Security Basics mailing list archives
RE: Digital Evidence Question - What is an effective Windows hard -disk search tool?
From: "dave klimen" <dave () netmedic net>
Date: Tue, 24 Jun 2003 00:03:34 -0400
First of all, I never said EnCase could recover lost clusters that had been overwritten. That is just one of many forensic tools I utilize; I did not suggest that it should be used in this case. I suggested R-Studio. Secondly, like I said, download the trial version and try it, do not take my opinion. Links are at the end, but please read this.

R-Studio recovers files:

- That have been removed without Recycle Bin, or when Recycle Bin has been emptied;
- Removed by virus attack or power failure;
- After the partition with the files was reformatted, even for a different file system;
- When the partition structure on a hard drive was changed or damaged. In this case, R-Studio can scan the drive trying to find previously existing partitions and recover files from found partitions.
- From disks with bad sectors. In this case, R-Studio can first copy the entire disk or its part into an image file and then process such image file.

R-Studio can create image files for an entire hard drive, logical disk, or its part. Such image files can be processed like regular disks. Images are very useful if there is a risk of total data loss due to hardware malfunction. If bad blocks are constantly appearing on a hard drive, the only way to save the data is to immediately create an image of that drive. All data search, scan and recovery can be done from this image.

How it works

Each R-Studio product has two operation modes:

File search on a partition (including recently found): R-Studio analyzes the MFT (Master File Table) on NTFS partitions and the FAT (File Allocation Table) on FAT partitions. Then it will display all files whose records have been found in the analyzed tables. Recently deleted files, whose records still remain, can be restored. If files have not been found, that means that their records have been deleted. In this case, the disk must be scanned.

Disk scan - searching for partitions: R-Studio scans the entire disk or its part. Using a number of statistic and deterministic criteria, known as the IntelligentScan technology, it determines existing or previously existing partitions on the disk and their file systems. For example, if there was an NTFS partition which later was reformatted as a FAT partition, R-Studio will show two partitions in the same place on the disk: FAT and NTFS. After scanning the entire disk or its part, R-Studio will show all found partitions. The parameters of the found partitions may be corrected if additional information on them is available. It's possible to add new partitions by manually setting all required parameters.

http://www.r-tt.com/htmlhelp/

And the FAQs have a lot of info:
http://www.r-tt.com/FAQ.shtml#

Your best bet would be to read the user's manual:
http://www.r-tt.com/downloads/rstudio.pdf
http://www.r-tt.com/downloads/rundelete.pdf

_____________________
Dave Kleiman
dave () netmedic net
www.netmedic.net

"High achievement always takes place in the framework of high expectation." Jack Kinder

-----Original Message-----
From: Robinson, Sonja [mailto:SRobinson () HIPUSA com]
Sent: Monday, June 23, 2003 13:14
To: 'dave klimen'; 'Gene LeDuc'; 'security-basics () securityfocus com'
Subject: RE: Digital Evidence Question - What is an effective Windows hard -disk search tool?

Encase can not recover the files if they were overwritten by a new install because the O/S overwrote the files. IF they happen to be near the end of the hard drive and were NOT overwritten by the O/S install and any other subsequent files, then Encase can possibly recover some of the files but not the file structure. I even verified this with Encase since a new version recently came out. I use Encase (along with other tools) too and I'm not sure how Encase came up in the conversation or how it will help the user. And it's always possible that some people use/know of different tools than others. That's why we have this and other lists.

Since I am not familiar with the R-Studio product I can not say if it can or it can't, but like I previously stated I will download and test it. Nothing personal, but I test everything; not that I don't trust people. Has nothing to do with trust. I don't think anyone meant to question your qualifications or otherwise attack your statements, so please don't take comments so personally and be so antagonistic. Asking for qualifications is certainly valid in cyberspace and no one will (or should) take the "because I said so" as a valid explanation. No one attacked pricing of any product. The user just stated that he preferred something free. So I'm still left wondering how Encase would be a valid example since it doesn't do the job and it costs $2500.

But I am really curious about the R-Studio product and since you have tested it I hope you don't mind if I ask you a couple of questions. I know that if you just repartition and don't install anything you can recover your files, that's a given. But what I'm really curious about, because this is the cool part if what you say is true, is how the software can read a cluster that has had data overwritten. So for instance the cluster was, for argument's sake, cluster 195 and it contained "my secret bank account # is" and that cluster was overwritten with the new O/S install and the part that filled the cluster was "s.y.s.m.a.i.n...s.d.b.E.......p.Z." R-Studio can read the original "My secret...." and put back the rest of that document "213909485 and it is located in Geneva Switzerland" located in cluster 8715 which was also overwritten (it was in WORD) and have it readable by MS-WORD? And I know that you can recover from an fdisk, but an fdisk with a format 00 across an entire drive is very difficult to do with most tools, let alone inexpensive ones. Saying it's one pass, I can see it potentially happening.

I am also aware that it is now recommended to do 31 passes to ensure data can't be recovered, but I am also aware that it is very difficult to recover any reformatted data. To my knowledge, in the past, Ontrack has been the main commercial player to recover this type of "lost" data. Now if that package can do that, I'm all for it. When you said in your post "Not only did it find and recover the originals we did it found a WIN98 operating install that must have been done at the disk or computer manufactures", did you mean that you were able to recover ALL of the original installs in their original working state or did you mean that you were able to find that at one time they existed? Now I ask this because EnCase can tell you if things previously existed in some circumstances, but that didn't mean it could recover the entire files/install/OS and have it in a format readable by the original program. I checked the R-Studio website and I couldn't find where it stated it could recover data from a reformatted drive or where clusters were overwritten. Could you send me that link please, because I'd really like to check it out and test it on some drives that someone wiped. My original point (e-mail) was that if the data has been overwritten you couldn't recover the previous data (w/o extreme financial costs, blah, blah, blah). Am I to understand that this is no longer true? If so, is there a white paper anywhere on this and other "non-vendor" data?

Sonja Robinson, CISA
Network Security Analyst
HIP Health Plans
Office: 212-806-4125
Pager: 8884238615

-----Original Message-----
From: dave klimen [mailto:dave () netmedic net]
Sent: Saturday, June 21, 2003 6:43 PM
To: Robinson, Sonja; 'Wilcox, Stephen'; security-basics () securityfocus com; 'Gene LeDuc'
Subject: RE: Digital Evidence Question - What is an effective Windows hard -disk search tool?

Sonja,

That is so far from correct. With R-Studio, $79 (http://www.r-tt.com/RStudio.shtml), you can repartition, reformat (using different file systems) and still recover. We tested a system that came fresh from the factory with W2K on a single FAT partition. We repartitioned it into 4 W2K NTFS partitions. Then one more time into 2 W2K NTFS. Not only did it find and recover the originals we did, it found a WIN98 operating install that must have been done at the disk or computer manufacturer's. I also use EnCase as well as many other forensic tools. If you do not trust my opinion you can simply download the eval copy, which will find and show you the lost info, but just will not recover them.

_____________________
Dave Kleiman
dave () netmedic net
www.netmedic.net

"High achievement always takes place in the framework of high expectation." Jack Kinder

-----Original Message-----
From: Robinson, Sonja [mailto:SRobinson () HIPUSA com]
Sent: Friday, June 20, 2003 10:50
To: 'Wilcox, Stephen'; 'security-basics () securityfocus com'
Subject: RE: Digital Evidence Question - What is an effective Windows hard -disk search tool?

If you reformatted, don't waste your money on any product; your stuff is gone and the $75 tool isn't going to help you. Forensics tools aren't going to help you. Your only hope is something like Ontrack, and that will cost you. Even if you could recover some of the information from free space or slack space, no, your files wouldn't have been readable. IF you had not reformatted and IF you had not reinstalled the O/S, yes, they would have been readable by the original program. You're pretty much toast, dude. Sorry. It is possible to reassemble files IF they are still there (99.5% chance they're hosed), but reassembly will cost you serious $$ because it takes a lot of time to do manually.

Sonja Robinson, CISA
Network Security Analyst
HIP Health Plans
Office: 212-806-4125
Pager: 8884238615

-----Original Message-----
From: Wilcox, Stephen [mailto:StephenWilcox () universalcomputersys com]
Sent: Thursday, June 19, 2003 12:02 PM
To: Ansgar Wiechers; security-basics () securityfocus com
Subject: RE: Digital Evidence Question - What is an effective Windows hard -disk search tool?

Due to lack of knowledge and impatience, I formatted the drive. I now have looked at a couple of recovery tools out there but they run around $75.. ouch. I will bite the bullet and get one I guess. Here is the question: once the information is recovered, will the application be able to read the file again or does the file have to be reassembled by a third party? A friend said that recovery is not a problem; reassembling the information in an order so the application can read it is another thing. I have no idea on this, what are your thoughts?

Stephen
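Two points in the thread can be shown concretely: the "disk scan" mode described for R-Studio (looking for boot-sector and MFT signatures anywhere on the disk so that a volume reformatted as a different file system can still be located) and Sonja's objection that a sector which the new OS install has overwritten yields nothing to any search tool. The following scanner is an added example written for this archive page; it is not code from R-Studio, EnCase or any poster. It builds a constructed in-memory image (2048 sectors, an NTFS volume later reformatted as FAT16, a text fragment parked at sector 195 to mirror Sonja's "cluster 195" example), and the simplified MFT entries carry only a realistic `FILE` signature; treat every layout value as an assumption.

```python
"""Toy disk-image scanner: signature scan for boot sectors and MFT entries,
plus a sector-level keyword search. All data is constructed in build_image();
the layout is an assumption made for this example, not R-Studio's method."""
import struct

SECTOR = 512
NTFS_OEM = b"NTFS    "
FAT_TYPES = (b"FAT12   ", b"FAT16   ")
FRAGMENT = b"my secret bank account # is"   # constructed text from Sonja's example


def fat16_boot_sector(total_sectors):
    """Constructed FAT16 boot sector representing the 'current' format."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x3C\x90"
    bs[3:11] = b"MSWIN4.1"
    # bytes/sector, sectors/cluster, reserved, FATs, root entries,
    # total sectors (16-bit), media descriptor, sectors per FAT
    struct.pack_into("<HBHBHHBH", bs, 11, SECTOR, 4, 1, 2, 512, total_sectors, 0xF8, 8)
    bs[54:62] = b"FAT16   "
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)


def ntfs_boot_sector(total_sectors, mft_cluster):
    """Constructed NTFS boot sector carrying only the fields the scanner reads."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x52\x90"
    bs[3:11] = NTFS_OEM
    struct.pack_into("<HB", bs, 11, SECTOR, 8)                   # bytes/sector, sectors/cluster
    struct.pack_into("<QQ", bs, 40, total_sectors, mft_cluster)  # TotalSectors, $MFT cluster
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)


def mft_record(name):
    """Simplified 1024-byte MFT entry: only the 'FILE' signature is realistic."""
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    rec[64:64 + 2 * len(name)] = name.encode("utf-16-le")
    return bytes(rec)


def build_image():
    """2048-sector image (assumption): an old NTFS volume occupying sectors
    0..1500 was reformatted as FAT16. The FAT boot sector replaced the NTFS
    one at sector 0, but the NTFS backup boot sector at LBA 1500 and the $MFT
    at cluster 4 (sector 32) survived, as did a text fragment at sector 195."""
    img = bytearray(2048 * SECTOR)
    img[1500 * SECTOR:1501 * SECTOR] = ntfs_boot_sector(1500, 4)
    img[32 * SECTOR:34 * SECTOR] = mft_record("bank.doc")
    img[34 * SECTOR:36 * SECTOR] = mft_record("notes.txt")
    img[195 * SECTOR:195 * SECTOR + len(FRAGMENT)] = FRAGMENT
    img[0:SECTOR] = fat16_boot_sector(2048)   # the reformat is applied last
    return bytes(img)


def scan_boot_sectors(image):
    """Deterministic criterion: a sector ending in 0x55AA whose type string
    names NTFS or FAT is a candidate boot sector. An NTFS hit at LBA n with
    n >= TotalSectors may also be a volume's backup boot sector, so both
    interpretations (primary at n, backup of a volume starting at
    n - TotalSectors) are reported for later corroboration."""
    hits = []
    for lba in range(len(image) // SECTOR):
        s = image[lba * SECTOR:(lba + 1) * SECTOR]
        if s[510:512] != b"\x55\xAA":
            continue
        if s[3:11] == NTFS_OEM:
            _, spc = struct.unpack_from("<HB", s, 11)
            total, mft = struct.unpack_from("<QQ", s, 40)
            starts = [(lba, False)] + ([(lba - total, True)] if lba >= total else [])
            for start, backup in starts:
                hits.append({"fs": "NTFS", "lba": lba, "start": start, "total": total,
                             "backup": backup, "mft_sector": start + mft * spc})
        elif s[54:62] in FAT_TYPES or s[82:90] == b"FAT32   ":
            total = struct.unpack_from("<H", s, 19)[0] or struct.unpack_from("<I", s, 32)[0]
            fs = s[54:62].strip().decode() if s[54:62] in FAT_TYPES else "FAT32"
            hits.append({"fs": fs, "lba": lba, "start": lba, "total": total, "backup": False})
    return hits


def scan_mft_records(image):
    """Sector numbers that begin with an MFT entry signature."""
    return [lba for lba in range(len(image) // SECTOR)
            if image[lba * SECTOR:lba * SECTOR + 4] == b"FILE"]


def recoverable_volumes(image):
    """Keep FAT candidates and only those NTFS interpretations whose $MFT
    location actually holds a FILE record (the corroboration step)."""
    mft_sectors = set(scan_mft_records(image))
    return [h for h in scan_boot_sectors(image)
            if h["fs"] != "NTFS" or h["mft_sector"] in mft_sectors]


def find_text(image, needle):
    """Sector-level keyword search over the whole image, free space included."""
    hits, pos = set(), image.find(needle)
    while pos != -1:
        hits.add(pos // SECTOR)
        pos = image.find(needle, pos + 1)
    return sorted(hits)


def overwrite_sector(image, lba, fill):
    """Simulate an OS install writing a repeating pattern over one sector."""
    img = bytearray(image)
    img[lba * SECTOR:(lba + 1) * SECTOR] = (fill * (SECTOR // len(fill) + 1))[:SECTOR]
    return bytes(img)


def demo():
    img = build_image()
    before = find_text(img, b"my secret")
    after = find_text(overwrite_sector(img, 195, b"s.y.s.m.a.i.n."), b"my secret")
    return recoverable_volumes(img), before, after


if __name__ == "__main__":
    vols, before, after = demo()
    for v in vols:
        print(v)
    print("fragment found in sectors before overwrite:", before, "after:", after)
```

The corroboration step is what separates a signature hit from a usable volume: the NTFS backup boot sector alone only proves a volume once existed, whereas an `$MFT` entry at the location it points to is what a recovery tool can actually walk to rebuild file names. The keyword search makes Sonja's point in the same image: the fragment is found in sector 195 while that sector is untouched and is gone once the sector has been rewritten, regardless of how the rest of the disk is scanned.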