For this exercise, we'll be using a very small .raw image created using DD. This file is approximately 6 MB and is publicly available at http://dftt.sourceforge.net/test7/index.html:

1. Click on the ZIP file to download it and extract it to its default location. When extracted, the name of the file shows up as 7-ntfs-undel.dd. Using the preceding steps, start DD if you haven't yet opened the program. Before we import the image, take a moment to observe the icons next to the entries in the main window area. The icon for the Logical files field is a white folder with a hint of blue:

2. To open our downloaded DD image in DFF, either click on File | Open evidence or click on the Open evidence button, as shown in the following screenshot:

3. In the Select evidence type box, ensure that the RAW format option is checked and the File option is selected in the drop-down box. Click on the green plus (+) sign to browse to the 7-ntfs-undel.dd file. Click OK to continue:

In both the left pane and the main windows of DFF, observe the plus sign next to the Logical files icon. This tells us that although there are no entries for size, tags, and path, the image has been successfully added and we can explore the Logical files section:

4. In the left window pane, click on the Logical files category. In the main window, the name of the image is displayed:

5. Double-click on the name of the image in the main window. In the Apply module box, click on Yes:

After the module is applied, the image name appears (7-ntfs-undel.dd) under  Logical files in the left pane:

6. Click on the plus sign to the left of the image name in the left pane to expand the menu and view the contents image. Once expanded, we can see that there are two folders, namely NTFS and NTFS unallocated:

7. To view the contents of the files, double-click on the NTFS entry in the main window:

8. Click on the frag1.dat deleted file. The right pane displays information about the file including the following:
   • name: frag1.dat
   • node type: file deleted
   • generated by: ntfs
   • Creation time: 2004-02-29 20:00:17
   • File accessed time: 2004-02-29 20:00:17
   • File altered time: 2004-02-29 20:00:17
   • MFT altered time: 2004-02-29 20:00:17

9. Let's inspect another deleted file. Click on the mult1.dat:ADS stream and view its details:

According to the file listing at http://dftt.sourceforge.net/test7/index.html, this image contains 11 deleted files, including mult1.dat:ADS, which contains hidden content in an NTFS Alternate Data Stream. DFF has found all 11 files. Visit the preceding site or view the following screenshot to view the names of the deleted files for comparison: