
Windows Backup File Analysis via BKF File Forensics Tool

Carl Wilson | September 29th, 2017 | Freebies

Protecting valuable data is something every computer user does. A good backup strategy is what ensures that a copy of the data is kept safe. Backing up crucial data means that even if you lose the original somehow, the backup files will get you out of the mess and restore what was lost. These backup files can also play an important role in an investigation. When a forensic investigation is carried out, the examiners acquire the user's system and dig deep into it to carve out data that might prove the suspect guilty or innocent. Even a deleted or corrupt backup file can be of huge importance and can change the direction an investigation is taking.

Recovering and analyzing a corrupt or deleted backup file manually can waste time and resources. The extra effort spent in the process defeats the very purpose of an investigation, i.e. more evidence in the least possible time. Therefore forensic investigators prefer a professional forensic tool for the job. One of the most effective forensic tools for recovering and viewing corrupt BKF files is BKF File Viewer. For more information and a detailed review of the tool, see the later sections of this write-up.

Analyzing Creator Of Windows Backup (BKF) Files

Windows Backup or BKF files are the proprietary file format of the backup files created by the NTBackup utility. NTBackup was a backup utility, itself a kind of BKF file viewer, responsible for creating backups and pre-installed from Windows NT through Windows Server 2003. The utility can save or back up the system state of the computer. For computers that are not domain controllers (servers that do not respond to security authentication requests), NTBackup backs up the Windows registry, IIS metabase, boot files, Exchange Server data and so on. On computers that are domain controllers, NTBackup creates a backup of Active Directory. With the help of NTBackup, normal, incremental, differential, daily backups and so on are created.

Structure Of Backup Files

A Windows backup file may contain backups of several different files. During an investigation, the investigators dig out evidence from every available resource. There is a strong chance that a backup file contains a copy of some data that proves useful for the case, or information that links to it. When a BKF file is opened in a hex editor, the following structure is displayed. When a file is clicked to be viewed, what we usually get is scrambled text that is of no use on its own. The only thing that can be made out from it is what kinds of files are backed up in the BKF file. As we can see, the files present in this BKF file include DAT files, executable files and so on.
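To make the hex-editor view described above less of a guessing game, here is an added triage script (not code from the original post or from the BKF File Viewer tool). It assumes the BKF file is in Microsoft Tape Format (MTF), the container NTBackup writes, in which each descriptor block starts with a four-character ASCII tag such as TAPE, SSET, DIRB or FILE at a block-aligned offset; the 1024-byte alignment, the placement of the name string inside the sample blocks, and the sample file itself are constructed assumptions for this example. The script hashes the evidence file before touching it, inventories the descriptor blocks, and carves UTF-16LE strings out of FILE blocks so the backed-up file types can be listed without a commercial viewer.

```python
import hashlib
import re
import sys

# MTF descriptor block tags (from the public MTF specification). Assumption:
# the .bkf being examined is an MTF v1.x container as written by NTBackup.
MTF_BLOCK_TAGS = {
    b"TAPE": "media header",
    b"SSET": "start of data set",
    b"VOLB": "volume",
    b"DIRB": "directory",
    b"FILE": "file",
    b"CFIL": "corrupt object",
    b"ESPB": "end of set pad",
    b"ESET": "end of set",
    b"EOTM": "end of tape marker",
    b"SFMB": "soft filemark",
}

BLOCK_ALIGN = 1024  # assumption: format logical block size used by the sample

# Runs of at least four printable ASCII characters encoded as UTF-16LE, which is
# how NTBackup stores names; this is a heuristic string carve, not a full parser.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def sha256_hex(data: bytes) -> str:
    """Hash the evidence before analysis so later results can be tied to it."""
    return hashlib.sha256(data).hexdigest()


def is_mtf(data: bytes) -> bool:
    """A healthy BKF begins with the TAPE media-header block."""
    return data[:4] == b"TAPE"


def scan_descriptor_blocks(data: bytes, align: int = BLOCK_ALIGN):
    """Return (offset, tag, description) for every aligned descriptor block.
    Scanning all aligned offsets rather than walking the chain means a file
    with a damaged header (the 'corrupt BKF' case) still yields an inventory."""
    found = []
    for off in range(0, len(data) - 3, align):
        tag = data[off:off + 4]
        if tag in MTF_BLOCK_TAGS:
            found.append((off, tag.decode("ascii"), MTF_BLOCK_TAGS[tag]))
    return found


def summarize(data: bytes) -> dict:
    """Count descriptor blocks by tag."""
    counts = {}
    for _, tag, _ in scan_descriptor_blocks(data):
        counts[tag] = counts.get(tag, 0) + 1
    return counts


def carve_file_names(data: bytes) -> list:
    """Carve UTF-16LE strings out of each FILE block (heuristic name recovery)."""
    names = []
    for off, tag, _ in scan_descriptor_blocks(data):
        if tag == "FILE":
            block = data[off:off + BLOCK_ALIGN]
            names.extend(m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(block))
    return names


def extension_inventory(names: list) -> dict:
    """Group carved names by extension: the 'what kinds of files' question."""
    inv = {}
    for name in names:
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        inv[ext] = inv.get(ext, 0) + 1
    return inv


def _block(tag: bytes, payload: bytes = b"") -> bytes:
    # Constructed sample block: tag, zero-filled header, name string at 0x60.
    return (tag + b"\x00" * 0x5C + payload).ljust(BLOCK_ALIGN, b"\x00")


# Constructed sample BKF: one directory holding two files (not a real backup).
SAMPLE_BKF = b"".join([
    _block(b"TAPE"),
    _block(b"SSET"),
    _block(b"VOLB"),
    _block(b"DIRB", "C:\\Users\\demo\\".encode("utf-16-le")),
    _block(b"FILE", "report.doc".encode("utf-16-le")),
    _block(b"FILE", "setup.exe".encode("utf-16-le")),
    _block(b"ESET"),
    _block(b"EOTM"),
])


def triage(data: bytes) -> dict:
    names = carve_file_names(data)
    return {
        "sha256": sha256_hex(data),
        "mtf_header": is_mtf(data),
        "blocks": summarize(data),
        "names": names,
        "extensions": extension_inventory(names),
    }


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BKF
    for key, value in triage(data).items():
        print(f"{key}: {value}")
```

Run it against a real acquisition with `python bkf_triage.py image.bkf`; record the printed SHA-256 in the case notes, and treat a `mtf_header` of False together with a non-empty block inventory as the signature of a file whose header is damaged but whose data sets may still be recoverable.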


Restoring Data From BKF Files

Since opening and accessing BKF files created by NTBackup is limited to versions up to Windows Server 2008, the NTBackup Restore utility is used to access a BKF file in any other version. This utility can only be deployed on computers running Windows 7 and Windows Server 2008 to restore backups created on Windows XP and Windows Server 2003. The data recovered from BKF files can contribute to the investigation being carried out. The extracted information may provide useful hints or link the crime back to useful information from the past.

Restore And Investigate BKF Files With BKF File Forensics

A backup or BKF file is always created with the expectation that the backed-up data will be useful for recovering or restoring data at a time of data loss. Nothing is more frustrating than turning to the backup files for recovery and discovering that the backup files have themselves become corrupted. Corrupt backup files used in an investigation bring the whole process to a halt. Manual recovery and restoration of backup files is not possible on every version of Windows; the manual processes can only restore a BKF file on a few versions.

In such a scenario, third-party investigation tools like BKF File Forensics enable investigators to carry on with the complete process. The tool is equipped with advanced features that allow it to scan and view even corrupted backup files. It facilitates restoration of both corrupt and healthy BKF files on all versions of Windows.

Download BKF Forensics Tool

Lucrative Features Of BKF File Forensics

The features of BKF File Forensics listed below enable investigators to carry out an investigation in the most efficient way. They make the tool one of the most advanced and effective tools in the BKF file research domain.

  • Dual Scanning Mode

The software offers a dual scanning mode to recover and view healthy and even corrupted BKF files. Quick scan mode lets investigators open and preview healthy BKF files. Deep scan mode, on the other hand, recovers corrupted BKF files and shows them in their original form.


  • Search Within Recovered BKF File

To make the investigation easier, the tool has been equipped with an efficient search option. Investigators can search for the required file within the bundle of files stored in the BKF file: just type the name or the file extension you are looking for and the file is located within a few seconds.


  • Preview Of Attributes In BKF File

Once the BKF file is recovered and scanned, a preview of all the files residing within it is generated. Details such as the file name, creation date and size are displayed. These details help investigators get a general idea of whether the files created at a particular time have anything in common with the crime.


Summary

To summarize, a cybercrime investigation may find useful links in backup files, if the suspect created any. BKF files cannot be viewed just by clicking on them. Therefore deploying a forensic tool such as BKF File Viewer for viewing and investigating BKF files is usually preferred.