Security Basics mailing list archives

RE: Digital Evidence Question - What is an effective Windows hard -disk search tool?


From: "George" <gpetkus () columbusmicro com>
Date: Wed, 25 Jun 2003 12:19:03 -0400



If the drive was formatted format c:/u the data is gone.

-----Original Message-----
From: Clayton Hoskinson [mailto:choskinson () sai state ok us] 
Sent: Tuesday, June 24, 2003 6:31 PM
To: 'Robinson, Sonja'; security-basics () securityfocus com
Subject: RE: Digital Evidence Question - What is an effective Windows hard-disk search tool?

-----Original Message-----
From: Robinson, Sonja [mailto:SRobinson () HIPUSA com]
Sent: Friday, June 20, 2003 10:50
To: 'Wilcox, Stephen'; 'security-basics () securityfocus com'
Subject: RE: Digital Evidence Question - What is an effective Windows hard-disk search tool?

If you reformatted, don't waste your money on any product; your stuff is
gone and the $75 tool isn't going to help you. Forensics tools aren't going
to help you.

I would take exception to the above comment. Assuming a FAT32 system and
using the high-level format, the only part of the drive that will be lost is
the system area of the drive. The data area, cluster 2 and beyond, will
remain untouched. So even if you format, the data is still there; just the
system area is zeroed. Which means you may have to look for it manually, but
it does not mean that it is gone and your search would be a waste of time.

Your only hope is something like Ontrack, and that will cost you. Even if
you could recover some of the information from free space or slack space,
no, your files wouldn't have been readable. IF you had not reformatted and
IF you had not reinstalled the O/S, yes, they would have been readable by
the original program. You're pretty much toast, dude. Sorry. It is possible
to reassemble files IF they are still there (99.5% chance they're hosed),
but reassembly will cost you serious $$ because it takes a lot of time to
do manually.

Actually, all that you have to do is rebuild the root files and remap the
FAT. If the files were contained in contiguous clusters before the
formatting, it is not that tough to do, although a little time consuming.
If, however, the files were in non-contiguous clusters, then you are in for
a time-consuming recovery.

Clayton Hoskinson, CFCE
IS Auditor
State Auditor and Inspector
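The point Clayton makes above (a high-level format rewrites only the system area, and files that sat in contiguous clusters can be pulled back by walking the data area) can be shown on a toy disk image. This is an added example, not code from anyone in the thread: it builds a small FAT32-like layout with constructed geometry and two constructed JPEG-shaped files, zeroes the system area the way a quick format does, and then carves the files back by scanning cluster boundaries for a known header and reading to its footer. Cluster sizes, reserved-sector counts and file contents are all assumptions chosen to keep the image small.

```python
SECTOR = 512
CLUSTER = SECTOR                             # one sector per cluster keeps the toy image small
RESERVED = 32                                # boot sector, FSInfo and spare sectors (constructed)
FAT_SECTORS = 2 * 4                          # two small FATs (constructed sizes)
ROOT_CLUSTERS = 1                            # FAT32 keeps the root directory in cluster 2
DATA_START = (RESERVED + FAT_SECTORS) * SECTOR          # byte offset of cluster 2
SYSTEM_AREA = DATA_START + ROOT_CLUSTERS * CLUSTER      # everything a quick format rewrites
TOTAL_CLUSTERS = 16

# Constructed sample "files": a recognisable header, filler, a recognisable footer.
JPEG_HEAD, JPEG_TAIL = b"\xFF\xD8\xFF", b"\xFF\xD9"
SAMPLE_FILES = [                             # (first cluster, payload), each stored contiguously
    (3, JPEG_HEAD + b"\xE0" + b"holiday-photo-bytes" * 60 + JPEG_TAIL),
    (8, JPEG_HEAD + b"\xE1" + b"second-image-bytes" * 40 + JPEG_TAIL),
]

def cluster_offset(n):
    """Byte offset of data cluster n; FAT numbers data clusters from 2."""
    return DATA_START + (n - 2) * CLUSTER

def build_image(files):
    """Fill the system area with marker bytes and lay each file out contiguously."""
    img = bytearray(DATA_START + TOTAL_CLUSTERS * CLUSTER)
    img[:SYSTEM_AREA] = b"\xAA" * SYSTEM_AREA
    for first, payload in files:
        off = cluster_offset(first)
        img[off:off + len(payload)] = payload
    return img

def high_level_format(img):
    """Model of a quick format: only the system area (plus a fresh root dir) is zeroed."""
    img[:SYSTEM_AREA] = b"\x00" * SYSTEM_AREA
    return img

def carve_contiguous(img):
    """Walk cluster boundaries in the data area looking for a known header, then read to
    the matching footer. This recovers only files whose clusters were contiguous."""
    found = []
    for n in range(2 + ROOT_CLUSTERS, 2 + TOTAL_CLUSTERS):
        off = cluster_offset(n)
        if img[off:off + len(JPEG_HEAD)] == JPEG_HEAD:
            end = img.find(JPEG_TAIL, off + len(JPEG_HEAD))
            if end != -1:
                found.append((n, bytes(img[off:end + len(JPEG_TAIL)])))
    return found

def demo():
    """Returns (system area fully zeroed?, list of (first cluster, recovered bytes))."""
    img = high_level_format(build_image(SAMPLE_FILES))
    return all(b == 0 for b in img[:SYSTEM_AREA]), carve_contiguous(img)
```

A fragmented file would fail this scan at its first non-adjacent cluster, which is the "time-consuming recovery" case Clayton describes.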
