Computer Forensic Using Photorec for Secure Data Recovery Between Storage Media: a Proof of Concept

Data plays an important role, so data recovery and data security must be prioritized. Computer users often lose their data through personal error or through attacks. Digital forensics has a sub-field called computer forensics, which has an important role in the process of secure data recovery. The USB Flashdisk, as the most widely used storage medium, carries a probability of data loss. It is therefore necessary to perform computer forensic actions on it, especially secure data recovery, so that data can be restored securely to other media while being protected with root privilege. In this research, computer forensic testing was performed with Photorec on 2781 files of various data formats that had been erased from a 32 GB USB flash drive. The recovery results were collected on an Intel computer with 2 GB RAM and a 1.8 GHz processor, running the Linux operating system Xubuntu 20.04. Testing was carried out following the designed test scenarios, and the results were observed, recorded, and analyzed. Photorec places the recovered data in 6 recup_dir subdirectories. The test results and their analysis show that Photorec is a reliable tool for computer forensics, especially secure data recovery, because it can restore 100% of the data and applies root privilege to all recovered data, so that it cannot be changed or deleted by an end-user without granted access.


I. INTRODUCTION
Nowadays, data plays an important role in all aspects of human life: technology, Industry 4.0, Internet of Things, and internet services [1]. Because data is so important, there are two main priorities, namely: 1.) data security, and 2.) the data recovery process. For data security, one of the main focuses is security in the data center, which requires implementing a data center room according to the TIA-942 standard [2]. The second priority, the data recovery process, is closely related to digital forensics, along with the data security challenges that arise during data recovery. For this reason, it is necessary to pay attention to secure data recovery carried out between data storage media.
Secure data recovery is related to forensics and digital forensics. Forensics is defined as a scientific effort to collect, analyze, and present physical evidence in court, while digital forensics applies the same effort to cases involving digital technology and is divided into computer forensics, mobile forensics, and network forensics [4]. Digital forensics, through its sub-field called computer forensics, provides secure data recovery facilities that help restore lost data as well as secure it [5].
ISSN: 2722-4015 http://ijstm.inarah.co.id
In the field of law, data recovery in digital forensics and computer forensics helps investigators find evidence that supports the course of a case investigation. Examples include the digital forensic examination of WhatsApp conversation files in online fraud cases [6] and cybercrime cases with evidence from digital conversations on Line [7]. In the business world, data recovery plays a role in protecting a company's digital assets. Because it is so important, data recovery is included in the Disaster Recovery Plan (DRP) [8] [9] and Disaster Recovery Plan (DRP), both of which are based on the NIST SP 800-34 Framework [10].
Currently, there are a number of choices of data storage media with various storage capacities. The following Table 1 shows the data storage media, storage capacities, and descriptions for each storage media:
Based on the data storage media options in Table 1 above, USB flash drives are the storage media most widely used by computer users. The data that computer users keep on USB Flashdisk media is often lost or damaged. Given that data is important for personal computer users and organizations in Industry 4.0, it is necessary to strive for a secure data recovery process.
There are eight previous studies that are related and form the state of the art. Research from Yudhana describes a mobile forensics method based on guidelines from the National Institute of Standards and Technology (NIST), which produces data type headers in the form of deleted account names, deleted file types, and deleted timestamps [10]. Wollaston et al., in their paper, compared the data recovery functions of two forensic suites and three standalone non-forensic commercial applications, with the result that all tools had comparable performance with respect to data recovery functions [11]. Sitompul et al. propose an Aho-Corasick parsing technique to read file attributes from the master file table (MFT) in order to examine the file condition, with the result that the file reconstruction process on the file system was performed successfully in 87.50% of cases and the average string matching time was 0.32 second [12]. Bansal et al. describe the various methods and tools for recovering data from hard disks, how data recovery tools work, in what situations data can be lost permanently, and under what conditions data can be recovered [13]. Lazaridis et al. published research comparing and evaluating several digital forensics tools on data recovery scenarios, in which the tools were tested and evaluated to provide evidence of their capabilities in qualitative analysis and in recovering deleted data from various file systems [14]. Other research, by Riskiyadi, describes the reliability of digital forensic tools in uncovering cybercrime, obtaining digital evidence with integrity, reliability, and legality using static forensic methods based on the National Institute of Justice (NIJ) framework, with case studies of carding cybercrime and flash disk electronic evidence using the digital forensic tools FTK Imager and Autopsy [15].
Testing of three digital forensics toolkits for recovering deleted data (Puran File Recovery, Glary Undelete, Recuva Data Recovery) was conducted by Handrizal; all three toolkits could restore the deleted data that was tested and analyzed on USB flash drives [16]. Lastly, research by Riadi et al. compared the performance of forensic tools in restoring deleted data (contacts, call logs, messages) used as evidence in court, using two smartphones and two forensic tools (Wondershare Dr.Fone for Android, Oxygen Forensics Suite 2014) with the NIST method [17].
Based on the state of the art above, this paper describes the testing of secure data recovery, from the digital forensics perspective, from USB Flashdisk media to a computer hard drive using the Photorec tool. The test was carried out on a Toshiba L40 notebook (1.8 GHz processor, 2 GB RAM, 500 GB HDD, 64-bit) running Linux Xubuntu 20.04, with 2781 files of various data formats on a 32 GB Toshiba USB Flashdisk. Tests are carried out using predetermined test scenarios. The final objective of the study is to test the reliability of the selected Photorec tool in performing secure data recovery.

II. METHODS
This research was conducted privately in the author's home at Gianyar, Bali (Indonesia) during the Covid-19 pandemic, from June 2020 to December 2020, using the experimental research method. The research steps followed that method and included: 1.) Identification of data problem cases, 2.) Identification of data extensions, 3.) Data recovery process based on conditions. The three steps are presented as a flowchart diagram in Fig. 1 below:
Fig. 1. Flowchart diagram
As shown in Fig. 1 above, the research steps start with the identification of data problem cases, continue with the identification of data extensions, and then proceed with the data recovery process based on conditions. A condition then checks whether the data extension is identified. If yes, the data is identified; if no, the data is not identified.

Scenario Testing
The scenario testing used in this study is as follows:
1.) Provide a 32 GB USB Flashdisk with 2781 files (various data formats) as the data recovery target, plug it into the computer, then check all partitions and find the location of the mounted USB Flashdisk partition.
2.) Run Photorec in the Linux Terminal and detect the USB Flashdisk, the filesystem, the partition that is the target of recovery, and the partition where the recovered data is saved.
3.) Perform the testing, observe and record the test results, and analyze the test results.
4.) Document the research results.

Testing
In this research, testing is carried out through the following set of processes:
1.) After the USB Flashdisk serving as the recovery target is plugged in, the fdisk command is used to see the location of the USB flash drive partition that is mounted to the system. From this test, it can be seen that /dev/sda is the computer's hard disk partition and /dev/sdb is the USB flash partition mounted to the system.
2.) Photorec is run in the Linux Terminal with root access (sudo) as follows, to display a list of partitions on the computer:

    certain-death@my-toshiba:~$ sudo /usr/bin/photorec
    [sudo] password for certain-death:
    PhotoRec 7.1, Data Recovery Utility, July 2019
    Christophe GRENIER <grenier@cgsecurity.org>
    https://www.cgsecurity.org

    PhotoRec is free software, and comes with ABSOLUTELY NO WARRANTY.

    Select a media (use Arrow keys, then press Enter):
    >Disk /dev/sda - 500 GB / 465 GiB (RO) - ST500VT000-1DK142
     Disk /dev/sdb - 31 GB / 28 GiB (RO) - TOSHIBA TransMemory

The USB flash media (/dev/sdb) is the target of data recovery in this research, and its data is to be moved to the computer hard disk partition (/dev/sda).
3.) Move the cursor to the USB flash disk partition in /dev/sdb and select the Proceed option. Photorec reads the partition from the target recovery media (/dev/sdb) belonging to the USB Flashdisk, identified with the FAT32 filetype. Click the Search option.
4.) Photorec reads the filesystem type of the target partition, which is FAT32. Select the Other option. The recovery process is carried out through memory locations that are not recognized in the FAT data, so select the Free option.
5.) Choose a location on the computer's hard disk partition to hold the recovered files, namely /home/certain-death/recovery. Point the cursor to the recovery subdirectory, click it, then press C. The recovery process will start running.
The recovery process was successful and finished well for 2781 files. By providing root access to the files recovered by Photorec, the secure data recovery process can be realized. Root access ensures that no user other than root can access these files. The only users who can access these recovery files are those who have root access or are granted access by root, where root is the highest user in the system.
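The root-only property described above can be checked after a run. The script below is an added example, not part of the original paper: it counts the files in each recup_dir.* subdirectory and lists any file that is not owned by root or that carries group/other permission bits. The function name audit_recovery and that policy are assumptions made for illustration; the default path is the recovery directory used in the test.

```python
#!/usr/bin/env python3
"""Audit owner and mode of files recovered by PhotoRec (added example)."""
import os
import stat
import sys
from collections import Counter
from pathlib import Path


def audit_recovery(root, expected_uid=0):
    """Return (files per recup_dir.*, findings) for the recovery directory `root`.

    Assumed policy (not from the paper): every recovered file is owned by
    `expected_uid` and carries no group/other permission bits.
    """
    counts = Counter()
    findings = []
    for sub in sorted(Path(root).glob("recup_dir.*")):
        if not sub.is_dir():
            continue
        for dirpath, _dirs, files in os.walk(sub):
            for name in sorted(files):
                path = os.path.join(dirpath, name)
                st = os.lstat(path)  # lstat: never follow symlinks
                if not stat.S_ISREG(st.st_mode):
                    continue
                counts[sub.name] += 1
                problems = []
                if st.st_uid != expected_uid:
                    problems.append(f"owner uid {st.st_uid}")
                loose = stat.S_IMODE(st.st_mode) & 0o077
                if loose:
                    problems.append(f"group/other bits {loose:03o}")
                if problems:
                    findings.append((path, problems))
    return counts, findings


if __name__ == "__main__":
    # Default is the recovery directory used in the paper's test.
    target = sys.argv[1] if len(sys.argv) > 1 else "/home/certain-death/recovery"
    counts, findings = audit_recovery(target)
    for name, n in sorted(counts.items()):
        print(f"{name}: {n} files")
    print(f"total: {sum(counts.values())} files, {len(findings)} outside policy")
    for path, problems in findings:
        print(f"  {path}: {', '.join(problems)}")
    sys.exit(1 if findings else 0)
```

Run it with sudo when the recovery directory itself is readable only by root; a non-zero exit status means at least one file is outside the assumed policy.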

IV. CONCLUSION
Based on the tests that have been carried out, it can be concluded that: 1.) Photorec is a reliable digital forensic tool for data recovery that supports secure data recovery because it can restore all files completely (100%), 2.) Secure data recovery in Photorec is implemented by providing root access for all recovered files so that they cannot be accessed by any user without granted access.