🌐Introduction
In the ever-evolving world of cybersecurity, one truth stands strong: attackers will try to hide their tracks — often by deleting files, logs, or data traces.
But deletion doesn’t mean destruction.
That's where digital forensics steps in. And in my latest project, I dove headfirst into a hands-on recovery scenario that challenged me to retrieve deleted files from a compressed archive. The result? A deeper appreciation — and, frankly, an obsession — with the art of uncovering what isn't meant to be found.
This post walks you through the full process, tools used, the learning outcomes, and why this kind of project is so critical in modern cybersecurity.
🚀 Background: From Burnout to Obsession
Since March 2025, I took a break from being active to focus on two big things:
- 🧠 Studying for the CompTIA CySA+ certification
- 🛌 Recovering from a bout of sickness that forced me to slow down
That downtime turned into something powerful: I began immersing myself in digital forensics — and this project marks the beginning of my practical journey.
💼 The Challenge: Recovering a Deleted File
The project was inspired by a Root Me forensics challenge, where you're given a .gz file — and that's it.
The objective?
➡️ Recover a deleted file that was hidden inside.
Sounds simple?
Not when you realize:
- The original file was compressed
- Then renamed
- And the actual content inside had been deleted
- You don’t know the file type, structure, or extension
This challenge forced me to think like a forensic investigator: follow the breadcrumbs, verify every assumption, and carve through digital noise.
🧰 Tools Used
| Tool | Purpose |
|---|---|
| gunzip | Decompress the .gz archive |
| mv | Rename and prepare the archive for extraction |
| tar | Extract archived files |
| file | Identify file types |
| Foremost | File carving: recover deleted files based on known signatures |
🛠️ Step-by-Step Walkthrough
1️⃣ Decompress the .gz Archive
```bash
gunzip ch39.gz
```
This gave me a single file named ch39, with no extension. That hinted it might be a tarball — just renamed.
2️⃣ Rename and Extract the Archive
```bash
mv ch39 ch39.tar
tar -xvf ch39.tar
```
This revealed a single suspicious file. I ran file on it:
```bash
file usb.image
```
But even this didn’t give me clarity. That’s when I turned to Foremost.
3️⃣ File Carving with Foremost
Foremost is a digital forensics tool that searches raw data for file headers and footers to reconstruct files — even if they’re “deleted.”
```bash
foremost -i usb.image -o output/
```
This carved out an audit.txt file and a PNG. I then opened each recovered file, cross-checked the structure and content, and finally uncovered the flagged file — the one that had been deliberately deleted and hidden.
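To make the carving step concrete, here is an added example (my own illustration, not code from the post, the Root Me challenge, or the Foremost project) of what a signature-based carver does under the hood: it scans a raw image for known file headers, finds the matching footer (or applies a size cap for footer-less formats such as gzip), and writes each span to an output tree. The `identify()` helper mirrors the role `file` played above. The function names, the `SIGNATURES` table layout and the "usb image" are all constructed for the example; the magic bytes themselves are the standard PNG, JPEG and gzip signatures.

```python
"""Signature-based file carving, in the spirit of what Foremost does.

Added example, not code from the post or from the Foremost project: it scans a
raw byte buffer for known file headers, finds the matching footer (or applies a
size cap for footer-less types) and writes each carved span to an output
directory. The "disk image" is constructed inline so the script runs offline.
"""
import os
import re
import struct
import zlib
from dataclasses import dataclass

# Well-known magic bytes: (header, footer or None, maximum carve length).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 20 * 1024 * 1024),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    "gz": (b"\x1f\x8b\x08", None, 1024 * 1024),  # no footer: carve up to the cap
}


@dataclass
class Carved:
    kind: str
    offset: int
    data: bytes


def identify(data: bytes) -> str:
    """Rough equivalent of `file`: match the leading bytes against SIGNATURES."""
    for kind, (header, _footer, _cap) in SIGNATURES.items():
        if data.startswith(header):
            return kind
    return "unknown"


def carve(image: bytes, signatures=SIGNATURES) -> list:
    """Return every header/footer span found in `image`, ordered by offset.

    Nothing here consults a file system: a deleted file whose blocks are still
    present is found purely by its byte patterns, which is why carving works
    when the metadata is gone.
    """
    found = []
    for kind, (header, footer, cap) in signatures.items():
        for match in re.finditer(re.escape(header), image):
            start = match.start()
            if footer is None:
                end = min(start + cap, len(image))
            else:
                # Look for the footer within the cap; skip truncated fragments.
                foot = image.find(footer, start + len(header), start + cap)
                if foot == -1:
                    continue
                end = foot + len(footer)
            found.append(Carved(kind, start, image[start:end]))
    found.sort(key=lambda c: c.offset)
    return found


def carve_to_dir(image: bytes, outdir: str) -> list:
    """Write carved files as <kind>/<offset>.<kind> under outdir, like a carver's output tree."""
    paths = []
    for item in carve(image):
        os.makedirs(os.path.join(outdir, item.kind), exist_ok=True)
        path = os.path.join(outdir, item.kind, f"{item.offset:08d}.{item.kind}")
        with open(path, "wb") as fh:
            fh.write(item.data)
        paths.append(path)
    return paths


# --- constructed sample data (not from the challenge) ------------------------

def _png_chunk(tag: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(tag + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + tag + payload + struct.pack(">I", crc)


def build_png() -> bytes:
    """A valid 1x1 red PNG, so the carved result is a real, openable image."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB
    scanline = b"\x00" + bytes([255, 0, 0])             # filter byte + one pixel
    return (b"\x89PNG\r\n\x1a\n" + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", zlib.compress(scanline)) + _png_chunk(b"IEND", b""))


# Minimal JPEG-shaped stub: SOI + APP0 marker, padding, EOI.
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 40 + b"\xff\xd9"


def build_image() -> bytes:
    """Constructed 'usb image': unallocated filler with a PNG and a JPEG stub inside."""
    return b"\x00" * 300 + build_png() + bytes(range(256)) + JPEG_STUB + b"\x00" * 200


if __name__ == "__main__":
    image = build_image()
    print("leading bytes identify as:", identify(image))  # filler first, so 'unknown'
    for item in carve(image):
        print(f"{item.kind} at offset {item.offset}, {len(item.data)} bytes")
    print(carve_to_dir(image, "output"))
```

Two details worth noticing when you read real carver output: a header with no footer inside the size cap is skipped here as a truncated fragment (Foremost instead emits a file cut at its configured maximum), and nothing in the scan depends on file names or timestamps, which is exactly why renaming or "deleting" a file does not defeat it.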
💡 Lessons Learned
- File carving is essential when metadata is gone or tampered with.
- Command-line forensics is powerful and foundational for incident response.
- Even simple challenges can simulate real-world attacker behavior (e.g., renaming, compressing, deleting).
- Foremost is a must-know tool for any digital forensics beginner.
🔐 Why Digital Forensics Matters Now More Than Ever
With advanced attackers and insider threats rising, digital forensics plays a critical role in:
- 🔓 Incident response
- 📁 Legal & compliance investigations
- 🔍 Threat hunting
- 🔄 Root cause analysis
The ability to recover deleted or obfuscated files often makes the difference between knowing how a breach occurred — or staying in the dark.
💙 My Growing Obsession
This project reminded me that digital forensics is more than a skill — it's a mindset.
🕵🏽‍♀️ It’s about thinking like an investigator.
🧠 It’s about asking “what’s missing?”
🧩 It’s about piecing together broken data until the story becomes clear.
As someone pursuing a career in blue teaming and security operations, this project confirmed that forensics is where my passion lies — and where I’m investing even more time going forward.
📂 Full Project on GitHub
You can find the complete project (with detailed bash commands, recovery steps, and file carving output) here:
👉 Deleted File Recovery GitHub Repo
🗣️ Let’s Connect
If you’re:
- Exploring cybersecurity
- Studying for CySA+ or Security+
- Interested in digital forensics and incident response
…then let’s connect here on Dev.to, or on LinkedIn. I’d love to exchange insights and support each other’s growth.