Security Basics mailing list archives

RE: Digital Evidence Question - What is an effective Windows hard-disk search tool?


From: "Robinson, Sonja" <SRobinson () HIPUSA com>
Date: Tue, 17 Jun 2003 15:16:30 -0400

You're looking for something that does DoD specs, 31x write; try Maresware
Declasfy, BCWipe, etc.  There are a number of tools.  Make sure that it goes
past the EOF flag at the end of the drive.  And the LE most likely used
EnCase or FTK.  What he did was not magic; it's called forensics.  Files are
not deleted when you delete them; their pointer is, so that the O/S can't
effectively find the file anymore even though the file resides on the drive
until it is overwritten.  Files are written multiple times in an MS O/S and
can reside in multiple locations.  You need to look at free, swap and
unallocated space.  There is a wealth of info there.

Sonja Robinson, CISA
Network Security Analyst
HIP Health Plans
Office:  212-806-4125
Pager: 8884238615
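An added example, not part of the thread, illustrating the point above: a small signature-based carver that scans a raw acquired image for JPEG and PNG headers and footers, and so finds a "deleted" photo whose directory pointer is gone but whose bytes still sit in unallocated space. The disk image and the image payloads are constructed in memory as minimal stand-ins.

```python
"""Signature-based file carving over a raw disk image (added example).

A deleted file keeps its bytes in unallocated space until overwritten, so a
carver that looks only for known headers/footers recovers it with no help
from the filesystem. The image below is constructed; payloads are stand-ins.
"""

# file type -> (header magic, footer magic)
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}


def carve(image: bytes, max_size: int = 1 << 20):
    """Return [(type, offset, data)] for every header/footer pair found."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        start = 0
        while True:
            pos = image.find(header, start)
            if pos < 0:
                break
            # Only look for the footer within max_size bytes of the header.
            end = image.find(footer, pos + len(header), pos + max_size)
            if end < 0:
                start = pos + 1  # header with no footer in range: skip it
                continue
            end += len(footer)
            found.append((kind, pos, image[pos:end]))
            start = end
    return sorted(found, key=lambda f: f[1])


def build_sample_image() -> bytes:
    """Constructed 'acquired' image: a live PNG, then a deleted JPEG in free space."""
    live_png = SIGNATURES["png"][0] + b"...chunks..." + SIGNATURES["png"][1]
    deleted_jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-payload-of-a-deleted-photo" + b"\xff\xd9"
    # A directory entry would point at live_png only; the JPEG has no pointer
    # left, but its bytes are still sitting in unallocated clusters.
    return b"\x00" * 512 + live_png + b"\x00" * 1024 + deleted_jpeg + b"\x00" * 512


if __name__ == "__main__":
    for kind, offset, data in carve(build_sample_image()):
        print(f"{kind} at offset {offset}, {len(data)} bytes")
```

Running it against a real image means reading the acquired file in chunks and carrying the offset across chunk boundaries; the scanning logic stays the same.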



-----Original Message-----
From: marcus peddle [mailto:marcus_peddle () yahoo ca] 
Sent: Monday, June 16, 2003 8:12 PM
To: security-basics () securityfocus com
Cc: marcus_peddle () yahoo ca
Subject: Digital Evidence Question - What is an effective Windows hard-disk
search tool?


Hello,
 
I have a question/request:
 
A few weeks back, a friend of mine in law enforcement
demo'ed a tool he had on his computer that searched his
entire hard drive and built an evidence file (he
called it acquiring the drive).  He then used a
proprietary tool to search the file the tool built for
things he thought he had deleted.  I am very aware of
the footprint that can be left on a user's computer, but
he had an extensive wipe tool that I was quite
surprised to see did not delete everything.  He began
pulling up images/cookies/files that he thought he had
deleted years ago.

Needless to say, I was quite surprised.

So I now use a wiping program on my computer that
deletes and overwrites all deleted files.  I also have
a few other footprint erasers going, but I wonder how
effective they are.

What I seek is the following:

- A tool (preferably freeware) that I can use to acquire
and search my hard drive for
images/history/general/etc. information that I have
"deleted".
 
Any suggestions?  It goes without saying that any
ideas you may have would be appreciated.  Thanks!
 
Marcus 

