RE: Digital Evidence Question - What is an effective Windows hard-disk search tool?

From: Robinson, Sonja (SRobinson_at_HIPUSA.com)
Date: 06/19/03

  • Next message: Kelly Martin: "Moderator's note: limit your bulky disclaimers"
    To: "'Wilcox, Stephen'" <StephenWilcox@universalcomputersys.com>, security-basics@securityfocus.com
    Date: Thu, 19 Jun 2003 09:05:06 -0400
    
    

    If you overwrote your drive with a new install of the O/S you just overwrote
    your data, so you're pretty much scr3w3d unless you do data recovery with
    Ontrack, who MIGHT be able to recover it but it would cost you some $$$. A
    tool such as EnCase or FTK would probably be able to recover SOME of
    your files but probably only in a text format. Try looking at the drive
    with a hex editor and see what you can find. dtSearch can also help doing
    a search of the drive... When you reinstall the software you've basically
    destroyed your FAT and given it permission to overwrite any cluster (w/o
    getting too technical in the how to's and why's of it).

    Sonja Robinson, CISA
    Network Security Analyst
    HIP Health Plans
    Office: 212-806-4125
    Pager: 8884238615

    -----Original Message-----
    From: Wilcox, Stephen [mailto:StephenWilcox@universalcomputersys.com]
    Sent: Wednesday, June 18, 2003 2:54 PM
    To: security-basics@securityfocus.com
    Subject: RE: Digital Evidence Question - What is an effective Windows hard-disk search tool?

    Hello

    It's funny that this discussion started in the last few days. As Murphy
    would have it, last night while installing a new NIC card, something
    happened to the boot.ini file and corrupted it. I don't know how or why,
    except the possibility of it writing the NIC information to the boot.ini
    file. I don't think that this information is stored in the boot.ini
    file, but maybe. Anyway, the problem I ran into is that Windows would not
    load and I couldn't recover it (no safe mode, no fixboot, no fixmbr,
    nothing). I figured I would just overlay an OS on top of the old one and
    then recover the information; no luck, the process would not proceed unless I
    formatted. Great... if you know what I mean. I have been researching free
    tools to recover lost data but no real luck finding software that performs
    properly. I was wondering if anyone has/knows of one. Looking to recover
    my office files - *.xls, *.pst files and *.doc files.

    Stephen

    -----Original Message-----
    From: Robinson, Sonja [mailto:SRobinson@HIPUSA.com]
    Sent: Wednesday, June 18, 2003 10:54 AM
    To: Robinson, Sonja; 'marcus peddle'; security-basics@securityfocus.com
    Subject: RE: Digital Evidence Question - What is an effective Windows hard-disk search tool?

    I was a bit rushed yesterday, sorry, so here is a bit more detail but still
    in a general kind of knowledge base. I'm trying to keep it a simple
    explanation so that the general population can understand the basics. If
    people want to get really technical please feel free....

    In Windows operating systems (and others) there is the File Allocation Table
    (FAT), which is basically an index of where your files are located. Your
    files can be and are written across numerous clusters and are not written
    sequentially. One file is in a number of pieces across your hard drive and
    each cluster points to the next in the chain. In addition, MS writes files
    more than once (this you'll find in free space and swap space). If your
    file does not fill up the entire cluster, MS dumps other data into it. This
    "extra area" is called unallocated space. This data can be anything and is
    normally what was in RAM at the time. So for instance, your cluster is 24K
    (just throwing out a number here) and your file only fills up 18K; well then
    the remaining 6K is filled up with "garbage". "What is one O/S's garbage
    could be the confidential info I'm looking for...."

    When you delete a file, only the pointer in the FAT table is deleted. The
    file is still there until it is overwritten. Since MS writes to random
    clusters, only parts of your file may be overwritten at any time and the parts
    that aren't overwritten are recoverable. It should be noted that MS
    normally starts overwriting the beginning clusters of the drive, so if the
    file is located near the end of the drive it takes longer to overwrite.
    Remember again, though, that it does not write in sequential clusters.
    Theoretically, the end of the drive may never be written to, depending on how
    much writing and deleting you do.

    In order to obtain this "deleted" or "hidden" information you need to
    analyze your drives using tools generally used for forensics (NTI, The
    Coroner's Toolkit, EnCase, FTK, Linux tools). In most cases bitstream copies are
    done first to preserve evidence, but if you're not worried about evidence and
    you just want to see what's on your drive any of these tools will work, but
    they're not free (Linux tools generally are). If you just want to undelete
    files, Norton Utilities works great. It's much easier to see it in a
    diagram. I think NTI has a good diagram but I'm sure there are others out
    there as well.

    UltraEdit and other hex editors are great for reading misc data, files and
    disks. You just have to be patient.

    Did you ever notice how all of your e-mail is 1K even if it is blank? Yes, MS
    dumps info in there too, but it is generally invisible unless you do
    analysis. It's amazing what you can find....

    Sonja Robinson, CISA
    Network Security Analyst
    HIP Health Plans
    Office: 212-806-4125
    Pager: 8884238615

    -----Original Message-----
    From: Robinson, Sonja
    Sent: Tuesday, June 17, 2003 3:17 PM
    To: 'marcus peddle'; security-basics@securityfocus.com
    Subject: RE: Digital Evidence Question - What is an effective Windows hard-disk search tool?

    You're looking for something that does DoD specs, 31x write; try Maresware
    Declasfy, BCWipe, etc. There are a number of tools. Make sure that it goes
    past the EOF flag at the end of the drive. And the LE most likely used
    EnCase or FTK. What he did was not magic, it's called forensics. Files are
    not deleted when you delete them; their pointer is, so that the O/S can't
    effectively find the file anymore even though the file resides on the drive
    until it is overwritten. Files are written multiple times in an MS O/S and
    can reside in multiple locations. You need to look at free, swap and
    unallocated space. There is a wealth of info there.

    Sonja Robinson, CISA
    Network Security Analyst
    HIP Health Plans
    Office: 212-806-4125
    Pager: 8884238615

    -----Original Message-----
    From: marcus peddle [mailto:marcus_peddle@yahoo.ca]
    Sent: Monday, June 16, 2003 8:12 PM
    To: security-basics@securityfocus.com
    Cc: marcus_peddle@yahoo.ca
    Subject: Digital Evidence Question - What is an effective Windows hard-disk search tool?

    Hello,
     
    I have a question/request:
     
    A few weeks back, a friend of mine in law enforcement
    demo'ed a tool he had on his computer that searched his
    entire hard drive and built an evidence file (he
    called it acquiring the drive). He then used a
    proprietary tool to search the file the tool built for
    things he thought he had deleted. I am very aware of
    the footprint that can be left on a user's computer but
    he had an extensive wipe tool that I was quite
    surprised to see did not delete everything. He began
    pulling up images/cookies/files that he thought he had
    deleted years ago.
     
    Needless to say I was quite surprised.
     
    So I now use a wiping program on my computer that
    deletes and overwrites all deleted files. I also have
    a few other footprint erasers going but I wonder how
    effective they are.
     
    What I seek is the following:
     
    -A tool (preferably freeware) that I can use to acquire
    and search my hard drive for
    images/history/general/etc information that I have
    "deleted".
     
    Any suggestions? It goes without saying that any
    ideas you may have would be appreciated. Thanks!
     
    Marcus

    ______________________________________________________________________
    Post your free ad now! http://personals.yahoo.ca

    ---------------------------------------------------------------------------
    Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
    The Gartner Group just put Neoteris in the top of its Magic Quadrant, while
    InStat has confirmed Neoteris as the leader in marketshare.
         
    Find out why, and see how you can get plug-n-play secure remote access in
    about an hour, with no client, server changes, or ongoing maintenance.
              
    Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
    ----------------------------------------------------------------------------

    **********************************************************************
    This message is a PRIVILEGED AND CONFIDENTIAL communication, and is intended
    only for the individual(s) named herein or others specifically authorized to
    receive the communication. If you are not the intended recipient, you are
    hereby notified that any dissemination, distribution or copying of this
    communication is strictly prohibited. If you have received this
    communication in error, please notify the sender of the error immediately,
    do not read or use the communication in any manner, destroy all copies, and
    delete it from your system if the communication was sent via email.

    **********************************************************************



    ----------------------------------------
    The information transmitted in this message is intended only for the person
    or entity to whom it is addressed and may contain confidential and/or
    privileged material. Any review, retransmission, dissemination or other use
    of, or taking of any action in reliance upon this information by persons or
    entities other than the intended recipient is prohibited. If you received
    this in error, please contact the sender and destroy any copies of this
    document.


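Editor's worked example (added here; not code from anyone in the thread) for the
points Sonja makes in her 17 and 18 June replies: deleting a file only flags its
directory entry and frees its FAT chain, the cluster bytes stay until something
reuses them, a new file that reuses a cluster overwrites only part of the old one,
the unused tail of a file's last cluster (the "extra area" above; forensic tools
call it slack) keeps whatever was there before, and a free-space wiper clears
unallocated clusters but not the slack of live files. It models a tiny FAT16
volume in memory. The 512-byte clusters, 16-cluster data area, 16-entry root
directory, first-fit allocation, the pre-fill pattern standing in for old disk
contents, and the file names and contents are all constructed assumptions; there
is no boot sector and deleted directory slots are deliberately not reused.

```python
# Added example, not code from the thread: a tiny FAT16 volume held in memory. Cluster
# size, directory size, first-fit allocation and the sample files are assumptions.
import struct

CLUSTER, N_CLUSTERS, DIR_SLOTS, EOC = 512, 16, 16, 0xFFFF   # data clusters are 2..17


class FatVolume:
    def __init__(self):
        self.fat = bytearray(2 * (N_CLUSTERS + 2))        # one 16-bit entry per cluster
        self.set_fat(0, 0xFFF8)                            # reserved entries, as a format writes them
        self.set_fat(1, EOC)
        self.root = bytearray(32 * DIR_SLOTS)              # fixed root directory
        # Data region pre-filled with a pattern standing in for whatever the disk held before.
        self.data = bytearray(b"OLD-" * (CLUSTER * N_CLUSTERS // 4))

    def get_fat(self, n):
        return int.from_bytes(self.fat[2 * n:2 * n + 2], "little")

    def set_fat(self, n, v):
        self.fat[2 * n:2 * n + 2] = v.to_bytes(2, "little")

    def chain(self, c):                # follow the FAT from a first cluster to end-of-chain
        out = []
        while 2 <= c < 0xFFF8:
            out.append(c)
            c = self.get_fat(c)
        return out

    def cluster(self, n):              # writable view of one data cluster
        return memoryview(self.data)[(n - 2) * CLUSTER:(n - 1) * CLUSTER]

    def unallocated(self):             # clusters no live file owns (FAT entry 0)
        return [c for c in range(2, N_CLUSTERS + 2) if self.get_fat(c) == 0]

    # Directory entry: 11-byte 8.3 name, attribute, 14 bytes of stamps, first cluster, size.
    def entries(self):
        for i in range(DIR_SLOTS):
            name, _, _, first, size = struct.unpack("<11sB14sHI", self.root[32 * i:32 * i + 32])
            yield i, name, first, size

    def entry(self, name):             # (slot, first cluster, size) of a live entry
        return next((i, f, s) for i, n, f, s in self.entries() if n == name)

    def list_files(self):              # what the OS lists: slots neither unused nor flagged 0xE5
        return [n for _, n, _, _ in self.entries() if n[0] not in (0x00, 0xE5)]

    def write_file(self, name, payload):
        need = max(1, -(-len(payload) // CLUSTER))
        free = self.unallocated()[:need]                   # first-fit, lowest clusters first
        if len(free) < need:
            raise OSError("disk full")
        for k, c in enumerate(free):
            self.set_fat(c, free[k + 1] if k + 1 < need else EOC)
            chunk = payload[k * CLUSTER:(k + 1) * CLUSTER]
            self.cluster(c)[:len(chunk)] = chunk           # bytes after the chunk stay as slack
        # Takes the first never-used slot. Real drivers also reuse 0xE5 slots, which
        # destroys the name and first-cluster hint an undelete tool relies on.
        for i, n, _, _ in self.entries():
            if n[0] == 0x00:
                self.root[32 * i:32 * i + 32] = struct.pack(
                    "<11sB14sHI", name, 0x20, bytes(14), free[0], len(payload))
                return free
        raise OSError("directory full")

    def delete_file(self, name):
        i, first, _ = self.entry(name)
        self.root[32 * i] = 0xE5                           # entry flagged deleted, not erased
        for c in self.chain(first):
            self.set_fat(c, 0)                             # chain freed; cluster bytes untouched

    def slack(self, name):             # unused tail of the file's last cluster
        _, first, size = self.entry(name)
        tail = size % CLUSTER
        return bytes(self.cluster(self.chain(first)[-1])[tail:]) if tail else b""

    def carve(self, signature):        # unallocated clusters that still hold the signature
        return [c for c in self.unallocated() if signature in bytes(self.cluster(c))]

    def wipe_free_space(self):         # what a free-space wiper does: unallocated clusters only
        for c in self.unallocated():
            self.cluster(c)[:] = bytes(CLUSTER)


def demo():
    vol, hit = FatVolume(), b"confidential merger memo"
    r = {"notes": vol.write_file(b"NOTES   DOC", b"NOTES:" + hit * 30)}   # 726 bytes: clusters 2, 3
    vol.write_file(b"BUDGET  XLS", b"XLS:" + b"q3 numbers " * 60)        # 664 bytes: clusters 4, 5
    vol.delete_file(b"NOTES   DOC")
    r["listed"], r["carved"] = vol.list_files(), vol.carve(hit)          # gone from the listing, not the disk
    vol.write_file(b"MEMO    DOC", b"MEMO:" + b"x" * 100)                # 105 bytes; reuses cluster 2
    r["carved_after_reuse"] = vol.carve(hit)                             # cluster 3 is still carveable
    r["memo_slack_leaks"] = hit in vol.slack(b"MEMO    DOC")             # rest of cluster 2 is still NOTES
    vol.wipe_free_space()
    r["carved_after_wipe"] = vol.carve(hit)
    r["slack_after_wipe"] = hit in vol.slack(b"MEMO    DOC")             # live-file slack survives the wipe
    r["budget_slack"] = vol.slack(b"BUDGET  XLS")[:4]                    # pre-existing disk contents, not XLS
    return r
```

Running demo() walks the sequence in the thread: after the delete the OS lists only
BUDGET.XLS, but a signature search over unallocated clusters still finds the memo
text in clusters 2 and 3; writing a small new file reuses cluster 2 and leaves
cluster 3 carveable; the new file's own slack (the rest of cluster 2) still holds the
old memo; and after wiping free space the carve comes up empty while that slack is
untouched, which is why wipers that also clear file slack exist. An undelete tool
working from the 0xE5 entry (first cluster 2, size 726) would assume clusters 2 and 3
and return a file whose first part is the new memo, the kind of partial, text-only
recovery the first reply describes.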


