Re: Digital Evidence Question - What is an effective Windows hard-disk search tool?

["colane () unity ncsu edu" <colane () unity ncsu edu>]

> What I seek is the following:
>  
> -A tool (peferably freeware) that I can use to acquire
> and search my hard drive for
> images/history/general/etc information that I have
> "deleted". 
>  
> Any suggestions?  It goes without saying that any
> ideas you may have would be appreciated.  Thanks!
>  
> Marcus 

If nobody comes up with a suitable Windows-based tool for you, you can 
disconnect the drive and hook it up as a slave to a *nix machine.  From 
there, you can use 'the sleuth kit' to work on the drive.

http://www.sleuthkit.org/sleuthkit/desc.php
From the website:

"The Sleuth Kit (previously known as TASK) is a collection of UNIX-based 
command line file system forensic tools that allow an investigator to 
examine NTFS, FAT, FFS, EXT2FS, and EXT3FS file systems of a suspect 
computer in a non-intrusive fashion. The tools have a layer-based design 
and can extract data from internal file system structures. Because the 
tools do not rely on the operating system to process the file systems, 
deleted and hidden content is shown."

NOTE: I've never used this tool, so I cannot speak for it's reliability, 
effectiveness, etc.

- Christopher Lane - CCNA/BCNE
- NCSU, Computer Science Undergraduate


---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
    
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
         
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------