RE: Digital Evidence Question - What is an effective Windows hard -disk search tool?

From: Robinson, Sonja (SRobinson_at_HIPUSA.com)
Date: 06/26/03

    To: 'NC Agent' <NC_Agent@kueppers-familie.de>, security-basics@securityfocus.com
    Date: Thu, 26 Jun 2003 12:01:11 -0400
    
    

    >>O/S could be Fat32. We didn't have that info. True. Normal formats
    still retain data in parts of the clusters so data is recoverable. My
    previous posts stated that. A wipe to DoD specs (7 or more passes - 31
    recommended now) would make data unrecoverable. I'm sorry if people missed
    earlier posts where I discussed un/allocated, free, swap space,
    non/sequential clusters, etc. and are only responding to this one or if I
    wasn't as specific as I should have been in . I had previously stated in
    other posts that, potentially, data is recoverable if it was not overwritten
    (and the user potentially overwrote a number of clusters when he reinstalled
    the O/S and the apps, depending on where the new install files were written
    to on the hd of course). And that if the full cluster was overwritten they
    would not be able to recover anything in unallocated space since it would
    then be allocated. If only part of the cluster is overwritten/allocated the
    data residing in the unallocated space is recoverable. The user had asked
    if he could recover files in a format readable by the original apps. If
    only parts of the files are recoverable, i.e. using hex editor or similar
    tool then most likely not. (And I will not profess to know every potential
    tool that could potentially recover some in a readable format.) MS tends to
    write non-contiguously and thus it is likely that a part of a file was
    overwritten by one of the newly installed programs. This of course is
    affected by the age of the drive, the amount of data, where the files were
    written to (the beginning of the hard drive vs the end), the amount of files that
    were "deleted" throughout the years, etc.

    Also, in another post I suggested he try a hex editor to view the data in
    the clusters to see what was available for recovery. Based on that review
    you could determine what it was worth to buy a program to help recover any
    data or what would be necessary to rebuild the files manually. It appeared
    that this was beyond the user's technical capabilities at the moment and
    that such rebuilding would require a third party and an additional cost
    which he did not seem inclined to pay. I think he specifically mentioned a
    PST file and his e-mail messages which is what I was mainly focusing on. In
    all likelihood, PST would be extremely difficult to put back together so it
    was readable by Outlook since all of the messages would be scattered and
    some most likely lost. My main point was that in all likelihood it was going
    to require him to put files back together manually and that they would most
    likely not be readable by the original program. Other files may be easier
    to get in their entirety. I should have clarified this, sorry.

    In any event it is nice to share all of the potential ways to recover lost
    data for varying technical capabilities. The more avenues you have the more
    chances you might have to recover something even if it is only bits and
    pieces.

     
    -----Original Message-----
    From: Robinson, Sonja [mailto:SRobinson@HIPUSA.com]
    Sent: Friday, June 20, 2003 10:50
    To: 'Wilcox, Stephen'; 'security-basics@securityfocus.com'
    Subject: RE: Digital Evidence Question - What is an effective Windows hard
    -disk search tool?

    If you reformatted, don't waste your money on any product, your stuff is
    gone and the $75 tool isn't going to help you. Forensics tools aren't going
    to help you.

    I would take exception to the above comment, assuming a FAT32 system and
    using the high level format the only part of the drive that will be lost is
    the system area of the drive. The data area, cluster 2 and beyond will
    remain untouched. So even if you format the data is still there, just the
    system area is zeroed. Which means you may have to look for it manually, but
    does not mean that it is gone and your search would be a waste of time.

    Your only hope is something like Ontrack and that will cost you. Even if
    you could recover some of the information from free space or slack space, no,
    your files wouldn't have been readable. IF you had not reformatted and IF
    you had not reinstalled the O/S yes they would have been readable by the
    original program. You're pretty much toast dude. Sorry. It is possible to
    reassemble files IF they are still there (99.5% chance they're hosed) but
    reassembly will cost you serious $$ because it takes a lot of time to do
    manually.

    Actually all that you have to do is rebuild the root files and remap the
    FAT, if the files were contained in contiguous clusters before the
    formatting it is not that tough to do although a little time consuming. If
    however the files were in non-contiguous clusters then you are in for time
    consuming recovery.

    Clayton Hoskinson, CFCE
    IS Auditor
    State Auditor and Inspector

    ---------------------------------------------------------------------------
    Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
    The Gartner Group just put Neoteris in the top of its Magic Quadrant, while
    InStat has confirmed Neoteris as the leader in marketshare.
         
    Find out why, and see how you can get plug-n-play secure remote access in
    about an hour, with no client, server changes, or ongoing maintenance.
              
    Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
    ----------------------------------------------------------------------------

    **********************************************************************
    CONFIDENTIALITY NOTICE: This e-mail transmission, including any attachments to it, may contain confidential information or protected health information subject to privacy regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This transmission is intended only for the use of the recipient(s) named above. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in this transmission is STRICTLY PROHIBITED. If you have received this transmission in error, please immediately notify me by reply e-mail and destroy the original transmission in its entirety without saving it in any manner.

    **********************************************************************

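The thread's central points (a high-level format zeroes only the system area and leaves cluster 2 onward untouched; a contiguous file can be put back with just its start cluster and size; a fragmented file cannot be carved cleanly; a newly installed program that lands on part of a cluster leaves the rest of the old data in slack) can be seen in a few lines of code. The following is an added example written for this page, not code from any of the posters. It models a FAT16-like volume in memory (boot sector, 16-bit FAT, 32-byte root entries with start cluster at offset 26 and size at offset 28, 2048-byte clusters); the layout is simplified and the two sample files are constructed, so it is an illustration of the mechanism, not a parser for real FAT32 images.

```python
import struct

SECTOR = 512
CLUSTER = 4 * SECTOR                  # 2048-byte clusters (4 sectors each)
N_CLUSTERS = 16                       # data area: clusters 2 .. 17
FAT_OFF = SECTOR                      # the FAT sits right after the boot sector
FAT_SIZE = 2 * (N_CLUSTERS + 2)       # one 16-bit entry per cluster; entries 0 and 1 are reserved
ROOT_OFF = FAT_OFF + FAT_SIZE         # root directory follows the FAT
ROOT_SIZE = 16 * 32                   # 16 directory entries of 32 bytes each
DATA_OFF = ROOT_OFF + ROOT_SIZE       # end of the "system area"; cluster 2 begins here
EOC = 0xFFFF                          # end-of-chain marker in the FAT

# Constructed sample files (not real data): one spans three contiguous clusters,
# the other is deliberately written fragmented, as the thread says Windows often does.
MEMO = b"BEGIN-MEMO\n" + b"meeting notes line\n" * 230 + b"END-MEMO"   # 4389 bytes -> 3 clusters
LOG = b"BEGIN-LOG\n" + b"event\n" * 800 + b"END-LOG"                  # 4817 bytes -> 3 clusters

def cluster_off(n):
    return DATA_OFF + (n - 2) * CLUSTER

def write_file(img, name, data, chain):
    """Store data in the given cluster chain and record it in the FAT and root directory."""
    for i, c in enumerate(chain):
        chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
        img[cluster_off(c):cluster_off(c) + len(chunk)] = chunk
        nxt = chain[i + 1] if i + 1 < len(chain) else EOC
        struct.pack_into("<H", img, FAT_OFF + 2 * c, nxt)
    for slot in range(ROOT_SIZE // 32):
        off = ROOT_OFF + slot * 32
        if img[off] == 0:                                   # free directory entry
            img[off:off + 11] = name.ljust(11).encode("ascii")
            struct.pack_into("<HI", img, off + 26, chain[0], len(data))  # start cluster, size
            return slot

def build_volume():
    """Fresh volume holding MEMO (clusters 2,3,4) and LOG (clusters 5,9,7)."""
    img = bytearray(DATA_OFF + N_CLUSTERS * CLUSTER)
    write_file(img, "MEMO    TXT", MEMO, [2, 3, 4])
    write_file(img, "EVENTS  LOG", LOG, [5, 9, 7])
    return img

def read_by_directory(img, slot):
    """The normal path: root entry -> start cluster -> FAT chain. None if the entry is blank."""
    off = ROOT_OFF + slot * 32
    if img[off] == 0:
        return None
    start, size = struct.unpack_from("<HI", img, off + 26)
    out, c = bytearray(), start
    while c not in (0, EOC) and len(out) < size:
        out += img[cluster_off(c):cluster_off(c) + CLUSTER]
        c = struct.unpack_from("<H", img, FAT_OFF + 2 * c)[0]
    return bytes(out[:size])

def quick_format(img):
    """High-level format as described in the thread: zero the system area, leave the data area alone."""
    img[0:DATA_OFF] = bytes(DATA_OFF)

def recover_contiguous(img, start, size):
    """The 'remap the FAT' case: a contiguous file needs only its start cluster and size."""
    off = cluster_off(start)
    return bytes(img[off:off + size])

def carve(img, header, footer):
    """Signature carving: find the cluster holding header, read forward until footer shows up.
    Correct for contiguous files; a fragmented file comes back with foreign clusters mixed in."""
    for c in range(2, 2 + N_CLUSTERS):
        blk = img[cluster_off(c):cluster_off(c) + CLUSTER]
        pos = blk.find(header)
        if pos < 0:
            continue
        buf, n = bytearray(blk[pos:]), c + 1
        while footer not in buf and n < 2 + N_CLUSTERS:
            buf += img[cluster_off(n):cluster_off(n) + CLUSTER]
            n += 1
        end = buf.find(footer)
        return bytes(buf[:end + len(footer)]) if end >= 0 else bytes(buf)
    return None

def slack(img, c, used):
    """File slack: the bytes of cluster c past the 'used' bytes a newer, smaller file wrote into it."""
    off = cluster_off(c)
    return bytes(img[off + used:off + CLUSTER])

if __name__ == "__main__":
    img = build_volume()
    quick_format(img)
    print("directory after format:", read_by_directory(img, 0))
    print("contiguous remap works:", recover_contiguous(img, 2, len(MEMO)) == MEMO)
    print("carved fragmented log intact:", carve(img, b"BEGIN-LOG", b"END-LOG") == LOG)
    write_file(img, "SETUP   EXE", b"INSTALLER-DATA " * 20, [3])   # new install lands on cluster 3
    print("memo still intact:", carve(img, b"BEGIN-MEMO", b"END-MEMO") == MEMO)
    print("old bytes left in slack:", len(slack(img, 3, 300)))
```

Run as a script it walks the scenario in order: after the format the directory read returns nothing, the contiguous memo comes back whole either by remapping or by carving, the fragmented log carves with a zeroed cluster in the middle, and once a 300-byte "installer" is written into cluster 3 the memo is no longer intact while the other 1748 bytes of that cluster still hold the old text. A hex editor over the data area would show exactly those bytes, which is what the post suggests looking at before paying for a recovery product.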
