The purpose of this file is to preserve an exact copy of the drive so that we can work on the copy and leave the original untouched, should we need more copies or evidence. (Bunting, 2012, pp. 200)

When a file is deleted, the most common action taken by the operating system is to simply delete the pointer to the file storage, in the address table. Actual overwriting of the data location is much slower. This is why it is often possible to find the original files a while after deletion, at their “hidden” location without a pointer. In Windows, for example, the default action of clearing out the recycle bin is to delete a file called INFO2, containing information about all the deleted files, folders and their metadata. (Ivatcu, 2011, pp.614-617)

Image source: Bunting, 2012, pp. 276

How I would use this tool:

I would use EnCase to take a copy of the original hard drive and work on the copy. This is common practice to avoid the risk of altering the original files. (Casey, 2011, pp. 26) EnCase would also be able to restore the files we need, making us able to upload them to the SharePoint library once more.


2) Splunk – data log analysis

Why I recommend the tool:

Splunk is a “Google-style” search and interface platform for analysing data logs from all parts of a computer and network system. Previously called a tool, Splunk now has many other sections of interest for an enterprise such as user activity analytics, making them call themselves a “platform”. Presuming the systems are set up for most components to log their every event, Splunk will make order of the chaos that is detailed log files. Log files from various applications, app servers, web servers, network wire data, databases, virtual machines, telecom equipment, the operating systems and much more will be analysed and handle the big data into something easily maintainable.  Based on these big data, Splunk will be able to alert IT security about possible breaches or incidents if the log files detect abnormal activity.  (Nott, 2016, pp.11-11, Kerner, 2016, pp.14-14)

The “Handbook of Digital Forensics and Investigation” recommends digital forensic practitioners to be able to combine large amounts of log data and search through it through tools like Splunk. (Casey, 2010, pp. 437-516)

How I would use this tool:

Thanks to logs such as the Windows internal user activity log files, firewall log files as well as the OneDrive Sync application log files and SharePoint log files, it will be possible to find out when a file was deleted and by whom. (Casey, 2011, pp. 209-300) By looking at the file size, it will also be possible to see if any changes were made before deletion.

According to Splunk’s help files on their website, a good search would be to search for the “EventCode” corresponding to the action I would like to document for the file. (Splunk Enterprise, 2018) The event code for deletion in Windows is 564, with event 560 often occurring close to this event. (Smith, 2018)

Splunk will be able to help search through the logs for the file and its metadata, rather than a person manually looking through all this data to find a particular item. Should Splunk not be installed at the time, it is backwards compatible as long as the log files were gathered by the various systems and can be fed into the new Splunk installation.

If the user who deleted the files is found, and the incident was quite recent, it might be worth checking the Windows recycle bin on the local machine before starting any recovery programs. This would save time and effort, because if Splunk was already running on the systems, a search for such information should be easily obtainable.



Bunting, S. V. (2012) Encase computer forensics. [electronic book] : the official ENCE : Encase certified examiner study guide. Indianapolis, IN : Wiley Pub., Inc., 2012; 3rd ed. [EBSCO].

Casey, E. (2011) Digital evidence and computer crime: Forensic science, computers, and the internet. Academic press. [google].

Casey, E. (2010) Handbook of digital forensics and investigation. [electronic book]. London : Academic, 2010. [EBSCO].

Ivatcu, M. (2011) ‘Data Erasure on Magnetic Storage’, Proceedings of the Scientific Conference AFASES, pp.614-7.

Kerner, S. M. (2016) ‘Splunk Updates Enterprise Security, User Behavior Analytics Platforms’, eWeek, pp.14-.

Nott, G. (2016) ‘Splunk’s ambition to weave machine data fabric through your entire business’, CIO (13284045), pp.11-.

Smith, R. F. (2018) Windows Security Log Events: 564 Object Deleted [Online] Available from: (Accessed: 02.10.2018).

Splunk Enterprise. (2018) Getting Data In – Monitor file system changes on Windows [Online] Available from: (Accessed: 06.10.2018).

Image: Pixabay user www_slon_pics, CC0