RecuperaBit: Present and Future of NTFS Reconstruction

March 03, 2021 •  Online, Worldwide

Please join us for a webinar on March 3 at 11:00 am EST / 5:00 pm CET. If you are unable to make it live, we’ll provide the recording to everyone who registers

RecuperaBit: Present and Future of NTFS Reconstruction

File system corruption, either accidental or intentional, may compromise the ability to access and recover the contents of files during data recovery and digital forensics activities. Conventional techniques, such as file carving, allow for the recovery of file contents partially, without considering the file system structure. However, the loss of metadata may prevent the attribution of meaning to extracted contents, given by file names or timestamps. RecuperaBit implements a signature recognition process that matches and parses known file records, followed by a bottom-up reconstruction algorithm which is able to recover the structure of the file system by rebuilding the entire tree, or multiple subtrees if the upper nodes are missing. Partition geometry is determined even if the boundaries are unknown by applying an approximate string matching algorithm.

This talk aims to introduce the algorithms used by RecuperaBit and to discuss future plans to make the tool more usable, streamlined and user-friendly by re-thinking its command line user interface.



RecuperaBit: Present and Future of NTFS Reconstruction


Andrea Lazzarotto

Digital Forensics Consultant


Andrea Lazzarotto is an independent digital forensics consultant and software developer based in Italy. He holds a MSc in Computer Science, obtained with a thesis about forensic techniques for reconstructing NTFS with partially corrupted metadata. This work lead to the development of RecuperaBit, an open source program for NTFS data recovery. He provides consulting services related to business IT, data recovery and digital forensics. He is author of several other smaller utilities and scripts, such as Carbon14, a OSINT tool for determining the publication date of a web page.